Chapter 9. Security Assessments

This chapter covers CAS-003 objective 3.1.

Before it can secure a network, an organization must determine where security weaknesses exist. The only way to do this is to make an honest assessment of the current state of the network. Considering the multitude of types of weaknesses that can exist in a network, multiple methods of assessment should be used. This chapter discusses types of assessments and the weakness each is designed to reveal. The chapter also discusses methods for ferreting out other types of security weaknesses that cannot be discovered with those tools.


A variety of assessment methods can be used to identify security weaknesses. While some involve determining network shortcomings, many others focus on insecure web server and application configurations. The following sections cover assessment methods, with a focus on a conceptual approach rather than specific tools.

Malware Sandboxing

Malware sandboxing aims to detect malware code by running it in a computer to analyze it for behavior and traits that indicate malware. One of its goals is to spot zero-day malware, which is malware that has not yet been identified by commercial anti-malware systems and for which there is not yet a cure.

One example of a commercial malware sandboxing tool is Cuckoo, an open source automated malware analysis system. An example of a cloud-based solution is Seculert’s Elastic Sandbox. Customers, partners, vendors, and the malware experts at Seculert upload suspicious executables to the Elastic Sandbox, using an online platform or application programming interface (API). Within the sandbox, the behavior of the code is studied, including network communications, metadata in the network traffic, and host runtime changes. Using analytics, all the available information is processed to determine whether the code under investigation is malicious.

While this is only one example of how malware sandboxing works, the Elastic sandboxing process is depicted in Figure 9-1. Vendors and customers can use this sandbox environment to test malware and benefit from the results of all the analysis.

A flow diagram represents Seculert’s Elastic Sandbox.

Figure 9-1 Seculert’s Elastic Sandbox

In summary, malware sandboxing can be used to analyze and identify malware that has not yet been identified by the major commercial anti-malware vendors.

Memory Dumping, Runtime Debugging

Many penetration testing tools perform an operation called a core dump or memory dump. Applications store information in memory, and this information can include sensitive data, passwords, usernames, and encryption keys. Hackers can use memory-reading tools to analyze the entire memory content used by an application. Any vulnerability testing should take this into consideration and utilize the same tools to identify any issues in the memory of an application.


Examples of memory-reading tools are:

  • Memdump: This free tool runs on Windows, Linux, and Solaris. It simply creates a bit-by-bit copy of the volatile memory on a system.

  • KnTTools: This memory acquisition and analysis tool used with Windows systems captures physical memory and stores it to a removable drive or sends it over the network to be archived on a separate machine.

  • FATKit: This popular memory forensics tool automates the process of extracting interesting data from volatile memory. FATKit helps an analyst visualize the objects it finds to help in understanding the data that the tool was able to find.

Runtime debugging, on the other hand, is the process of using a programming tool to not only identify syntactic problems in code but also discover weaknesses that can lead to memory leaks and buffer overflows. Runtime debugging tools operate by examining and monitoring the use of memory. These tools are specific to the language in which the code was written.

Table 9-1 shows examples of runtime debugging tools and the operating systems and languages for which they can be used.


Table 9-1 Runtime Debugging Tools


Operating Systems



Linux, Mac

C, C#


Windows (Visual Studio)

C, C#

Software Verify


.Net, C, C##, Java, JavaScript, Lua, Python, Ruby

Memory dumping can help determine what a hacker might be able to learn if she were able to cause a memory dump. Runtime debugging would be the correct approach for discovering syntactic problems in an application’s code or to identify other issues, such as memory leaks or potential buffer overflows.


A network attack is typically preceded by an information-gathering phase called reconnaissance. Both technical tools and nontechnical approaches can be used to identify targets and piece together helpful information that may make a target easier to attack. You might compare this stage of the hacking process to a bank robber casing a bank location before launching a robbery.


Fingerprinting tools are designed to scan a network, identify hosts, and identify services and applications that are available on those hosts. They help a hacker weed through all the uninteresting items in the network and locate what is really of interest. By fingerprinting or identifying the operating system of a host, a hacker can also identify exploits that may work on the host. There are two forms of fingerprinting:

  • Active: Active fingerprinting tools transmit packets to remote hosts and analyze the replies for clues about the replying system. Chapter 10, “Select the Appropriate Security Assessment Tool,” looks at one such tool, Nmap, and shows a port scan of an individual host. In the real world, a port scan is usually preceded by a ping scan to identify all the hosts in the network. Figure 9-2 shows the result of a ping scan.

    The result of a ping scan is shown.

    Figure 9-2 Ping Scan

    If you examine the output in Figure 9-2, you can see the following:

    • There are five Dell computers with addresses to and

    • There are three ShorTel devices (VoIP phones) at,, and

    • There is a Juniper device (a router, a switch, or both) at

      Using this information, the hacker would perform a port and services scan of the machines of interest.

  • Passive: It is possible to simply capture packets from a network and examine them rather than send packets on the network. NetworkMiner is an example of a passive fingerprinting tool. The output shown in Figure 9-3 identifies the OS, and you can see additional information by expanding the host. All this information is gathered through passive scanning.

A screenshot shows NetworkMiner 1.6.1 window.

Figure 9-3 NetworkMiner

The output in Figure 9-3 lists all the machines NetworkMiner discovered by IP address. By tunneling into the details of each machine, you can see the IP address, MAC address, hostname, operating system, and other information. In this case, the scan has not been running long enough for all the information about the machine at to be generated.

Code Review

Code review is the systematic investigation of the code for security and functional problems. It can take many forms, from simple peer review to formal code review. There are two main types of code review:

  • Formal review: This is an extremely thorough, line-by-line inspection, usually performed by multiple participants using multiple phases. This is the most time-consuming type of code review but the most effective at finding defects.

  • Lightweight review: This type of code review is much more cursory than a formal review. It is usually done as a normal part of the development process. It can happen in several forms:

    • Pair programming: Two coders work side-by-side, checking one another’s work as they go.

    • Email review: Code is emailed around to colleagues for them to review when time permits.

    • Over the shoulder: Coworkers review the code while the author explains his or her reasoning.

    • Tool-assisted: Perhaps the most efficient method, this method involves using automated testing tools.

While code review is most typically performed on in-house applications, it may be warranted in other scenarios as well. For example, say that you are contracting with a third party to develop a web application to process credit cards. Considering the sensitive nature of the application, it would not be unusual for you to request your own code review to assess the security of the product.

In many cases, more than one tool should be used in testing an application. For example, an online banking application that has had its source code updated should undergo both penetration testing with accounts of varying privilege levels and a code review of the critical models to ensure that defects do not exist.

Social Engineering

Social engineering attacks occur when attackers use believable language and user gullibility to obtain user credentials or some other confidential information. Social engineering threats that you should understand include phishing/pharming, shoulder surfing, identity theft, and Dumpster diving.

The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.


Phishing is a social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that is nearly identical to a legitimate website. Users enter data, including credentials, on the fake website, allowing the attackers to capture any information entered. Spear phishing is a phishing attack carried out against a specific target by learning about the target’s habits and likes. Spear phishing attacks take longer to carry out than phishing attacks because of the information that must be gathered.

Pharming is similar to phishing, but it involves polluting the contents of a computer’s DNS cache so that requests to a legitimate site are actually routed to an alternate site.

You should caution users against using any links embedded in email messages, even if the message appears to have come from a legitimate entity. Users should also review the address bar any time they access a site where their personal information is required to ensure that the site is correct and that SSL is being used.

Shoulder Surfing

Shoulder surfing occurs when an attacker watches as a user enters login or other confidential data. Users should be encouraged to always be aware of who is observing their actions. Implementing privacy screens helps ensure that data entry cannot be recorded.

Identity Theft

Identity theft occurs when someone obtains personal information, such as driver’s license number, bank account number, and Social Security number, and uses that information to assume the identity of the individual whose information was stolen. Once the identity is assumed, the attack can go in any direction. In most cases, attackers open financial accounts in the user’s name. Attackers also can gain access to the user’s valid accounts.

Dumpster Diving

Dumpster diving occurs when attackers examine the contents of physical garbage cans or recycling bins to obtain confidential information, including personnel information, account login information, network diagrams, and organizational financial data.

Organizations should implement policies for shredding documents that contain this information.


Pivoting is a technique used by hackers and pen testers alike to advance from an initially compromised host to other hosts on the same network. It allows the leveraging of pen test tools installed on the compromised machine to route traffic through other hosts on the subnet and potentially allows access to other subnets. One set of steps that could potentially illustrate pivoting is the following:

Step 1. Compromise a client.

Step 2. Open Metasploit.

Step 3. Choose an exploit.

Step 4. Get meterpreter and type meterpreter> ipconfig.

Step 5. Scan the network you find.

Step 6. Run the arp_scanner by typing:

meterpreter > run arp_scanner -r

Step 7. Add a route from the default gateway to the compromised system so that all traffic from the default gateway must be routed through the compromised machine.

Open Source Intelligence

Open source intelligence (OSINT) is data collected from publicly available sources. In many cases, information derived from these sources makes an attack possible. The following sections look at some of the places hackers look for information that can be leveraged in an attack.

Social Media

Organizations are increasingly using social media to reach out and connect with customers and the public in general. While the use of Twitter, Facebook, LinkedIn, and other social media platforms can enhance engagement with customers, build brands, and communicate information to the rest of the world, these social media sites can also inadvertently expose proprietary information. Specifically, some of the dangers presented by the use of social media are:

  • Mobile apps on company devices: We can’t completely blame social media for the use of mobile applications on company devices, but the availability and ease with which social media and other types of mobile apps can be downloaded and installed presents an increasing danger of malware.

  • Unwarranted trust in social media: Trade secrets and company plans may be innocently disclosed to a friend with the misplaced expectation of privacy. This is complicated by the poorly understood and frequently changing security and privacy settings of social media sites.

  • Malware in the social media sites: Malicious code may be lurking inside advertisements and third-party applications. Hackers benefit from the manner in which users repost links, thereby performing the distribution process for the hackers.

  • Lack of policies: Every organization should have a social media policy that expressly defines the way in which users may use social media. A social media director or coordinator should be designated, and proper training should be delivered that defines what users are allowed to say on behalf of the company.

The best way to prevent information leaks through social media that can be useful in attacking your network is to adopt a social media policy that defines what users are allowed to say on behalf of the company in social media posts.


Whois is a protocol used to query databases that contain information about the owners of Internet resources, such as domain names, IP address blocks, and autonomous system (AS) numbers (used to identify private Border Gateway Protocol [BGP] networks on the Internet). These records are a treasure trove of information that can enhance attacks on a network.

While originally a command-line interface application, Whois now also exists in web-based tools. Although law enforcement organizations in the United States claim that Whois is an important tool for investigating violations of spamming and vishing, the Internet Corporation for Assigned Names and Numbers (ICANN) has called for scrapping the system and replacing it with one that keeps information secret from most Internet users and discloses information only for “permissible” reasons.

Some organizations use third-party privacy services to remove their information from the Whois database. Although this can be done, it may leave the general public wondering what an organization has to hide. It may make people less likely to do business with the organization. So when considering your options, you should balance the pros and cons.

Figure 9-4 shows a part of the output of a domain name search in Whois. As you can see, you can obtain quite a bit of information about an organization by using this tool.

A screenshot shows Whois Lookup window.

Figure 9-4 Whois

Routing Tables

Routing occurs at layer 3 of the OSI model. This is also the layer at which IP operates and where the source and destination IP addresses are placed in packets. Routers are devices that transfer traffic between systems in different IP networks. When computers are in different IP networks, they cannot communicate unless there is a router available to route the packets to the other networks.

Routers use routing tables to hold information about the paths to other networks. These tables can be populated several ways: Administrators can manually enter these routes, or dynamic routing protocols can allow the routers to exchange routing tables and routing information. Manual configuration, also called static routing, has the advantage of avoiding the additional traffic created by dynamic routing protocols and allows for precise control of routing behavior; however, it requires manual intervention when link failures occur. Dynamic routing protocols create traffic but can react to link outages and reroute traffic without manual intervention.

From a security standpoint, routing protocols introduce the possibility that routing update traffic may be captured, allowing a hacker to gain valuable information about the layout of the network. Moreover, Cisco devices (perhaps the most widely used networking devices) by default also use a proprietary layer 2 protocol called Cisco Discovery Protocol (CDP), which they use to inform each other about their capabilities. If CDP packets are captured, additional information can be obtained that can be helpful in mapping the network in preparation for an attack.

Hackers can also introduce rogue routers into a network and perform a routing table update or exchange with a legitimate company router. A hacker may do this to learn the routes and general layout of the network and may also do it to pollute the routing table with incorrect routes that may enhance an attack.

The following is a sample of a routing table before it is compromised:

Source Network Next hop Exit interface
O [110/5] via, 0:01:00, Ethernet2
O [110/128] via, 0:02:22, Ethernet2
O [110/5] via, 0:00:59, Ethernet2
O [110/5] via, 0:00:59, Ethernet2
O [110/128] via, 0:02:22, Ethernet2
O [110/129] via, 0:02:22, Ethernet2

The routing table shows the remote networks to which the router has routes. The first column in this example shows the source of the routing information. In this case, the router sees the O in the first column and knows about networks from the Open Shortest Path First (OSPF) protocol. The second column is the remote network, the third column shows the next-hop IP address to reach that network (another router), and the last column is the local exit interface on the router.

After the hacker has convinced the local router to exchange routing information and polluted the local routing table, the routing table looks like this:

O [110/5] via, 0:01:00, Ethernet2
O [110/128] via, 0:02:22, Ethernet2
O [110/5] via, 0:00:59, Ethernet2
O [110/5] via, 0:00:59, Ethernet2
O [110/128] via, 0:02:22, Ethernet2
O [110/129] via, 0:02:22, Ethernet2

Look at the route to the network. It is now routing to the IP address, which is the address of the hacker’s router. From there, the hacker can direct all traffic destined for a secure server at to a duplicate server at that he controls. The hacker can then collect names and passwords for the real secure server.
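The before-and-after tables above can also be compared mechanically. The following is an added example, not taken from the book or from any router vendor: it parses two routing-table snapshots in the layout shown above and reports routes whose next hop changed or is not an approved neighbor. All addresses, the prefix notation, and the names `BASELINE`, `CURRENT`, and `APPROVED_NEIGHBORS` are constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

# One route line: source code, network, [distance/metric], next hop, age, interface.
ROUTE_RE = re.compile(
    r"^(?P<source>\S+)\s+(?P<network>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+"
    r"via\s+(?P<next_hop>[^,\s]+),\s+(?P<age>[^,\s]+),\s+(?P<interface>\S+)$"
)


class Route(NamedTuple):
    source: str
    network: ipaddress.IPv4Network
    metric: int
    next_hop: ipaddress.IPv4Address
    interface: str


def parse_table(text):
    """Return {network: Route}; header and non-route lines are skipped."""
    routes = {}
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m["network"])
        routes[net] = Route(m["source"], net, int(m["metric"]),
                            ipaddress.ip_address(m["next_hop"]), m["interface"])
    return routes


def audit(baseline, current, approved_neighbors):
    """Compare a snapshot with the known-good baseline and list findings."""
    approved = {ipaddress.ip_address(a) for a in approved_neighbors}
    findings = []
    for net, route in sorted(current.items()):
        old = baseline.get(net)
        if old is None:
            findings.append(("new-route", str(net), str(route.next_hop)))
        elif old.next_hop != route.next_hop:
            findings.append(("next-hop-changed", str(net),
                             f"{old.next_hop} -> {route.next_hop}"))
        if route.next_hop not in approved:
            findings.append(("unapproved-next-hop", str(net), str(route.next_hop)))
    for net in sorted(set(baseline) - set(current)):
        findings.append(("route-withdrawn", str(net), str(baseline[net].next_hop)))
    return findings


# Constructed sample data (private addresses, not from the page).
BASELINE = """
Source Network Next hop Exit interface
O 10.10.20.0/24 [110/5] via 10.10.10.2, 0:01:00, Ethernet2
O 10.10.30.0/24 [110/128] via 10.10.10.2, 0:02:22, Ethernet2
O 10.10.40.0/24 [110/5] via 10.10.10.3, 0:00:59, Ethernet2
"""

CURRENT = """
O 10.10.20.0/24 [110/5] via 10.10.10.2, 0:01:00, Ethernet2
O 10.10.30.0/24 [110/128] via 10.10.10.99, 0:00:12, Ethernet2
O 10.10.40.0/24 [110/5] via 10.10.10.3, 0:00:59, Ethernet2
"""

APPROVED_NEIGHBORS = ["10.10.10.2", "10.10.10.3"]


def run_sample():
    return audit(parse_table(BASELINE), parse_table(CURRENT), APPROVED_NEIGHBORS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```
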

To prevent such attacks, routers should be configured with authentication so that they identify and authenticate any routers with which they exchange information. Routers can be configured to authenticate one another if the connection between them has been configured to use Point-to-Point Protocol (PPP) encapsulation. PPP is a layer 2 protocol that is simple to enable on a router interface with the command encapsulation ppp. Once enabled, it makes use of two types of authentication: PAP and CHAP.

Password Authentication Protocol (PAP) passes a credential in cleartext. A better alternative is Challenge-Handshake Authentication Protocol (CHAP), which never passes the credentials across the network. The CHAP process is as follows:


Step 1. The local router sends a challenge message to the remote router.

Step 2. The remote node responds with a value calculated using an MD5 hash salted with the password.

Step 3. The local router verifies the hash value with the same password, thus ensuring that the remote router knows the password without sending the password.

Figure 9-5 compares the two operations.

PPP authentication protocols are shown.

Figure 9-5 PAP Versus CHAP
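The three CHAP steps above, worked through on both routers, as an added example that is not from the book or from any router vendor's code. It uses the RFC 1994 response calculation (MD5 over the identifier, the shared secret, and the challenge); the secret, the peer name, and the simplified PAP field layout with PPP framing omitted are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def pap_request(peer_id: bytes, password: bytes) -> bytes:
    """Data field of a PAP Authenticate-Request: the password travels as-is."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


class LocalRouter:
    """Authenticator side: issues challenges and checks responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self._next_id = 0
        self._pending = {}  # identifier -> outstanding challenge

    def challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)  # fresh and unpredictable for every exchange
        self._pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        value = self._pending.pop(identifier, None)  # a challenge is single-use
        if value is None:
            return False
        expected = chap_response(identifier, self.secret, value)
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-shared-secret"  # sample value configured on both routers
    local = LocalRouter(secret)
    wire = []  # everything an eavesdropper on the link would capture

    # Step 1: the local router sends a challenge.
    ident, value = local.challenge()
    wire.append(bytes([ident]) + value)

    # Step 2: the remote router answers with the hash, never the secret.
    response = chap_response(ident, secret, value)
    wire.append(bytes([ident]) + response)

    # Step 3: the local router recomputes the hash with its own copy of the secret.
    accepted = local.verify(ident, response)

    # A captured response is useless against the next challenge.
    ident2, _value2 = local.challenge()
    replay_accepted = local.verify(ident2, response)

    # A router that does not know the secret cannot produce a valid response.
    ident3, value3 = local.challenge()
    wrong_accepted = local.verify(ident3, chap_response(ident3, b"guess", value3))

    pap = pap_request(b"branch-router", secret)
    return {
        "accepted": accepted,
        "replay_accepted": replay_accepted,
        "wrong_secret_accepted": wrong_accepted,
        "secret_on_chap_wire": any(secret in message for message in wire),
        "secret_on_pap_wire": secret in pap,
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```
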

DNS Records

The DNS records for the devices on a network are extremely valuable to an attacker because they identify each device by name and IP address. The IP addresses may also imply how the devices are grouped because it is possible to determine the network ID of the network in which each device resides and, therefore, which devices are grouped into common subnets. DNS records are organized by type. Table 9-2 lists the most common DNS record types.


Table 9-2 DNS Record Types

Record Type



A host record that represents the mapping of a single device to an IPv4 address


A host record that represents the mapping of a single device to an IPv6 address


An alias record that represents an additional hostname mapped to an IPv4 address that already has an A record mapped


A name server record that represents a DNS server mapped to an IPv4 address


A mail exchanger record that represents an email server mapped to an IPv4 address


A Start of Authority record that represents a DNS server that is authoritative for a DNS namespace

DNS harvesting involves acquiring the DNS records of an organization to use as part of mapping the network. The easiest way to do DNS harvesting (if it is possible) is through unauthorized zone transfers (covered later in this section). But one of the ways a malicious individual may be able to get a few records is through the use of the tracert tool on Windows or the traceroute tool on UNIX. These tools trace the path of a packet from its source to destination. When tracert lists the hops or routers through which the packet has traversed, the last several devices are typically inside the organization’s network. If tracert lists the names of those devices (which it attempts to do), they are available to the hacker. Figure 9-6 shows tracert output. In this example, tracert was able to resolve the names of some of the routers but not the last two. Often the last several hops time out because the destination network administrators have set the routers to not respond to ICMP traffic.

A screenshot shows the output of the command "tracert" listing the hops or routers through which the packet has traversed.

Figure 9-6 tracert

Another form of DNS harvesting involves convincing an organization’s DNS server to perform a zone transfer with the attacker. While there was a time when this was very simple, it is a bit more difficult now if the organization has chosen to specify the DNS servers with which zone transfer may be performed. You should ensure that you have taken this step and then attempt to perform a DNS zone transfer from an unauthorized DNS server.

Figure 9-7 shows the dialog box from a Microsoft DNS server. On the Zone Transfers tab of the properties of the DNS server, you can specify the only servers to which zone transfers may occur.

A screenshot shows a Microsoft DNS server dialog box.

Figure 9-7 Controlling DNS Zone Transfers

The nslookup command is a command-line administrative tool for testing and troubleshooting DNS servers. It can be run in two modes: interactive and noninteractive. Noninteractive mode is useful when only a single piece of data needs to be returned, and interactive mode allows you to query for either an IP address for a name or a name for an IP address without leaving nslookup mode. The command syntax is as follows:

nslookup [-option] [hostname] [server]

To enter interactive mode, simply type nslookup as shown here:

C:\> nslookup
Default Server:

When you do this, by default nslookup identifies the IP address and name of the DNS server that the local machine is configured to use, if any, and then goes to the > prompt. At this prompt, you can type either an IP address or a name, and the system attempts to resolve the IP address to a name or the name to an IP address.

The following are other queries you can run when troubleshooting name resolution issues:

  • You can look up different data types in a database (such as Microsoft records).

  • You can query directly from another name server (rather than the one the local device is configured to use).

  • You can perform a zone transfer.

In Linux the dig command is used to troubleshoot DNS. As a simple example, the following command displays all host (A) records in the domain:

$ dig

As another example, the command to request a zone transfer from the server (called DNS harvesting) is as follows:

$ dig axfr

This command requests a zone transfer from the DNS server named for the records for the domain.
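Restricting zone transfers to named servers, as described for Figure 9-7, pairs well with monitoring for transfer requests from anyone else, such as the dig request above. The following is an added example, not from the book or from any DNS product: it parses length-prefixed DNS queries as they appear on TCP port 53 and flags AXFR/IXFR requests from sources outside an allow list. The sample packets, addresses, and the `ALLOWED_SECONDARIES` list are constructed.

```python
import ipaddress
import struct

QTYPE_A = 1
QTYPE_IXFR = 251  # incremental zone transfer (RFC 1995)
QTYPE_AXFR = 252  # full zone transfer (RFC 1035)


def build_tcp_query(qname, qtype, txid=0x1A2B):
    """Construct a sample single-question query with the 2-byte TCP length prefix."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.split(".") if p)
    message = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(message)) + message


def parse_tcp_query(payload):
    """Return (qname, qtype) from a length-prefixed DNS query or raise ValueError."""
    if len(payload) < 2:
        raise ValueError("missing TCP length prefix")
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("question name runs past end of message")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + n > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels).lower(), qtype


def classify(src_ip, payload, allowed_secondaries):
    """Label one captured query: ordinary, authorized transfer, or alert."""
    try:
        qname, qtype = parse_tcp_query(payload)
    except ValueError as exc:
        return ("malformed", str(exc))
    if qtype not in (QTYPE_AXFR, QTYPE_IXFR):
        return ("ordinary-query", qname)
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(net) for net in allowed_secondaries):
        return ("authorized-transfer", qname)
    return ("ALERT-unauthorized-transfer", qname)


# Constructed sample traffic (documentation address ranges, not from the page).
ALLOWED_SECONDARIES = ["192.0.2.53"]
SAMPLE_EVENTS = [
    ("192.0.2.53", build_tcp_query("example.com", QTYPE_AXFR)),
    ("198.51.100.77", build_tcp_query("example.com", QTYPE_AXFR)),
    ("198.51.100.77", build_tcp_query("www.example.com", QTYPE_A)),
    ("198.51.100.77", build_tcp_query("example.com", QTYPE_AXFR)[:9]),
]


def run_sample():
    return [classify(src, data, ALLOWED_SECONDARIES) for src, data in SAMPLE_EVENTS]


if __name__ == "__main__":
    for (src, _), verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(src, verdict)
```
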

Search Engines

Search engines, such as Google, Yahoo, and Bing, can be used for gathering reconnaissance information. Search engine hacking involves using advanced operator-based searching to identify exploitable targets and sensitive data using the search engines. Some examples of hacker-friendly search engines are:

  • Shodan

  • IVRE

  • ZoomEye

  • Censys

Test Types

While it may seem to be an overwhelming job to maintain the security of a network, you can use many tools to do the job. Unfortunately, every tool that has a legitimate use may also have an illegitimate use. Hackers use these tools to discover, penetrate, and control networks, but you can use the same tools to ensure that attacks do not succeed. The following sections discuss some of the most common assessment tools.

Penetration Test

A penetration test (often called a pen test) is designed to simulate an attack on a system, a network, or an application. Its value lies in its potential to discover security holes that may have gone unnoticed. It differs from a vulnerability test in that it attempts to exploit vulnerabilities rather than simply identify them. Nothing places the focus on a software bug like the exposure of critical data as a result of the bug.

In many cases, one of the valuable pieces of information that comes from these tests is the identification of single operations that, while benign on their own, create security problems when used in combination. These tests can be made more effective when utilized with a framework like Metasploit or Canvas.

Penetration testing should be an operation that occurs at regular intervals, and its frequency should be determined by the sensitivity of the information on the network. Figure 9-8 shows an example of a vulnerability tool called Retina that can be integrated with the penetration testing tool Metasploit. In this output, you can see that the tool has identified eight serious problems (indicated by the upward-pointing arrows): weak encryption in Terminal Services, six weaknesses related to Oracle, and one weakness related to a virtualization product on the machine called Oracle VirtualBox.

A screenshot of the “Retina Community” window.

Figure 9-8 Retina Penetration Tester


The steps in performing a penetration test are as follows:

Step 1. Document information about the target system or device.

Step 2. Gather information about attack methods against the target system or device.

Step 3. Identify the known vulnerabilities of the target system or device.

Step 4. Execute attacks against the target system or device to gain user and privileged access.

Step 5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.

Both internal and external tests should be performed. Internal tests occur from within the network, while external tests originate outside the network and target the servers and devices that are publicly visible.

Strategies for penetration testing are based on the testing objectives defined by the organization. The strategies that you should be familiar with as a CASP candidate include the following:

  • Blind test: The testing team is provided with limited knowledge of the network systems and devices and performs the test using publicly available information only. The organization’s security team knows that an attack is coming. This test requires more effort from the testing team.

  • Double-blind test: This test is like a blind test, except the organization’s security team does not know that an attack is coming. This test usually requires equal effort from the testing team and the organization’s security team.

  • Target test: Both the testing team and the organization’s security team are given maximum information about the network and the type of test that will occur. This is the easiest type of test to complete but does not provide a full picture of the organization’s security.

Penetration testing is also divided into categories based on the amount of information provided to the testing team. The main categories that you should be familiar with are:

  • Zero-knowledge test: The testing team is provided with no knowledge regarding the organization’s network. The testing team can use any means at its disposal to obtain information about the organization’s network. This is also referred to as closed or black-box testing.

  • Partial-knowledge test: The testing team is provided with public knowledge regarding the organization’s network. Boundaries may be set for this type of test.

  • Full-knowledge test: The testing team is provided with all available knowledge regarding the organization’s network. This type of test is focused on what attacks can be carried out.

Black Box

Penetration testing can be divided into categories based on the amount of information to be provided. In black-box testing, or zero-knowledge testing, the team is provided with no knowledge regarding the organization’s network. The team can use any means at its disposal to obtain information about the organization’s network. This is also referred to as closed testing.

White Box

A team goes into the process of white-box testing with a deep understanding of the application or system. Using this knowledge, the team builds test cases to exercise each path, input field, and processing routine. In the case of a network, the team would have access to all network information, which the team could use and leverage in the test.

Gray Box

In gray-box testing, the team is provided more information than in black-box testing, while not as much as in white-box testing. Gray-box testing has the advantage of being non-intrusive while maintaining the boundary between developer and tester. On the other hand, it may uncover some of the problems that might be discovered with white-box testing.

Table 9-3 compares the three testing methods.


Table 9-3 Testing Methods

| Black Box | Gray Box | White Box |
|---|---|---|
| Internal workings of the application are not known. | Internal workings of the application are somewhat known. | Internal workings of the application are fully known. |
| Also called closed-box, data-driven, and functional testing. | Also called translucent testing, as the tester has partial knowledge. | Also known as clear-box, structural, or code-based testing. |
| Performed by end users, testers, and developers. | Performed by end users, testers, and developers. | Performed by testers and developers. |
| Least time-consuming. | More time-consuming than black-box testing but less so than white-box testing. | Most exhaustive and time-consuming. |

When choosing between black-, white-, and gray-box testing, consider the security implications of each. You should only allow white-box testing by very trusted entities, such as internal testers, as it exposes the code to the testers. Black-box testing would be more appropriate for untrusted entities, like third-party testers. Black-box testing should be done by a third party that is large enough to have the resources to use as many test cases as required and to test all code paths.

You should also consider the type of malicious behavior that you are trying to determine is possible. For example, if you are interested in determining the likelihood of an attack from outside the network, you should use a black-box test, since presumably anyone attempting that would have no internal knowledge of the application. On the other hand, if you are more interested in the types of attacks that may come from your own people, you might want to use gray-box testing, where the attacker would have some knowledge of the system.

Finally, you should consider the effect that the testing method may have on the network. While white-box testing has a low risk of impacting system stability, black-box testing has a higher likelihood of creating instability in the system.

Vulnerability Assessment

Regardless of the components under study (network, application, database, etc.), the goal of any vulnerability assessment is to highlight issues before someone either purposefully or inadvertently leverages the issue to compromise the component. The design of the assessment process has a great impact on its success. Before an assessment process is developed, the following goals of the assessment need to be identified:

  • The relative value of the information that could be discovered through the compromise of the components under assessment: This helps to identify the number and type of resources that should be devoted to the issue.

  • The specific threats that are applicable to the component: For example, a web application would not be exposed to the same issues as a firewall, due to the differences in their operation and positions in the network.

  • The mitigation strategies that could be deployed to address issues that might be found: Identifying common strategies may suggest issues that weren’t anticipated initially. For example, if you were doing a vulnerability test of your standard network operating system image, you should anticipate issues you might find and identify what technique you will use to address each.

A security analyst who will be performing a vulnerability assessment needs to understand the systems and devices that are on the network and the jobs they perform. Having this information will ensure that the analyst can assess the vulnerabilities of the systems and devices based on the known and potential threats to the systems and devices.

After gaining knowledge regarding the systems and devices, a security analyst should examine controls that are already in place and identify any threats against those controls. The security analyst will then use all the information gathered to determine which automated tools to use to analyze for vulnerabilities. Once the vulnerability analysis is complete, the security analyst should verify the results to ensure that they are accurate and then report the findings to management, with suggestions for remedial action. With this information in hand, threat modeling should be carried out to identify the threats that could negatively affect systems and devices and the attack methods that could be used.

In some situations, a vulnerability management system may be indicated. A vulnerability management system is software that centralizes and to a certain extent automates the process of continually monitoring and testing the network for vulnerabilities. Such a system can scan the network for vulnerabilities, report them, and in many cases remediate the problem without human intervention. While a vulnerability management system is a valuable tool to have, these systems, regardless of how sophisticated they may be, cannot take the place of vulnerability and penetration testing performed by trained professionals.

Keep in mind that after a vulnerability assessment is complete, its findings are a snapshot. Even if no vulnerabilities are found, the best statement to describe the situation is that there are no known vulnerabilities at this time. It is impossible to say with certainty that a vulnerability will not be discovered in the future.


While many organizations choose to have vulnerability and penetration tests performed by third parties, between these tests organizations should perform self-assessments. One of the most common methods used for this process is conducting tabletop exercises.

Tabletop Exercises

Conducting a tabletop exercise is the most cost-effective and efficient way to identify areas of vulnerability before moving on to higher-level testing. A tabletop exercise is an informal brainstorming session that encourages participation from business leaders and other key employees. In a tabletop exercise, the participants agree to determine a particular attack scenario upon which they then focus.

Internal and External Audits

Organizations should conduct internal and external audits as part of any security assessment and testing strategy. An audit should test all security controls that are currently in place. Some guidelines to consider as part of a good security audit plan include:

  • At minimum, perform annual audits to establish a security baseline.

  • Determine your organization’s objectives for the audit and share them with the auditors.

  • Set the ground rules for the audit before the audit starts, including the dates/times of the audit.

  • Choose auditors who have security experience.

  • Involve business unit managers early in the process.

  • Ensure that auditors rely on experience, not just checklists.

  • Ensure that an auditor’s report reflects risks that your organization has identified.

  • Ensure that the audit is conducted properly.

  • Ensure that the audit covers all systems and all policies and procedures.

  • Examine the report when the audit is complete.

Many regulations today require that audits occur. Organizations used to rely on Statement on Auditing Standards (SAS) 70, which provided auditors information and verification about data center controls and processes related to the data center users and their financial reporting. An SAS 70 audit was used to verify that the controls and processes set in place by a data center were actually followed. The Statements on Standards for Attestation Engagement (SSAE) Number 16 is a new standard that verifies the controls and processes and also requires a written assertion regarding the design and operating effectiveness of the controls being reviewed.

An SSAE 16 audit results in a Service Organization Control (SOC) 1 report. This report focuses on internal controls over financial reporting. There are two types of SOC 1 reports:

  • SOC 1 Type 1 report: This type of report focuses on the auditors’ opinion of the accuracy and completeness of the data center management’s design of controls, system, and/or service.

  • SOC 1 Type 2 report: This type of report includes the Type 1 report as well as an audit on the effectiveness of controls over a certain time period, normally between six months and a year.

Two other report types are also available: SOC 2 and SOC 3. Both of these audits provide benchmarks for controls related to the security, availability, processing integrity, confidentiality, or privacy of a system and its information. A SOC 2 report includes service auditor testing and results, and a SOC 3 report provides only the system description and auditor opinion. A SOC 3 report, which is for general use, provides a level of certification for data center operators that assures data center users of facility security, high availability, and process integrity. Table 9-4 briefly compares the three types of SOC reports.


Table 9-4 SOC Report Comparison

| Report Type | What It Reports On | Who Uses It |
|---|---|---|
| SOC 1 | Internal controls over financial reporting | User auditors and users’ controller office |
| SOC 2 | Security, availability, processing integrity, confidentiality, or privacy controls | Management, regulators, and others; shared under non-disclosure agreement (NDA) |
| SOC 3 | Security, availability, processing integrity, confidentiality, or privacy controls | Publicly available to anyone |

Color Team Exercises

Security analysts must practice responding to security events in order to react to them in the most organized and efficient manner. There are some well-established ways to approach this. This section looks at how teams of analysts, both employees and third-party contractors, can be organized and some well-established names for these teams.

Security posture is typically assessed using war game exercises in which one group attacks the network while another attempts to defend the network. These games typically have some implementation of the following teams:

  • Red team: This team acts as the attacking force. It typically carries out penetration tests by following a well-established process of gathering information about the network, scanning the network for vulnerabilities, and attempting to take advantage of the vulnerabilities. The actions this team can take are established ahead of time in the rules of engagement. Often these individuals are third-party contractors with no prior knowledge of the network. This helps them simulate attacks that are not inside jobs.

  • Blue team: This team acts as the network defense team. The attempted attack by the red team tests the blue team’s ability to respond to the attack. It also serves as practice for a real attack. This includes accessing log data, using a security information event management (SIEM) system, garnering intelligence information, and performing traffic and data flow analysis.

  • White team: This team is a group of technicians who referee the encounter between the red team and the blue team. Enforcing the rules of engagement might be one of the white team’s roles, along with monitoring the responses to the attack by the blue team and making note of specific approaches employed by the red team.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here and the practice exams in the Pearson IT Certification test engine.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 9-5 lists these key topics.

Table 9-5 Key Topics for Chapter 9

  • Examples of memory reading tools

  • Table 9-1: Runtime debugging tools

  • Forms of fingerprinting

  • Types of code reviews

  • Dangers presented using social media

  • The CHAP process

  • Table 9-2: DNS record types

  • Steps in performing a penetration test

  • Strategies for penetration testing

  • Penetration testing categories

  • Penetration testing approaches

  • Table 9-3: Testing methods

  • Goals of the assessment process

  • Audit guidelines

  • Types of SOC 1 reports

  • Table 9-4: SOC report comparison

  • Color team exercises


Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:



active fingerprinting

black box

blind test

blue team

Challenge-Handshake Authentication Protocol (CHAP)

Cisco Discovery Protocol (CDP)

code review

DNS harvesting

double-blind test

dynamic routing protocol

email review

formal review

full-knowledge test

gray box

lightweight review

malware sandboxing

memory dumping

open source intelligence (OSINT)

over the shoulder

pair programming

partial-knowledge test

passive fingerprinting

Password Authentication Protocol (PAP)

penetration test

Point-to-Point Protocol (PPP)

red team

rogue router

routing table

runtime debugging

social engineering

Statement on Auditing Standards (SAS) 70

static routing

tabletop exercise

target test

Type 1 report

Type 2 report

vulnerability test

white box

white team

zero-knowledge test

zone transfer

Review Questions

1. In which type of test is the tester provided with limited knowledge of the network systems and devices, does the tester perform the test using publicly available information only, and does the organization’s security team know that an attack is coming?

  • blind

  • target

  • double blind

  • fuzz

2. Which of the following is the process of using a programming tool to not only identify syntactic problems in code but also discover weaknesses that can lead to memory leaks and buffer overflows?

  • fuzzing

  • sandboxing

  • dumping

  • debugging

3. Which of the following is a technique used by hackers and pen testers alike to advance from the initially compromised host to other hosts on the same network?

  • port scanning

  • pivoting

  • APT

  • fuzzing

4. You would like to prevent the corruption of the routing tables in your network. Which of the following would be the best approach?

  • Implement CDP.

  • Configure CHAP between routers.

  • Implement sandboxing.

  • Disable CDP.

5. You need to identify zero-day malware. What technique could be used to help in this process?

  • fuzzing

  • deploying an HTTP interceptor

  • malware sandboxing

  • establishing a social media policy

6. You implemented a procedure whereby a testing team was provided with limited knowledge of the network systems and devices and could use publicly available information. The organization’s security team was NOT informed that an attack was coming. What type of test have you implemented?

  • double-blind test

  • target test

  • full-knowledge test

  • blind test

7. Which of the following testing types would you use if you wanted to spend the least amount of time on the test?

  • black box

  • gray box

  • white box

  • clear box

8. A group of your software developers just reviewed code while the author explained his reasoning. What type of code review have they just completed?

  • pair programming

  • over-the-shoulder

  • tool assisted

  • email

9. Recently your users were redirected to a malicious site when their DNS cache was polluted. What type of attack have you suffered?

  • phishing

  • shoulder surfing

  • pharming

  • Dumpster diving

10. What is the last step in performing a penetration test?

  • Gather information about attack methods against the target system or device.

  • Document information about the target system or device.

  • Execute attacks against the target system or device to gain user and privileged access.

  • Document the results of the penetration test and report the findings.
