CySA+Sy Test 03

The presence of this vulnerability does indicate a misconfiguration on the targeted server,

but that is not the most significant concern that Ty should have. Rather, he should be alarmed

that the domain security policy does not prevent this configuration and should know that

many other systems on the network may be affected. This vulnerability is not an indicator of

an active compromise and does not rise to the level of a critical flaw.

This vulnerability has a low severity, but that could be dramatically increased if the

management interface is exposed to external networks. If that were the case, it is possible that an attacker on a remote network would be able to eavesdrop on administrative connections and steal user credentials. Out-of-date antivirus definitions and missing security patches may also be severe vulnerabilities, but they do not increase the severity of this specific

vulnerability. The lack of encryption is already known because of the nature of this vulnerability, so confirming that fact would not change the severity assessment.

Both ports 22 and 23 should be of concern to Rowan because they indicate that the network switch is accepting administrative connections from a general-use network. Instead, the switch should accept administrative connections only from a network management VLAN. Of these two results, port 23 should be of the greatest concern because it indicates that the switch is allowing unencrypted telnet connections that may be subject to eavesdropping. The results from ports 80 and 8192 to 8194 are of lesser concern because they are being filtered by a firewall.

All of the scenarios described here could result in failed vulnerability scans and are plausible on this network. However, the fact that the web server logs do not show any denied

requests indicates that the issue is not with the web server application itself. If this were the

case, Evan would see evidence of it in the web server logs.

The shim cache is used by Windows to track scripts and programs that need specialized

compatibility settings. It is stored in the registry at shutdown, which means that a thorough

registry cleanup will remove program references from it. The master file table (MFT), volume

shadow copies, and prefetch files can all contain evidence of deleted applications.

Fuzz testing involves sending invalid or random data to an application to test its ability to handle unexpected data. Fault injection directly inserts faults into error-handling paths, particularly error-handling mechanisms that are rarely used or might otherwise be missed during normal testing. Mutation testing is related to fuzzing and fault injection, but rather than changing the inputs to the program or introducing faults to it, mutation testing makes small modifications to the program itself. Stress testing is a performance test that ensures applications and the systems that support them can stand up to the full production load.

Although TCP ports 21, 23, 80, and 443 are all common ports, 515 and 9100 are commonly associated with printers

NIST identifies four major categories of security event indicators: alerts, logs, publicly

available information, and people both inside and outside the organization. Exploiting

developers may provide some information but is not a primary source of security event

information.

A host that is not running any services or that has a firewall enabled that prevents

responses can be invisible to nmap. Charles cannot determine whether there are hosts on this

network segment and may want to use other means such as ARP queries, DHCP logs, and

other network layer checks to determine whether there are systems on the network.

The business impact assessment (BIA) is an internal document used to identify and

assess risks. It is unlikely to contain customer requirements. Service level agreements (SLAs),

business partner agreements (BPAs), and memorandums of understanding (MOUs) are much more likely to contain this information.