FORMATIVE 9 Flashcards
(25 cards)
Which industry-standard method has created a catalog of known vulnerabilities that provides a score indicating the severity of a vulnerability?
CVSS
CVE
OWASP WSTG
NIST SP 800-115
CVSS
Which vulnerability catalog creates a list of publicly known vulnerabilities, each assigned an ID number, description, and reference?
CVE
CVSS
OWASP WSTG
NIST SP 800-115
CVE
Match the CVSS metric group with the respective information.
includes exploit code maturity, remediation level, and report confidence
includes exploitability metrics and impact metrics
includes modified base metrics, confidentiality, integrity and availability requirements.
Temporal metric group -
Base metric group -
Environmental metric group -
Temporal metric group - includes exploit code maturity, remediation level, and report confidence
Base metric group - includes exploitability metrics and impact metrics
Environmental metric group - includes modified base metrics, confidentiality, integrity and availability requirements.
Which three items are included in the base metric group used by CVSS? (Choose three.)
attack complexity
integrity impact
modified base metrics
user interaction
availability requirements
remediation level
attack complexity
integrity impact
user interaction
Which item is included in the environmental metric group used by CVSS?
privileges required
confidentiality requirements
report confidence
availability impact
confidentiality requirements
Which item is included in the temporal metric group used by CVSS?
exploit code maturity
integrity impact
modified base metrics
attack vector
exploit code maturity
Which tool can ingest the results from many penetration testing tools a cybersecurity analyst uses and help this professional produce reports in formats such as CSV, HTML, and PDF?
Dradis
Mimikatz
Nessus
PowerSploit
Dradis
Match the description to the respective control category.
Technical Control
Administrative Control
Operational Control
Physical Control
Key rotation -
Input sanitization -
Secure software development life cycle -
Role-based access control -
Time-of-day restrictions -
Job rotation -
Video surveillance -
Biometric controls -
Key rotation - Technical control
Input sanitization - Technical control
Secure software development life cycle - Administrative control
Role-based access control - Administrative control
Time-of-day restrictions - Operational control
Job rotation - Operational control
Video surveillance - Physical control
Biometric controls - Physical control
Which two items are examples of technical controls that can be recommended as mitigations and remediation of the vulnerabilities found during a pen test? (Choose two.)
multifactor authentication
certificate management
RBAC
mandatory vacations
access control vestibule
multifactor authentication
certificate management
A recent pen test results in a cybersecurity analyst report that includes information on process-level remediation, patch management, and secrets management solutions. Which control category is represented by this example?
technical
administrative
operational
physical
technical
Which document provides several cheat sheets and detailed guidance on preventing vulnerabilities such as cross-site scripting, SQL injection, and command injection?
OWASP
CVE
GDPR
CVSS
OWASP
A cybersecurity analyst report should contain minimum password requirements and policies and procedures. These are examples that are included in which control category?
technical
administrative
operational
physical
administrative
Which control category includes information on mandatory vacations and user training in the cybersecurity analyst report?
technical
administrative
operational
physical
operational
When creating a cybersecurity analyst report, which control category includes information concerning the access control vestibule?
technical
administrative
operational
physical
physical
Match the term to the respective description.
a security device triggers an alarm, but there is no malicious activity or actual attack taking place.
malicious activities that are not detected by a network security device.
a successful identification of a security attack or a malicious event
an intrusion detection device identifies an activity as acceptable behavior and the activity is acceptable.
false positive -
false negative -
true negative -
true positive -
false positive - a security device triggers an alarm, but there is no malicious activity or actual attack taking place
false negative - malicious activities that are not detected by a network security device
true negative - a successful identification of a security attack or a malicious event
true positive - an intrusion detection device identifies an activity as acceptable behavior and the activity is acceptable
Which kind of event is also called a “benign trigger”?
false positive
false negative
true positive
true negative
false positive
Which kind of events diminish the value and urgency of real alerts?
false positives
false negatives
true negatives
true positives
false positives
Which kinds of events are malicious activities not detected by a network security device?
false positives
false negatives
true negatives
true positives
false negatives
Which kind of event occurs when an intrusion detection device identifies an activity as acceptable behavior and the activity is acceptable?
false positives
false negatives
true negatives
true positives
true negatives
Which kind of event is a successful identification of a security attack?
false negative
false positive
true positive
true negative
true positive
Which example of technical control is recommended to mitigate and prevent vulnerabilities such as cross-site scripting, cross-site request forgery, SQL injection, and command injection?
user input sanitization
process-level remediation
secrets management solution
certificate management
user input sanitization
Which example of administrative controls enables administrators to control what users can do at both broad and granular levels?
RBAC
secure software development life cycle
policies and procedures
minimum password requirements
RBAC
A document entitled “Building an Information Technology Security Awareness and Training Program” succinctly defines why security education and training are so important for users. The document defines ways to improve the security operations of an organization. Which document is being described?
NIST SP 800-50
NIST SP 800-115
OWASP WSTG
CVSS
NIST SP 800-50
How is the score that CVSS provides interpreted?
scores are rated from 0 to 100, with 100 being the most severe
scores are rated from 0 to 100, with 0 being the most severe
scores are rated from 0 to 10, with 10 being the most severe
scores are rated from 0 to 10, with 0 being the most severe
scores are rated from 0 to 10, with 10 being the most severe