Security assessors are traditionally trained to focus only on critical- and high-severity findings. Limiting your attention to those findings can leave your customer exposed to attack, effectively negating the value of your security assessment. Jerod introduces the concept of vulnerability chaining, with a real-world example in which security researchers combined several lower-severity vulnerabilities into an exploit capable of compromising thousands of network devices around the world.
- [Instructor] In your analysis, make sure that you don't automatically dismiss lower-severity vulnerabilities. We've seen multiple instances where security researchers were able to chain lower-severity vulnerabilities together in order to compromise a target. One such example was an attack against D-Link routers. In October 2018, security researchers chained together three lower-severity vulnerabilities in a coordinated attack against vulnerable devices: directory traversal (CVE-2018-10822), administrative password stored in plaintext (CVE-2018-10824), and arbitrary code execution (CVE-2018-10823).

By exploiting the first vulnerability, the researchers were able to browse to sensitive directories on the devices. The admin password was stored in plaintext in a file in one of these directories. Once the researchers logged into the device using the admin credentials, they were able to find and exploit a remote code execution vulnerability that was only visible to authenticated users. Any one of these vulnerabilities…
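The chain the instructor describes is easy to miss when findings are scored one at a time. The following is an added example, not code from the course or from the D-Link advisories: it models each finding by the attacker capabilities it requires and grants, then searches for paths from plain network access to code execution. The finding titles, severities and capability names are constructed to mirror the shape of the chain above (traversal, plaintext admin password, authenticated code execution) and make no claim about the specifics of those CVEs.

```python
"""Attack-path search over assessment findings.

Added example, not code from the course or from the D-Link advisories.
Each finding declares which attacker capabilities it requires and which it
grants; a breadth-first search over capability sets then shows how
findings that are individually rated low or medium chain from plain
network access to code execution. Finding titles, severities and
capability names are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    severity: str          # standalone rating the assessor would give it
    requires: frozenset    # capabilities the attacker must already hold
    grants: frozenset      # capabilities gained by exploiting it


# Constructed findings loosely shaped like the three-step chain in the
# transcript (traversal -> plaintext admin password -> authenticated RCE),
# plus one unrelated informational finding to show that the search does
# not drag irrelevant issues into the chain.
FINDINGS = [
    Finding("F-1", "Directory traversal in web UI", "medium",
            frozenset({"network_access"}), frozenset({"read_any_file"})),
    Finding("F-2", "Admin password stored in plaintext config", "low",
            frozenset({"read_any_file"}), frozenset({"admin_credentials"})),
    Finding("F-3", "Command injection in authenticated admin page", "medium",
            frozenset({"network_access", "admin_credentials"}),
            frozenset({"code_execution"})),
    Finding("F-4", "Verbose server version banner", "info",
            frozenset({"network_access"}), frozenset({"version_info"})),
]


def find_chains(findings, start, goal):
    """Return every chain of finding ids that takes an attacker from the
    `start` capabilities to holding `goal`. Each distinct capability set is
    expanded once, so the result holds one path per reachable state."""
    start = frozenset(start)
    queue = deque([(start, ())])
    seen = {start}
    chains = []
    while queue:
        caps, path = queue.popleft()
        if goal in caps:
            chains.append(path)
            continue
        for f in findings:
            # usable only if every precondition is already held and the
            # finding actually adds a capability the attacker lacks
            if not f.requires <= caps or f.grants <= caps:
                continue
            new_caps = caps | f.grants
            if new_caps not in seen:
                seen.add(new_caps)
                queue.append((new_caps, path + (f.id,)))
    return chains


def minimal_chains(chains):
    """Drop any chain that strictly contains another chain's findings."""
    return [c for c in chains
            if not any(set(o) < set(c) for o in chains)]


def chain_severity(chain, findings):
    """Highest standalone severity among the chain's findings, i.e. the
    worst item a finding-by-finding report would show for this path."""
    by_id = {f.id: f for f in findings}
    return max((by_id[i].severity for i in chain),
               key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    chains = find_chains(FINDINGS, {"network_access"}, "code_execution")
    for chain in minimal_chains(chains):
        print(" -> ".join(chain),
              f"(worst standalone rating: {chain_severity(chain, FINDINGS)},"
              " outcome: code_execution)")
```

Run stand-alone, the script reports a single minimal path, F-1 -> F-2 -> F-3, whose worst standalone rating is "medium" even though its outcome is unauthenticated code execution; the informational banner finding never appears in the chain because it grants nothing any later step needs. In a real assessment the capability labels come from the assessor's own threat model, and the point of the search is to surface exactly these paths before severity filtering discards their components.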
Note: This course aligns with the National Institute of Standards and Technology (NIST) special publication on information security testing (SP 800-115).
- Identifying the five major types of security assessments
- Defining the security assessment life cycle
- Setting up your testing environment
- Planning a security assessment
- Reviewing documentation, logs, and more
- Identifying test targets
- Testing for password and other security vulnerabilities
- Drafting and delivering your report
Skill Level Beginner
Security Testing: Nmap Security Scanning, with Mike Chapple (1h 46m, Intermediate)
Troubleshooting Your Network with Wireshark, with Lisa Bock (2h 35m, Intermediate)
DevSecOps: Automated Security Testing, with James Wickett (1h 35m, Intermediate)
What you should know (1m 49s)
1. Understanding Security Assessments
2. Your Testing Environment
3. Planning Your Assessment
4. Review Techniques
5. Identifying Your Targets
6. Vulnerability Validation
7. Additional Considerations
Next steps (3m 39s)