Free Book - External Exposure & Attack Surface Management for Dummies
Passive scanning is a reconnaissance workflow that typically does not involve direct interaction with a digital asset, for example parsing open-source intelligence (OSINT) such as DNS enumeration or Google searches. Passive scanning may also include singular direct interaction with a digital asset through tool categories like open-source network mappers or port scanners to gather running service software versions. Passive scanning can build a basic, but unvalidated, list of the externally exposed assets and alert on the possible presence of Common Vulnerabilities and Exposures (CVE). Also see "Active Testing".
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that applies to any business that accepts, processes, stores, transmits, or impacts the security of cardholder data.
Automated pen testing is designed to mimic penetration testing with digital tools and software. This process is commonly used by attackers to continuously scan an organization’s entire attack surface.
Automated pen testing removes many of the drawbacks of manual pen testing, including cost, scale, and the need to track the continuously changing threat environment in real time. It’s also used to reveal the unknown unknowns and shadow risk of an organization’s IT system, which are main targets for an attacker.
Penetration or pen testing is a security practice where a real-world attack on a subset of an organization’s IT ecosystem is simulated in order to discover the security gaps that an attacker could exploit. Such testing was born in the 1960s with the goal of revealing to the organization how a skilled and motivated attacker could get past, or penetrate, an organization’s defenses. Pen testing is now a requirement for several regulatory regimes including the Payment Card Industry (PCI), the Federal Information Security Modernization Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA).
While manual pen testing can provide useful insights, the process is costly, time-consuming and inherently unscalable, as it is based on a simulated attack conducted by a skilled individual. Pen testing is only done on assets that are already known to, and protected by, IT and security teams. Other drawbacks of manual pen testing include that it is typically done only periodically and produces a point-in-time snapshot of the known enterprise assets that is typically outdated by the time the analysis is complete.
The path of least resistance in cybersecurity is an attacker’s easiest route to reaching a target asset. When an attacker is considering an attack, they will typically look for the easiest way to succeed such as externally-exposed systems and assets that are mostly overlooked by organizations. IT assets owned, created or used by lines of business, third parties, partners or subsidiaries can easily become such a path.
A proactive security approach is the practice of taking measures to predict and prevent a breach before it ever happens. Proactive security teams fix security gaps before they can be exploited and mitigate their highest risks to stay ahead of potential attackers. Meanwhile, a reactive approach involves detecting incidents in progress or after the fact and responding, for example by implementing security solutions in response to a breach that already occurred. Proactive security emphasizes prediction and prevention over detection and response.
In cybersecurity, passive DNS is used for detecting malicious activities like domain hijacking and botnets. It stores historical DNS information and provides insights into domain names and IP addresses. Passive DNS solutions enhance security posture and protect against emerging threats.
Passive DNS derives from collecting DNS query information in a database via network sniffing. While traditional DNS records are transient, passive DNS stores a collection and archive of historical DNS records. This contains a wealth of information about DNS queries on the Internet. Analysis of passive DNS data is used for insights into old DNS records, new values, and differences; it can also find possible attack vectors.
An attacker or defender with this information can see where, how, and when your organization’s domain names and IP addresses have changed over time and who is changing them.
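The kind of passive DNS analysis described above (old values, new values and the differences between them) can be shown with a small example. This is an added illustration, not code from the book; it uses a constructed archive for a hypothetical domain and a hypothetical list of the organization's own address prefixes to flag an A record that briefly pointed somewhere else.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PdnsRecord:
    """One passive DNS observation: name, type, value and when it was seen."""
    rrname: str
    rrtype: str
    rdata: str
    first_seen: datetime
    last_seen: datetime


def _rec(name, rtype, data, first, last):
    return PdnsRecord(name, rtype, data,
                      datetime.fromisoformat(first), datetime.fromisoformat(last))


# Constructed sample archive for a hypothetical domain (not real observations).
SAMPLE = [
    _rec("www.example.test", "A", "203.0.113.10", "2023-01-05", "2023-06-30"),
    _rec("www.example.test", "A", "203.0.113.11", "2023-07-01", "2023-09-14"),
    _rec("www.example.test", "A", "198.51.100.7", "2023-09-15", "2023-09-20"),
    _rec("www.example.test", "A", "203.0.113.11", "2023-09-21", "2024-02-01"),
    _rec("example.test", "NS", "ns1.example.test", "2022-01-01", "2024-02-01"),
]


def timeline(records, rrname, rrtype):
    """Observations for one name/type pair, oldest first."""
    sel = [r for r in records if r.rrname == rrname and r.rrtype == rrtype]
    return sorted(sel, key=lambda r: r.first_seen)


def changes(records, rrname, rrtype):
    """Each point where the answer for rrname/rrtype changed: (when, old, new)."""
    tl = timeline(records, rrname, rrtype)
    return [(cur.first_seen, prev.rdata, cur.rdata)
            for prev, cur in zip(tl, tl[1:]) if prev.rdata != cur.rdata]


def outside_known_space(records, known_prefixes):
    """A/AAAA answers that fall outside the organization's own address ranges."""
    nets = [ip_network(p) for p in known_prefixes]
    return [r for r in records
            if r.rrtype in ("A", "AAAA")
            and not any(ip_address(r.rdata) in n for n in nets)]
```

Run over the sample, `changes` reports three transitions for `www.example.test`, and `outside_known_space(SAMPLE, ["203.0.113.0/24"])` isolates the six-day window in which the name resolved to an address the organization does not own.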