Security Plus - Chapter 5

Question 1

Vulnerability Management

Answer 1

A program used to identify, prioritize, and remediate vulnerabilities.

Question 2

Vulnerability Scanning

Answer 2

Tools used to detect new vulnerabilities as they arise and implement a remediation workflow that addresses the highest priority vulnerabilities.

Question 3

Asset Inventory

Answer 3

A list of all of the assets that are in an environment.

Question 4

Asset Criticality

Answer 4

Determining the level of importance that an asset is to the organization and how the asset should be protected with security controls.

Question 5

Asset Map

Answer 5

The asset inventory as it is distributed throughout the organizations network.

Question 6

Risk Appetite

Answer 6

The willingness to tolerate risk within the environment.

Question 7

Regulatory Requirements

Answer 7

Requirements imposed by governmental agencies to provide guidance on how to apply security controls to protect the organization’s data.
PCI
HIPAA
FISMA

Question 8

Technical Constraints

Answer 8

The lack of technical resources that a tool may have to complete the requested task. Ex. The scanning system may only be capable of performing a certain number of scans per day, and organizations may need to adjust scanning frequency to ensure scans complete successfully.

Question 9

Business Constraints

Answer 9

The lack of business resources that may cause a tool the inability to complete a task. Ex. Running a vulnerability scan may result in high usage of server resources that in turn may cause a slowdown of the network.

Question 10

Licensing Limitations

Answer 10

Licensing of a scanning tool may either be a limitation of the amount of bandwidth the tool is permitted to use or a limit of the number of assets that the tool is permitted to scan.

Question 11

Vulnerability Scan Configuration

Answer 11

All of the functions that are established to schedule, produce reports, determine the types of checks performed, provide credentials to access the targets, installation of scanning agents and conduct scans from a variety of network perspectives.

Question 12

Scan Sensitivity Levels

Answer 12

These settings determine the types of checks that the scanner will perform and should be customized to ensure that the scan meets its objectives while minimizing the possibility of disrupting the target environment.

Question 13

Credentialed Scanning

Answer 13

Scans of network assets with a provided network login to improve the accuracy of the vulnerability scans. These can provide the scanner with the ability to access operating systems, databases, and applications as well. This could cause some disruption to these systems though with this increased scanning ability.

Question 14

Server-Based Scanning

Answer 14

Vulnerability scanning performed by a tool installed on a server within the network.

Question 15

Agent-Based Scanning

Answer 15

Administrators install small software agents on each target server which provides an inside out scan and report information back to vulnerability management platform for analysis and reporting.

Question 16

Scan Perspectives

Answer 16

Conducting scans from different locations within the network, providing a different view into vulnerabilities. Ex. External, Internal, Data Center

Question 17

Controls That May Affect Scan Results

Answer 17

Firewall Settings
Network segmentation
Intrusion Detection Systems
Intrusion Prevention Systems

Question 18

Vulnerability Feeds

Answer 18

Updates of vulnerabilities that are sent to the vulnerability management platform on a regular basis.

Question 19

Security Content Automation Protocol (SCAP)

Answer 19

An effort by the security community led by the National Institute of Standards (NIST), to create a standardized approach for communicating security-related information.

Question 20

SCAP Standards

Answer 20

Common Configuration Enumeration (CCE)
Common Platform Enumeration (CPE)
Common Vulnerabilities and Exposures (CVE)
Common Vulnerability Scoring System (CVSS)
Extensible Configuration Checklist Description Format (XCCDF)
Open Vulnerability and Assessment Language (OVAL)

Question 21

Common Configuration Enumeration (CCE)

Answer 21

Provides a standard nomenclature for discussing system configuration issues.

Question 22

Common Platform Enumeration (CPE)

Answer 22

Provides a standard nomenclature for describing product names and versions.

Question 23

Common Vulnerabilities and Exposures (CVE)

Answer 23

Provides a standard nomenclature for describing security-related software flaws.

Question 24

Common Vulnerability Scoring System (CVSS)

Answer 24

Provides a standardized approach for measuring and describing the severity of security-related software flaws.

Question 25

Extensible Configuration Checklist Description Format (XCCDF)

Answer 25

A language for specifying checklists and reporting checklist results.

Question 26

Open Vulnerability and Assessment Language (OVAL)

Answer 26

A language for specifying low-level testing procedures used by checklists.

Question 27

Network Vulnerability Scanner Examples

Answer 27

Tenable Nessus - Widely respected and one of the first products introduced Qualys - Commercially available and more recent product Rapid 7 Nexpose - Commercially available and more recent OpenVAS free alternative to commercially available

Question 28

Static Application Testing

Answer 28

Analyzes code without executing the code.

Question 29

Dynamic Application Testing

Answer 29

Executes the code as part of the test, running the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities.

Question 30

Interactive Application Testing

Answer 30

Analyzes the source code while testers interact with the application through exposed interfaces.

Question 31

Web Application Scanning

Answer 31

Tools that examine the security of web applications that test for web-specific vulnerabilities like SQL injection, cross site scripting (XSS), and cross-site request forgery (CSRF) vulnerabilities.

Question 32

Vulnerability Report Reviews

Answer 32

Nessus - Vulnerability Name, Overall Severity, Detailed Description, Solution, See Also (References), Output (Description of the remote section), Portal/Hosts (Details on the server that contains the vulnerability), Vulnerability Information (Miscellaneous information about the vulnerability, Risk Information (Useful information for assessing the severity of the vulnerability.

Question 33

Common Vulnerability Scoring System (CVSS)

Answer 33

An industry standard for assessing the severity of security vulnerabilities. It scores vulnerabilities on a variety of measures: Attack Vector Metric - Evaluates the exploitability Attack Complexity Metric - Evaluates the exploitability Privileges Required Metric - Evaluates the exploitability User Interaction Metric - Evaluates the exploitability Confidentiality Metric - Evaluates the impact of the vulnerability CVSS Confidentiality Metric - Evaluates the impact of the vulnerability Integrity Metric - Evaluates the impact of the vulnerability Availability Metric - Evaluates the impact of the vulnerability Scope Metric - Scope of the vulnerability

Question 34

Attack Vector Metric

Answer 34

Describes how an attacker would exploit the vulnerability.

Question 35

Attack Complexity Metric

Answer 35

Describes the difficulty of exploiting the vulnerability.

Question 36

Privileges Required Metric

Answer 36

Describes the type of account access that an attacker needs to exploit the vulnerability.

Question 37

User Interaction Metric

Answer 37

Describes whether the attacker needs to involve another human in the attack.

Question 38

Confidentiality Metric

Answer 38

Describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability.

Question 39

Integrity Metric

Answer 39

Describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability.

Question 40

Availability Metric

Answer 40

Describes the type of disruption that might occur if an attacker successfully exploits the vulnerability.

Question 41

Scope Metric

Answer 41

Describes whether the vulnerability can affect system components beyond the scope of the vulnerability.

Question 42

CVSS Vector

Answer 42

Single-line format to convey the ratings of a vulnerability on all eight of the metrics described.

Question 43

CVSS Severity Rating Scale

Answer 43

CVSS Score Rating 0.0 None 0.1-3.9 Low 4.0-6.9 Medium 7.0-8.9 High 9.0-10.0 Critical

Question 44

False Positives

Answer 44

When a scanner reports a vulnerability that does not exist.

Question 45

Positive Report

Answer 45

When a scanner reports a vulnerability.

Question 46

Negative Report

Answer 46

When a scanner reports there are no vulnerabilities.

Question 47

False Negative

Answer 47

When a scanner reports there are no vulnerabilities when there actually are some on the system.

Question 48

Information Sources for Interpreting Scan Reports

Answer 48

Log Reviews Security Information and Event Management systems Configuration Management systems

Question 49

Patch Management

Answer 49

The process of applying updates to operating systems, applications, and other systems and tools.

Question 50

Legacy Systems

Answer 50

Systems that are no longer supported by the vendors that produced those systems.

Question 51

Weak Configurations

Answer 51

A cause of vulnerabilities due to the below poor security practices: -Using default settings for setup/configuration pages -Using default credentials or unsecured accounts of standard user and administrator accounts -Leaving open service ports that are not necessary to support normal system operations -Leaving open permissions that allow users to access that violates the principle of least privilege

Question 52

Debug Mode

Answer 52

Gives the developer crucial error information needed to troubleshoot applications in the development process. This could provide an attacker the ability to gain information of the inner workings of an application, on the structure of a database, authentication mechanisms, or other details.

Question 53

Insecure Protocols

Answer 53

Early protocols utilized without security controls established. TelNet and FTP are two examples.

Question 54

Weak Encryption

Answer 54

Utilizing broken cryptographic algorithms which are easily defeated by an attacker.

Question 55

Penetration Testing

Answer 55

A review of an organizations systems to determine if the security controls established by the organization are sufficient enough to maintain the security while a sophisticated attacker attempts to defeat those controls.

Question 56

Adopting the Hacker Mindset

Answer 56

Understanding the process of an attacker, knowing that they only need one vulnerability to be able to compromise an entire network of an organization. To find these vulnerabilities, security professionals must think like the mind of an adversary.

Question 57

Benefits of Penetration Testing

Answer 57

-Provides the organization with an understanding of an attacker, if successful what security controls were not properly configured or established and if they are unsuccessful that we are confident that we have established the proper security controls to thwart the advances of an attacker. -If the attackers are successful, it provides the blueprint for remediation of the attack. The organization would be able to trace the actions of the attacker through the network as they progressed and close the series of open doors and establish the necessary security controls to block future attacks. -The tests can provide the organization with essential, focused information on specific attack targets.

Question 58

Threat Hunting

Answer 58

Searching the organizations technology infrastructure for the artifacts of a successful attack. This assumes attackers have already gained access to the system and the organization finding evidence of this successful attack.

Question 59

Physical Penetration Testing

Answer 59

Identifying and exploiting vulnerabilities in an organization's physical security controls.

Question 60

Offensive Penetration Testing

Answer 60

A proactive approach where security professionals act as an attacker to identify and exploit vulnerabilities in an organization's networks, systems, and applications.

Question 61

Defensive Penetration Testing

Answer 61

Evaluating an organization's ability to defend against cyberattacks. Testing the defenses that are established.

Question 62

Integrated Penetration Testing

Answer 62

Combines both offensive and defensive testing to provide a comprehensive assessment of an organization's security posture.

Question 63

Known Environment Testing

Answer 63

Performed with full knowledge of the underlying technology, configurations, and settings that make up the target.

Question 64

Unknown Environment Testing

Answer 64

Intends to replicate what an actual attacker would encounter.

Question 65

Partially Known Environment Testing

Answer 65

A blend of known and unknown testing. The tester may be provided some information about the environment without giving full access, credentials, of configurations.

Question 66

Rules Of Engagement (ROE)

Answer 66

The agreed upon testing process and permission that the testing firm is given to attack the organizations networks.

Question 67

Elements of the Rules of Engagement

Answer 67

Timeline - When the testing is permitted to be performed. What targets - What locations, systems, applications, and other potential areas that are permitted to be tested. Data handling requirements - How information gathered during the testing will be collected, maintained, provided to the organization, and destroyed at the end of the testing agreement. Behaviors - What the organization can perform in regards to defensive controls for the testers to perform sufficient testing to the organizations satisfaction. What Resources - Understanding what time commitment may be required from administrators, developers, engineers, operations center, and other experts of the targets that may be included in working through the testing. Legal Concerns - Include a review of the laws that cover the target organization, any remote locations, and any service providers that may be in scope. Communications - How often will the testing firm communicate with the organization engaging in the tests. How should testers respond if they are successful in breaching the organization. How should the testers respond in the case of finding evidence that a breach has already occurred. Limitations - Including what systems or targets the testing firm is permitted to access and where they are not permitted to access. Problem handling and resolution - Understanding how the testing firm will provide assistance in the case that the testing causes disruption to systems and services.

Question 68

Passive Reconnaissance

Answer 68

Techniques used to seek to gather information without directly engaging with the target.

Question 69

Active Reconnaissance

Answer 69

Techniques used that directly engage the target in intelligence gathering. Port Scanning Footprinting - Identifying operating systems and applications in use Vulnerability Scanning

Question 70

War Driving or War Flying

Answer 70

The use of vehicles or unmanned vehicles to drive or fly near an organization to identify unsecured wireless network that the attacker may be able to utilize to gain access.

Question 71

Penetration Testing Steps

Answer 71

Initial Access - When the attacker exploits a vulnerability Privilege Escalation - Using hacking techniques to shift from initial access to establishing advanced privileges. Pivoting (Lateral Movement) - Occurs when the attacker moves from one system if the initial access to additional systems within the network. Persistence - Attacker establishes backdoors into the systems and using other mechanisms to regain access to the network even if the initial vulnerability is patched.

Question 72

Major Components of a Security Assessment Program

Answer 72

Security tests Security assessments Security audits

Question 73

Security Tests

Answer 73

Verify that a control is functioning properly. - Automated scans - Tool-assisted penetration tests - Manual attempts to undermine security

Question 74

Security Testing Factors

Answer 74

- Availability of security testing resources - Criticality of systems and applications being protected by the controls. - Sensitivity of information contained on tested systems - Likelihood of a technical failure of the mechanism implementing the control - Likelihood of a misconfiguration of the control - Risk that the system will come under attack - Rate of change of the control configuration - Other changes in the technical environment that may affect performance - Difficulty and time required to perform a control test - Impact of the test on normal business operations

Question 75

Security Assessments

Answer 75

Comprehensive reviews of the security of a system, application, or other tested environment. This can be performed by internal staff members or an authorized external third-party.

Question 76

Security Audit

Answer 76

Comprehensive, impartial, and unbiased view of the security controls of a system, application, or other tested environment performed by an authorized third-party of independent auditors.

Question 77

Internal Audits

Answer 77

Audits performed by internal staff members that are members of the organizations audit team. The reports are intended for internal audiences.

Question 78

External Audits

Answer 78

Audits performed by an outside auditing firm who serves as an independent third party.

Question 79

Independent Third-Party Audits

Answer 79

Audits performed by an external firm on behalf of another organization. Example, a regulatory body may have the authority to initiate an audit of a regulated firm under contract or law.

Question 80

American Institute of Certified Public Accountants (AICPA)

Answer 80

Accounting group that provides a common standard to be used by auditors performing assessments of service organizations.

Question 81

Control Objectives for Information and related Technologies (COBIT)

Answer 81

Framework of the common requirements that organizations should have in place surrounding their information systems.

Question 82

Vulnerability Life Cycle

Answer 82

Identification, Analysis, Response and remediation, Validation of remediation, Reporting

Question 83

Vulnerability Identification

Answer 83

The first stage where the organization becomes aware of the vulnerability that exists within the organization. Ways orgs are made aware of a vulnerability: - Vulnerability scans of the environment - Penetration tests of the organization - Reports from responsible disclosures - Results of system and process audits

Question 84

Vulnerability Analysis

Answer 84

The second stage of the life cycle where the cybersecurity professionals perform an analysis of the report.

Question 85

Steps for Vulnerability Analysis

Answer 85

- Confirm there is a vulnerability and it is not a false positive - Prioritize and categorize the vulnerability using tools such as CVSS and CVE - Supplement the external analysis with the organization's specific details for risk assessment. Assess using the exposure factor, environmental variables, industry and organizational impact, and the organizations risk tolerance.

Question 86

Vulnerability Response and Remediation

Answer 86

Using the outcome of the report to guide the organization to identify the vulnerabilities that are most in need of remediation.

Question 87

Vulnerability Remediation Steps

Answer 87

- Apply a patch or other corrective measure to correct the vulnerability - Use network segmentation to isolate the affected system so that the probability of an exploit becomes remote. - Implement other compensating controls, such as application firewalls or intrusion prevention systems, to reduce the likelihood that an attempted exploit will be successful. - Purchase insurance to transfer the financial risk of the vulnerability to an insurance provider. - Grant an exception or exemption to the system as part of a formal risk acceptance strategy.

Question 88

Validation of Remediation

Answer 88

After completion of the remediation, the cybersecurity professionals should perform a validation that the vulnerability is no longer present.

Question 89

Reporting

Answer 89

Communicating the findings, action taken, and lessons learned to relevant stakeholders within the organization.