Vulnerability Management Flashcards

(84 cards)

1
Q

What is the first step in the vulnerability management process?

A

Asset inventory (identifying what you have)

2
Q

What is a CVE?

A

Common Vulnerabilities and Exposures (public ID for a specific vulnerability)

3
Q

What does CVSS stand for?

A

Common Vulnerability Scoring System

4
Q

What does CVSS measure?

A

The severity of a vulnerability (scale of 0–10)

5
Q

What is a compensating control?

A

An alternative security measure used when a patch cannot be applied

6
Q

What is patch management?

A

The process of acquiring, testing, and deploying software updates

7
Q

What is a zero-day vulnerability?

A

A vulnerability that is exploited before a patch is available

8
Q

What is the difference between authenticated and unauthenticated scanning?

A

Authenticated scans log in to the system for deeper analysis

9
Q

What is the benefit of an authenticated scan?

A

More accurate results with fewer false positives

10
Q

What is a false positive in vulnerability scanning?

A

An alert for a vulnerability that doesn’t actually exist

11
Q

What is a false negative?

A

A vulnerability that exists but is not detected

12
Q

Why is it important to prioritize vulnerabilities?

A

Limited resources require focusing on the highest risk to the business

13
Q

What factors influence vulnerability prioritization?

A

CVSS score, exploitability, asset value, business impact

14
Q

What is vulnerability remediation?

A

Fixing the vulnerability (e.g., patching, reconfiguring)

15
Q

What is vulnerability mitigation?

A

Reducing the impact or likelihood of exploitation without fully fixing it

16
Q

What is vulnerability acceptance?

A

Choosing to do nothing based on acceptable risk

17
Q

What is the purpose of a vulnerability scanner?

A

To identify known weaknesses in systems and software

18
Q

What is the purpose of a scan baseline?

A

To compare future scans and detect changes over time

19
Q

What is a scan credential?

A

A username/password or key that allows deeper scanning access

20
Q

What is a patch window?

A

A scheduled time frame when updates can be safely applied

21
Q

What is the HIPAA compliance framework for?

A

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a US federal law that establishes national standards for protecting sensitive patient health information. It aims to safeguard patient privacy, secure health information, and control healthcare administrative costs.

22
Q

What is the PCI DSS compliance framework for?

A

Payment Card Industry Data Security Standard / Credit card payment processing

23
Q

What is the FISMA compliance framework for?

A

FISMA, the Federal Information Security Modernization Act, is a United States federal law designed to protect government information and operations from cyber threats. It establishes a framework of guidelines and security standards for federal agencies and their contractors to safeguard sensitive information.

24
Q

What are two examples where vulnerability scanning is required (legal/regulatory)?

A

PCI DSS
FISMA

25
What is the SOX compliance framework for?
SOX compliance refers to adhering to the requirements of the Sarbanes-Oxley (SOX) Act, a U.S. federal law designed to protect investors and the public from fraudulent accounting practices by corporations. It mandates specific financial reporting standards and internal controls to ensure the accuracy and reliability of financial statements.
26
What is the GDPR compliance framework for?
GDPR stands for the General Data Protection Regulation. It is a European Union (EU) law focused on data protection and privacy. It regulates how organizations handle the personal data of individuals within the EU, regardless of whether the organization is located inside or outside the EU.
27
Name three common vulnerability scanning tools.
Nessus, Qualys, OpenVAS.
28
What is the primary goal of vulnerability management?
To identify, assess, prioritize, and mitigate vulnerabilities in systems and networks to reduce the risk of exploitation
29
What is the purpose of a vulnerability management lifecycle?
To systematically manage vulnerabilities through phases: discovery, prioritization, assessment, remediation, verification, and monitoring.
30
What is the main characteristic of the Waterfall development model?
Sequential and linear phases with little iteration
31
Which development model uses iterative cycles and adaptive planning?
Agile
32
What does the term 'shift-left' mean in DevSecOps?
Integrating security early in the development lifecycle
33
What is the purpose of Continuous Integration (CI)?
Automatically test and integrate code frequently to catch issues early
34
What is Continuous Deployment (CD)?
Automatically releasing validated code to production without manual steps
35
What does static code analysis do?
Examines source code without executing it to find vulnerabilities
36
What does dynamic code analysis do?
Analyzes code behavior during execution to detect security issues
37
What organization publishes the OWASP Top 10?
Open Web Application Security Project
38
What is the goal of secure coding practices?
To prevent vulnerabilities like injection, XSS, and buffer overflows
39
In Agile, what is a sprint?
A time-boxed iteration during which a set of features are developed
40
What is fuzzing, and what is its purpose in security operations?
Definition: Fuzzing is a testing technique that involves sending random, malformed, or unexpected inputs to a system or application to identify vulnerabilities or errors.
Purpose: To discover security flaws (e.g., crashes, buffer overflows) that could be exploited by attackers, improving system resilience.
Key Details:
- Used in software testing and vulnerability assessments.
- Tools: AFL (American Fuzzy Lop), Peach Fuzzer.
- Types: Black-box (no code access), white-box (full code access), or grey-box (partial code access).
CySA+ Relevance: Helps identify weaknesses in applications before attackers exploit them.
41
What are the (3) Security Control Categories?
- Technical
- Operational
- Managerial
42
Security Control Categories: What is a Technical control?
Technical controls enforce CIA in the digital space. Examples: firewall rules, access control lists, IDS, encryption
43
Security Control Categories: What is an Operational control?
Operational controls include the processes that we put in place to manage technology in a secure manner. Examples: user access reviews, log monitoring, vulnerability mgmt
44
Security Control Categories: What is a Managerial control?
Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples: periodic risk assessments, security planning exercises, and the incorporation of security into the org's change mgmt/service acquisition/project mgmt practices.
45
What are the (5) types of Security Controls?
Preventative - stop a security issue before it occurs (firewalls, encryption)
Detective - identify security events that have already occurred (IDS)
Responsive - help an org respond to an active security incident (24x7 SOC)
Corrective - remediate security issues that have already occurred (backup restore)
Compensating - mitigate the risk associated with exceptions made to a security policy
46
What are some examples of threat classification models?
Microsoft's STRIDE
PASTA >> Process for Attack Simulation & Threat Analysis
LINDDUN
CVSS
47
Secure Coding Best Practices: What does 'input validation' prevent?
Input validation helps prevent a wide range of problems, from cross-site scripting (XSS) to SQL injection attacks
48
Secure Coding Best Practices: Output encoding
Output encoding translates special characters into an equivalent but safe version before a target app or interpreter reads it. This helps to prevent XSS attacks by preventing special characters from being inserted that cause the target app to perform an action.
49
Secure Coding Best Practices: Secure session management
Secure session management ensures that attackers cannot hijack user sessions or that session issues don't cause confusion among users
50
Secure Coding Best Practices: Authentication
Authentication limits access to apps to only authenticated users or systems. Use multifactor authentication to help limit the impact of credential compromises
51
Secure Coding Best Practices: Data protection techniques
Data protection techniques, such as encryption, keep data protected against eavesdropping and other confidentiality violations while stored or in transit over a network
52
Secure Coding Best Practices: Parameterized queries
Parameterized queries prevent SQL injection attacks by precompiling SQL queries so that new code may not be inserted when the query is executed
53
What is an immunity debugger? What is GNU debugger?
An immunity debugger is designed specifically to support penetration testing and the reverse engineering of malware.
GNU debugger (GDB) is a widely used open source debugger for Linux that works with a variety of programming languages.
54
What is risk transference?
Risk transference moves some of the risk to a third party.
55
Policy / Standard / Procedure / Guideline
Policy - high-level statements of mgmt intent for the infosec program
Standard - describe the detailed implementation requirements for policy
Procedures - offer step-by-step instructions for carrying out security activities
Compliance with policies, standards, and procedures is MANDATORY.
Guidelines - offer OPTIONAL advice that complements other elements of the policy framework.
56
What are some common security policies?
Information Security Policy
Acceptable Use Policy
Data Ownership Policy
Data Retention Policy
Account Management Policy
Password Policy
57
What are 2 tasks admins who are responsible for maintaining vulnerability scanning systems should perform?
Update the scanner software on a regular basis to correct security issues and add new functionality
Update plug-ins frequently to provide the most accurate and up-to-date vulnerability scans
58
What is considered a Critical CVSS score?
9.0 - 10.0
59
What is considered a High CVSS score?
7.0 - 8.9
60
What is considered a 'Medium' CVSS score?
4.0 - 6.9
61
What is considered a 'Low' CVSS score?
0.1 - 3.9
62
CVSS - what is AV?
Attack Vector - describes how an attacker would exploit the vuln.
(P) Physical - the attacker must physically touch the vulnerable device
(L) Local - the attacker must have physical or logical access to the affected system
(A) Adjacent Network - the attacker must have access to the local network that the affected system is connected to
(N) Network - the attacker can exploit the vuln remotely over a network >> HIGHEST SCORE IMPACT
63
CVSS - What is AC?
Attack Complexity - describes the difficulty of exploiting the vuln
(H) High - requires "specialized" conditions that would be difficult to find
(L) Low - does not require any specialized conditions >> HIGHEST SCORE IMPACT
64
CVSS - What is PR?
Privileges Required - describes the type of account access that an attacker would need to exploit a vuln
(H) High - admin privs are required
(L) Low - basic user privs required
(N) None - auth not required >> HIGHEST SCORE IMPACT
65
CVSS - what is UI?
User Interaction - describes whether the attacker needs to involve another human in the attack
(N) None - no other user required >> HIGHEST SCORE IMPACT
(R) Required - user required
66
CVSS - what is S?
Scope - describes whether the vuln can affect system components beyond the scope of the vuln
(U) Unchanged - can only affect resources managed by the same security authority
(C) Changed - can affect resources beyond the scope of the security authority managing the component containing the vuln
67
Common Vulnerabilities: End-of-life or outdated components
Use of unsupported software with known vulnerabilities
Fix/Prevent: Monitor and replace EOL software, apply patches regularly
68
Common Vulnerabilities: Buffer Overflow / Integer Overflow
Occurs when data exceeds buffer storage, leading to crashes or code execution
Fix/Prevent: Use bounds checking and modern programming languages with built-in safety. Seek a patch that corrects the issue.
69
What does a stack overflow target?
The stack, which stores variable information and is managed by the Operating System
70
What does a heap overflow target?
The heap, which stores objects created by code and must be managed by the application developers
71
Common Vulnerabilities: Privilege Escalation
Exploiting flaws to gain higher access than intended. Rootkits are hacking tools designed to automate privilege escalation attacks.
Fix/Prevent: Enforce least privilege, patch privilege-related bugs
72
Common Vulnerabilities: Remote Code Execution (RCE)
Allows attackers to run arbitrary code on the target system over a network connection
Fix/Prevent: Keep software updated, validate input, restrict code execution paths
73
Common Vulnerabilities: Insecure Design
Application lacks security controls by design. Example: telnet, FTP
Fix/Prevent: Perform threat modeling and adopt secure-by-design development practices
74
Common Vulnerabilities: Security Misconfiguration
Systems may be misconfigured in a way that allows attackers to gain info about the system's security settings or even allow them to exploit a misconfigured system
Fix/Prevent: Automate secure configurations, regularly audit systems, disable debug mode
75
Common Vulnerabilities: Cryptographic failures
Weak or misused encryption mechanisms leading to data exposure
Fix/Prevent: Use strong, modern algorithms (e.g., AES, TLS 1.3) and proper key management
76
Common Vulnerabilities: Injection Flaw
Attackers inject malicious code (e.g., SQL, LDAP, XML) into input fields. Example: SQL injection
Fix/Prevent: Use parameterized queries and input validation, and least privilege restrictions on database access
77
Common Vulnerabilities: Cross-Site Scripting (XSS)
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by users
Fix/Prevent: Use output encoding and input validation, implement Content Security Policy (CSP)
78
What is persistent XSS?
Attacker is able to actually store the attack code on a server. The code remains on the server, waiting for a user to request the affected content. Also known as stored XSS attacks.
79
What is Reflected XSS?
Attacker tricks a user into sending the attack to the server as part of a query string or other content. The server then sends the attack back to the user (reflecting it), causing the code to execute.
80
Common Vulnerabilities: Directory traversal
Manipulates file paths to access restricted files outside the web root
Fix/Prevent:
- Avoid using filenames in user-manipulatable fields
- Input validation should prevent the use of special chars
- Access controls on storage servers should restrict the web server's access to files authorized for public access
81
Common Vulnerabilities: Local/Remote file inclusion (LFI/RFI)
File inclusion attacks actually execute the code contained within a file, allowing the attacker to fool the web server into executing arbitrary code.
LFI = execute code stored in a file on the web server
RFI = execute code stored on a remote server, dangerous!!
Fix/Prevent: Sanitize file paths, disable remote file inclusion, and restrict file access
82
Common Vulnerabilities: Cross-Site Request Forgery (CSRF/XSRF)
Forces users to perform unintended actions while authenticated concurrently to other websites/services
Fix/Prevent:
- Use anti-CSRF tokens
- Require re-authentication for sensitive actions
- Check the referring URL in requests and only accept requests that originate from their own site
83
Common Vulnerabilities: Server-Side Request Forgery (SSRF)
Forces the server to make unauthorized requests to internal or external systems
Fix/Prevent: Implement allow-lists and input validation, block unnecessary outbound traffic
84
Common Vulnerabilities: Data Poisoning
Tampering with training or reference data to manipulate system behavior
Fix/Prevent: Validate input data, use secure data sources, monitor for anomalies