D484 PENETRATION PENTEST STUDY NOTES
WESTERN GOVERNORS’ UNIVERSITY
Planning an Engagement
• What engagement means in the world of cybersecurity
o A singular penetration testing project planned and scoped by the requesting client and the performing analysts
• Risk
o Risk is the probability that a threat will be realized
▪ Vulnerability x Threat = Risk
o Threats vs Vulnerabilities
▪ Threats are anything that can cause harm to our systems
▪ Vulnerabilities are any weaknesses in infrastructure design or implementation
o Risk Management
▪ Minimize the likelihood of an undesired outcome occurring and achieve the desired outcomes
▪ Decrease risks so they are manageable according to risk tolerance and appetite
▪ Pros and cons associated with remediating specific risks
▪ Sometimes remediating a risk can cause business interruption
o Inherent Risk
▪ Occurs when a risk is identified but no mitigating factors are applied
• Setting up data centers in hurricane-prone areas: the entire data center can be lost
• Connecting a server to the network opens a potential attack vector for a bad actor or APT
▪ All of this carries inherent risk until we apply mitigation strategies such as security controls to limit access and backup or redundant data centers
▪ There is always inherent risk that some attack will try to exploit
• It is only a matter of time and resources
• An attacker will eventually get in
o Residual Risk
▪ Occurs when a risk is calculated after applying mitigations and security controls
▪ There is still some left-over risk even when mitigations are applied
▪ Not everything can be avoided
▪ What is the risk that is left over
o Risk Exception
▪ Risk created because an exemption was granted or because of a failure to comply with corporate policy
▪ For example, if the CEO says no to the password change policy, this is a risk exception that the CEO must accept
▪ The exception to the policy is what creates the risk
• Risk Handling
o What should the corporation do with the risks highlighted by a penetration test?
▪ There are four options: risk avoidance, risk mitigation, risk transfer, and risk acceptance
o Risk Avoidance
▪ Stop the activity causing the risk or choose an alternative that does not create as much risk
▪ Eliminates the hazards, activities, and exposures with potential negative effects
o Risk Transfer
▪ Pass the risk to a third party such as an insurance company
▪ If the risk is realized, the third party will pay us to recover operations
o Risk Mitigation
▪ Minimize the risk to an acceptable level
▪ If remediating the critical vulnerabilities on a server limits the risk, it can be acceptable
o Risk Acceptance
▪ Accept the current level of risk and the cost associated with it if the risk is realized
▪ Sometimes fixing an issue will cost more than just leaving it alone
▪ Replacing an EOL server for 500k vs. the 100k loss if it is compromised
▪ Spending hours remediating the risks associated with a small laptop which is not worth much
o Risk Appetite and Risk Tolerance
▪ How much risk an organization is willing to accept in pursuit of its objectives
▪ Everything is about an organization’s risk appetite
• Controls
o Used to protect network and information systems
o Compensative access controls
▪ Used in place of primary access control measures to mitigate a given risk
▪ Example --> two admins needed to make a change or perform an action (dual control), which minimizes the risk from a trusted insider
o Corrective access controls
▪ Reduces the effect of an undesirable event or attack
▪ Example --> fire extinguishers, antivirus solutions
o Detective access controls
▪ Detects an ongoing attack and notifies the proper personnel
▪ Example --> alarm systems, honey pots
o Deterrent access controls
▪ Discourages any violation of security policies both by attackers and insiders
▪ Example --> signs saying this area is protected, firewalls
o Directive access controls
▪ Force compliance with security policy and practices within an organization
▪ Example --> AUP
o Preventive access controls
▪ Prevent or stop an attack from occurring
▪ Example --> IPS, Firewall, security badges
o Recovery access controls
▪ Recover a device after an attack
▪ Example --> Disaster recovery plans, backups, business continuity plans
o Defense in depth layers various access controls for additional security
o Administrative controls (managerial)
▪ Manages personnel and assets through security policies, standards, procedures, and baselines
▪ Example--> security awareness training
o Logical controls (Technical)
▪ Implemented through hardware or software and used to prevent or restrict access to a system
▪ Example --> firewalls, Encryption, biometrics
▪ Auditing vs monitoring
• Auditing is a one-time evaluation
• Monitoring is a continuous evaluation
o Automate this process using change management policies, configuration management, log monitoring, and status report analysis
o Evaluate access controls and make recommendations
o Physical controls
▪ Protects the organization’s personnel and facilities
▪ Example --> security guard, camera, mantraps
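The dual-control compensating control listed above (two admins needed before a change is made) can be enforced in code. The following is an added example written for these notes, not part of the original course material; the admin accounts, change IDs and approvals in it are constructed sample data.

```python
# Added example: a two-person rule (dual control) check for privileged changes.
# Not from the original notes; ADMINS, the Approval records and the change IDs
# used in the comments are constructed sample data.
from dataclasses import dataclass

# Constructed set of accounts that are authorized to approve privileged changes.
ADMINS = {"alice", "bob", "carol"}


@dataclass(frozen=True)
class Approval:
    """One recorded approval of a change request."""
    change_id: str
    approver: str


def dual_control_satisfied(change_id, requester, approvals, admins=ADMINS, required=2):
    """Return True only if `required` distinct authorized admins, none of whom
    is the requester, have approved this specific change.

    The control exists to stop a single trusted insider from pushing a change
    through alone, so the check must reject: the same admin approving twice,
    approvals by non-admin accounts, the requester approving their own change,
    and approvals recorded against a different change ID."""
    approvers = {
        a.approver
        for a in approvals
        if a.change_id == change_id      # only approvals for this change count
        and a.approver in admins         # only authorized admins count
        and a.approver != requester      # no self-approval (separation of duties)
    }
    return len(approvers) >= required


if __name__ == "__main__":
    # Constructed scenario: "dave" requests change CHG-1; alice and bob approve.
    approvals = [Approval("CHG-1", "alice"), Approval("CHG-1", "bob")]
    print("CHG-1 may proceed:", dual_control_satisfied("CHG-1", "dave", approvals))
```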
• PenTest Methodologies
o What is a pentest methodology?
▪ The systematic approach a pen tester uses before, during, and after a penetration test, assessment, or engagement
▪ Methodology includes these phases:
• Planning and Scoping
• Information Gathering and Vulnerability Scanning
• Attack and Exploits
• Reporting and Communication
o Adversary Emulation
▪ Mimics the tactics, techniques, and procedures of a real-world threat actor in a penetration test
▪ MITRE ATT&CK framework
• Common adversary TTPs in the real world
• Visualize an adversary’s capabilities, techniques, and capacities