CompTIA CASP+ CAS-004 – Chapter 06 – Utilizing Security Assessments and Incident Response Part 2
- Public Information
Much of what an attacker can determine in the reconnaissance phase before an attack is based on public information. We’ve mentioned this a couple of times, but organizations need to evaluate how much public information is available about them, and that means working through the various technical sources. So we’re going to talk about a few of these. WHOIS is a protocol used to query databases holding information about the owners of Internet resources: domain names, IP address blocks, and autonomous system numbers (ASNs), which identify the independently administered networks that exchange routes with each other on the Internet. There is a lot of detail in that data that can enhance an attack on a network. WHOIS was originally developed as a command-line application, but it now exists in web-based tools as well. Law enforcement considers it important; they say WHOIS is a valuable tool for investigating spamming and phishing violations. ICANN, on the other hand, has called for replacing the system, because it doesn’t keep registrant information private.
Instead, ICANN, the Internet Corporation for Assigned Names and Numbers, would like a system that discloses registrant information only for permissible purposes. The WHOIS database contains a number of pieces of information which, in the wrong hands, could be used to disastrous effect. Another piece of information that may be accessible is routing tables. This one may sound odd, because it isn’t public information in the same sense as the others: I can’t find a routing table with an Internet search engine or on a website. But the routers that hold these tables are connected to the Internet, and a routing table describes every IP network the router knows how to reach, which is exactly what layer three forwarding depends on. The problem is that most of these routers use dynamic routing protocols, which means they both expect routing updates from their neighbors and respond to requests for routing information; they have that capability built in.
With static routing that wouldn’t be the case. If dynamic routing isn’t enabled on an interface, the router won’t talk to other routers there, and I would have to get remote access to the system, compromising login credentials, to view that information. With dynamic routing protocols, routing update traffic may be captured because these systems answer, and an attacker can gain valuable information about the layout of the network. Cisco devices in particular run a proprietary layer two protocol, Cisco Discovery Protocol (CDP), which Cisco routers and switches use to tell each other about their platform, software version and addresses. If CDP packets are captured, that’s even more information to help map the network in preparation for an attack. Another alternative is for the attacker to introduce a rogue router and exchange routing updates with a legitimate company router; the updates it receives reveal everything in the routing tables, and with that I have what I need to map out the network. So how do you prevent that type of attack?
Well, the easiest way is to configure your routers with authentication. If your routers use dynamic routing protocols, they should not respond to anyone who asks; they should authenticate every router with which they exchange information. OSPF, EIGRP, RIPv2 and BGP all support this: the neighbors share a key, each update carries an MD5 or, preferably, HMAC-SHA keyed hash computed over the update with that key, and updates without a valid hash are dropped, so a rogue router never gets an adjacency. PAP and CHAP, which we discussed in previous sections, are a different mechanism: they authenticate a PPP point-to-point link, not routing updates. Where you do use them, choose CHAP; the Password Authentication Protocol is much older and sends the password in plain text, while the Challenge Handshake Authentication Protocol uses a challenge string and a hash so the secret never crosses the wire. Beyond authentication, make interfaces with no legitimate neighbors passive so they neither send nor accept updates, and disable CDP on interfaces that face untrusted segments.
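As an added example, not from the course or from Cisco’s documentation, here is what that looks like on a Cisco IOS router: first the unauthenticated OSPF configuration an attacker’s rogue router could peer with, then the hardened version. Interface names, addressing, the area number and the key name are assumptions. Newer IOS releases also accept a key chain with an HMAC-SHA algorithm in place of the MD5 key shown here, which is preferable where the platform supports it.

```text
! Added example for this lecture (not Cisco's documentation or a real device).
! Interface names, addresses, area number and key name are assumptions.

! --- Weak: any device on these segments can form an OSPF adjacency and
!     receive the full routing table; CDP advertises platform details to all.
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
cdp run

! --- Hardened: updates must carry a keyed hash, interfaces with no
!     legitimate neighbour are passive, CDP is off where untrusted hosts sit.
router ospf 1
 router-id 10.255.0.1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.0.0.0 0.255.255.255 area 0
!
interface GigabitEthernet0/0
 description Uplink to core router (trusted OSPF neighbour)
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <strong-shared-secret>
!
interface GigabitEthernet0/1
 description User LAN - no routing neighbours here
 no cdp enable
!
! Verify the adjacency still forms with the real peer and that a rogue
! router without the key does not:
!   show ip ospf neighbor
!   show ip ospf interface GigabitEthernet0/0
!   debug ip ospf adj
```

After the change, `show ip ospf neighbor` should still list the core router in FULL state, while hellos from a device that lacks the key are rejected with an authentication mismatch, which `debug ip ospf adj` will log. The passive-interface default means a new interface added later is safe until someone deliberately opens it.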
Another repository of very valuable information about your network is DNS records. DNS, the Domain Name System, is how we resolve user-friendly host names to numeric IP addresses, so it serves a very useful purpose in the real world. Everybody uses domain names, and so these names have to be publicly resolvable. When somebody wants to send you email, they look up the MX record for your domain; it has to be publicly accessible, right? When somebody wants to reach your web server, they resolve an A record, a CNAME record, or both.
We identify the authoritative name servers for a domain with NS records and the SOA record. This repository of information is something you really can’t avoid. Now, you can keep private DNS records private: keep the internal zone separated from the Internet by a firewall and ensure inbound DNS queries to your internal servers are never allowed, the split-DNS approach. But the public records are simply going to be public, so we need to evaluate what information is listed there. There are a number of record types; it’s likely that some of you already know them, but let’s hit them quickly. An A record, also called a host record, maps a single name to an IPv4 address. The IPv6 version is the AAAA (quad-A) record: again a single name, the only difference being that it holds an IPv6 address. A CNAME is an alias.
You create a CNAME record and point it at a name that already has an A record. A good example is www; often there’s no server actually called www, so we just create a CNAME. That’s one approach; you don’t have to do it that way. NS identifies the name servers for a DNS domain. MX is the mail exchanger record, which identifies the domain’s SMTP servers. SOA, start of authority, is the first record in a zone: it names the primary name server for the zone and the administrator’s contact address, and carries the serial number and timers that secondary servers use to stay in sync. The process of obtaining DNS records for reconnaissance purposes is called DNS harvesting.
So if I’m trying to map out the network, I’m going to do DNS harvesting if it’s possible, and the most complete way to do that is a zone transfer. There are several other ways as well. I can use traceroute (tracert on Windows, traceroute on Unix and Linux), which traces the path of a packet from source to destination. As it lists each hop, it typically does a reverse lookup and shows the name of each router, so if those reverse (PTR) records exist, the output gives me the names of some of the routers along the path. Not every hop will respond, but typically the path gets me most of the way there.
A simple lookup with nslookup or dig tells me about a single host, and a traceroute is more effective because it shows me the steps along the way, but the zone transfer is the prize. A zone transfer is the copying of a zone from one DNS server to another, and it is a legitimate process whenever multiple DNS servers are responsible for a single domain. Internally, where a zone can contain hundreds or thousands of records, we often have multiple DNS servers to facilitate queries for that domain, so zone transfers happen: the secondary (server B) contacts the primary (server A) and requests a transfer of any changes, because dynamic updates from clients are only written to one server and then have to be replicated to the others. Public authoritative servers do the same thing between the primary and its secondaries, but there is no legitimate reason for anyone else to request one. At one time, getting a zone transfer from the outside was pretty simple. It’s more difficult now, because it’s very easy to configure DNS servers to allow zone transfers only with particular machines.
In Windows, it’s also possible to use an Active Directory-integrated zone, which doesn’t use the standard zone transfer process at all and instead replicates the zone between domain controllers. This is a well-known issue, and because it’s well known, vendors have taken steps to lock down their DNS software; restricting transfers is definitely something we should do. You can go through and see what kind of information can be obtained with traceroute, what can be obtained from your routers, and what can be obtained from your public DNS, by using various websites or just nslookup commands. On Linux, the command used to troubleshoot DNS is dig. So: nslookup on Windows, dig on Linux.
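Here, as an added example that is not part of the course, is the kind of review the section is recommending: take the records your public zone publishes and look at them the way an attacker harvesting DNS would. It parses a constructed zone in BIND master-file format (the example.test domain and the documentation address ranges; nothing here belongs to a real organization), follows CNAME aliases down to addresses, and flags two things that help map an internal network: RFC 1918 and IPv6 ULA/link-local addresses leaked into a public zone, and host names that describe the role of the machine. The list of role words is an assumption you would tune for your own environment.

```python
"""Review what a public DNS zone discloses to a reconnaissance attacker.

Added example (not part of the course material). Parses a constructed zone in
BIND master-file format, resolves CNAME chains, and flags records that help an
attacker map the network.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample zone. example.test, 203.0.113.0/24 and 2001:db8::/32 are
# reserved documentation names and ranges; no real organisation is described.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@           3600 IN SOA   ns1 hostmaster 2024010101 7200 3600 1209600 300
@           3600 IN NS    ns1
@           3600 IN NS    ns2
@           3600 IN MX 10 mail
ns1         3600 IN A     203.0.113.10
ns2         3600 IN A     203.0.113.11
mail        3600 IN A     203.0.113.25
web01       3600 IN A     203.0.113.80
web01       3600 IN AAAA  2001:db8::80
www         3600 IN CNAME web01
vpn         3600 IN A     203.0.113.44
dc01        3600 IN A     10.0.5.20
fw-core     3600 IN A     192.168.1.1
dev-jenkins 3600 IN A     203.0.113.90
"""

# Address space that should never appear in a public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Role-revealing words an attacker searches for in host labels (assumed list).
ROLE_WORDS = re.compile(r"(dev|test|stag|vpn|dc\d|fw|jenkins|admin|sql|backup)", re.I)


def fqdn(name, origin):
    """Turn a relative owner or target name into an absolute name under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, rtype, rdata) tuples from a simple zone file."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        owner = fqdn(owner, origin)
        if rtype in ("CNAME", "NS"):
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], fqdn(rdata[1], origin)]   # preference, exchange
        elif rtype == "SOA":
            rdata = [fqdn(rdata[0], origin)] + rdata[1:]  # primary master first
        records.append((owner, rtype, rdata))
    return records


def resolve(records, name, depth=0):
    """Follow CNAME aliases to the set of A/AAAA addresses behind a name."""
    if depth > 8:                                 # guard against CNAME loops
        return set()
    addrs = set()
    for owner, rtype, rdata in records:
        if owner != name:
            continue
        if rtype in ("A", "AAAA"):
            addrs.add(rdata[0])
        elif rtype == "CNAME":
            addrs |= resolve(records, rdata[0], depth + 1)
    return addrs


def is_internal(ip):
    """True if the address falls in private (RFC 1918) or ULA/link-local space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(records):
    """Summarise the attacker-relevant view of the zone."""
    hosts = defaultdict(set)
    for owner, rtype, _ in records:
        if rtype in ("A", "AAAA", "CNAME"):
            hosts[owner] |= resolve(records, owner)
    return {
        "name_servers": sorted(r[2][0] for r in records if r[1] == "NS"),
        "mail_servers": sorted(r[2][1] for r in records if r[1] == "MX"),
        "primary_master": next(r[2][0] for r in records if r[1] == "SOA"),
        "hosts": {h: sorted(ips) for h, ips in hosts.items()},
        "private_ip_leaks": sorted(h for h, ips in hosts.items() if any(map(is_internal, ips))),
        "role_revealing_names": sorted(h for h in hosts if ROLE_WORDS.search(h.split(".")[0])),
    }


if __name__ == "__main__":
    for key, value in audit(parse_zone(SAMPLE_ZONE)).items():
        print(f"{key}: {value}")
```

Run against your own zone (dump it with `dig @your-ns example.com AXFR` from a host that is allowed to transfer, or export it from the DNS console) and look at the last two lists first: a private address in a public zone tells an attacker your internal numbering plan, and names like dc01 or dev-jenkins tell them where to aim.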
MXToolbox.com is a great public website that can analyze all the different DNS records for a public domain, so you could take a look at that. The last item here is search engines. Google, Yahoo and Bing can all be used to gather reconnaissance information. Search engine hacking, often called Google hacking or dorking, uses advanced operators such as site:, filetype: and inurl: to identify exploitable targets and exposed sensitive data. Beyond the general-purpose engines there are hacker-friendly search engines that index hosts, open ports and service banners rather than web pages; Shodan, IVRE, ZoomEye and Censys are examples.
- Demo – Accessing Public Information
In this demonstration, we’re going to look at how to go about accessing public information about a company as it relates to security and some of the things we’ve been talking about. So first off, WHOIS. You can see that you have WHOIS.net, and you have the official ICANN WHOIS lookup for generic domains. You can put in any domain name that you want. Let’s do inscompliance.com and do a lookup on that. That’s a business here. And again, this is something that is available to everybody, so it doesn’t really hurt that I’m using legitimate companies as opposed to just random domain names, because everybody can do this. That’s kind of the point of the whole section: show me the results, show me what is out there, who registered it and so on. So the registrar is GoDaddy.com.
And there’s the contact information. We’ve got the name servers, and then down here the actual raw WHOIS record. Now in this case it looks like there was a proxy of sorts; the registration is private because it was done by Domains By Proxy, and the street, city and state shown are in Arizona. Well, this is actually a company that’s not in Arizona, so they’ve gone about it the right way and hidden their information. Let’s check somebody else; do the CAPTCHA, make sure we’re not a robot again. This is the official ICANN site. Now you might be able to get some additional information somewhere else. See, they have redacted a lot of this for privacy reasons. So remember we said something about ICANN trying to do this, and there we go: that’s all redacted. So let’s go out of ICANN’s website and back to the original Google search. I don’t necessarily want just domain lookups.
And that’s maybe what this is. WHOIS.net looks like it’s just telling me whether my domain name is taken or not. But we’ll compare, because there are some other places where you might be given some additional information. So this is just telling you, it looks like, the same stuff. And yeah, this is just a domain purchase site, but you’ll often get the WHOIS lookup information there as well. Let’s go down here. Okay. A lot of these are going to be very similar: Network Solutions, GoDaddy, whois.com. As you can see, I may have just picked a couple that are kind of cleaning this up a little bit. I was just checking, without using ICANN, to see whether that in fact is the case, because ICANN is definitely trying to clean things up and not give out nearly as much information, apparently. I didn’t like that. Let’s do that search again. Okay. And in this case, okay, that’s even showing me less.
Sorry, I thought Network Solutions showed me more than that. So we’ll move on to DNS and MXToolbox. MXToolbox sounds like it’s just going to be doing DNS lookups for SMTP servers, but it actually goes beyond that. So incompliance.com, and you can hit MX Lookup; that kind of gets the process started. This is an actual customer domain, and it’ll show me the MX records and what their values are. I know in this case they use Office 365, so it’s pointed at Office 365. But then we can go here and do a number of things. Notice that actually everything I might need is right here, like the WHOIS lookup. So I don’t know.
They may change the name of this at some point from MXToolbox, but I think it’s so well known that you’re unlikely to see that. There you’ve got a lot of that same information that you can obtain from here, and then we’ve got all kinds of other DNS lookups. We can just do a DNS lookup, which tells me who is actually hosting that domain name. But I can also look at particular record types. SRV records identify services. DNS Check. I think there was another one here; if I went... or maybe it was just DNS Lookup.
Yeah, we can get to a quick page where you’re looking for just about anything you can find, all in one page. You just plug in the domain name and you can obtain that information fairly easily. Okay, so as I said, we might be doing this from a support perspective, but there are tools out there to help you do some reconnaissance, and all of this information is publicly accessible. So you want to make sure you are aware of what is available to the general public in regards to your organization.
- Penetration Test
It might seem to be a slightly overwhelming job to maintain the security of the network, but you can use many tools to do the job. Unfortunately, every tool that has a legitimate use may also have an illegitimate use. So hackers use these same tools to discover, to penetrate, to control networks, but you can use them to make sure the attackers don’t succeed. And so we want to think like the attacker and we want to then use some of the same tools as those attackers. So we’re going to be taking a look at different test types and then moving on to different test tools. We’ll start with the types, though. The penetration test is the first one, often just called a pen test.
It’s designed to simulate an attack on a system, a network, or an application, and the value lies in the potential to discover security holes that may have gone unnoticed. It’s different from a vulnerability assessment because it actually attempts to exploit vulnerabilities. We’re not just looking to identify them, we’re trying to exploit them, because, to be honest, nothing places the focus on a software bug like the exposure of critical data as a result of that bug. In a lot of cases, one of the most valuable findings from these tests is the identification of individual operations that look benign on their own but create security problems when used in combination. If you use a framework like Metasploit or Immunity CANVAS, these tests can be even more effective. Pen testing should happen at regular intervals; how often is determined by the sensitivity of the information on the network. It is important that you test internally as well as externally, and that you do so regularly. Internal tests are run from within the network. External tests originate outside the network and only target servers and devices that are publicly reachable.
Let’s talk about some of the pen testing strategies you need to be familiar with for the CASP exam. The first is blind testing. In a blind test, the testing team is provided with limited knowledge of the network’s systems and devices, basically just publicly available information, while the organization’s security team knows the attack is coming. This one takes more effort from the testing team. A double-blind test is like a blind test, except the organization’s security team does not know the attack is coming, so it generally requires about equal effort from both teams. In a targeted test, both the testing team and the organization’s security team are given as much information as possible about the network and the type of test that will occur. This is the easiest one to complete, but because of the knowledge behind it, it doesn’t give a full picture of organizational security.
Pen testing is also divided into categories based on the amount of information provided to the testing team. Some of that is implied by the blind, double-blind and targeted tests, but we break it out a little more. The first is black box testing, also called the zero-knowledge or closed test, in which the testing team has no knowledge of the organization’s network. They can use any means at their disposal to get that information, typically starting with publicly accessible sources, but they begin with zero knowledge.
The partial knowledge test is where the testing team is provided with some knowledge of the organization’s network beyond what is public, and the scope is usually bounded so the test stays within agreed limits. Then you have the full knowledge test. These go by different names: black box is zero knowledge, while white box and gray box are a bit different. White box means the team goes into the testing process with a deep understanding of the application or system; mapped onto the levels of knowledge, it corresponds to full knowledge.
Using that knowledge, they build test cases to exercise each code path, particular input fields, and the routines they intend to hit. In the case of a network, they have access to all the network information and can leverage it in the test. Gray box is the middle ground: the team is given more information than in black box testing but not as much as in white box testing. The advantage of gray box is that it is non-intrusive while maintaining the boundary between the developer and the tester, and it may still uncover some of the problems white box testing would find, with a smaller level of knowledge. All right, so those are the three types of penetration testing used in today’s organizations.
- Vulnerability Assessment
- Assessment Styles
There are some other assessment styles we need to discuss. We’ve just been talking about general testing: vulnerability assessments, pen testing, et cetera. This is more about who’s going to be responsible. A lot of organizations choose to have vulnerability and penetration testing done by third parties, so it’s those outside organizations that perform the tests, but there are self-assessments that can be done as well. It is very useful to use third-party companies; those individuals are highly trained and good at what they do. I have a family member, actually, who does this for a contracting company that’s brought in. So that’s very useful, but we should also be doing them internally.
One of those options is the tabletop exercise. It’s probably the most cost-effective and efficient way to identify areas of vulnerability before moving to a higher level of testing. Essentially, a tabletop exercise is an informal brainstorming session, one that encourages participation from a number of different places: key employees, business leaders. The participants agree on a particular attack scenario and then walk through it, focusing on how the organization would respond. We should also be conducting internal and external audits as part of any assessment and testing strategy.
The audit should test all your security controls and make sure everything currently in place is legitimate and working. There are a lot of recommendations when it comes to auditing, but at a minimum you should do annual audits to establish security baselines. We need auditors with good security experience. We need management involved early in the process. To be most effective, your auditors should rely on experience rather than just going through a checklist. And the audit should be conducted properly.
It should cover all systems, policies and procedures, and it should be reported on and reviewed after the fact. Mind you, a lot of regulations today require that audits occur, so organizations have to go through this; it isn’t optional. Those are just a few notes about audits. The next type of assessment is the color team exercise. Color team exercises use three teams. This is essentially a war game, where one group attacks the network while another tries to defend it. The teams of analysts can include both employees and third-party contractors, and the teams have well-established names.
The Red Team is the attacking force, so it carries out penetration testing: scanning the network for vulnerabilities and then trying to exploit them. The actions the Red Team is permitted to take are established ahead of time in the rules of engagement. The Blue Team is the network defense team; they try to detect and respond to the Red Team’s attacks.
That’s very beneficial in identifying how an attacker is going to come at the network and how we can combat it, and it also serves as practice for a real attack. Blue Team work typically includes reviewing log data, using security information and event management (SIEM) systems, and doing traffic and data flow analysis. The White Team is the group of technicians who referee the encounter between the Red and Blue Teams, setting the rules and scoring the exercise. All right, so it sounds kind of fun.
And yeah, from a security perspective, it’s very cool when an organization takes part in those types of assessments. Alongside the internal exercises, we also mentioned the external, formal audits that need to be done and are regulated in a lot of situations. So those are the different assessments and assessment styles. Moving forward, we’ll take a look at various assessment tools.
- Topic B: Security Assessment Tools
In this topic, we’re going to look at the different options you have for security assessment tools: the types of tools that perform security assessments on networks, such as port scanners, vulnerability scanners, protocol analyzers, fuzzers, enumerators, et cetera.
We’ve got host tools, and we’ve got physical security tools as well. Your knowledge and understanding of these tools is really going to help you use them to ensure the security of your network.
- Network Tool Types
Most people think only in terms of the network when they consider security assessments, but security assessments encompass a lot more than that. If you only looked at network security, you would leave major vulnerabilities unexamined. It can be argued that without sufficient physical security, network security can’t be achieved. With a defense-in-depth strategy we have to consider the network layer, the host layer and the physical layer, so we’ll look at all of those. We’re going to start with the network, because before you can secure a network you have to determine where the weaknesses exist, and the only way to do that is to make an honest assessment of the current state of the network.
Because there are a number of different types of weaknesses that can exist on the network, there are a number of different assessments that should be used. The port scanner is probably the simplest. It’s used to identify open ports on target systems. Typically the scanner first uses ICMP echo (ping) or ARP to discover which hosts are alive, and then probes each live host’s TCP and UDP ports. ICMP itself has no port numbers, so the port probes are TCP connection attempts (a full connect or a half-open SYN scan) and UDP datagrams. What do open ports indicate? Services that may be running on a device, listening, and susceptible to attack. A port scan works through every address and port combination in scope and records which ports answer on each device: a TCP SYN/ACK means open, a RST means closed, and no answer at all usually means a firewall is filtering the probe. One of the most widely used port scanners is the Network Mapper, Nmap.
It’s free and open source, can be used for network discovery and security auditing, has a GUI front end called Zenmap, and will identify individual hosts and the ports that are open on each. Whereas a port scanner can only discover open ports, a vulnerability scanner probes for a variety of security weaknesses: misconfigurations on the device, out-of-date software, missing patches, open ports. Network vulnerability scanners scan the entire network. One of the most commonly used is Nessus. It’s free of charge for personal use in a non-enterprise environment (Nessus Essentials, limited to 16 IP addresses) and licensed for enterprise use. It looks at particular machines and shows you certificate-related issues, default configurations and so on; it goes well beyond ports.
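An added example, not from the course or from Nmap, showing what a connect scan actually does and why ICMP alone cannot find ports: each TCP port gets a connection attempt, and the kernel’s reply tells you whether it is open (the handshake completes), closed (a RST comes back, surfacing as ConnectionRefusedError) or filtered (nothing comes back before the timeout). To keep it runnable offline, it starts its own throwaway listener on loopback that returns a constructed SSH-style banner; the banner text and the use of ephemeral ports are assumptions, and against a real target you would substitute the host and port list.

```python
"""TCP connect scan with open/closed/filtered classification.

Added example (not part of the course and not Nmap code). Mirrors what
`nmap -sT` does for each port, plus a simple banner grab on open ports.
"""
import socket
import threading

# Constructed banner the throwaway listener returns; not from any real host.
FAKE_BANNER = b"SSH-2.0-OpenSSH_9.6 (constructed sample)\r\n"


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral port to act as the target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                      # listener was closed
            with conn:
                try:
                    conn.sendall(FAKE_BANNER)   # real services often speak first
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Find a port nothing is listening on: bind, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Classify one TCP port the way a connect scan does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return {"state": "closed", "banner": ""}    # RST: host up, no listener
        except OSError:
            return {"state": "filtered", "banner": ""}  # timeout/unreachable: dropped
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except OSError:
            banner = ""                                # open port that stayed silent
        return {"state": "open", "banner": banner}


def scan(host, ports, timeout=0.5):
    """Connect-scan a list of ports and return {port: result}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        for port, result in scan("127.0.0.1", [open_port, reserve_closed_port()]).items():
            print(port, result)
    finally:
        srv.close()
```

A connect scan is noisy because it completes the handshake and shows up in the target’s application logs; Nmap’s default SYN scan (-sS) needs raw sockets and stops after the SYN/ACK, which is why it requires root. The classification logic is the same either way.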
The vulnerabilities go well beyond ports, so we should be using a vulnerability scanner that goes beyond them too. Protocol analysis is next. This is the concept known as sniffing, which is the process of capturing packets for later analysis. Sniffing done maliciously is referred to as eavesdropping, but it isn’t necessarily malicious; it’s just capturing packets. The idea is that when someone attaches or inserts a device or software into the communication medium, they can collect all of the information transmitted over that medium.
They’re collecting raw packets from the network, and both legitimate security professionals and attackers use sniffers. The fact that a sniffer does its job without transmitting anything onto the network is an advantage when the tool is used legitimately and a serious disadvantage when it’s used against you, because you cannot tell that your packets are being captured. Where possible we want to monitor and limit the use of packet sniffers, and to render them useless you should encrypt traffic.
One of the most widely used packet sniffers on a wired network is Wireshark. It pulls raw packets off the interface and lets you examine each packet. If the data is encrypted you will not be able to read it, but if it is unencrypted you will. Wireshark works with both wired and wireless networks. There are other protocol analyzers out there as well. Microsoft used to have Network Monitor; it was succeeded by the Microsoft Message Analyzer, a freely downloadable utility for Windows machines.
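To show what "pulling raw packets off the interface" actually exposes, here is an added example (not part of the course material, and not Wireshark's code) that decodes a constructed Ethernet/IPv4/TCP frame the way a protocol analyzer does. The two frames, the addresses, and the HTTP request inside them are all built inline for the example; one carries cleartext HTTP, the other a TLS application-data record whose contents the sniffer cannot interpret.

```python
import struct
from dataclasses import dataclass

# Constructed sample traffic (no real capture): a cleartext HTTP request and a
# TLS 1.2 application-data record with opaque (ciphertext-like) bytes.
HTTP_REQUEST = b"GET /login HTTP/1.1\r\nHost: intranet.example\r\nCookie: session=constructed-sample\r\n\r\n"
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0xE0, 0x100))


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Assemble Ethernet + IPv4 + TCP headers around `payload` (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


@dataclass
class Decoded:
    src: str
    dst: str
    src_port: int
    dst_port: int
    payload: bytes
    readable: bool  # True when the payload is cleartext the analyst can read directly


def is_cleartext(payload: bytes) -> bool:
    """Heuristic: printable ASCII (plus CR/LF/TAB) is readable; anything else is opaque."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_frame(frame: bytes) -> Decoded:
    """Walk the headers like a protocol analyzer and expose the TCP payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are decoded in this example")
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]   # IPv4 total length
    proto = frame[23]
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    if proto != 6:
        raise ValueError("only TCP segments are decoded in this example")
    tcp_start = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_offset = (frame[tcp_start + 12] >> 4) * 4     # TCP header length in bytes
    payload = frame[tcp_start + data_offset:14 + total_len]
    return Decoded(src_ip, dst_ip, src_port, dst_port, payload, is_cleartext(payload))


if __name__ == "__main__":
    for port, data in ((80, HTTP_REQUEST), (443, TLS_RECORD)):
        d = decode_frame(build_frame(51234, port, data))
        print(f"{d.src}:{d.src_port} -> {d.dst}:{d.dst_port} readable={d.readable}")
```

The point the decoder makes is the one in the lecture: the headers are always visible to whoever holds the capture, so monitoring for sniffers still matters, but encrypting the payload is what takes the session cookie out of the capture.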
- Security Content Automation Protocol (SCAP)
The Security Content Automation Protocol (SCAP) is a standard the security automation community uses to enumerate software flaws and configuration issues. It standardizes the nomenclature and the formats that are used, so a vendor of these types of automation products can obtain validation against SCAP to demonstrate that its product will interoperate with other scanners and express scan results in a standardized way. If you are going to understand SCAP, you have to understand its various components.
Those include the Common Configuration Enumeration (CCE), configuration best-practice statements maintained by NIST, the National Institute of Standards and Technology; the Common Platform Enumeration (CPE), a method for describing and classifying operating systems, applications, and hardware devices; the Common Weakness Enumeration (CWE), design flaws in the development of software that can lead to vulnerabilities; Common Vulnerabilities and Exposures (CVE), vulnerabilities in published operating systems and application software; and the Common Vulnerability Scoring System (CVSS), a system for ranking discovered vulnerabilities based on predefined metrics.
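To make the CPE component concrete, here is an added example (not from the course) that parses CPE 2.3 formatted strings, a syntax the transcript does not spell out, and matches a constructed asset inventory against a pattern describing affected platforms, which is the kind of matching a SCAP-validated scanner performs. The vendor and product names are made up; the field order is assumed from the CPE 2.3 naming specification.

```python
import re

# Field order of a CPE 2.3 formatted string (assumption from the CPE 2.3 naming
# specification; the lecture only says what CPE is for).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}


def parse_cpe23(cpe: str) -> dict:
    """Split 'cpe:2.3:part:vendor:product:...' into its 11 named components."""
    fields = re.split(r"(?<!\\):", cpe)  # a colon escaped as '\:' stays inside its field
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    parsed = dict(zip(CPE_FIELDS, fields[2:]))
    if parsed["part"] not in PART_NAMES:
        raise ValueError(f"unknown part {parsed['part']!r}")
    return parsed


def field_matches(pattern: str, value: str) -> bool:
    """'*' means ANY on either side; otherwise the values must agree (case-insensitively)."""
    if pattern == "*" or value == "*":
        return True
    return pattern.lower() == value.lower()


def cpe_matches(pattern: str, candidate: str) -> bool:
    p, c = parse_cpe23(pattern), parse_cpe23(candidate)
    return all(field_matches(p[f], c[f]) for f in CPE_FIELDS)


def affected_assets(pattern: str, inventory: list) -> list:
    """Return the inventory entries that fall under an affected-platform pattern."""
    return [asset for asset in inventory if cpe_matches(pattern, asset)]


# Constructed inventory: one OS, two versions of a web application, one hardware device.
INVENTORY = [
    "cpe:2.3:o:examplevendor:exampleos:10.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:webportal:2.1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:webportal:2.2.0:*:*:*:*:*:*:*",
    "cpe:2.3:h:examplevendor:edgerouter:-:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    pattern = "cpe:2.3:a:examplevendor:webportal:2.1.0:*:*:*:*:*:*:*"
    for asset in affected_assets(pattern, INVENTORY):
        print(PART_NAMES[parse_cpe23(asset)["part"]], asset)
```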
It ensures that the most critical vulnerabilities can be easily identified and addressed once testing is complete. Scores are awarded on a scale of zero to ten, with zero being no issues and ten being critical. We also look at different metric groups as part of CVSS, which we will identify here shortly.
- Common Vulnerability Scoring System (CVSS)
So let's take a look at those metric groups. The base metric group includes characteristics of a vulnerability that are constant over time and across user environments. Among those you have the access vector (AV), which describes how an attacker would reach the vulnerability. There are three possible values. L for local means the attacker would have to have physical or logical access to the affected system. A for adjacent means they have to be on an adjacent network, that is, on the local network.
N for network means the attacker can exploit the vulnerability from any network. Then you have AC, access complexity, which describes the difficulty of exploiting the vulnerability. There are three possible values: high, medium, and low. High means special conditions that are hard to find are required in order to exploit it; medium means somewhat special conditions; low means the vulnerability does not require any special conditions. Au, authentication, describes the authentication the attacker would have to get through to exploit the vulnerability: M for multiple means two or more authentication methods, S for single, and N for none, meaning no authentication stands in the way.
The A metric, availability, describes the disruption that can occur if the vulnerability is exploited. There are three possible values: N for none, no availability impact; P for partial, system performance would be degraded; and C for complete, meaning the system would be completely shut down. The C metric, confidentiality, describes the information disclosure that can occur if the vulnerability is exploited: N for none, P for partial, and C for complete, meaning all the information on the system would be compromised.
Finally the integrity (I) metric describes the type of data alteration that can occur: N for none, P for partial, some information modification, and C for complete, meaning all the information on the system would be compromised. Then you have the temporal and environmental metric groups. Temporal means the characteristics of the vulnerability change over time, but not among user environments.
Environmental means the characteristics of the vulnerability are relevant or unique to a particular user environment. A CVSS score is written as a vector: the abbreviation of each metric, a colon, and then the level, so the access vector becomes AV, a colon, and the value. For example: AV:L/C:N/I:P/A:N, depending on what the actual results are.
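The metrics above are the CVSS version 2 base metrics, and they combine into the 0 to 10 score by a fixed formula. Here is an added example (not from the course, and not the NVD calculator) that parses a base vector string in the AV:x/AC:x/Au:x/C:x/I:x/A:x form, expands each metric into the meaning given in the lecture, and computes the base score. The numeric weights and the impact/exploitability equations are taken from the CVSS v2 specification; the Low/Medium/High bands are the NVD's v2 severity ranges. The vectors in the usage section are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights (from the CVSS v2 specification, not from the lecture).
AV_WEIGHT = {"L": 0.395, "A": 0.646, "N": 1.0}
AC_WEIGHT = {"H": 0.35, "M": 0.61, "L": 0.71}
AU_WEIGHT = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Metric names and level meanings as described in the lecture.
MEANING = {
    "AV": ("Access Vector", {"L": "local", "A": "adjacent network", "N": "network"}),
    "AC": ("Access Complexity", {"H": "high", "M": "medium", "L": "low"}),
    "Au": ("Authentication", {"M": "multiple", "S": "single", "N": "none"}),
    "C": ("Confidentiality impact", {"N": "none", "P": "partial", "C": "complete"}),
    "I": ("Integrity impact", {"N": "none", "P": "partial", "C": "complete"}),
    "A": ("Availability impact", {"N": "none", "P": "partial", "C": "complete"}),
}


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', ...}, rejecting bad or missing metrics."""
    metrics = {}
    for item in vector.split("/"):
        name, _, value = item.partition(":")
        if name not in MEANING or value not in MEANING[name][1]:
            raise ValueError(f"bad metric {item!r}")
        metrics[name] = value
    missing = set(MEANING) - set(metrics)
    if missing:
        raise ValueError(f"vector is missing {sorted(missing)}")
    return metrics


def describe(vector: str) -> list:
    """Expand each metric into a human-readable line."""
    m = parse_vector(vector)
    return [f"{MEANING[k][0]}: {MEANING[k][1][v]}" for k, v in m.items()]


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded half-up to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                      * (1 - IMPACT_WEIGHT[m["I"]])
                      * (1 - IMPACT_WEIGHT[m["A"]]))
    if impact == 0:          # f(Impact) is 0 when there is no impact at all
        return 0.0
    exploitability = 20 * AV_WEIGHT[m["AV"]] * AC_WEIGHT[m["AC"]] * AU_WEIGHT[m["Au"]]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def severity(score: float) -> str:
    """NVD's CVSS v2 severity bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed vectors: a remotely reachable partial-impact flaw and a local availability-only flaw.
    for v in ("AV:N/AC:L/Au:N/C:P/I:P/A:P", "AV:L/AC:L/Au:N/C:N/I:N/A:C"):
        s = base_score(v)
        print(v, s, severity(s))
        for line in describe(v):
            print("  ", line)
```

Note that the partial vector quoted in the lecture (AV:L/C:N/I:P/A:N) leaves out AC and Au, so the parser rejects it; a scanner needs all six base metrics before it can produce a score.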
- Fuzzing
We have software tools that help us find and exploit weaknesses in web applications through a process known as fuzzing. These tools are called fuzzers. It is a funny name, but they operate by injecting semi-random data into the program and detecting the bugs that result. They are easy to use, but one of their limitations is that they tend to find simple bugs rather than the more complex ones. The Open Web Application Security Project (OWASP) is an organization that focuses on improving software security, and it recommends several tools. WSFuzzer is one of those, and SOAP (Simple Object Access Protocol) services are the main targets of these types of utilities.
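To show the mechanism the lecture describes (semi-random input in, crashes out), here is an added example that is not part of the course and not WSFuzzer: a small mutation-based fuzz harness run against a toy parser defined in the same file. The parser deliberately has a simple bug of the kind fuzzers catch easily, and a corrected version is fuzzed alongside it to show the harness going quiet once the bug is fixed. The seed input and the target are constructed for the example.

```python
import random
from typing import Callable, Optional

def parse_kv(data: str) -> dict:
    """Toy target that parses 'key=value;key=value'.
    Constructed bug: a field with no '=' raises instead of being handled."""
    result = {}
    for field in data.split(";"):
        if not field:
            continue
        key, value = field.split("=", 1)   # ValueError when '=' is absent
        result[key] = value
    return result


def parse_kv_fixed(data: str) -> dict:
    """Corrected target: malformed fields are skipped rather than crashing the parser."""
    result = {}
    for field in data.split(";"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            continue
        result[key] = value
    return result


def mutate(seed: str, rng: random.Random) -> str:
    """Produce a semi-random variant of the seed: flip, delete, or insert one character."""
    chars = list(seed)
    op = rng.choice(("flip", "delete", "insert"))
    if op == "delete" and chars:
        del chars[rng.randrange(len(chars))]
    elif op == "flip" and chars:
        chars[rng.randrange(len(chars))] = chr(rng.randrange(32, 127))
    else:
        chars.insert(rng.randrange(len(chars) + 1), chr(rng.randrange(32, 127)))
    return "".join(chars)


def fuzz(target: Callable[[str], object], seed: str,
         iterations: int = 500, rng_seed: int = 1) -> Optional[dict]:
    """Feed mutated inputs to `target`; report the first unexpected exception, or None.
    A fixed RNG seed keeps the run reproducible so a finding can be replayed."""
    rng = random.Random(rng_seed)
    for i in range(iterations):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except Exception as exc:
            return {"iteration": i, "input": candidate,
                    "error": type(exc).__name__, "message": str(exc)}
    return None


if __name__ == "__main__":
    seed = "a=1;b=2"   # constructed seed input
    print("buggy parser:", fuzz(parse_kv, seed))
    print("fixed parser:", fuzz(parse_kv_fixed, seed))
```

This is the "simple bugs" case the lecture mentions: a one-character mutation is enough to reach the crash. A flaw that needs a particular sequence of well-formed SOAP messages is exactly what a harness like this tends to miss.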