Chapter 3 Security Evaluation, page 75. Copyright Goodheart-Willcox Co., Inc.

common misconfigurations on computers that leave the systems vulnerable to hackers. Misconfigurations include settings such as open ports, default credentials and passwords, and default directories; scans can even look for sensitive data, such as patterns resembling Social Security numbers or keywords that could indicate confidential information.

Scanning systems for vulnerabilities and compliance not only allows vulnerabilities and potential threats to be identified and remediated, but also makes a configuration review possible: the act of monitoring and assessing the settings and policies set forth for a system. For example, if a network scan reveals suspect traffic coming from a website that has no business purpose, the site can be blocked using firewalls or other tools. If a high number of anomalies is present on a non-credentialed scan, the local policies may need review and adjustment to provide stronger protection.

As part of the vulnerability scanning process, scanners generate logs that record events, vulnerabilities, and other security incidents. Logs play an integral part in a comprehensive security assessment. A log review is an assessment and analysis of vulnerability scan logs. Through log review, administrators can obtain a list of vulnerable devices, the dates and times of incidents, and data regarding baseline deviation and trends. The logs may also be needed as part of a forensic analysis of security incidents. Effective log management and analysis can help identify long-term problems and potentially detect threats before they become major incidents.

Common Vulnerabilities and Exposures Resource

The Common Vulnerabilities and Exposures (CVE) is a list of known security threats identified by the US Department of Homeland Security. The CVE divides threats into two categories: vulnerabilities and exposures. This list was established at a time when vendors used their own databases and naming conventions to identify security vulnerabilities; the CVE list provides a standardized format for identifying known vulnerabilities. CVE is maintained by the MITRE Corporation, which oversees the vendors, researchers, bug-bounty programs, and other sources that provide information about vulnerabilities. That information is collected and distributed through a free searchable list available on the MITRE website.

An entry in the CVE uses this format: CVE-2020-10001. The four digits after CVE represent the year of identification, and the next set of numbers is a unique identification number. Each entry contains a brief description of the security vulnerability and any references that provide additional resources and information.

Another tool, the Common Vulnerability Scoring System (CVSS), describes the characteristics and severity of software vulnerabilities. CVSS is an open industry standard used to assess system vulnerabilities and their severity. Each vulnerability is assigned a numerical severity score, which enables security teams to prioritize their responses to these vulnerabilities.

Penetration Testing

Penetration testing, commonly called pen testing, is a process in which white-hat hackers are given permission to access a system and attempt to penetrate its defenses in order to locate vulnerabilities. Pen testing is a form of ethical hacking, an umbrella term for all hacking methods performed and sanctioned by an organization to identify potential vulnerabilities or attack vectors within a system.

Penetration tests are recommended because they perform different tasks than a vulnerability scan. Pen tests exploit weaknesses in an organization's system, whereas a vulnerability scan assesses a computer system for potential vulnerabilities. A
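As an added example (not from the textbook), the log-review and CVE/CVSS ideas above carried out in Python: it validates identifiers in the CVE-<year>-<number> format, parses a constructed, hypothetical scanner log into a list of vulnerable devices, reports baseline deviation, and orders findings by CVSS score. The log line format, the host names, and every CVE ID other than CVE-2020-10001 are assumptions made for this example.

```python
import re

# CVE ID format described in the text: CVE-<year>-<sequence>, sequence of 4+ digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, else None."""
    m = CVE_ID_RE.match(cve_id.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def cvss_severity(score):
    """CVSS v3.x qualitative rating for a numeric base score."""
    bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"))
    return next((label for limit, label in bands if score <= limit), "Critical")

# Constructed sample lines in a hypothetical "<timestamp> <host> <CVE ID> <CVSS>" format.
# CVE-2020-10001 is the ID quoted in the text; the other IDs are made-up placeholders.
SAMPLE_LOG = """\
2024-03-01T02:15:00 web01 CVE-2020-10001 9.8
2024-03-01T02:17:02 file01 CVE-2020-10001 9.8
2024-03-01T02:17:45 file01 CVE-2018-99993 3.1
2024-03-01T02:18:10 db01 CVE-BAD-ID 5.0
"""

def parse_log(text):
    """Parse lines into (timestamp, host, cve, score); return rejects separately."""
    findings, rejected = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parse_cve_id(parts[2]) is None:
            rejected.append(line)  # malformed line: reported, never silently dropped
            continue
        findings.append((parts[0], parts[1], parts[2], float(parts[3])))
    return findings, rejected

def vulnerable_devices(findings):
    """Host -> set of CVE IDs seen on it: the 'list of vulnerable devices'."""
    by_host = {}
    for _ts, host, cve, _score in findings:
        by_host.setdefault(host, set()).add(cve)
    return by_host

def baseline_deviation(findings, baseline):
    """CVE IDs in this scan that the accepted baseline does not contain."""
    return {cve for _ts, _host, cve, _score in findings} - set(baseline)

def prioritize(findings):
    """(host, CVE, severity) ordered by CVSS score, highest first."""
    ordered = sorted(findings, key=lambda f: f[3], reverse=True)
    return [(host, cve, cvss_severity(score)) for _ts, host, cve, score in ordered]
```

Rejected lines are returned rather than discarded so that a malformed or tampered log entry shows up in the review instead of vanishing from it.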