Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast.
Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
Alright, let's get started.
Let's go.
Speaker 2 (00:24):
All right, let's get started.
Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you guys are all having a beautiful day today.
Today is a wonderful day.
We're going to be getting to talk about some awesome aspects related to vulnerability assessments.
So, if you're aware of the CISSP Cyber Training and how this works, we have a podcast that occurs on Mondays and we
(00:45):
have a podcast that occurs on Thursdays.
Mondays is designed specifically to go over a topic and then Thursdays is to cover the questions as it relates to the CISSP.
And so today we're going to be talking about vulnerability assessments, and this is off domain 6.2.1.
We're going to get into the vulnerability assessments, kind of just an overall about them.
(01:06):
Then we're going to get into CVEs, CVSS scores.
We're going to get into the overall metrics around those.
Then we're going to get into CCE, CPE and the Extensible Configuration Checklist Description Format, or XCCDF.
We'll get into that a little bit.
And then the last thing is we're going to get into OVAL.
We're going to kind of talk about how the CVEs work and then
(01:29):
also a little bit about the TCP handshake and scanning as it relates to a vulnerability assessment.
So the ultimate goal is we're going to get into these different aspects related to what you might do within a vulnerability assessment and some of the key terms that you may be connected to doing those, as well as understanding, for the CISSP, what you need to know in relation to those
(01:50):
acronyms and many other aspects around vulnerability assessments, because, you know, some of you may or may not have done those, and if you haven't done those, a lot of times these terms seem very unique and very different.
So we want to cover all of that to just kind of set a baseline for everybody.
Okay, so let us get into the.
(02:11):
Okay, but before we do, we're going to go over just a couple.
I saw a couple articles today that I thought were interesting, that you guys may or may not be interested in.
I was kind of interested in them, so I thought, well, let's just talk about them a little bit.
So the first one that I saw that kind of stuck out, and this is something we've been talking on CISSP Cyber Training, is the aspect around these ransomware attacks that are hitting municipalities.
So there was an article about a Missouri county that's in the
(02:34):
United States.
It's a state called Missouri, and a Missouri county declares a state of emergency amid a ransomware attack.
Now, the main thing around this, and this is actually part of, since I did Kansas City because I'm in Kansas, one of the big things that came out of this was that they were getting ready to hold
(02:55):
a special election for adding in a major league baseball field and making changes to this field.
Well, the ransomware attack hit basically at about that same time and caused a massive effect within that county.
Now this county is part of Jackson County, Missouri, where there's approximately about 650 million, or 650 million, wow,
(03:15):
that'd be a big city.
No, it's about 650,000 people.
So my friends in China are going, oh, that's not even a village, but there's about 650,000 people in the Jackson County area as well.
Now the Jackson County executive that basically is in charge of that overall county itself issued what they call an executive order declaring a state of emergency because of
(03:37):
this ransomware attack, and it's now in a position where the amount of money that's being requested is substantial, to the point where they don't know if they have enough money within the money that they set aside to deal with this situation.
So the bottom line is there's right now, from a standpoint of different municipalities being attacked,
(03:57):
this one here.
There's about 28 county, municipal and tribal governments in the United States that have been hit since the first of the year.
Last year, there were about 95.
And then, according to Ars Technica, there's about 106 in 2022.
The point I'm trying to make with all of this is that, one, like we said before, you all are security professionals or IT professionals, and you're listening to this podcast
(04:19):
because you like cybersecurity.
Whether you are one at this point, you're trying to learn, or you are one right now, one of the things you want to do is, I'd highly recommend reaching out to your municipal governments.
I have done that.
I will also just be very transparent.
It has been with some limited success, in that people go, yeah, yeah, yeah, let's talk about it, but
(04:42):
then nobody ever wants to talk about it, and then, plus, most of the time, they have other technical challenges just because they don't have the right people in place to help fix some of these problems.
So it really comes down to you as being part of the ones that are going to have to help this process, and I challenge you all to that because, when it really boils down to it, you all are some of the front lines of these types of offenses
(05:06):
that are occurring, and people are going to rely upon you to help them in this situation.
Okay, so this next article is about how good is AI-assisted code generation?
Now, I ran into this when I first began teaching at, well, actually, at the end of my tenure at Wichita State University, and I was teaching cybersecurity, risk and cybersecurity, IoT slash
(05:29):
automobile security and so on and so forth.
One of the things that came out of that was learning how to use AWS, and then, you heard, learning how to use scripting.
From a Python standpoint, I created a Python script for a product we were using, and when we were using this Python script, when I originally started, I'm not a developer, right, I've had
(05:49):
developers work for me, but I've never really had to do much of it.
I understood how it worked, but I didn't know how to do it, bottom line.
So what ended up happening is I created a script and it took me about three weeks of poking and prodding when we first started to create this script.
Well, my students started up and they go, well, okay, can we use AI?
This is when AI was released shortly thereafter, and so I
(06:11):
made a comment to them.
I said, well, heck yeah, give it a try, see what happens.
Well, they made the script.
That took me three weeks and, again, I'm a noob, so I didn't know what I was doing.
They were able to create that script in like milliseconds and it was way better than the script that I created.
So I tried it myself and, sure enough, I was able to do it just by telling it what I wanted it to do, and that was through using the large language models, or LLMs, and I think it's
(06:34):
really cool that this is available for people, especially developers, that are out there wanting to use this.
Now, the one thing that people worry about is, is this going to take away from what they do for a living?
And for some people it may, but where it is going to be a situation where it's going to be very helpful, in my small opinion, is the fact that if you are a professional developer
(06:56):
that wants to expand and look at different ways to create better content and better code, you would use AI to help you with the basics and then you can help build upon that.
It does help reduce dramatically the amount of code generation you have to do over and over again.
So the bottom line is that they had said, by '27, 70% of
(07:18):
professional developers will be using some level of AI code generation, just because it's going to be a useful factor, and I've seen it myself before I quit my job working at the Koch Industries company.
One of the things that I saw was our developers were using it and they were able to save at least 50% of their time by
(07:43):
using AI code generation through GitHub's products.
They were able to dramatically reduce the amount of code that they had to generate.
I also know that Microsoft's Copilot is useful in that.
I love Copilot, by the way.
It's a really great product and I think that as time goes on and these get better, more and more code development is going to occur.
Now the question that's going to have to happen is, you, as
(08:05):
cybersecurity professionals, whether you're in the development space or not, are going to need to be involved to help them ensure that they are creating good content and good, secure code.
Many of them will rely on the code that's created by the product and they're going to walk away and they're not going to potentially do the same level of testing that they would with code that they generated, so I see that as a possible challenge
(08:27):
you all are going to have to work through.
One of the points they brought up in here, you know, obviously, some of the big places you can get this code generation done is Amazon CodeWhisperer, Microsoft 365 Copilot, Divi AI, I've seen that, Codium, and then Google Bard.
There's many, many more, but those are just a couple of the few ones that are out there.
They had mentioned that AWS, they're using CodeWhisperer,
(08:51):
able to get their tasks done about 28% faster.
I've seen the statistics anywhere from 30% to as much as a 50% increase in capability in the amount of time that you need.
It definitely works well when you're dealing with IoT core, when you're dealing with the overall aspect.
Again, it's just to try to bring up the fact that if you
(09:12):
are interested in AI development code, I think it's a great place for you to be as a security professional.
I also think that just because they have the code development doesn't mean they're not going to need security professionals.
If anything, you're going to have to be even more engaged and I highly recommend that you kind of put that good foot forward to try to be part of that discussion, especially if
(09:33):
your company is going to be putting that in place.
So again, great article.
Again, it's on Computer World.
It's about how good is AI-assisted code generation, and you can check it out.
I think that's again another good article for you to look at if you're looking to get into this space and, if anything, it allows you.
I highly recommend, if you're a security professional, you read articles like this.
It makes you a much better person, for one.
(09:56):
Two, it also helps you understand the different technical challenges that are out there and available and then, as when people come to you with these ideas, you are already schooled and already understand at least the conversational aspects around the topics, versus not having any idea at all to deal with them.
Okay, so let's get started in today's podcast.
(10:17):
So we're going to talk about vulnerability assessments and just some of the key components around the CVEs and the different pieces below into the overall vulnerability assessments, and then we're going to get into some network scanning pieces of this.
So we're going to focus on domain 6.2.1 as it relates to the CISSP manual, and this would be the one that's provided by ISC squared, its official study manual, and that's kind of lined
(10:40):
up to what 6.2.1 is.
And the overall goal, like we've mentioned before, is to go over each of these different domains and subsections of them within the podcast so that you have something to use for when you're studying for the test.
So if you're looking to study the book, you read the book, you go through the CISSP Cyber Training podcast.
You go through my blueprint, you go through various aspects
(11:01):
of this.
The goal is to help you pass the CISSP the first time.
That's the ultimate goal.
So vulnerability assessments, what they basically are is they're a review of security weaknesses on the various information systems that are within an organization, and they can be done in many different ways.
I actually was doing an assessment on some startups that are doing this from an automated point of view, and so
(11:24):
they can do various pieces of this.
This can be done either from an individual going in and doing this, using a computer and doing the scan, or, in some cases, like I mentioned, potentially someone doing this in an automated form.
They're crucial.
They really are an important part as far as preventing breaches and identifying and addressing vulnerabilities before they get exploited.
(11:44):
And it's an important factor because if you don't do these vulnerability assessments, you really don't know what problems you have.
And as you deal with computer systems, you all know they're very complex and they have a lot of moving pieces and parts with them and, as such, anything can be out of date, right.
So, like in the case of my computer, it pinged me last night saying, hey, you need to do an update, we'll do it tonight
(12:06):
while you're sleeping.
If these things are not updated and patched.
And that includes both the operating system, it includes the applications themselves, it also includes the firmware, the hardware, so there's all kinds of aspects in here that need to be updated to ensure that there's not a vulnerability within these systems.
When they first came out, they were very small, they were very basic, they were simple and you didn't need as much hands-on
(12:31):
work with them as you do today, and so a vulnerability assessment is an important process.
Now there's typically various stages of a vulnerability assessment, which includes planning, scanning, analysis, remediation.
Those are the various stages which we do go through in the podcast.
We've been through multiple of those.
You also can go to CISSP Cyber Training and you can check out
(12:51):
some of the other content that I have there for free.
And then, if you sign up as well with one of my different packages, you can get out some more aspects around vulnerability scanning, to include some of the more intricate details around the scans.
Now there's an iterative nature of this process which requires an ongoing reassessment, again, to maintain that security posture.
(13:12):
Now, if the automated piece of this is great, there's also various tools out there within companies, and you could buy these almost any time, to be able to do these types of scans for you.
They may actually do this from an automated standpoint internally; you also can get them from external entities that'll do that for you as well.
(13:33):
So the bottom line is vulnerability scanning, or vulnerability assessments, are an important part of your overall plan to secure your organization, and they should constantly be used when you're dealing with your company.
And so, as you go forward, you're going, okay.
Well, how do they work?
Well, we're going to get into what are some of the key concepts around them and the key terms that you may see.
(13:56):
So the first one is what we call a common vulnerability and exposures, or CVE, and you may see this term used around a lot.
Now, if you've been in sort of IT for a while, you understand what a CVE is, but if you're just getting started, you may not quite understand.
Or if you've really been in for a while and you never dealt with security, you may not really even know what a CVE is, but it's a
(14:18):
registry that provides a unique identifier for each publicly known cybersecurity vulnerability, and this is defined by what it can do.
So they'll see an issue, they'll have a problem that'll be brought to their attention.
Then the governing bodies will then turn around, and this is done by CISA.
They'll say, okay, hey, we're going to go and create a CVE based on this vulnerability that we have found, and it's a way
(14:42):
that they'll help standardize the information around the vulnerabilities that are shared and understood across various platforms and systems.
So, as an example, if you have a system that is doing scanning through your environment and it knows that in this potential vulnerability it is supposed to look for X, whatever X is, well, it's also that that vulnerability is tied to a CVE.
(15:05):
So when it scans their system and it says, oh, I found this vulnerability, it will then tell you, hey, I found the vulnerability and it's tied to this CVE.
Now, the purpose behind this in many cases is for you, as a security professional, to dig deeper and realize, okay, is this CVE, is this vulnerability, something that I
(15:26):
should be worried about?
Now, if you're in a large company, it doesn't really matter, even a small company.
You need to look at all of these CVEs that come in and determine whether or not it's appropriate for you to actually do something to it, because in some cases, these vulnerabilities will come in and you'll say, okay, well, for me to do this, I'm going to have to shut down this manufacturing unit, and I'm just using manufacturing as an example.
(15:48):
I have certain windows in which I can shut down this manufacturing unit to make this change; well, you may have to live with that risk for a period of time without having to do it.
Or if you work potentially in another type of business where you have the ability to make changes but they can only be done on the weekends, because during the week you have production.
You can't mess with it unless it's an absolute critical issue.
(16:10):
So then you could actually take it down over the weekend and make those changes and those fixes.
So it depends upon the company and what the company will allow you to do.
But you need to look at all of those because, again, from a risk-based decision, you need to decide, is it important for me to make this change or is it not important for me to make this change?
Another common term you'll see is a CVSS, or the Common
(16:34):
Vulnerability Scoring System.
Now, the CVSS, it's a free and open industry standard for assessing the severity of these vulnerabilities.
So we talk about the vulnerability, there's an issue?
Well, the CVSS will tell you how bad is the potential issue, and the score will provide you a way to capture the characteristics of the vulnerability and produce a numerical score, or numbered score, reflecting the
(16:58):
severity.
So now you'll see, in situations where the CVE will come up, the CVSS is there as well, and if the CVSS is ranked from a 1 to a 10, and it may be a 9.5, might be a 9.2, could be a 2.3, you will see the severity of these systems and you'll go, well, should I fix it, should I not fix it?
(17:19):
Now, as you're looking through all of the different things that are coming in as it relates to the vulnerabilities within your organization, if you see something that is maybe a four or five and you're like, I'm not going to worry about it, you may want to consider the fact that if it's easy to fix, you may want to do it, and the reason I say that is because the four or the five could lead somebody to a much more critical type of
(17:42):
environment that you may not be aware of.
So, as a hacker by trade in the past, if I found something that would be a vulnerability that was relatively benign but it led me to a more critical vulnerability, I would take that path because, again, we're all lazy, and so if I can find a way that makes my life easier, I will do that.
(18:03):
So what I'm saying is that if you find a vulnerability that might be lower, you need to also evaluate those and consider the fact that maybe you should update those, especially if they're a simple fix.
Update those and get those out of the way, because the more vulnerabilities you have in your environment, it could also go from a 5 to a 10 because of something.
We don't know what that could be, but it potentially could do
(18:25):
that, and if it does that, you want to make sure that you are properly prepared and you've updated those systems appropriately.
Now, as you're dealing with the different components of a CVSS, again, it's broken into three different metrics.
There's a base, a temporal, a temporal.
Temporal. See, I can't speak.
I got my third grade education, it's just coming out, it's coming out like gangbusters.
(18:47):
And then you have environmental metrics.
So your base metrics, these represent the intrinsic qualities of the vulnerability that are constant over time and across various user environments.
The base score is determined by analyzing the exploitability and the impact.
That's a key factor of the vulnerability, considering again how complex it is, all of those pieces that roll into
(19:11):
confidentiality, integrity and availability.
So they're going to come into complexity, need of the user interaction, how the scope is going to be set up, and then also various other aspects related to, can it be exploited.
So the temporal metrics, these reflect the characteristics of a vulnerability that may change over time but not across user
(19:31):
environments.
The temporal metrics will include the current exploit code maturity, basically, how easy is it for the code to be exploited against the vulnerability?
The remediation level, are there available fixes for it?
And then the report confidence.
Obviously, do they feel confident in the overall report itself?
Is it something that is something positive, right?
(19:51):
Do they understand that it's actually an issue or not?
Those are the different metrics that will roll into the temporal aspects.
Then the environmental metrics, these capture the characteristics of the vulnerability that are unique to that particular user's environment.
So it could be where this system, it can only happen in an environment that has SAP or a like type of vulnerability
(20:15):
system running in their environment.
So that would change the CVSS score.
But if it was substantially across all different types of companies, then that environmental metric would actually go up.
So it allows you to understand adjustments of the base and the temporal scores to help you understand the security posture there.
And again, they want to understand the potential loss if
(20:38):
it was a successful exploit.
So those overall pieces are key factors when you're looking at the CVSS score.
And how does it create it?
Because I would say the CVE is important, but one of the more important ones that I look at is the overall CVSS score.
Now, another term you may hear is the CCE, or Common
(20:59):
Configuration Enumeration.
Now, I haven't heard a lot about this, but you may see it and it may be a part of a question that you have on the CISSP.
The CCE is a list of system security configuration issues that can potentially lead to vulnerabilities, and this CCE provides a really unique identifier for these configuration issues to help you fix them and accurately
(21:21):
correlate them in a much faster manner.
Honestly, I haven't seen much of this.
I think I've seen this tangentially in a couple spots, but it may be something that you're connected to with the exam, so I just wanted to kind of throw it in there for you.
Common Platform Enumeration, this is something I have seen, and this is where it's a naming schema that's been created and it's for IT type systems, software and packages, and it's a
(21:44):
way they can identify the classes of applications, operating systems and the hardware that's associated with them.
Now, if you can see my screen, which, again, is going to be available at CISSP Cyber Training, you can watch the video there.
It'll be up to you there.
It'll also be at YouTube.
You'll be able to check it out there.
It might be a few weeks, probably about a month, before this one actually hits it, but the ultimate goal is, if you go
(22:06):
to CISSP Cyber Training, you'll actually see all these videos.
All of my podcasts are in the video formats, are all there specifically waiting for you to come view, so you can go to CISSP Cyber Training and check those out.
But the example is that with a CPE for, let's say, a Microsoft Windows 10 environment, you can see that it would be kind of an
(22:26):
abbreviated format.
That's there and it basically goes out that this is Microsoft, it's a Windows, it's a Windows 10, and then the version, which would be 1903.
Now, as you all know, the versions of these various operating systems are available and with those operating systems, as they get updates and patches, they get a number, a numerical number, associated with them.
This identifies which operating system it is and also the
(22:51):
version in which it's being updated.
So these CPEs are important.
Just because the CPE is important, because it can help you understand, is this risk against Windows 95 systems?
Well, no, it wouldn't be, because it would be tied to this Windows 10 system, so you wouldn't have to worry about it.
You have other things to worry about if you're using Windows 95, but that being set aside, that's how CPE is set up.
(23:15):
Another one is Extensible Configuration Checklist Description Format.
I don't know if somebody was smoking some marijuana when they wrote that, because it's like really painful, or they're a geek, IT geek, that just said, hey, let's just get a really long word and then make an abbreviation for it, or a really long set of words, not one word, but a set of words, and make an abbreviation.
So XCCDF is a specific language for writing security checklists
(23:37):
, benchmarks and related documents.
It does allow for the creation and maintenance and dissemination of security information.
That's consistent with a machine-readable format.
Again, that's the key factor.
It's machine-readable.
It allows it to be basically ingested and used in that format.
I've never dealt with it myself personally, but Salt was on the
(23:59):
CISSP book was recommending it and so therefore I thought, well, we better put it out there, because I was not really connected with it prior to actually this podcast.
I'd heard of, I shouldn't say I've heard of, something like it, but it's new.
So it's not new, but it's probably been out there for a while.
It's new to me.
But it's XCCDF, which is Extensible Configuration
(24:20):
Checklist Description Format.
They talk about checklists under FISMA that you may use and then also it basically helps you upload something to demonstrate you've made compliance with, specifically, security requirements.
So if you're in the government space, maybe you have dealt with these types of XCCDF formats, but again, it's machine readable.
(24:41):
That's the key factor on that piece.
Next one is Open Vulnerability Assessment Language, or otherwise known as OVAL, and it's an, OVAL is a community standard to promote open and publicly available security content and the standard way for transferring information across the entire spectrum of security tools and services.
It's obviously written in XML, which I understand XML better
(25:02):
than XCCDF formats?
Yeah, I don't know that, and it's using various tools to automate the vulnerability assessment process.
Overall.
It's part of a broader set of standards that help in automating the overall vulnerability management lifecycle and it's an important factor when you're dealing with creating security policies.
So, again, OVAL, it's a community standard to promote
(25:23):
open and publicly available security content.
I've seen it.
I haven't really done much with it, but it's something else that you may get exposed to on the CISSP exam.
So one thing I want to bring up is we talked about CVEs and we talked about whether they're brought up.
How does all that work?
So I want to kind of break down how are the CVEs determined?
(25:44):
Because you need to kind of understand that whole concept.
And when you're dealing with CVEs, there's the discovery, right.
We talked about how it's either discovered by an individual or researcher or a company, or potentially even an automated system that will find the CVE.
Now, companies, obviously, Microsoft and so forth, they're constantly looking for updates, but you also have individuals that could be a researcher that's looking at a potential
(26:06):
risk.
You could have someone that just stumbles across it.
They are then discovered.
Now you'll also have it where the reasonable disclosure piece of this is that a researcher will see this problem, say, hypothetically, they will then go to Microsoft and say, hey, we're not going to release this to the public, but you need to get it fixed.
But you have a period of time to get it fixed and they'll work
(26:26):
with the company, Microsoft is an example in this situation, to come up with a fix for that product.
And that's what they call the reasonable disclosure piece of this.
Now, sometimes the software companies don't get it fixed in time and so I've seen researchers go, well, hey, you know what, we gave it to you, you did nothing with it, we're releasing it to the public.
And then it forces their hand to get it done.
(26:47):
So that's something that you may hear about or read about, that you'll see happen and go wonder why they did that.
So reporting, reporting, how this is all set up from a reporting standpoint is that once a discovery is made, then at that point in time a CVE Numbering Authority is going to assign a CVE ID.
Now, this organization is authorized to do that.
(27:11):
Now, for an example we'll give you, Microsoft is a CNA and they can assign CVEs specifically for vulnerabilities found in products.
Other companies may not have a CNA and so they would force that up, potentially with CISA, to help them in this overall process.
But then they would say, hey, this is the problem, we're going to give it a CVE number and then they will put that out to
(27:31):
the community.
The CNA will analyze the report, confirm its vulnerability.
They will then assess the impact and the affected components and whether it's a new issue or the issue is related to an existing CVE.
Once it's confirmed, then the CNA will create a unique CVE ID.
I know there's acronyms everywhere, sorry, but basically
(27:52):
the CNA will create a new CVE.
If you say, hey, it's not new, it is new, it's not a used one, they will then create this new number, and this new number would be, in this case, CVE 2021, 345678910, whatever that number is, or 2020, in this case it would be CVE-2024-blankety, blankety, blankety, blank.
(28:13):
So they give it a number and they put it to a date.
Once it's done, then they will then put it in a national vulnerability database, which is also called NVD, a National Vulnerability Database, or November Victor Delta, and this includes a description of the vulnerability, parties that are affected, and then any sort of references and advisories that go along with it.
The common scoring, obviously the CVSS, which we talked about
(28:36):
earlier, will be then also applied to it to understand the overall exposure that you may be dealing with.
So, again, the overall CVE and CVSS process are an important factor, and the National Vulnerability Database does house all this information, and I highly recommend that you become aware of this location, if you haven't been already, because it's a great place to go check out CVEs and if they will
(28:58):
potentially affect you.
Okay, so, real quickly, we're going to go over the TCP handshake and some key things you need to be aware of.
And why am I doing that?
Well, the main reason is that, as we get into this next part of network scanning, there are some various scans that are going to take place and you're going to need to be aware of the overall TCP process.
Now I know many of you already are.
You've probably been studying for your CISSP, you got it, so
(29:19):
I'm just real quickly going to go through these.
But if you go to CISSP Cyber Training, you can actually see the content as well.
I'm in the process of uploading some of the documents in there as well.
I haven't got to all of that yet, but, as you'll see the documents for each of the podcasts, you can actually look at the content there as well.
So the TCP handshake is set up to help go through this overall
(29:42):
process.
Right, so we talk about the TCP and that's the TCP/IP is your overall connection that you have with another server, another computer, whatever that might be, that initiates this connection.
Well, it's broken down into some various pieces and we're going to go over those very quickly.
You have SYN, which basically initiates the content
(30:03):
using a SYN packet.
It'll send a picture, a SYN packet, to a server.
It begins the conversation and this includes various sequence numbers and so on and so forth, but the bottom line is it's to start the conversation.
Then you have a SYN-ACK.
Okay, that's ACK, and this is what happens when the server is willing to establish the connection with you.
So you go hi, I'm here.
(30:24):
The server goes okay, yeah, I'll talk to you.
And it sends you back a SYN-ACK and that has its own sequence number to basically be able to track the conversation of the communication connection.
Then the client will send back with an ACK.
Oh, yeah, okay, so cool, you want to talk to me.
So now I'm going to go.
Okay, I'm going to talk to you too.
And it sends back a SYN-ACK, this ACK packet, and this has again
(30:50):
another sequence number, again more information's in there, but it basically completes what they call the three-way handshake establishing the overall connection.
So that is the basics of a TCP/IP connection.
Now there are other, I can't remember the name, they call them triggers, but there's like flags.
I'm missing it.
I think there's a different term for it and I'm just having a total brain fart right now.
But there's other parts to the TCP handshake.
(31:13):
You have reset, you have FIN, you have FIN-ACK.
So those are some other ones.
Now there's a couple in there that's like urgent, there's push.
But the next ones that you'll deal with the overall TCP connection is reset, FIN and FIN-ACK, and the same process by which you did the three-way handshake that began the connection.
You're going to do something very similar when you're tearing it down and you send the reset, the reset at any point.
(31:34):
This reset will receive a packet.
It's unexpected or out of the current state.
It may respond with a reset packet and it basically terminates the connection or attempts to terminate the connection that's in place, saying hey, there's a problem and so we need to fix it.
The FIN is when the device wants the end establishment to end the connection completely.
It'll send the FIN packet and the receiving device will
(31:57):
respond with an ACK and send its own FIN packet and then, once that is done, they'll respond with a FIN-ACK, basically gracefully terminating the connection between the two.
So the ultimate point of this is that you have this breakdown again, like we talked about SYN, SYN-ACK and ACK.
You're going to have your FIN and your FIN-ACK are going to be when you want to shut down the process altogether, and that's
(32:19):
an important factor.
So all of those are terms you need to be aware of as you're dealing with network scanning, because when you're dealing with a network scan, there are various pieces that come into play.
So I'm going to go over a couple of very quick network scans that you may deal with.
One is a SYN scan.
Now, a SYN scan is known as a half-open scan and it's basically a network probing type technique.
(32:41):
Now I will tell you that if bad guys are doing SYN scans they can come with, depending on how broad they do it.
They can be under the wire with a SYN scan, but if they are going in there with like blasting the network, then these will trigger a lot of alarms.
A SYN scan will.
But they're looking for if the target's going to respond.
(33:02):
You know they're doing this TCP handshake.
They're looking for someone who's going to respond with a SYN-ACK and it basically means that the port is listening or it's open.
So it's like you send out a SYN going hey, is anybody there?
And it sends back oh, hey, I'm here, come talk to me.
Then at that point in time the scanner will send a reset to basically close the connection before the handshake is overall completed.
(33:22):
But they're enumerating, trying to determine what is out there and what potentially could they go after.
Now, this method is a stealthy method, but it doesn't because it doesn't establish a full TCP connection.
And again, if you're doing a very narrow band with a very small target subset, it can go unnoticed right, because there's always there's SYN communications that are going on
(33:42):
everywhere.
But the problem is if it goes to be too large it would be.
It gets into the position like a SYN flood where you're just filling it up with SYN communications on the wire.
Then obviously you'd be discovered very quickly.
But it's one of those pieces where your network scanning tool.
If you're using SYN for enumeration, you want to keep it in very small subnets, very small areas, because you
(34:05):
wouldn't want to broadcast it to a lot of different people, and hence that's part of the SYN scan.
Now your TCP connect scanning.
This works as a more straightforward method where a full TCP connection is established and attempts to do this three-way handshake by sending the various SYN and SYN-ACK packets and obviously ending that with an ACK.
If it is established the port is open, then hey, they're great.
(34:31):
They then, at that point in time, can potentially scan the system with that connection.
Now, depending upon what is on that device, for some level of security systems a TCP connection to it from an unknown IP address could cause an alarm.
So the full TCP connection, depending upon your environment, may or may not be the best option, depending upon if you're
(34:53):
internal or if you're external and so forth.
So those are just various aspects, but that is the TCP connect scanning.
Then there's the TCP ACK scanning.
Now this is used to map out firewall rules regarding filtered and unfiltered states.
Now the scanner will send out an ACK packet to a target port and it looks for the response.
If the port is unfiltered, it will receive a reset response.
(35:16):
If it is filtered, there will be no response.
So basically, if it's open, it'll send a reset to you.
Now, this is not used to find open ports, but rather to understand the rules that are associated with these ports, and it can help the type also determine what type of firewall you're dealing with.
And one of the aspects you run into is, if you're trying to work your way through a firewall, you would want to.
One of the key aspects is knowing who, what are the types
(35:38):
of equipment that you're going against.
You want to be able to fingerprint the different devices, both from a hardware standpoint and from a software standpoint, because then it can help you understand what kind of vulnerabilities may be associated with that potential system.
So that's TCP ACK scanning.
UDP scanning is used to identify open UDP ports and since UDP is
(35:59):
connectionless, this scan sends out UDP packets to the target port.
Now if it does that, if an ICMP port is reached, an unreachable error is returned.
Okay, so basically, your ping right, your ping is your ICMP.
If it's returned, then that port is closed.
If there's no response, the port is presumed open or
(36:19):
potentially filtered.
And again, UDP scanning I've never done it much myself, honestly, and because, mainly, it's not very reliable from what I understand, and so it's something to consider and plus, it creates a lot of noise.
So, okay, Xmas or Christmas scanning, the Christmas scanning is named for as it would light up the various packet flag, as
(36:41):
it sends a FIN, a push and an urgent flags and it basically causes it to come light up like a Christmas tree.
It sends a TCP packet with these flags to the target port, so the flags are set already on the TCP packet.
If a reset is sent, is received, then the port is considered closed.
If there's no response, the port is considered open, and
(37:02):
they're used to infer a state basically of how the port is, whether it's a lack of response or how the port is open or not open.
Like SYN scans, they're less likely to be logged but can easily be detected by modern IDS type systems.
That is what they call a Christmas scan.
So that's all I have for you today and again, the bottom line
(37:23):
here is that we are here at CISSP Cyber Training and want to provide you with the tools you need to be successful to pass the CISSP the first time, and so I recommend, highly recommend if you are interested in passing the CISSP or taking the test you want to be able to go to CISSP Cyber Training.
Go to the website.
Look at all my free content that I have out there available for you.
There's various things out there that you can use.
(37:44):
You don't have to buy my product, that's fine, don't mind.
I mean, obviously I'd like you to, but if you don't, that's good, that's no problem.
You can get a lot of the free stuff that's there.
It will help you walk you through what you need to know.
If you do your own self-study with the book, it will walk you
(38:09):
through those steps as well.
If you are signed up for my email, you'll be able to get 360 free CISSP questions available to you.
That's just by signing up for my email list.
You'll get that, and that is a great first step in helping you get ready for the CISSP exam.
If you're interested in taking a little bit step further, you can get one of my package deals and it will give you all of this information available to you.
Uh, depending on which package you purchase, to include my blueprint, which walks you through step-by-step, the one problem I had with the CISSP, I didn't know how to study for
(38:32):
this test.
I just didn't, and so I struggled and I failed the first time.
So I'd highly recommend that you go and you look at it, consider the blueprint, consider one of the packages, and then what you can do is go through step by step.
As long as you're methodical with your plan and you follow the blueprint, you will pass the CISSP.
The part where this falls down is that when you get busy with life and you decide you don't really want to study it
(38:55):
because it's too hard, then you may not pass the CISSP, just to be honest.
All right, so we're just letting you know.
Have a wonderful day.