One of the most important roles of a security professional is to keep the company's environment safe from attack and so, in this chapter, we are going to look at monitoring, scanning, and penetration testing.
In this chapter, we will cover the following topics:
A penetration test is an intrusive test where a third party has been authorized to attack a company's network to identify weaknesses. The intrusive tests used by them can cause damage to your systems.
Penetration testing is commonly known as pen-testing. Pen testers are given different amounts of information, including the following:
In the CompTIA Security+ exam, they measure the types of reconnaissance that could be used by an attacker. Let's first look at active and passive reconnaissance and then the tools that can be used to carry out these activities:
Team exercises are similar to pen testing, but they use friendly IT professionals to participate in the different teams. The teams are red, blue, green, white, and purple. Let's look at each of these in turn:
Figure 5.1 – Exercise teams
Here is a brief overview of the different teams:
A vulnerability scanner is a passive scanner that identifies vulnerabilities or weaknesses in a system. For example, there could be a missing update for the operating system, anti-virus solutions, or account vulnerabilities.
A Zero-Day exploit cannot be traced by a vulnerability scanner; the exploit has not yet been identified and has no updates or patches available. Let's look at the type of output a vulnerability scanner could produce:
The systems on a network produce a massive amount of information in log files and most of them will be related to errors or possible attacks. They will require a real-time solution to correlate these events so that the security team can be alerted immediately. Let's look at the role that the SIEM and syslog server play.
Security Information and Event Management (SIEM) is regarded as an IT best practice, used by regulated industries to fulfill security and audit compliance regulations, for example, HIPAA, GDPR, SOX, and PCI DSS. SIEM supports IT teams by consolidating event log values through the correlation, aggregation, normalizing standard, and non-standard log formats; it can also filter out false positives.
The only time that a SIEM system will not provide the correct information is when the wrong filters are used or the wrong host is monitored. In these cases, a false positive will be produced.
A System Logging (Syslog...
SOAR is an automated tool that integrates all of your security processes and tools in a central location. As an automated process that uses machine learning and artificial intelligence that makes it faster than humans searching for evidence of attacks, it helps reduce the mean time to detect (MTTD) and accelerates the time to respond to events. This could release members of the IT team to carry out other tasks.
The SOAR system uses playbooks that define an incident and the action taken. If the SOAR system does not detect an incident in a timely fashion, the playbook would have to be better tuned.
This will produce faster alert information for the security operations team, where the human entities can take further action to keep the company safe. Let's look at the workflow in the following diagram:
Figure 5.3 – Security integration
As you can see in the preceding diagram, we first sort the raw...
Now, it's time to check your knowledge. Answer the questions, and then check your answers, which can be found in the Solutions section at the end of the book:
© 2020 Packt Publishing Limited All Rights Reserved
