Sunday, August 20, 2023

Vulnerability Management - Interview Questions

Most of the questions are straightforward. You can google 90% of the questions. 

Happy Learning !!

Vulnerability Management - SCAP and DISA STIG

Since the free versions of commercial vulnerability management products do not include compliance (configuration) scanning, freely available tools such as SCC from DISA and CIS-CAT Lite from CIS can be used for learning purposes.


I have created a document depicting the use of SCC from DISA. You can google the basic concepts such as CIS, DISA, STIG, SRG, CIS Benchmarks, SCAP, OVAL, CVE, CPE, XCCDF, CCE and OCIL.


I find Wikipedia definition perfect, "SCAP comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security. Applications which conduct security monitoring use the standards when measuring systems to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact. The SCAP suite of specifications standardize the nomenclature and formats used by these automated vulnerability management, measurement, and policy compliance products.


A vendor of a computer system configuration scanner can get their product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way." 
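To make the SCAP pieces concrete, here is an added example of mine (not from the post, and not SCC's code) that parses the XCCDF 1.2 TestResult an SCAP scanner writes after evaluating a benchmark and summarizes it. The XML below is constructed, and the benchmark and rule ids in it are illustrative placeholders rather than real STIG identifiers; the rule-result values (pass, fail, notapplicable, notchecked) are the ones XCCDF defines.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample, not real SCC output: a trimmed XCCDF 1.2 TestResult in
# the shape an SCAP scanner writes after evaluating a benchmark. The benchmark
# and rule ids are illustrative, not real STIG identifiers.
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_run1"
            start-time="2023-08-20T10:00:00" end-time="2023-08-20T10:05:00">
  <benchmark href="benchmark.xml" id="xccdf_example_benchmark_os"/>
  <target>host01.example.internal</target>
  <rule-result idref="xccdf_example_rule_disable_telnet" severity="high" weight="10.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_min_len" severity="medium" weight="10.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" severity="high" weight="10.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_banner" severity="low" weight="10.0">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_manual_review" severity="medium" weight="10.0">
    <result>notchecked</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">33.333333</score>
</TestResult>
"""


def parse_test_result(xml_text):
    """Return (target, reported score, [(rule_id, severity, result), ...])
    from an XCCDF 1.2 TestResult document."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    target = root.findtext("x:target", default="", namespaces=ns)
    score_el = root.find("x:score", ns)
    score = float(score_el.text) if score_el is not None else None
    rows = []
    for rr in root.findall("x:rule-result", ns):
        rows.append((rr.get("idref"),
                     rr.get("severity", "unknown"),
                     rr.findtext("x:result", default="unknown", namespaces=ns)))
    return target, score, rows


def summarize(rows):
    """Count results, list failed rules highest severity first, and surface
    'notchecked' rules separately: those are typically manual (OCIL) checks,
    and silently treating them as passes inflates the compliance picture."""
    counts = Counter(result for _, _, result in rows)
    order = {"high": 0, "medium": 1, "low": 2}
    failed = sorted((rid, sev) for rid, sev, res in rows if res == "fail")
    failed.sort(key=lambda t: order.get(t[1], 3))
    needs_review = [rid for rid, _, res in rows if res == "notchecked"]
    return counts, failed, needs_review


def pass_rate(rows):
    """Pass rate over rules that actually returned pass or fail, so that
    notapplicable / notchecked / notselected rules neither inflate nor
    deflate the number."""
    evaluated = [res for _, _, res in rows if res in ("pass", "fail")]
    if not evaluated:
        return 0.0
    return 100.0 * evaluated.count("pass") / len(evaluated)


if __name__ == "__main__":
    target, score, rows = parse_test_result(SAMPLE_RESULT)
    counts, failed, needs_review = summarize(rows)
    print(f"target={target} reported_score={score} pass_rate={pass_rate(rows):.1f}")
    print("results:", dict(counts))
    for rid, sev in failed:
        print(f"FAIL   [{sev}] {rid}")
    for rid in needs_review:
        print(f"REVIEW {rid}")
```

The same parser works on the per-host XCCDF results SCC produces, since they use the same TestResult, rule-result and score elements; only the namespace version may need adjusting for older benchmarks that are still on XCCDF 1.1.4.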


The point of this post is that, since free tools, resources and videos are available, we should make use of them and drop the mindset that we can only learn once we have joined an organization. I agree there is no substitute for industry experience, but nobody can stop you from learning. Let's create labs, read documentation, demonstrate PoCs, and share the gained knowledge with the community. Thanks to all content creators on YouTube and LinkedIn, I have learned a lot from you and I am still learning.


Happy Learning !!


Vulnerability Management - SSL vs TLS

In one of my interviews, the interviewer asked me, "What is the difference between SSL and TLS?"


I said TLS is the successor of SSL. But he was not satisfied with my one-line answer. Then he asked, "Does that mean there is no difference between SSL and TLS?"


So guys, following are the high-level differences between SSL 3.0 and TLS (the record and handshake structure is largely the same; it is the cryptographic building blocks that were replaced):


  1. Hashing --> SSL 3.0 builds its MAC and key derivation from MD5 and SHA-1; TLS 1.0/1.1 still use HMAC-MD5 and HMAC-SHA1, and TLS 1.2 adds SHA-256 (for both the HMAC and the PRF), with MD5 and SHA-1 progressively deprecated.
  2. Key exchange algorithm --> SSL 3.0 supports RSA, DH and FORTEZZA/KEA; TLS dropped FORTEZZA and added DHE, ECDH, ECDHE, PSK etc., and TLS 1.3 keeps only ephemeral (EC)DHE and PSK.
  3. Data encryption --> SSL 3.0 cipher suites use DES, 3DES, RC2, RC4 and IDEA; TLS added AES and, in TLS 1.2, AEAD suites such as AES-GCM and ChaCha20-Poly1305, while RC4 has since been prohibited (RFC 7465).
  4. Integrity --> SSL 3.0 uses an ad hoc keyed hash, hash(secret || pad2 || hash(secret || pad1 || data)); TLS uses the standardized HMAC (RFC 2104), and TLS 1.3 drops the separate MAC entirely in favour of AEAD.
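Point 4 is easiest to see in code. The following is an added example of mine, not from the post: the SSL 3.0 record MAC from RFC 6101 section 5.2.3.1 next to the TLS 1.0 to 1.2 record MAC from RFC 2246 / RFC 5246 section 6.2.3.1, computed over the same constructed record with a throwaway secret. The secret, the fragment and the content-type and version constants are my inputs, chosen to illustrate the constructions, not values from any real session.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23      # SSL/TLS record content type
TLS_1_0 = 0x0301           # ProtocolVersion {3, 1}


def ssl3_mac(secret, seq_num, content_type, fragment, hash_name="sha1"):
    """SSL 3.0 record MAC (RFC 6101, section 5.2.3.1):
    hash(secret || pad2 || hash(secret || pad1 || seq_num || type || length || fragment)).
    An ad hoc keyed-hash construction that predates HMAC; pad1/pad2 are 0x36/0x5c
    repeated 48 times for MD5 and 40 times for SHA-1. The protocol version is
    not covered by the MAC."""
    pad_len = {"md5": 48, "sha1": 40}[hash_name]
    pad1 = b"\x36" * pad_len
    pad2 = b"\x5c" * pad_len
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, secret + pad1 + header + fragment).digest()
    return hashlib.new(hash_name, secret + pad2 + inner).digest()


def tls_mac(secret, seq_num, content_type, version, fragment, hash_name="sha1"):
    """TLS 1.0-1.2 record MAC (RFC 2246 / RFC 5246, section 6.2.3.1):
    HMAC_hash(secret, seq_num || type || version || length || fragment),
    i.e. the standardized HMAC of RFC 2104, and it binds the protocol version."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(secret, header + fragment, hash_name).digest()


def verify_tls_mac(secret, seq_num, content_type, version, fragment, tag, hash_name="sha1"):
    """Receiver-side check. compare_digest avoids the timing leak of a plain ==."""
    expected = tls_mac(secret, seq_num, content_type, version, fragment, hash_name)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed inputs: a throwaway MAC secret and one application-data record.
    secret = b"constructed-mac-write-secret"
    fragment = b"GET / HTTP/1.1\r\nHost: example.internal\r\n\r\n"
    s3 = ssl3_mac(secret, 0, APPLICATION_DATA, fragment)
    t = tls_mac(secret, 0, APPLICATION_DATA, TLS_1_0, fragment)
    print("SSL3 MAC :", s3.hex())
    print("TLS HMAC :", t.hex())
    print("verify ok:", verify_tls_mac(secret, 0, APPLICATION_DATA, TLS_1_0, fragment, t))
    tampered = fragment.replace(b"GET", b"PUT")
    print("tampered :", verify_tls_mac(secret, 0, APPLICATION_DATA, TLS_1_0, tampered, t))
    # Replaying the same record under the next sequence number also fails,
    # because seq_num is part of the MAC input in both designs.
    print("replayed :", verify_tls_mac(secret, 1, APPLICATION_DATA, TLS_1_0, fragment, t))
```

Two things worth noticing: the TLS header includes the two version bytes, so the same record MACed under TLS 1.0 and TLS 1.1 yields different tags; and the SSL 3.0 construction is not HMAC, so a library's HMAC-SHA1 cannot be reused to validate SSL 3.0 records even though both are built on SHA-1.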


The point of this post is, don't be like me, be like Bob.

Whenever Bob studies a concept, he always asks himself WHY? (For e.g. in this case) "Why is TLS needed when SSL already exists?"


So, being in the cybersecurity domain, you are not always expected to know the low-level details of each and every protocol, but you should at least know the high-level details and be able to correlate your answer with vulnerabilities. (For e.g. in this case: POODLE exploits SSL 3.0's unchecked CBC padding, which TLS 1.0 fixed by defining and checking the padding format; BEAST exploits the predictable, chained CBC IVs of both SSL 3.0 and TLS 1.0, and was fixed by the explicit per-record IV introduced in TLS 1.1.)


Happy Learning !!

Monday, August 7, 2023

Vulnerability Management - Secure privileged account use

Since a vulnerability scan or compliance audit run with an account that lacks sufficient privileges produces incomplete results, the scanning solution must be given credentials with privileged access to the target system.


Since these accounts are privileged, Tenable recommends the following strategies to limit misuse:


1. Implement compensating controls for privileged accounts to limit risk, such as:


a. Log monitoring for when the account is in use outside of standard change control hours, with alerts for activities outside of normal windows.

b. Perform frequent password rotation for privileged accounts more often than the “normal” internal standard.

c. Enable accounts only when the time window for scans is active; disable accounts at other times.

d. On non-Windows systems, do not allow remote root logins. Configure your scans to utilize escalation such as su, sudo, pbrun, .k5login, or dzdo.

e. Use key authentication instead of password authentication.


2. Use Nessus Agents where available.


3. If an exception with compensating controls cannot be granted, scan with an account that has fewer privileges than Tenable recommends, note which results are missing, and adjust the account's privileges until all expected results appear. Keep in mind that later changes to the audit file or plugins may change which privileges are needed.
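Compensating control 1a is the one that actually catches misuse, so here is an added example of mine (not Tenable's code) of what that log monitoring looks like: a few constructed sshd and sudo lines, with the scan account's activity checked against the approved scan window and the other controls in the list (key rather than password authentication in 1e, escalation via sudo rather than an interactive root shell in 1d). The account name svc-nessus, the scanner source address, the Saturday/Sunday 02:00-05:00 UTC window and the log lines are all my assumptions.

```python
import os
import re
from datetime import datetime, time, timezone

# Assumptions (mine, not Tenable's): the scan service account is 'svc-nessus',
# scans originate from 10.10.20.5, and credentialed scans are approved only
# on Saturday and Sunday between 02:00 and 05:00 UTC.
SCAN_ACCOUNT = "svc-nessus"
SCANNER_SOURCES = frozenset({"10.10.20.5"})
APPROVED_DAYS = {5, 6}            # Monday=0 ... Saturday=5, Sunday=6
WINDOW_START = time(2, 0)
WINDOW_END = time(5, 0)
SHELLS = {"bash", "sh", "zsh", "dash", "ksh"}

# Constructed log lines (RFC 3339 timestamps as rsyslog/journald emit them);
# 2023-08-05 is a Saturday inside the window, 2023-08-08 a Tuesday afternoon.
SAMPLE_LOG = """\
2023-08-05T02:14:07+00:00 web01 sshd[2231]: Accepted publickey for svc-nessus from 10.10.20.5 port 51822 ssh2: ED25519 SHA256:abc
2023-08-05T02:14:08+00:00 web01 sudo: svc-nessus : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2023-08-08T14:31:55+00:00 web01 sshd[4410]: Accepted password for svc-nessus from 192.168.7.42 port 40112 ssh2
2023-08-08T14:32:01+00:00 web01 sudo: svc-nessus : TTY=pts/1 ; PWD=/home/svc-nessus ; USER=root ; COMMAND=/bin/bash
2023-08-08T14:40:12+00:00 web01 sshd[4477]: Accepted publickey for alice from 192.168.7.9 port 40200 ssh2: RSA SHA256:def
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[a-z]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def in_window(ts):
    """True if the (UTC) timestamp falls inside the approved scan window."""
    return ts.weekday() in APPROVED_DAYS and WINDOW_START <= ts.time() < WINDOW_END


def analyze(log_text, account=SCAN_ACCOUNT, scanner_sources=SCANNER_SOURCES):
    """Return alert strings for every use of the scan account that is outside
    the approved window, comes from a host other than the scanner, uses
    password instead of key authentication, or escalates to an interactive
    shell. Other accounts' activity is ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        stamp = ts.isoformat()
        prog, msg = m["prog"], m["msg"]
        if prog == "sshd":
            s = SSH_RE.search(msg)
            if not s or s["user"] != account:
                continue
            if not in_window(ts):
                alerts.append(f"{stamp} login outside scan window from {s['src']}")
            if s["src"] not in scanner_sources:
                alerts.append(f"{stamp} login from non-scanner host {s['src']}")
            if s["method"] != "publickey":
                alerts.append(f"{stamp} {s['method']} auth used instead of key auth")
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if not s or s["user"] != account:
                continue
            if not in_window(ts):
                alerts.append(f"{stamp} sudo outside scan window: {s['cmd']}")
            if os.path.basename(s["cmd"].split()[0]) in SHELLS:
                alerts.append(f"{stamp} interactive shell via sudo: {s['cmd']}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("ALERT", alert)
```

In the constructed sample the Saturday-night run produces nothing, while the Tuesday-afternoon password login from a workstation followed by `sudo /bin/bash` trips four of the five checks; in practice the same logic would sit in the SIEM as a correlation rule keyed on the scan account, with the window fed from the change calendar rather than hard-coded.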


Please refer below URLs for more details:

https://docs.tenable.com/nessus/compliance-checks-reference/Content/CredentialedScanningandPrivilegedAccountUse.htm


Happy Learning !!

Vulnerability Management - On a lighter note !!

A few Nessus Agents were appearing offline in Nessus Manager. I was working with a Windows engineer to troubleshoot the issue.


Normally, to resolve this issue, we unlink and re-link the Nessus Agent from the agent host.


As an administrator, from a command prompt, run the following commands:

Based on your operating system, use either C:\Program Files\Tenable\Nessus Agent or C:\ProgramData\Tenable\Nessus Agent.


> net stop "Tenable Nessus Agent"

> "C:\Program Files\Tenable\Nessus Agent\nessuscli" agent unlink (--force)

> "C:\Program Files\Tenable\Nessus Agent\nessuscli" agent link --key=<key> --host=<host> --port=<port>

> net start "Tenable Nessus Agent"


I shared the steps with the engineer and asked him to execute them. While he was running those commands, he suddenly asked me: if we are stopping the "Tenable Nessus Agent" service, then what is the use of running the subsequent commands? I went blank for a couple of minutes.


Happy Learning !!

Vulnerability Management - Duplicate entries in vulnerability database

 Let's first understand what a reimage is ->


A reimage is the process of installing a new operating system on a machine. This process includes wiping, or clearing, the hard drive entirely, and installing a fresh operating system. When the reimage is complete, it is almost like getting a brand new machine!


Now, both Qualys and Tenable stamp a machine with a tracking UUID the first time they scan it. This way, if a machine changes IP addresses, or has multiple network interfaces, they can track the machine without creating duplicates.


But when you reimage a machine, its identification attributes change, which in turn means the same vulnerability gets reported twice. How? Suppose a developer is using a particular version of a library, and that version is affected by a vulnerability. After working for a few days the developer decides to leave the organization, and the machine is sent for reimaging. Now another developer gets this machine. When the Tenable agent is installed again, it creates a new UUID. If the new developer installs and uses the same library, a duplicate entry will be created.


Because the machine kept the same MAC address and hostname, the same finding (hostname + port + vulnerability) now appears twice, under two UUIDs: Tenable treated the rebuilt machine as a second, distinct asset. Hence the solution to such an issue is:


Save the whole registry key before you rebuild the machine, then restore it before you re-scan, or before you install the Qualys/Tenable agent if you use agents (Qualys stores its UUID under HKLM\Software\Qualys, Tenable under HKLM\Software\Tenable).
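When the key was not saved, the duplicates have to be found after the fact. As an added example (mine, not Tenable's or Qualys's code, and going slightly beyond the post by also normalizing hostname case and MAC separators), here is a small script that takes an asset export, groups assets by hostname + MAC, reports the groups that carry more than one tracking UUID with the newest one first, and counts the findings that are being reported twice as a result. The field names, UUIDs, MACs and plugin names are constructed and do not follow either vendor's real export schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed asset-export rows. The field names are my assumption, not the
# real Tenable or Qualys export schema; the UUIDs and MACs are made up.
ASSETS = [
    {"uuid": "a1a1a1a1-0000-4000-8000-000000000001", "hostname": "dev-lt-042",
     "mac": "3c:52:82:aa:bb:01", "last_seen": "2023-07-30T09:15:00"},
    {"uuid": "a1a1a1a1-0000-4000-8000-000000000002", "hostname": "dev-lt-042",
     "mac": "3c:52:82:aa:bb:01", "last_seen": "2023-08-18T17:40:00"},
    {"uuid": "a1a1a1a1-0000-4000-8000-000000000003", "hostname": "dev-lt-043",
     "mac": "3c:52:82:aa:bb:02", "last_seen": "2023-08-19T08:00:00"},
    {"uuid": "a1a1a1a1-0000-4000-8000-000000000004", "hostname": "DEV-LT-044",
     "mac": "3C-52-82-AA-BB-03", "last_seen": "2023-08-01T08:00:00"},
    {"uuid": "a1a1a1a1-0000-4000-8000-000000000005", "hostname": "dev-lt-044",
     "mac": "3c:52:82:aa:bb:03", "last_seen": "2023-08-19T08:00:00"},
]

# Constructed findings as (asset uuid, plugin id or QID, port); the plugin
# names are placeholders.
FINDINGS = [
    ("a1a1a1a1-0000-4000-8000-000000000001", "example-lib-cve", 0),
    ("a1a1a1a1-0000-4000-8000-000000000002", "example-lib-cve", 0),
    ("a1a1a1a1-0000-4000-8000-000000000002", "example-browser-cve", 0),
    ("a1a1a1a1-0000-4000-8000-000000000003", "example-lib-cve", 0),
    ("a1a1a1a1-0000-4000-8000-000000000004", "example-smb-signing", 445),
    ("a1a1a1a1-0000-4000-8000-000000000005", "example-smb-signing", 445),
]


def identity_key(asset):
    """Hostname + MAC, normalized so case and separator differences between
    scans do not hide a duplicate."""
    mac = asset["mac"].strip().lower().replace("-", ":")
    return (asset["hostname"].strip().lower(), mac)


def find_duplicate_assets(assets):
    """Group assets by identity_key and return the groups that carry more than
    one tracking UUID, newest last_seen first, so the trailing UUIDs are the
    candidates to merge or delete."""
    groups = defaultdict(list)
    for asset in assets:
        groups[identity_key(asset)].append(asset)
    dupes = {}
    for key, members in groups.items():
        if len(members) > 1:
            members.sort(key=lambda a: datetime.fromisoformat(a["last_seen"]), reverse=True)
            dupes[key] = [m["uuid"] for m in members]
    return dupes


def count_duplicated_findings(findings, dupes):
    """Count (host, plugin, port) findings reported under two or more of the
    duplicate UUIDs: these are the rows inflating the vulnerability count."""
    uuid_to_key = {u: key for key, uuids in dupes.items() for u in uuids}
    reporters = defaultdict(set)
    for uuid, plugin, port in findings:
        if uuid in uuid_to_key:
            reporters[(uuid_to_key[uuid], plugin, port)].add(uuid)
    return sum(1 for uuids in reporters.values() if len(uuids) > 1)


if __name__ == "__main__":
    dupes = find_duplicate_assets(ASSETS)
    for (hostname, mac), uuids in dupes.items():
        print(f"{hostname} {mac}: keep {uuids[0]}, stale {uuids[1:]}")
    print("findings counted twice:", count_duplicated_findings(FINDINGS, dupes))
```

Hostname + MAC is a reasonable key for laptops and desktops that were reimaged in place; for VMs that are cloned from a template it is the MAC that changes and the hostname that repeats, so the key has to be chosen per asset class before deleting anything.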


Please refer below URLs for more details:

https://dfarq.homeip.net/rebuild-machines-without-making-duplicates-in-qualys-or-tenable/

https://community.tenable.com/s/article/How-Does-Tenable-io-Identify-an-Asset-as-Unique

https://hub.wpi.edu/article/183/prepare-a-computer-for-reimage


There are other causes of duplicate entries as well; this is just one of them.


Happy Learning !!

Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...