2. Vulnerability Types and Concepts Flashcards
When assessing the steps to take to protect a system, which of the following should guide your selection of measures?
A) Exploitability of the system
B) Level of difficulty in mounting an attack
C) Asset value
D) Potential for weaponization of the system
When performing risk analysis with regard to protecting a system, asset value (which encompasses the value of the data it holds) should guide the selection of countermeasures or controls to be implemented. The cost of controls should never exceed the cost of suffering a successful attack.
The exploitability of the system, the level of difficulty in mounting a successful attack, and the likelihood that the system could be potentially weaponized are all important considerations, but these factors do not outweigh the cost of the controls versus the projected impact of the risk.
Which of the following cryptographic attacks can be mitigated by salting the password?
A) brute force
B) known plaintext
C) pass the hash
D) side channel
A brute-force attack attempts to discover the key that was used to encrypt the data. This attack can be made easier when a rainbow table is used. This is a table of possible key values and their corresponding hash values. By using this table, the hacker eliminates one of the steps in cracking the key, thereby speeding up the process of decrypting the data. This attack can be mitigated by adding a random value to the key after it has been hashed, a process called salting the password.
What is a known-plaintext attack?
A known-plaintext attack is one in which the attacker holds several samples of plaintext and the corresponding ciphertext. Using these samples, the attacker tries to identify the encryption key that was used to encrypt the text. After determining the key, the attacker can convert the rest of the ciphertext into plaintext by using the same key.
What is pass the hash?
Pass the hash (PtH) is an attack in which an adversary obtains a “hashed” user credential and uses it to create a new user session on the same network.
What is a side-channel attack?
In a side-channel attack, the hacker attempts to discover information helpful to cracking the key by observing timing information, power consumption, electromagnetic leaks, and sounds made during the processing.
Your team has arrived at a set of security configurations and applied them to the appropriate machines using a Group Policy object. Later, at regular intervals, the systems will be scanned to ensure the organization is still conforming to its requirement. Which of the following statements BEST describes the requirement it must meet?
A) CIS benchmark
B) security baseline
C) PCI-DSS
D) ISO 27000 series
When sets of security configurations are created, they are called security baselines. When you scan later to ensure compliance, you are performing baseline security scanning.
CIS
While the security baseline you create might conform to an industry security standard, such as the Center for Internet Security (CIS) benchmark, there is no indication in the scenario that this is the case. A generic group of settings is called a security baseline. CIS benchmarks are prescriptive configuration recommendations for more than 25 vendor product families.
ISO 27000 series
The ISO 27000 series comprises security standards published jointly by the ISO and the International Electrotechnical Commission (IEC).
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that process credit card transactions or handle cardholder data from the major credit card vendors.
You are negotiating with an IT service provider. You would like to ensure that your web server is able to maintain 99.99% uptime. This uptime is an expression of what?
A) Maintenance window
B) Maintenance exclusion
C) Responsive control
D) SLO
99.99% uptime is an expression of a service level objective (SLO). SLOs are the critical metrics within a Service Level Agreement (SLA) that a provider must meet for a client. Policies, governance, and SLOs are key components of attack surface management. SLOs begin with a service level indicator (SLI), which is the item for which performance or service is tracked. An example of an SLI could be server uptime, which is the item for which you want service tracked. The corresponding SLO would be expressed as a percentage: server uptime should be 99.99%.
Maintenance Window
A maintenance window is a recurring period during which patches and configuration changes (maintenance) are performed. These maintenance windows are typically used for automatic patch deployment and configuration changes. When scheduling a maintenance window, it is important to consider the impact of downtime to the organization, customers, and operations.
Maintenance Exclusion
A maintenance exclusion (or maintenance exception) is a timeframe or instance when maintenance would be prohibited. This could be the case when a legacy application cannot be updated. Another example of a maintenance exclusion could be a retail organization that forbids configuration changes during a peak sale period. The maintenance exception should be submitted as a request that is subsequently approved by the change management team.
Responsive Controls
Responsive controls come into play after an event has been detected. Examples include a system reboot, activating a business continuity plan, isolating a virus to quarantine, and replacing smart access cards.
Your organization’s management has recently spent time discussing attacks against companies and their infrastructures. During the meeting, the Stuxnet attack was discussed. Against which type of system did this attack occur?
A) Kerberos
B) SCADA
C) VoIP
D) RADIUS
A Stuxnet attack occurs against a Supervisory Control and Data Acquisition (SCADA) system. A SCADA system is also referred to as an industrial control system (ICS). SCADA is a category of software that gathers data in real time from remote locations to control equipment and conditions. It is used to monitor critical systems and control power distribution. In recent years, it has become even more vital to protect these systems. SCADA is used in the power, oil, telecommunications, gas refining, water treatment, nuclear facilities, and waste control industries.
Kerberos and RADIUS
Kerberos is an authentication system that includes clients, servers, and a key distribution center (KDC). The KDC gives clients tickets that the clients use to access servers and other resources.
Remote Authentication Dial-In User Service (RADIUS) is a remote access technology that allows remote users to centrally sign on to access the resources on the local network.
You are the security administrator for your company and have identified a security risk that cannot be corrected with in-house personnel. You decide to hire an outside contractor who will be responsible for handling and managing this security risk. Which risk management principle is being described?
A) Avoid
B) Transfer
C) Accept
D) Mitigate
The risk management principle of transfer (transference) is being described. Transference involves shifting the risk and its consequences to a third party who is then responsible for owning and managing the risk. Purchasing insurance is an example of transference.
Risk management principles: Avoid
The avoid principle (avoidance) involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include stopping a risky activity altogether, adding security resources to eliminate the risk, or removing resources to eliminate the risk.
Risk management principles: Acceptance
The risk management principle of accept (acceptance) is when you acknowledge that a risk may occur, but do not change the security plan to prevent the risk. Examples of acceptance would include taking no action at all or developing a contingency or fallback plan. It is recommended that you accept a risk when the cost of the safeguard exceeds the amount of the potential loss.
Risk management principles: Mitigate
The mitigate principle (mitigation) involves reducing the probability or impact of a risk to an acceptable risk threshold. To mitigate a risk, you would take actions to minimize the probability of the risk occurring. Biometric locks on a server room’s doors mitigate the risk of an intruder breaking in where sensitive data is housed.
Which of the following would determine if safeguards that have been installed were properly implemented, performing as expected and producing the appropriate results?
A) Security controls testing
B) Bug bounty
C) Penetration testing and adversary emulation
D) Attack surface reduction
Security controls testing determines whether safeguards that have been installed were properly implemented, are performing as expected, and are producing the appropriate results. Security controls are grouped into three main categories: technical, administrative, and physical. For example, a test of a physical security control could be checking to see if an access control card denies entry into a specific area.
Pen Testing
Penetration testing and adversary emulation are critical for attack surface management. The goal of penetration testing is to identify as many vulnerabilities as possible within defined time and scope parameters.
Adversary or Threat emulation
Adversary emulation (also known as threat emulation) adopts current threat intelligence methodologies and tactics to identify, expose, and correct vulnerabilities. Adversary emulation is particularly suited to measuring the organization’s ability to withstand an attack from advanced persistent threats.
Bug Bounty
A bug bounty is a reward for finding security flaws (bugs) in an application. Organizations will attract ethical hackers to find vulnerabilities. Once found, the ethical hackers are rewarded, often with some prestige or notoriety like being mentioned on a leaderboard. Finding and correcting vulnerabilities helps reduce the attack surface.
Attack surface reduction
Attack surface reduction refers to hardening areas that are potential entry points, including cloud infrastructure. Examples of items that can be addressed include deleting unused accounts, closing unused ports, implementing the principle of least privilege, and removing hardware that is no longer used.