
Vulnerability Identification and Validation

  • What to scan?

    • Asset criticality

      • How important is the asset?

      • Not everything is critical.

      • People

      • Tangible assets

      • Intangible assets

    • Asset and Inventory Tracking

      • Use a dedicated tool.

      • Type, model, SN, ID, location, user, value, service

      • Group by: usage, networks, sensitivity, outside connections, financial value, legal requirements, contractual obligations

    • Infrastructure Vulnerability Scanner

      • Not nmap (nmap maps ports and services; it does not assess vulnerabilities)

      • Scans hosts and network devices

      • Looks for vulns in:

        • OS version and patches

        • Services

        • Configuration

        • Network shares

        • User accounts

        • Weak security policies

      • Mapping and Enumeration

        • Inventory of devices, services, versions, plugins, etc.

      • Passive Scanning

        • Look for public info.

        • Capture network traffic

        • Don’t get involved!

        • Don’t interact with the target

        • Zero impact on network and services

        • Mostly undetectable by the target

      • Active Scanning

        • Directly interact with the target

        • Actively send requests and analyze answers

        • Visible and noisy

        • Can create performance issues and downtime

        • Easily detected

      • Credentialed Scan

        • Relies on a user account

        • Scanner logs into the targets

        • Performs checks using that account

        • Insider point of view

        • Highest level of detail provided

      • Non-Credentialed Scan

        • No user account

        • Outsider point of view

        • Best for perimeter scanning

        • Trial and error

        • Less accurate

        • Higher risk of downtime

      • Server-based scanning

        • Connect to the server and scan

        • Credentialed and non-credentialed

      • Agent-based scanning

        • Application, plugin, script installed on the server

        • Acts as a backdoor (entry point) for the scanning software

        • Advantages

          • Credentialed by default

          • Efficient resource usage

          • Works with offline devices

        • Disadvantages

          • Need to install and manage agents

          • Vulnerable backdoor

      • Segmentation: subnets, VLANs, VPNs. Can the scanner reach every segment? Consider using a dedicated management network.

      • Frequency of scanning

        • Keep in mind

          • Service degradation

          • Time constraints

          • Licensing limitations

        • So scan at least when

          • Something changes

          • Regulations say so

          • After a security breach

  • Choosing a scanner

    • Free vs paid?

    • General purpose or specialized?

    • Nessus – Paid; free for a limited number of hosts

    • OpenVAS – Fork of Nessus

    • Qualys – Cloud-based service with sensors installed on networks
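The asset-tracking and scan-frequency notes above can be turned into a small scan planner. This is an added example, not code from the notes or any scanner vendor; the asset fields, the 90-day regulated and 30-day critical-asset intervals, and the sample inventory are assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Asset:
    asset_id: str
    kind: str                       # type from the inventory tool (server, switch, ...)
    criticality: int                # 1 (low) .. 5 (critical); not everything is critical
    network: str                    # segment/VLAN the scanner must be able to reach
    regulated: bool = False         # subject to a regulatory scanning interval
    last_scan: Optional[date] = None
    changed_since_scan: bool = False

# Policy values are assumptions for this example, not from the notes.
REGULATED_INTERVAL = timedelta(days=90)
CRITICAL_INTERVAL = timedelta(days=30)

def scan_reasons(asset: Asset, today: date, breach: bool = False) -> List[str]:
    """Return why an asset is due: never scanned, a change, a regulation, or a breach."""
    reasons = []
    if asset.last_scan is None:
        reasons.append("never scanned")
    if asset.changed_since_scan:
        reasons.append("something changed")
    if breach:
        reasons.append("after a security breach")
    if asset.last_scan is not None:
        age = today - asset.last_scan
        if asset.regulated and age >= REGULATED_INTERVAL:
            reasons.append("regulatory interval")
        if asset.criticality >= 4 and age >= CRITICAL_INTERVAL:
            reasons.append("critical asset interval")
    return reasons

def plan_scans(assets: List[Asset], today: date, breach: bool = False
               ) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group due assets by network segment (reachability is per segment),
    most critical first, so each scan window is bounded and prioritised."""
    crit = {a.asset_id: a.criticality for a in assets}
    plan: Dict[str, List[Tuple[str, List[str]]]] = {}
    for a in assets:
        reasons = scan_reasons(a, today, breach)
        if reasons:
            plan.setdefault(a.network, []).append((a.asset_id, reasons))
    for net in plan:
        plan[net].sort(key=lambda item: -crit[item[0]])
    return plan

# Constructed sample inventory for the example.
SAMPLE_ASSETS = [
    Asset("db01", "server", 5, "dmz-db", regulated=True, last_scan=date(2024, 1, 1)),
    Asset("ws17", "workstation", 1, "office", last_scan=date(2024, 5, 20)),
    Asset("sw03", "switch", 3, "mgmt", last_scan=date(2024, 5, 1), changed_since_scan=True),
    Asset("new01", "server", 2, "office"),
]
```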
