Glen E. Clarke - CompTIA Pentest+ Certification For Dummies
CompTIA PenTest+ Certification For Dummies, 2nd Edition
A8:2017-Insecure Deserialization: Insecure deserialization flaws may result in an attacker being able to perform remote code execution, replay attacks, injection attacks, and privilege escalation attacks.
A9:2017-Using Components with Known Vulnerabilities: Components are libraries of code that an application may use. Your application may be following secure coding best practices, but once you call a third-party library, that component may have been developed in an insecure manner that exposes your application to security flaws.
A10:2017-Insufficient Logging and Monitoring: Lack of logging and monitoring means that an application or system does not have the capabilities to detect and log breaches in security. Adequate logging and monitoring should be configured within an application or system to help determine the extent of a security breach during incident response.
For the PenTest+ exam, know the different categories of vulnerabilities listed in the 2017 Top 10 Web Application Security Risks document.
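As an added illustration of the A8:2017 insecure deserialization flaw described above (this is example code written for this page, not code from the book or from OWASP), the following Python shows two defensive patterns: accepting a data-only format such as JSON and validating the decoded structure against an explicit schema, and, where pickle cannot be avoided, loading it through a restricted Unpickler that refuses every class or function reference so the stream can rebuild plain data but can never reach importable code. The session-ticket schema, the `DataOnlyUnpickler` class and the sample streams are constructed for the example.

```python
"""Safe handling of untrusted serialized data.

Added illustration for A8:2017 Insecure Deserialization; not code from
the book. Two defensive patterns:
1. Prefer a data-only format (JSON) and validate the decoded structure
   against an explicit schema before using it.
2. If pickle is unavoidable, use a restricted Unpickler that refuses to
   resolve any global (class/function) reference, so the stream can
   only rebuild primitive containers and never import or call code.
"""
import io
import json
import pickle

# Constructed record format (hypothetical): a session ticket must carry
# exactly these keys with these value types.
SESSION_SCHEMA = {"user": str, "role": str, "expires": int}
ALLOWED_ROLES = {"viewer", "editor"}


def load_session_json(raw: bytes) -> dict:
    """Decode JSON and enforce the schema; reject anything unexpected."""
    try:
        obj = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        raise ValueError(f"malformed JSON: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != set(SESSION_SCHEMA):
        raise ValueError("unexpected or missing keys")
    for key, typ in SESSION_SCHEMA.items():
        # bool is a subclass of int, so "expires": true would otherwise pass
        if not isinstance(obj[key], typ) or isinstance(obj[key], bool):
            raise ValueError(f"field {key!r} has wrong type")
    if obj["role"] not in ALLOWED_ROLES:
        raise ValueError("role not permitted")
    return obj


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that forbids every global lookup.

    pickle resolves classes and callables through find_class(); refusing
    here means a stream can contain only dict/list/str/int/... and can
    never name importable code.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global reference {module}.{name} is not allowed"
        )


def load_pickle_data_only(raw: bytes):
    """Deserialize a pickle stream that may contain plain data only."""
    return DataOnlyUnpickler(io.BytesIO(raw)).load()


def sample_streams():
    """Constructed inputs for demonstration.

    `plain` holds only data; `with_global` references a global
    (builtins.len). Neither executes anything on its own; the second
    simply shows that any code reference is refused by the restricted
    loader while the standard loader would resolve it.
    """
    plain = pickle.dumps({"user": "alice", "tags": ["a", "b"]})
    with_global = pickle.dumps(len)
    return plain, with_global


def accepts(loader, raw: bytes) -> bool:
    """True if loader(raw) succeeds, False if it rejects the input."""
    try:
        loader(raw)
        return True
    except (ValueError, pickle.UnpicklingError):
        return False


if __name__ == "__main__":
    good = b'{"user": "alice", "role": "viewer", "expires": 1700000000}'
    bad = b'{"user": "alice", "role": "admin", "expires": 1700000000}'
    print("json good:", accepts(load_session_json, good))   # True
    print("json bad role:", accepts(load_session_json, bad)) # False
    plain, with_global = sample_streams()
    print("pickle plain:", accepts(load_pickle_data_only, plain))        # True
    print("pickle global:", accepts(load_pickle_data_only, with_global)) # False
```

The schema check is deliberately strict (exact key set, exact types, role allowlist): deserialization flaws are as much about trusting structure as about code execution, and the restricted unpickler addresses only the latter.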
OWASP Top 10 (2021)
The OWASP Top 10 flaws were updated in 2021. Many of the flaws were relabeled and regrouped, with a few changes to the order of the most common flaws:
A01:2021-Broken Access Control: Broken access control moved up from the fifth most common flaw in 2017 to the most common flaw in 2021.
A02:2021-Cryptographic Failures: Previously known as Sensitive Data Exposure in 2017, this common flaw was renamed Cryptographic Failures and was also moved to the second most common web application flaw in 2021.
A03:2021-Injection: Injection attacks have moved down to the third most common flaw in 2021. This flaw also encompasses the cross-site scripting (XSS) category from 2017.
A04:2021-Insecure Design: Insecure design is a new category in 2021 and covers risk-related design flaws in applications. This new category looks to improve on the use of threat modeling and secure design patterns and principles during the development of the application.
A05:2021-Security Misconfiguration: Security Misconfiguration includes the Security Misconfiguration and XML External Entities (XXE) flaws from the 2017 Top 10 list.
A06:2021-Vulnerable and Outdated Components: This Top 10 category for 2021 is a relabeled version of the Using Components with Known Vulnerabilities flaw in 2017. Note that this flaw has moved up three spots in 2021!
A07:2021-Identification and Authentication Failures: This category was known as Broken Authentication in the 2017 Top 10 listing. Note that it has been renamed and also fell to the seventh position in 2021.
A08:2021-Software and Data Integrity Failures: Another new category for the 2021 Top 10 security flaws list, this flaw pertains to failures when verifying the integrity of components when applying software updates or updates to critical data. Note that Insecure Deserialization from 2017 is included in this category.
A09:2021-Security Logging and Monitoring Failures: Logging and Monitoring has moved up one position in 2021.
A10:2021-Server-Side Request Forgery: A new category for the 2021 Top 10 list is Server-Side Request Forgery. This security flaw enables attackers to invoke requests from a vulnerable web application to another system.
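As an added illustration of the A10:2021 Server-Side Request Forgery category (example code written for this page, not code from the book or from OWASP), the following Python shows the defensive side: before a web application issues a request to a URL it received from a client, it checks the scheme, port and host against an allowlist and then verifies that every address the host resolves to is publicly routable, so the application cannot be steered at loopback, private or link-local systems. The partner host names, the `ALLOWED_HOSTS` allowlist, the `FAKE_DNS` table and the resolver hook are all constructed for the example.

```python
"""Outbound-request target validation as a defence against SSRF.

Added illustration for A10:2021; not code from the book. A naive fetcher
forwards whatever URL the client supplies. validate_target() instead
restricts scheme, port and host to an allowlist and, after resolving the
host, refuses loopback, private, link-local, multicast and other
non-public addresses.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of partner hosts this service is permitted to call.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def resolve_all(host: str) -> list:
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_target(url: str, resolver=resolve_all) -> str:
    """Return `url` if it is safe to fetch; raise ValueError otherwise.

    `resolver` is injectable so the check can be exercised offline with a
    constructed DNS table (see fake_resolver below).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname  # lower-cased; brackets stripped for IPv6 literals
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} not on allowlist")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError(f"port {parts.port} not allowed")
    # An allowlisted name can still resolve to an internal address (DNS
    # rebinding, poisoned zone), so check every resolved address as well.
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url


# Constructed DNS table for offline demonstration. The first entry is a
# globally routable address chosen only for illustration; the second
# simulates an allowlisted name that has been pointed at an internal host.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "cdn.partner.example": ["10.0.0.5"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def is_safe(url: str, resolver=resolve_all) -> bool:
    """Boolean convenience wrapper around validate_target()."""
    try:
        validate_target(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1/items",   # allowed
        "https://cdn.partner.example/asset.js",   # resolves to 10.0.0.5
        "http://api.partner.example/v1/items",    # plain http
        "https://127.0.0.1/",                     # loopback, not allowlisted
        "https://api.partner.example@other.example/",  # userinfo trick
    ):
        print(f"{candidate:48} -> {is_safe(candidate, fake_resolver)}")
```

Resolving and then fetching leaves a window in which the name could be rebound; the resolved-address check is worth pairing with an HTTP client that pins the connection to the address it validated, and with egress filtering at the network layer so the application is not the only control.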
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a federal agency designed to improve science, standards, and technology. Over the years, NIST has created many publications related to information security and recommendations on how to secure different types of systems. In recent years, NIST has created Special Publication (SP) documents that relate to many aspects of security, security controls, penetration testing, and cybersecurity. Following are some key special publications to be aware of:
NIST SP 800-30: This special publication provides guidance related to risk assessment.
NIST SP 800-53: This special publication provides guidance related to security and privacy controls.
NIST SP 800-39: This special publication provides guidance on risk management strategies.
There are a number of other standards and recommendations published by NIST that are designed to help organizations improve security:
NIST Cybersecurity Framework (CSF): The NIST CSF is designed to help organizations create a solid cybersecurity program. The framework is organized into five functions to help identify assets within the business and reduce the risk against those assets. The five functions are identify, protect, detect, respond, and recover.
NIST SP 800-115: In this special publication, NIST makes recommendations on steps to take when performing information security testing and assessments.
OSSTMM, PTES, and ISSAF
The Open-Source Security Testing Methodology Manual (OSSTMM) is a methodology for security testing that is maintained by the Institute for Security and Open Methodologies (ISECOM). You can download the OSSTMM document from www.isecom.org/OSSTMM.3.pdf.
The Penetration Testing Execution Standard (PTES) is a methodology for performing penetration tests. PTES breaks the penetration test down into seven phases: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. You can learn more about PTES and the technical guidelines for performing a pentest at www.pentest-standard.org/index.php/Main_Page.
The Information Systems Security Assessment Framework (ISSAF) is a methodology that provides technical guidance related to performing a penetration test. There are a number of ISSAF technical documents that discuss a wide range of security assessment categories such as wireless LAN security assessment, Windows security assessments, VPN security assessments, and so on. To see a list of these documents check out the following URL:
https://sourceforge.net/projects/isstf/files/issaf%20document/issaf0.1
Be sure to understand the general purpose of each of the security testing methodologies mentioned here. Specifically note MITRE ATT&CK, OWASP Top 10, and PTES.
Reviewing Key Concepts
This chapter highlights a number of concepts and terminology related to penetration testing that you should be familiar with when preparing for the CompTIA PenTest+ certification exam. Following is a quick review of some of the key points to remember from this chapter:
Two reasons to conduct a penetration test are to better secure the company's assets and to comply with regulations governing your organization.
You can have a penetration test performed by internal staff or an external third party. If internal staff is used, be sure those conducting the penetration test are not members of the team responsible for managing or configuring the systems being tested.
You should perform a penetration test annually and be sure to test external and internal assets.
You can follow several different strategies when performing a penetration test. You can do an unknown-environment test (black box test), for which the pentester is given no information about the target environment. You can do a known-environment test (white box test), for which the pentester is given all of the information about the environment being tested. Or you can do a partially known-environment test (gray box test), for which limited information is given to the pentester to ensure the test is focused and timely.