WEBVTT

00:07.280 --> 00:11.690
As a cyber security analyst, you should understand the different vulnerabilities associated with your

00:11.690 --> 00:17.480
network, whether it's from a perspective of email or different systems, different operating systems,

00:17.480 --> 00:24.020
even your servers, or even your basic infrastructure including your switches, routers and other items

00:24.020 --> 00:24.800
on your network.

00:24.830 --> 00:29.480
Believe it or not, IoT devices are considered to be part of your network as well if your organization

00:29.480 --> 00:30.440
uses them.

00:30.470 --> 00:34.730
Vulnerability identification and scanning is one of those things that you should really understand how

00:34.730 --> 00:35.360
to do.

00:35.360 --> 00:40.970
And there's two basic platforms that we're going to discuss in chapter ten, OpenVAS and Nessus, as

00:40.970 --> 00:42.830
the biggest ones out there today.

00:42.830 --> 00:47.180
Right now we're going to go over what those actually include, and then we'll highlight those videos

00:47.180 --> 00:51.200
and an understanding of how to actually run those scans and install them on your systems.

00:51.200 --> 00:57.110
In chapter ten, before you get started actually scanning a system, we need to go through the process

00:57.110 --> 01:00.440
of understanding what a baseline scan really entails.

01:00.470 --> 01:08.350
A baseline scan is a standardized baseline for your network operating on a standard day at a given hour.

01:08.380 --> 01:14.560
We want to understand what is my system doing on a day to day basis, on an hourly basis, at different

01:14.560 --> 01:15.820
times throughout the day.

01:15.850 --> 01:21.880
I need to understand as an analyst, if my system is pushing out one gigabyte of traffic every second

01:21.910 --> 01:27.580
on a Wednesday afternoon at 2:00 pm, because if that's my standardized traffic patterns throughout

01:27.580 --> 01:33.940
every Wednesday, and all of a sudden now I'm pushing out 350GB of traffic every hour, then that could

01:33.940 --> 01:34.720
pose a problem.

01:34.720 --> 01:36.610
That's an indicator of compromise.

01:36.610 --> 01:41.620
We need to understand that baseline scanning is something that goes into play at different levels.

01:41.620 --> 01:47.230
It's not just about tracking the data, it's also about tracking the utilization of different ports,

01:47.230 --> 01:53.740
protocols and what's available on our systems. When we bring vulnerability scanning into the fray,

01:53.770 --> 01:58.360
we're also looking at different vulnerabilities associated with the different items on my network.

01:58.360 --> 02:04.040
I need to understand if this port is open on a network and we have it unsecure.

02:04.070 --> 02:05.750
Why do we have it unsecure?

02:05.780 --> 02:11.810
If that scan provides that as a critical component or a vulnerability within my network, I want to

02:11.810 --> 02:14.330
know about it before something actually happens.

02:14.360 --> 02:16.520
This poses two big reasons why.

02:16.550 --> 02:22.820
The first one being if my standard operating procedure on my network is to say, have port 20 open.

02:22.850 --> 02:27.440
I don't want to have everybody jumping up and down two weeks from now when they rerun that scan.

02:27.440 --> 02:32.330
And now port 20 is open and it causes a lot of mess because people are saying that's unsecure.

02:32.330 --> 02:37.520
And then we're devoting manpower, energy and money to fixing that issue when it was already a known

02:37.520 --> 02:39.260
issue that we already documented.

02:39.260 --> 02:40.790
And so why are we fixing it?

02:40.820 --> 02:42.980
It's already been authorized to be on our network.

02:43.010 --> 02:48.080
A standardized baseline for compliance on our network is more than just understanding the different

02:48.080 --> 02:49.040
vulnerabilities.

02:49.040 --> 02:51.680
It's also understanding the vulnerabilities associated with it.

02:51.710 --> 02:58.670
From a compliance standpoint, if I'm using PCI DSS or HIPAA as my compliance protocol within my network,

02:58.670 --> 03:03.350
I need to understand what those different compliances have, based on the vulnerabilities associated

03:03.350 --> 03:08.300
with my individual network or systems associated with that compliance requirement.

03:08.330 --> 03:13.850
A lot of times, we'll see a compliance requirement in one section or one isolated network within our

03:13.880 --> 03:16.670
system, but not throughout the entire network as a whole.

03:16.700 --> 03:22.460
We often do this because compliance is required for a specific system, and it costs more money to do

03:22.460 --> 03:24.470
it across the entire system as a whole.

03:24.470 --> 03:29.450
Whereas if I could just do one segment of my network for compliance, I'm usually going to go down a

03:29.450 --> 03:30.110
pathway.

03:30.140 --> 03:33.410
We need to verify our automated configuration standards.

03:33.410 --> 03:39.890
If I have a router or a switch or even a server that I'm bringing online and something breaks, I want

03:39.920 --> 03:42.620
to automate that configuration as much as possible.

03:42.620 --> 03:48.530
If you have a tedious task that you need to do over and over and over again, we as human beings tend

03:48.530 --> 03:49.190
to wander.

03:49.190 --> 03:53.090
We tend to go through our minds and start thinking about what I'm going to do after work, or what I'm

03:53.090 --> 03:56.750
going to have for lunch or something other than the fact of what I'm actually doing.

03:56.780 --> 04:00.290
Human beings suck at tedious things, and we know we do.

04:00.320 --> 04:01.890
So what's the best way to do that?

04:01.890 --> 04:04.590
Let's do a script and automate that process.

04:04.590 --> 04:10.710
If I can automate the process to tediously go through a thousand different routers and change one setting,

04:10.710 --> 04:16.140
then that's an automated verification of the process that's going to not only provide my workload a

04:16.140 --> 04:20.550
little bit better for my employees, but their minds aren't going to be wandering and making human errors

04:20.550 --> 04:21.690
throughout the process.

04:21.690 --> 04:24.210
We also need to highlight inadequate scans.

04:24.210 --> 04:29.220
What I mean by that is, if I scan a system and I'm only scanning to make sure there's a ping on each

04:29.220 --> 04:34.110
one of those items, that really doesn't tell me anything other than what is out there at the current

04:34.140 --> 04:34.740
time.

04:34.740 --> 04:36.690
It doesn't tell me what the operating system is.

04:36.690 --> 04:38.940
It doesn't tell me what the vulnerabilities are associated with it.

04:38.970 --> 04:44.460
It just tells me that I have items on my network that use an IP address. That's not very good as a cybersecurity

04:44.460 --> 04:45.270
professional.

04:45.300 --> 04:49.050
As such, we want to do more scanning a lot of times than less.

04:49.050 --> 04:51.270
It's not enough just to do an IP scan.

04:51.270 --> 04:57.030
Sometimes we might do an IP scan just to go through the process and see if there's a machine or a new

04:57.030 --> 04:59.040
IP address that's popping up.

04:59.040 --> 05:04.270
But for a baseline scan and for a regular intermittent scan, we want to do something that's a little

05:04.270 --> 05:05.260
more hefty to it.

05:05.290 --> 05:10.480
We want to understand not only what the operating systems are, what the ports are open, but we also

05:10.510 --> 05:13.360
want to understand those vulnerabilities associated with it.

05:13.390 --> 05:14.830
We go through this process.

05:14.830 --> 05:19.870
We're going to show you the different scans that you can do and conduct as a vulnerability scanner.

05:19.900 --> 05:24.940
The first thing I want to talk about is the difference between a passive versus an active scan.

05:24.970 --> 05:29.620
A passive scan is simply a scan that we let go in the background of our systems.

05:29.650 --> 05:34.930
A lot of times our SIEM takes care of this, and our SOAR automates this

05:34.930 --> 05:38.950
process, and we're just listening to what's going on within our network.

05:38.980 --> 05:42.430
We're really not pushing a button to make the system do anything.

05:42.430 --> 05:45.760
We're just listening to the traffic as it goes from point A to point B.

05:45.790 --> 05:48.250
Sometimes this will tell us if a new port opens.

05:48.250 --> 05:48.640
Maybe.

05:48.640 --> 05:55.240
I don't normally use port 21 on my system, but all of a sudden one pops up and now it's processing

05:55.240 --> 05:57.760
communication protocols on that port.

05:57.790 --> 06:02.880
I didn't tell the machine that's operating on port 21 to tell me what ports it's operating on.

06:02.910 --> 06:08.670
It just started reporting that it's talking on port 21, and our automated systems picked it up through

06:08.670 --> 06:13.800
a passive communication channel that points out an alarm that tells us there's a problem within our

06:13.800 --> 06:18.900
systems, because I have communication that's unsecure, operating on a port that we didn't authorize.

06:18.930 --> 06:24.840
Going through our systems, this is a good example of a passive scan that we might see on our systems.

06:24.870 --> 06:30.870
In comparison, an active scan is me literally going to the system and telling it, hey, I want you

06:30.870 --> 06:35.130
to report out to me every port you have open that you're currently communicating on.

06:35.160 --> 06:39.210
I also want you to provide the logs for all the different ports that you've communicated on in the last

06:39.210 --> 06:40.170
24 hours.

06:40.170 --> 06:42.480
This is what's considered an active scan.

06:42.510 --> 06:45.330
I send a command forward and the machine responds.

06:45.330 --> 06:50.430
I'm actively asking for information, or I'm actively scanning that machine for different ports that

06:50.430 --> 06:51.810
are available and open.

06:51.840 --> 06:57.330
This is an example between an active scan versus a passive scan in the world of vulnerability scanning.

06:57.330 --> 07:01.100
We take the same similarities to a new level on a passive scan.

07:01.100 --> 07:06.200
I'm looking for different things like, I don't know, malware or ransomware that might be going through.

07:06.230 --> 07:08.600
Maybe somebody's doing something they're not supposed to.

07:08.630 --> 07:13.970
On my network, I'm not actively searching for it, but I am listening to the network to see what's

07:13.970 --> 07:14.750
going on.

07:14.780 --> 07:20.060
Again, if I have port 21 suddenly open and processing communication, that would be a vulnerability

07:20.060 --> 07:23.330
that's introduced to my network, even though it's just a simple port.

07:23.330 --> 07:27.980
And because my SIEM picked it up, I'm able to then grab that information and understand what's going

07:27.980 --> 07:29.750
on from a passive standpoint.

07:29.780 --> 07:35.000
On an active standpoint, I scan the machine, I'm looking at the software configurations, I'm looking

07:35.000 --> 07:40.310
at the software versions, and it's reporting back to me via Nessus or OpenVAS, that it's not the most

07:40.310 --> 07:43.280
up to date version of software available on that system.

07:43.280 --> 07:45.680
Maybe there's a reason for it, maybe there isn't.

07:45.680 --> 07:50.630
But the machine is actively providing me information because I'm scanning that machine with a third

07:50.630 --> 07:53.690
party software that's looking for vulnerabilities.

07:53.690 --> 07:57.080
This is the big difference between active scanning versus passive scanning.

07:57.080 --> 08:00.930
From a vulnerability standpoint, there's two major points of scanning.

08:00.930 --> 08:04.230
When it comes to vulnerability scanning, one is external scanning.

08:04.230 --> 08:06.270
This is from an outside perspective.

08:06.270 --> 08:08.880
Sometimes I want to know what the outsider sees.

08:08.880 --> 08:14.340
If they're looking at my organization or my infrastructure from outside the internet, this would mean

08:14.340 --> 08:20.040
that maybe a malware user or a malicious user is looking at my network, trying to gain information,

08:20.040 --> 08:25.710
and sometimes it's a good idea to know exactly what they can see, because it could provide me a little

08:25.740 --> 08:27.360
bit of security through obscurity.

08:27.360 --> 08:32.250
And what I mean by that is that if the outsider cannot see the different communication protocols that

08:32.250 --> 08:36.240
I'm using inside my internal network, maybe it's not a priority to fix those.

08:36.240 --> 08:40.320
If I only have a limited budget or limited manpower in order to deal with that.

08:40.320 --> 08:44.730
This is that public facing vulnerability that most malicious actors are searching for.

08:44.760 --> 08:49.920
It's important to me, as a cybersecurity professional to understand what's going on from my network,

08:49.920 --> 08:55.830
from the outside view, so I can properly delineate between real vulnerabilities that I'm afraid could

08:55.830 --> 09:01.010
be taken advantage of versus those hidden vulnerabilities that maybe, yeah, they are vulnerabilities,

09:01.010 --> 09:03.890
but do I really want to spend the time and money to have them fixed?

09:03.920 --> 09:07.730
Remember, as a cybersecurity professional, it's bang for your buck.

09:07.730 --> 09:11.510
How much time, how much money do I need to spend fixing all these vulnerabilities?

09:11.540 --> 09:15.470
Throughout your career, there's always going to be too many vulnerabilities, and we can't constantly

09:15.470 --> 09:17.030
fix every last one of them.

09:17.030 --> 09:20.270
So we must prioritize which ones we're going to pick.

09:20.300 --> 09:25.880
Having that external viewpoint of what's going on from a malicious actor's eyes can help us determine

09:25.880 --> 09:29.750
what vulnerabilities we need to fix right away, versus which ones can fix.

09:29.750 --> 09:31.670
Then we have internal scanning.

09:31.670 --> 09:38.750
Internal scanning is a comprehensive review of all of our systems with credentials, or from the perspective

09:38.750 --> 09:40.580
of a security administrator.

09:40.580 --> 09:46.310
I know that I'm operating on port 21 between two servers because it's a legacy system.

09:46.310 --> 09:50.870
Maybe that legacy system doesn't have the capability of operating at a more secure channel.

09:50.870 --> 09:53.000
From that perspective, it's a vulnerability.

09:53.030 --> 09:56.900
We know it's a vulnerability, but can an external viewer see it?

09:56.900 --> 10:02.650
And so the priority of that fix may be different based on an internal versus an external scan.

10:02.650 --> 10:07.480
An internal scan is really going to provide us with a lot more leverage or a lot more visibility of

10:07.480 --> 10:09.370
our internal workings of our network.

10:09.400 --> 10:14.710
After all, I can see all the traffic and have full permission to access all the systems on my network.

10:14.740 --> 10:20.500
Because of that, I can actively scan and I can go through all the processes associated with it to get

10:20.500 --> 10:26.020
a good picture of every vulnerability on this network without this fear of being discovered.

10:26.050 --> 10:30.880
Unlike a malicious actor where they're constantly trying to hide their footprints, as a cybersecurity

10:30.880 --> 10:35.650
professional conducting an internal scan, I can blast through and I really don't care how much noise

10:35.650 --> 10:38.530
it makes, as long as it's not interfering with my systems.

10:38.680 --> 10:44.380
Agent versus agentless scanning comes into play when we're looking at an agent scan or a local data

10:44.380 --> 10:45.670
collection standpoint.

10:45.670 --> 10:51.160
This means that we collect all the data, and we put it through a centralized server to store that data.

10:51.160 --> 10:57.160
Within an agent environment, I can run different scans that go through the process and then store them

10:57.160 --> 10:58.510
in a centralized point.

10:58.540 --> 11:04.160
This allows me to identify the different vulnerabilities and the interconnected vulnerabilities associated

11:04.160 --> 11:10.430
with it, meaning that I can look at a server that's connected to a switch and literally get a bigger

11:10.430 --> 11:13.280
picture of what's going on between both those systems.

11:13.280 --> 11:18.830
I can compare and contrast and actually see the pipelines and physical connections between them, because

11:18.830 --> 11:19.820
it's an agent scan.

11:19.850 --> 11:24.260
I have a much more comprehensive review of all the vulnerabilities associated with it.

11:24.260 --> 11:26.960
In comparison with an agentless standpoint.

11:26.960 --> 11:32.000
This is via the network communication protocol, meaning I'm hitting it from a different perspective.

11:32.000 --> 11:38.240
I'm hitting it from a machine outside the environment, whereas the agent viewpoint is on the machine itself.

11:38.240 --> 11:43.940
An agentless scan is on a separate machine looking at the systems and going, oh, this is going through

11:43.940 --> 11:47.600
this communication and I need to see it from an agentless point of view.

11:47.600 --> 11:53.090
I'm looking at it maybe even from Seattle or Georgia, where my network is actually in Florida.

11:53.120 --> 11:55.610
This can provide some distilled point of view.

11:55.640 --> 12:01.030
It doesn't provide as much coverage or detailed coverage, but it does provide me a broader overlook

12:01.030 --> 12:02.320
of the network as a whole.

12:02.320 --> 12:06.970
We can also see an agentless viewpoint where we're talking about different segmentations that are implemented

12:06.970 --> 12:11.290
in our network or isolated networks, where we're doing a little bit here and a little bit there, and

12:11.290 --> 12:14.410
a little bit over here to get a bigger overall picture.

12:14.440 --> 12:19.810
Again, not as detailed, but does have its benefits in the fact that it's providing me a broader coverage

12:19.810 --> 12:21.760
of what's going on across my network.

12:22.330 --> 12:24.670
Then we have credentialed versus non-credentialed.

12:24.670 --> 12:27.010
Credentialed means that I log into the system.

12:27.010 --> 12:29.920
I'm able to see the internal workings of that software.

12:29.920 --> 12:32.230
I want you to imagine that you own a web page.

12:32.260 --> 12:37.210
On this web page, you have full administrative rights, and you log into that system and program that

12:37.240 --> 12:39.430
web configuration the way that you want.

12:39.430 --> 12:44.020
Then you have somebody that's not configured for that; they don't have administrator privileges, but

12:44.020 --> 12:47.590
they can still scan the web page because they own part of that server.

12:47.620 --> 12:51.490
This is the difference between a credentialed versus a non-credentialed viewpoint.

12:51.520 --> 12:57.160
Obviously if I log into the system, it gives me access to all the different viewpoints within it.

12:57.160 --> 12:59.890
I can see the different configurations that you modified.

12:59.890 --> 13:05.910
I can even in some cases see the code that you provided in order to provide that web page web access.

13:05.910 --> 13:11.460
With a credentialed scan, I can go through and actually provide a detailed vulnerability scan of everything

13:11.460 --> 13:15.960
that you see on the different web pages, because I have full access to them.

13:15.960 --> 13:20.760
This meets most of our compliance standards with different regulations associated with it.

13:20.790 --> 13:24.870
It's more detailed and it's more accurate. With a non-credentialed scan,

13:24.870 --> 13:27.570
I'm not actually logging in as an admin user.

13:27.570 --> 13:32.640
I can't see all those different perspectives of that web server, but I can still see the web server

13:32.640 --> 13:33.420
as a whole.

13:33.420 --> 13:38.520
This is a non-credentialed scan where I'm able to go from an outsider point of view and go through the

13:38.520 --> 13:40.290
process and scan the website.

13:40.290 --> 13:44.790
It's usually quicker and it's not as detailed, but it's faster as well.

13:44.790 --> 13:48.780
I want you to look at it from a non-credentialed versus a credentialed status, much like we see from

13:48.780 --> 13:54.090
an internal versus external process. They're typically the same, even though credentialed and non-credentialed

13:54.090 --> 13:57.810
scans are usually both performed from inside the network.

13:57.840 --> 14:01.210
It's just one has administrative privileges and one doesn't.

14:01.720 --> 14:06.070
Throughout this episode, we talked about the different vulnerability scans that you can conduct as

14:06.070 --> 14:07.690
a cybersecurity professional.

14:07.690 --> 14:12.640
It's important to understand the different aspects from a CySA perspective, because you may be asked

14:12.640 --> 14:17.800
specific questions as opposed to what is a credentialed scan versus a non-credentialed scan.

14:17.800 --> 14:20.410
But remember, it's all going to be scenario based.

14:20.410 --> 14:25.600
It's going to come at you from a perspective of you want to conduct a scan and have credentials

14:25.600 --> 14:28.630
for the administrative privileges of this web server.

14:28.630 --> 14:31.090
Based on that, what type of scan would you run?

14:31.090 --> 14:35.650
And you might possess credentialed versus non-credentialed, agent versus agentless.

14:35.650 --> 14:40.600
The whole gamut may be available to you, but the key words associated with it are usually the login

14:40.600 --> 14:43.180
information, thereby being a credentialed scan.

14:43.180 --> 14:49.510
However, don't be surprised if CySA tries to trick you by asking a question that says you have credentials,

14:49.510 --> 14:52.870
but you don't want to run it as a logged in user.

14:52.870 --> 14:55.690
In this case, it would actually be a non-credentialed scan.

14:55.720 --> 15:00.850
Be aware that CySA will try to trick you on some of these questions throughout your entire exam.
