Although packet capture can help Max document his penetration test and gather

additional information about remote systems through packet analysis, as well as help troubleshoot connection and other network issues, sniffers aren’t useful for scanning for vulnerabilities on their own.

Rich should not attempt to solve this problem on his own or dictate a specific solution.

Instead, he should work with the business intelligence team to find a way to both meet their

business requirements and accomplish the security goals achieved by scanning.

Blind SQL injection vulnerabilities are difficult to detect and are a notorious source of false positive reports. Javier should verify the results of the tests performed by the developers but should be open to the possibility that this is a false positive report, as that is the most likely scenario.

Although it may be tempting to assign blame based on an IP address, attackers frequently

use compromised systems for attacks. Some may also use cloud services and hosting companies where they can purchase virtual machines or other resources using stolen credit cards. Thus, knowing the IP address from which an attack originated will typically not provide

information about an attacker. In some cases, deeper research can identify where an attack

originated, but even then, knowing the identity of an attacker is rarely certain.

Completely removing the systems involved in the compromise will ensure that they cannot impact the organization’s other production systems. Although attackers may be able to detect this change, it provides the best protection possible for the organization’s systems.

Piper should deploy the patch in a sandbox environment and then thoroughly test it prior to releasing it in production. This reduces the risk that the patch will not work well in her environment. Simply asking the vendor or waiting 60 days may identify some issues, but it

does not sufficiently reduce the risk because the patch will not have been tested in her company’s

environment.

The most likely scenario is that Kent ran the scan from a network that does not have

access to the CRM server. Even if the server requires strong authentication and/or encryption,

this would not prevent ports from appearing as open on the vulnerability scan. The CRM

server runs over the web, as indicated in the scenario. Therefore, it is most likely using ports

80 and/or 443, which are part of the default settings of any vulnerability scanner.