Lesson 8: Explain Vulnerability Management

Question 1

Define ‘Vulnerability management’

Answer 1

Identifying/reporting, evaluating, and remediating, security vulnerabilities in OSs, applications, and other components of IT operations.

Question 2

Define ‘Vulnerability scanning’

Answer 2

Utilized to identify potential weaknesses in an organization’s digital assets automatically.

Question 3

Define a ‘Vulnerability’

Answer 3

Flaws in the operating system’s design, errors in code, or insecure default settings.

Question 4

What are typical vulnerabilities found in Microsoft Windows OS’?

Answer 4

Buffer overflows, lack of input validation, and privilege flaws.

Question 5

What are typical vulnerabilities found in Mac OS?

Answer 5

Weak access controls, insecure boot processes, and third-party software.

Question 6

What are typical vulnerabilities found in Linux OS?

Answer 6

Kernel vulnerabilities, misconfigurations, and unpatched systems are common issues in Linux.

Question 7

Define a ‘Legacy and End-of-Life (EOL) System’

Answer 7

The manufacturer or vendor no longer supports EOL systems, so they do not receive updates, including critical security patches.

Question 8

What is the difference between a ‘legacy system’ and an ‘‘End-of-life system’?

Answer 8

Legacy systems typically describe outdated software methods, technology, computer systems, or application programs that continue to be used despite their shortcomings.

Question 9

Define ‘firmware’

Answer 9

Software that controls hardware.

Question 10

Define ‘VM escape’

Answer 10

An attacker with access to a VM breaks out of its isolated environment and gains access to the host system or other VMs running on the same host.

Question 11

Define a ‘Zero-day vulnerability’

Answer 11

Previously unknown software or hardware flaws that attackers can exploit before developers or vendors become aware of or have a chance to fix them.

Question 12

Define ‘responsible disclosure’

Answer 12

A procedure followed by ethical hackers after a zero day is found, to privately inform the vendor so a patch can be developed before the vulnerability is publicly disclosed.

Question 13

How can misconfiguration of infrastructure lead to vulnerabilities?

Answer 13

Unauthorized access, data leaks, or even full-system compromises.

Question 14

What is the most common form of misconfiguration?

Answer 14

Leaving default configurations.

Question 15

How can troubleshooting lead to vulnerabilities?

Answer 15

Disabling security features or loosening access controls to help isolate a problem without changing back to secure configuration.

Question 16

Define a ‘Cryptographic vulnerability’

Answer 16

Weaknesses in cryptographic systems, protocols, or algorithms that can be exploited to compromise data.

Question 17

Define ‘Rooting’

Answer 17

Gaining superuser-level access over an Android-based mobile device.

Question 18

Define ‘Jailbreaking’

Answer 18

Describes gaining full access to an iOS device by removing the limitations imposed by Apple’s iOS operating system.

Question 19

Define ‘Sideloading’

Answer 19

Installing applications from sources other than the official app store of the platform

Question 20

How can an organization prevent rooting/jailbreaking/sideloading?

Answer 20

By disabling access to unverified app stores or installing apps from unofficial sources.

Question 21

Define an ‘Application race condition’ vulnerability

Answer 21

Software flaws associated with the timing or order of events within a software program, which can be manipulated, causing undesirable or unpredictable outcomes.

Question 22

What is the outcome of an Application race condition vulnerability?

Answer 22

Data corruption or unauthorized access.

Question 23

Define a ‘time-of-check to time-of-use (TOCTOU)’ vulnerability

Answer 23

Type of application race condition; A system state changes between the time an app performs the check (verification) stage and the use (execution) stage.

Question 24

Define a ‘memory injection’ vulnerability

Answer 24

Type of security flaw where an attacker can introduce (inject) malicious code into a running application’s process memory.

Question 25

What is a direct outcome of an attacker exploiting a memory injection vulnerability?

Answer 25

Threat actor can run malicious code with the same privilege level as the vulnerable process that can lead to full system compromise.

Question 26

What is the desired goal of a threat actor once a memory injection is successful?

Answer 26

To provide unauthorized access or control over the system; Install malware, exfiltrate sensitive data, or create a backdoor for future access.

Question 27

What contorts are used to mitigate memory injection vulnerabilities?

Answer 27

Secure coding practices; Input/output validation, encoding, type-casting, access controls, application testing.

Question 28

Define a ‘buffer’

Answer 28

An area of memory that the application reserves to store expected data.

Question 29

Define a ‘buffer overflow’ vulnerability

Answer 29

A form of memory injection; An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory.

Question 30

How does a threat actor perform a buffer overflow attack?

Answer 30

The attacker passes data that deliberately overfills the buffer.

Question 31

What does a buffer overflow allow an attacker to do?

Answer 31

Change the return address, allowing the attacker to run arbitrary code on the system.

Question 32

What 3 controls have been developed to mitigate buffer overflow vulnerabilities?

Answer 32

1. Address space layout randomization (ASLR)
2. Data Execution Prevention (DEP)
3. Type-safe programming languages

Question 33

Define a ‘Type-safe programming language’

Answer 33

Program that enforces strict type-checking during compilation and ensures variables and data are used correctly.

Question 34

What is the purpose of using a type-safe programming language?

Answer 34

Prevents memory-related vulnerabilities and injection attacks.

Question 35

Define a ‘Malicious update’

Answer 35

An update that appears legitimate but contains harmful code; A vulnerability in software repository or supply chain that a threat actor can exploit to add malicious code to a package.

Question 36

Define an ‘evaluation scope’

Answer 36

The product, system, or service being analyzed for potential security vulnerabilities or the intended target or an attack.

Question 37

Define a distinct different between a web application attack and other attacks

Answer 37

Must navigate the client-server model; Requiring the attacker to bypass network and application-level security controls.

Question 38

Define a ‘cross-site scripting (XSS)’ attack

Answer 38

A malicious script injected into a web site designed to compromise clients browsing the site.

Question 39

Define a ‘nonpersistent cross-site scripting (XSS)’ attack

Answer 39

The malicious script is obfuscated in a spoofed URL that reflects back to the attacker.

Question 40

Define a ‘stored/persistent cross-site scripting (XSS)’ attack

Answer 40

The script is injected and permanently stored on the target servers, such as in a database or content management system.

Question 41

Define a ‘Document Object Model (DOM) cross-site scripting (XSS)’ attack

Answer 41

Attacker injects malicious script into a JavaScript Document Object Model (DOM) to execute their attack solely on the client.

Question 42

What is the difference between an overflow attack and an injection attack?

Answer 42

Overflow attack works against the way a process performs memory management while an injection attack exploits some unsecure way in which the application processes requests and queries.

Question 43

Define a ‘SQL injection’ attack

Answer 43

Injection of a malicious/unauthorized SQL query via the input data from a client to the application/server.

Question 44

Define a ‘side-channel’ attack

Answer 44

Attacker observes the implementation and operation of a system, looking for information to use to exploit the system.

Question 45

How can cloud services be manipulated by an attacker?

Answer 45

Setup fake websites on cloud services for phishing and malware distribution; Cryptojacking cloud resources for cryptomining.

Question 46

Define a ‘cloud access security broker (CASB)’

Answer 46

Enterprise management software designed to manage, mediate, and monitor access to cloud services by users across all types of devices.

Question 47

What are the 3 methods of implementing a cloud access security broker (CASB)?

Answer 47

1. Forward proxy
2. Reverse proxy
3. Application programming interface (API)

Question 48

Define a forward proxy cloud access security broker (CASB)

Answer 48

Requires configuration of users’ devices; Inspects all traffic in real time, even if that traffic is not bound for sanctioned cloud applications.

Question 49

Define a reverse proxy cloud access security broker (CASB)

Answer 49

Positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with a policy.

Question 50

Define an Application programming interface (API) cloud access security broker (CASB)

Answer 50

Brokers connections between the cloud service and the cloud consumer rather than placing a CASB appliance or host inline with cloud consumers and the cloud services.

Question 51

Define a ‘software bill of materials (SBOM)’

Answer 51

Inventory containing details like component names, versions, and information about the suppliers in a software product.

Question 52

What is the purpose of a software bill of materials (SBOM)?

Answer 52

Provide transparency and visibility into the software supply chain and potential vulnerabilities; Enables developers, security teams, and end users to understand the functional components of their software.

Question 53

What is the role of a software bill of materials (SBOM) after a vulnerability has been discolsed?

Answer 53

Supports rapid response and remediation; Security teams can quickly determine whether their software is affected by a disclosed vulnerability.

Question 54

Define a software dependency check

Answer 54

A Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.

Question 55

What is the purpose of utilizing a software dependency check?

Answer 55

Detecting outdated or vulnerable components

Question 56

Define a ‘HTTP referrer’

Answer 56

Indicates the URL that forwarded a request to the target URL.

Question 57

What is a ‘network vulnerability scanner’

Answer 57

Hardware or software configured with a list of known weaknesses and exploits and that can scan for their presence in a client PC, Server, application, or network device.

Question 58

Define a ‘non-credentialed scan’

Answer 58

A scan that uses fewer permissions and many times can only find missing patches or updates.

Question 59

What is the purpose of a non-credentialed scan?

Answer 59

Appropriate technique for external assessment of the network perimeter or when performing web application scanning to mimic view of an unprivileged attacker with limited network access.

Question 60

What are typical findings from a non-credentialed scan?

Answer 60

Default passwords for service accounts and device management interfaces.

Question 61

Define a ‘credentialed’ scan

Answer 61

A scan that uses credentials with some form of privileged access to allow for a more in-depth analysis, especially in detecting when applications or security settings may be misconfigured.

Question 62

What is the purpose of a credentialed scan?

Answer 62

Shows what an insider attack, or an attack with a compromised user account, may be able to achieve.

Question 63

Define an ‘application vulnerability scanning’

Answer 63

Designed to identify issues with application code and platform configuration, including web servers and web applications.

Question 64

Define ‘static analysis’

Answer 64

Reviewing application code without executing it; Either manually or using automated tools.

Question 65

Define ‘dynamic analysis’

Answer 65

Testing running applications; Examines code behavior during runtime.

Question 66

What can be discovered through dynamic analysis?

Answer 66

Unvalidated inputs/outputs, broken access controls, and injection vulnerabilities.

Question 67

Define ‘package monitoring’

Answer 67

Techniques and tools designed to mitigate risks from application vulnerabilities in third-party code, such as libraries and dependencies.

Question 68

What is the role of package monitoring in vulnerability management?

Answer 68

Tracks and assesses the security of third-party software packages, libraries, and dependencies used within an organization.

Question 69

What mechanism is used to achieve package monitoring at an enterprise level?

Answer 69

Automated software composition analysis (SCA).

Question 70

Define ‘Automated software composition analysis (SCA)’

Answer 70

Identifies outdated packages or packages with known vulnerabilities and suggests updates or replacements.

Question 71

Define a ‘threat feed’

Answer 71

Aggregate data from various real-time sources, are integrated into vulnerability scanning tools to improve their detection capabilities.

Question 72

Define ‘Tactics, Techniques, and Procedures (TTPs)’

Answer 72

Term to describe the behaviors, processes, actions, and strategies used by a threat actor to develop threats and engage in cyberattacks.

Question 73

What data does a threat feed contain?

Answer 73

Signatures and pattern-matching rules; Latest vulnerabilities, exploits, and threat actors.

Question 74

What are the most common threat feeds?

Answer 74

AlienVault’s Open Threat Exchange (OTX), IBM’s X-Force Exchange, and Recorded Future.

Question 75

Define ‘cyber threat intelligence (CTI)’

Answer 75

Process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.

Question 76

What are the 3 types of cyber threat intelligence (CTI)?

Answer 76

1. Behavioral Threat Research
2. Reputational threat intelligence
3. Threat Data

Question 77

Define ‘Behavioral Threat Research’

Answer 77

Commentary describing examples of attacks and TTPs gathered through primary research sources.

Question 78

Define ‘Reputational threat intelligence’

Answer 78

Blocklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains.

Question 79

Define ‘Threat Data’

Answer 79

Data from networks and logs that can correlate events with known TTPs, Behavioral threat research, and reputation threat intelligence.

Question 80

What can cyber threat intelligence (CTI) be coupled with to produce actionable intelligence?

Answer 80

All 3 types of CTI aggregated into a Security Information Event Management (SIEM).

Question 81

Define a ‘proprietary treat feed’

Answer 81

Threat research and CTI data is available as a paid subscription to a commercial threat intelligence platform.

Question 82

Define ‘Open-source intelligence (OSINT)’

Answer 82

Publicly available information plus the tools used to aggregate and search it.

Question 83

What is the function of Open-source intelligence (OSINT)?

Answer 83

Used to identify vulnerabilities and threat information by gathering data from many sources such as blogs, forums, social media platforms, and even the dark web.

Question 84

Define ‘Shodan’

Answer 84

OSINT tool for investigating Internet-connected devices.

Question 85

Define ‘Maltego’

Answer 85

OSINT tool for visualizing complex networks of information.

Question 86

Define ‘Recon-ng’

Answer 86

OSINT tool or web-based reconnaissance activities.

Question 87

Define ‘theHarvester’

Answer 87

OSINT tool for gathering emails, subdomains, hosts, and employee names from different public sources.

Question 88

Define the ‘deep web’

Answer 88

Any part of the World Wide Web that is not indexed by a search engine.

Question 89

What are parts of the deep web?

Answer 89

Dark net, Dark web.

Question 90

Define the ‘dark net’

Answer 90

Network established as an overlay to Internet infrastructure by software.

Question 91

What is the purpose of the dark net?

Answer 91

Acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network.

Question 92

What are examples of dark net software?

Answer 92

Onion Router (TOR), Freenet, or I2P.

Question 93

Define ‘onion routing/onion router(TOR(‘

Answer 93

Uses multiple layers of encryption and relays between nodes to achieve this anonymity.

Question 94

Define the ‘dark web’

Answer 94

Sites, content, and services accessible only over a dark net.

Question 95

What are benefits of the dark web?

Answer 95

Privacy and anonymity, access to censored information, and research/information sharing.

Question 96

Define ‘penetration testing’

Answer 96

A test that uses active tools and security utilities to evaluate security by simulating an attack on a system.

Question 97

What is the purpose of a pen test?

Answer 97

To verify that a threat exists; Will actively test and bypass security controls, and will finally exploit vulnerabilities on the system.

Question 98

What is the difference between penetration testing and vulnerability scanning?

Answer 98

Penetration testing involves human ingenuity and creativity, manipulating an application’s functionality to perform actions in ways not intended by its developers, leading to exploitation.

Question 99

Define ‘Unknown environment (previously known as black box) testing’

Answer 99

When the consultant/attacker has no privileged information about the network and its security systems; Requires the consultant/attacker to perform an extensive reconnaissance phase.

Question 100

What is the purpose of black box testing?

Answer 100

Useful for simulating the behavior of an external threat.

Question 101

Define ‘Known environment (previously known as white box) testing’

Answer 101

The consultant/attacker has complete access to information about the network.

Question 102

What is the purpose of white box testing?

Answer 102

Useful for simulating the behavior of a privileged insider threat.

Question 103

Define ‘Partially known environment (previously known as gray box) testing’

Answer 103

When the consultant/attacker has some information; Requires partial reconnaissance.

Question 104

Define a ‘Bug bounty’

Answer 104

Reward scheme operated by software and web services vendors for reporting vulnerabilities.

Question 105

Define an ‘audit’

Answer 105

Comprehensive reviews/assessment of security controls, policies, and procedures designed to ensure an organization’s security posture aligns with established standards and best practices.

Question 106

Define a ‘compliance audit’

Answer 106

Assess adherence to regulations; Examining areas like network security, access controls, and data protection measures.

Question 107

Define ‘Payment Card Industry Data Security Standard (PCI DSS)’

Answer 107

Information security standard for organizations that process credit or bank card payments.

Question 108

Define ‘Vulnerability analysis’

Answer 108

Evaluating vulnerabilities for their potential impact and exploitability; Considering ease of exploitation, the potential damage from a successful exploit, the value of the vulnerable asset, and the current threat landscape.

Question 109

Define ‘remediation’

Answer 109

The process of identifying and addressing cyber threats with to mitigate their potential risk.

Question 110

Define ‘mitigation’

Answer 110

Applying patches, changing configurations, updating software, or replacing vulnerable systems.

Question 111

Define a ‘Compensating control’

Answer 111

Measures put in place to mitigate the risk of a vulnerability when security teams cannot directly eliminate it or when direct remediation is not immediately possible.

Question 112

Define the purpose of the ‘Security Content Automation Protocol (SCAP)’

Answer 112

Enables automated vulnerability management, and policy compliance evaluation of systems deployed in an organization.

Question 113

What is the function of the Security Content Automation Protocol (SCAP)?

Answer 113

Defines ways to compare the live configuration of a system to a target-secure baseline.

Question 114

Define a ‘Common Vulnerabilities and Exposures (CVE)’

Answer 114

A scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.

Question 115

How is a CVE identified?

Answer 115

CVE-(year vulnerability was discovered-(order the vulnerability was discovered in the given year); CVE-YYYY-####

Question 116

Define the ‘Common Vulnerability Scoring System (CVSS)’

Answer 116

Quantifies vulnerability data and then takes into account the degree of risk to different types of systems or information.

Question 117

What is the scale of the Common Vulnerability Scoring System (CVSS)?

Answer 117

CVSS metrics generate a score from 0 to 10 based on the characteristics of the vulnerability.

Question 118

What characteristics are used to determine the Common Vulnerability Scoring System (CVSS) of a Common Vulnerabilities and Exposures (CVE)?

Answer 118

whether it can be triggered remotely or needs local access, whether user intervention is required, privileged access, and so on.

Question 119

Define a ‘false positive’

Answer 119

An instance where a scanner or another assessment tool incorrectly identifies a vulnerability.

Question 120

Define a ‘false negative’

Answer 120

A vulnerability that is not reported when it should be; Potential vulnerabilities that go undetected in a scan.

Question 121

How can false negatives be avoided?

Answer 121

By running repeat scans periodically and employing scanners from different vendors.

Question 122

How does vulnerability analysis support ‘prioritization’ of an organizations security strategy?

Answer 122

By identifying the most critical vulnerabilities that pose the most significant risk to an organization helps an organization focus limited resources on addressing the most significant threats first.

Question 123

What is ‘prioritization’ in an organizations security strategy based on?

Answer 123

Common Vulnerability Scoring System (CVSS); Factors such as the vulnerability severity, the ease of exploitation, and the potential impact of an attack.

Question 124

How does vulnerability analysis support the ‘classification’ of an organizations security strategy?

Answer 124

Categorizing vulnerabilities based on their characteristics, to help clarify the scope and nature of an organization’s threats.

Question 125

Define ‘Exposure factor (EF)’

Answer 125

In risk calculation, represents the extent to which an asset is susceptible to being compromised or impacted by a specific vulnerability.

Question 126

How does vulnerability analysis support the ‘Exposure Factor’ of an organizations security strategy?

Answer 126

Helps assess the potential impact or loss that could occur if the vulnerability is exploited.

Question 127

What is the ‘Exposure Factor’ in an organizations security strategy based on?

Answer 127

The likelihood of a vulnerability being exploited and directly impact its overall risk level; Weak authentication mechanisms, inadequate network segmentation, or insufficient access control methods.

Question 128

Define ‘vulnerability impact’

Answer 128

The potential organizational impact of vulnerabilities; Financial loss, reputational damage, operational disruption, or regulatory penalties.

Question 129

Define the role of ‘vulnerability impact’ in an organizations security strategy

Answer 129

Crucial for making informed decisions about risk mitigation and disaster recovery.

Question 130

Define an ‘environmental variables’

Answer 130

The organization’s IT infrastructure and assets; Hardware, software, networks, and systems in use.

Question 131

What are external environmental variables?

Answer 131

External threat landscape based on industry; Regulatory and compliance.

Question 132

Define ‘Risk tolerance’

Answer 132

The level of risk an organization is willing to accept.

Question 133

What does vulnerability response and remediation practices encompass?

Answer 133

Patching, insurance, segmentation, compensating controls, exceptions, and exemptions.

Question 134

What are typical forms of compensating controls?

Answer 134

Additional monitoring, secondary authentication mechanisms, or enhanced encryption.

Question 135

Define ‘remediation validation’ and its purpose

Answer 135

Ensures that the remediation actions have been implemented correctly and function as intended.

Question 136

When examining the website for potential XSS and SQLi vulnerabilities, what are common indicators a cybersecurity analyst should look for?

Answer 136

Input fields that do not sanitize user input and error messages that disclose database information.

Question 137

What issue poses the highest risk related to unauthorized data access in cloud-hosted applications?

Answer 137

Misconfigured cloud storage access controls.

Question 138

Based on common operating system vulnerabilities what has insufficient or missing data validation mechanisms that lead to the system interpreting unintended command execution?

Answer 138

Buffer overflow.

Question 139

When leveraging dependency analysis and SBOM tools in a software development environment, which key factors should the security team prioritize to address potential vulnerabilities more efficiently?

Answer 139

Recognizing outdated software dependencies and Identifying undisclosed open-source components.