Chapter 5

Question 1

Vulnerability Management

Answer 1

The process of finding and patching vulnerabilities.

Question 2

Asset Criticality

Answer 2

Determination of the importance of an asset to the business.

Question 3

Asset Inventory

Answer 3

Systematic method of tracking hardware, software, and information assets owned by an organization.

Question 4

Risk Appetite

Answer 4

An organization’s willingness to tolerate risk within the environment.

Question 5

Regulatory Requirements

Answer 5

Requirements created by regulations and laws applicable to an organization.

Question 6

Technical Constraints

Answer 6

May limit the frequency of scanning. The scanning system may only be capable of performing a certain number of scans per day and organizations may need to adjust scan frequency to ensure that all scans complete successfully.

Question 7

Business Constraints

Answer 7

In terms of vulnerability, they may limit the organization form conducting resource-intensive vulnerability scans during periods of high business activity to avoid disruption of critical processes.

Question 8

Licensing limitations

Answer 8

May limit the bandwith consumed by the vulnerability scanner or the number of scans that may be conducted simultaneously.

Question 9

Credentialed Scanning

Answer 9

A type of vulnerability scan where the scanner has login credentials to access the target system.

Question 10

Agent-Based Scanning

Answer 10

The use of software agents installed on target devices to assist with vulnerability scans.

Question 11

Server-based scanning

Answer 11

An approach to vulnerability scanning that relies on servers rather than local agents.

Question 12

Scan Perspective

Answer 12

An aspect that conducts the scan from a different location on the network, providing a different view into vulnerabilities.

Question 13

What controls might affect scan results?

Answer 13

1. Firewall settings
2. Network segmentation
3. Instrusion detections systems (IDS)
4. Instrusion prevention systems (IPS)

Question 14

Vulnerability Feed

Answer 14

A constantly updated list of security weaknesses in software, hardware, or networks that helps cybersecurity professionals stay informed about threats and fixes.

Question 15

Security Content Automation Protocol (SCAP)

Answer 15

Led by the National Institute of Standards and Technology (NIST), to create a standardized approach for communicating security- related information. This standardization is important to the automation of interactions between security components.

Question 16

Common configuration enumeration (CCE)

Answer 16

Provides a standard nomenclature for discussing system configuration issues.

Question 17

Common platform enumeration (CPE)

Answer 17

Provides a standard nomenclature for describing product names and versions.

Question 18

Common vulnerabilities and exposures (CVE)

Answer 18

Provides a standard nomenclature for describing security-related software flaws.

Question 19

Common vulnerability scoring system (CVSS)

Answer 19

Security Content Automation Protocol (SCAP) component that provides a standardized scoring system for describing the characteristics and severity of security vulnerabilities.

Question 20

Extensible Configuration Checklist Description Format (XCCDF)

Answer 20

A specification language used to create security checklists, benchmarks, and rules for configuring systems securely. It helps automate compliance testing and ensures consistent security practices across systems.

Question 21

Open vulnerability and assessment language (OVAL)

Answer 21

A language for specifying low-level testing procedures used by checklists.

Question 22

What are 4 of the most commonly used network vulnerability scanners?

Answer 22

1. Tenable’s Nessus
2. Qualys vulnerability scanner
3. Rapid7’s Nexpose
4. OpenVAS (open source)

Question 23

Static Testing

Answer 23

Analyzes code without executing it.

Question 24

Dynamic Testing

Answer 24

Executes code as part of the test

Question 25

Interactive Testing

Answer 25

combines static and dynamic testing.

Question 26

Attack Vector Metric (AV)

Answer 26

Describes how an attacker would exploit a vulnerability. Possible Values: - Physical (P): Requires physical access. - Local (L): Requires local access (e.g., logged-in user). - Adjacent Network (A): Requires exploitation within the same network segment. - Network (N): Exploitation occurs remotely over a network.

Question 27

Attack Complexity Metric (AC)

Answer 27

Describes the difficulty of exploiting a vulnerability. Possible Values: - Low (L): Straightforward attack; no special conditions required. - High (H): Complex attack; requires specific conditions like user interaction or environmental factors.

Question 28

Privileges Required (PR) Metric

Answer 28

Describes the type of account access that an attacker would need to exploit a vulnerability. Possible Values: - None (N): No access or privileges required. - Low (L): Basic user privileges required. - High (H): Administrative or root privileges required.

Question 29

User Interaction metric (UI)

Answer 29

Describes whether the attacker needs to involve another human in the attack. Possible Values: - None (N): No user interaction needed for exploitation. - Required (R): Exploitation depends on the user performing an action (e.g., clicking a link, opening a file).

Question 30

Confidentiality Metric (C)

Answer 30

Describes the type of information disclosure that might occur if an attacker successfully exploits a vulnerability. Possible Values: - None (N): No sensitive information is disclosed. - Low (L): Limited access to non-critical information. - High (H): Full access to sensitive or critical data.

Question 31

Integrity Metric (I)

Answer 31

Describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability. Possible Values: - None (N): No effect on integrity. - Low (L): Limited, non-critical modifications possible. - High (H): Major changes, compromising critical data or systems.

Question 32

Availability Metric (A)

Answer 32

Describes the type of disruption that might occur if an attacker successfully exploits the vulnerability. Possible Values: - None (N): No impact; system remains fully operational. - Low (L): Limited disruption; system partially usable. - High (H): Complete disruption; system becomes unavailable.

Question 33

Scope Metric (S)

Answer 33

Describes whether the vulnerability can affect system components beyond the scope of the vulnerability. Possible Values: - Unchanged (U): Impact is confined to the vulnerable component's security scope. - Changed (C): Impact affects other systems or components beyond the vulnerable component.

Question 34

CVSS Vector

Answer 34

Uses a single-line format to convey the ratings of a vulnerability on all eight of the metrics. Ex: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Breakdown: - CVSS:3.1: Version of CVSS used (e.g., 3.1). - AV:N: Attack Vector = Network. - AC:L: Attack Complexity = Low. - PR:N: Privileges Required = None. - UI:N: User Interaction = None. - S:U: Scope = Unchanged. - C:H: Confidentiality Impact = High. - I:H: Integrity Impact = High. - A:H: Availability Impact = High.

Question 35

CVSS Qualitative Severity Rating Scale

Answer 35

Score & Rating 0.0 == None 0.1 - 3.9 == Low 4.0 - 6.9 == Medium 7.0 - 8.9 == High 9.0 - 10.0 == Critical

Question 36

False Positive Error

Answer 36

When a scanner reports a vulnerability that does not exist.

Question 37

Positive Report

Answer 37

When a vulnerability scanner reports a vulnerability.

Question 38

Negative Report

Answer 38

When a scanner reports a vulnerability is not present.

Question 39

What are good vulnerability response and remediation practices?

Answer 39

Good vulnerability response and remediation involve identifying, prioritizing, communicating, documenting, patching, validating, and continuously monitoring systems to address security weaknesses effectively

Question 40

Penetration Test Types

Answer 40

There are four major categories of penetration testing: 1. Physical penetration testing 2. Offensive penetration testing 3. Defensive penetration testing 4. Integrated penetration testing

Question 41

Physical Penetration Testing

Answer 41

Assesses physical security measures like locks, breaking into buildings, access controls, and surveillance systems. Purpose: Simulates real-world breaches to identify vulnerabilities in physical defenses.

Question 42

Offensive Penetration Testing

Answer 42

Definition: Simulates attacks to exploit vulnerabilities in systems, networks, or applications. Purpose: Mimics real attackers to uncover weaknesses before exploitation occurs.

Question 43

Defensive Penetration Testing

Answer 43

Evaluates and strengthens defensive measures, focusing on detection and response capabilities. Purpose: Tests how well security controls respond to simulated attacks.

Question 44

Integrated Penetration Testing

Answer 44

Combines physical, offensive, and defensive approaches for comprehensive security assessment. Purpose: Provides an overall evaluation of an organization’s security posture.

Question 45

Environment Tests

Answer 45

Checking for security weaknesses, settings, and risks in different types of computer systems—like online (cloud), physical locations (on-premises), or a mix of both (hybrid)—to make sure everything stays safe and protected. There are three typical classifications: 1. Known Environment 2. Unknown Environment 3. Partially Known Environment

Question 46

Rules of engagement (RoE)

Answer 46

The rules that are agreed to for a penetration test. These rules are defined before the test starts to ensure that the test does not cause inadvertent harm or go beyond the accepted scope.

Question 47

What are the key components of Rules of Engagement (RoE) in cybersecurity?

Answer 47

1. Scope & Authorization *What’s included?* Systems, networks, apps—approved explicitly. 2. Timing Duration *When and how long?* Start time, duration, and limits. 3. Techniques and Methods *What methods?* Approved tools and tactics. 4. Reporting *Who needs to know?* Updates, findings, communication plans. 5. Restrictions *What’s off-limits?* Forbidden actions to ensure safety. 6. Incident Response *What if something goes wrong?* Guidelines for surprises or breaches.

Question 48

Passive Reconnaissance

Answer 48

Seeks to gather information without directly engaging with the target.

Question 49

Active Reconnaissance

Answer 49

This technique directly engages the target in intelligence gathering

Question 50

The Process of a Penetration test

Answer 50

1. Initial Access 2. Privilege escalation 3. Pivoting, or Lateral movement 4. Attackers establish persistence Exploitation Frameworks, such as Metasploit, are used.

Question 51

Three major components of a security assessment program

Answer 51

1. Security Tests 2. Security Assessments 3. Security Audits

Question 52

Security Tests

Answer 52

Verify that a control is functioning properly.

Question 53

Security Assessments

Answer 53

Comprehensive reviews of the security of a system, application, or other tested environment.

Question 54

Security Audits

Answer 54

Use many of the same techniques followed during security assessments but must be performed by independent auditors.

Question 55

Attestation

Answer 55

It’s an official confirmation from auditors that they’ve checked the security controls in place. They’re saying these controls not only meet the intended goals (control objectives) but are also functioning as expected.

Question 56

What are the three main types of audits?

Answer 56

1. Internal Audits 2. External Audits 3. Third-Party Audits

Question 57

Internal Audits

Answer 57

Performed by an organization's internal audit staff and are typically intended for internal audiences.

Question 58

External Audits

Answer 58

Performed by an outside auditing firm who serves as an independent third party. "Big Four" audit firms: 1. Ernst & Young 2. Deloitte 3. PricewaterhouseCoopers(PwC) 4. KPMG

Question 59

Independent Third-Party Audits

Answer 59

A subcategory of external audits; Audits conducted by, or on behalf of, another organization.

Question 60

Control Objectives for Information and related Technologies (COBIT)

Answer 60

Describes the common requirements that organizations should have in place surrounding their information systems.

Question 61

Vulnerability Life Cycle

Answer 61

Identification --> Analysis --> Response and Remediation --> Validation of Remediation --> Reporting (Repeat)

Question 62

Identification (Vulnerability Life Cycle)

Answer 62

First stage in the process. The Organization becomes aware of a vulnerability that exists within their environment.

Question 63

Analysis (Vulnerability Life Cycle)

Answer 63

Second Stage. Cybersecurity professionals perform an analysis of the report previously made. Assessing the severity and impact of the vulnerability.

Question 64

Response and Remediation (Vulnerability Life Cycle)

Answer 64

Third Stage. Involves addressing identified vulnerabilities to mitigate risks and enhance security. Response: Actions taken to analyze, notify, and prioritize vulnerabilities. This phase focuses on understanding the impact and communicating findings to stakeholders. Remediation: Actions taken to fix a vulnerability and secure the system, such as deploying patches, adjusting configurations, or using mitigation strategies.

Question 65

Validation of Remediation (Vulnerability Life Cycle)

Answer 65

Fourth Stage. Professionals make sure that the vulnerability no longer is present. Auditors make sure the issue is resolved.

Question 66

Reporting (Vulnerability Life Cycle)

Answer 66

Final Stage. Involves communicating the findings, actions taken, and lessons learned to relevant stakeholders within the organization.