2. Vulnerability Types and Concepts Flashcards
When assessing the steps to take to protect a system, which of the following should guide your selection of measures?
A)Exploitability of the system
B)Level of difficulty in mounting an attack
C)Asset value
D)Potential for weaponization of the system
When performing risk analysis with regard to protecting a system, asset value (which encompasses the value of the data it holds) should guide the selection of countermeasures or controls to be implemented. The cost of controls should never exceed the cost of suffering a successful attack.
The exploitability of the system, the level of difficulty in mounting a successful attack, and the likelihood that the system could be potentially weaponized are all important considerations, but these factors do not outweigh the cost of the controls versus the projected impact of the risk.
Which of the following cryptographic attacks can be mitigated by salting the password?
A)brute force
B)known plaintext
C)pass the hash
D)side channel
A brute-force attack attempts to discover the key that was used to encrypt the data. This attack can be made easier when a rainbow table is used. This is table of possible key values and their corresponding hash values. By using this table, the hacker eliminates one of the steps in cracking the key, thereby speeding up the process of decrypting the data. This attack can be mitigated by adding a random value to the key after it has been hashed, a process called salting the password.
What is a know-plaintext attack?
A known-plaintext attack is one in which the attacker keeps several samples of plain text and ciphertext. Using these samples, the attacker tries to identify the encryption key that was used to encrypt the text. After determining the key, the attacker can convert the rest of the cipher text into plain text by using the same key.
What is pass the hash?
Pass the hash (PtH) is an attack in which an adversary obtains a “hashed” user credential and uses it to create a new user session on the same network.
Side-channel attack?
In a side-channel attack, the hacker attempts to discover information helpful to cracking the key by observing timing information, power consumption, electromagnetic leaks, and sounds made during the processing.
Your team has arrived at a set of security configurations and applied them to the appropriate machines using a Group Policy object. Later, at regular intervals, the systems will be scanned to ensure the organization is still conforming to its requirement. Which of the following statements BEST describes the requirement it must meet?
A)CIS benchmark
B)security baseline
C)PCI-DSS
D)ISO 27000 series
When sets of security configurations are created, they are called security baselines. When you scan later to ensure compliance, you are performing baseline security scanning.
CIS
While the security baseline you create might conform to an industry security standard, such as the Center for Internet Security (CIS) benchmark, there is no indication in the scenario that this is the case. A generic group of settings is called a security baseline. CIS benchmarks are prescriptive configuration recommendations for more than 25 vendor product families.
ISO 2700 series
The ISO 27000 series comprises security standards published jointly by the ISO and the International Electrotechnical Commission (IEC).
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS). This standard is an information security standard for organizations that process credit card transactions or handle cardholder data from the major credit card vendors.
You are negotiating with an IT service provider. You would like to ensure that your web server is able to maintain 99.99% uptime. This uptime is an expression of what?
A)Maintenance window
B)Maintenance exclusion
C)Responsive control
D)SLO
99.99% uptime is an expression of a service level objective (SLO). SLOs are the critical metrics within a Service Level Agreement (SLA) that a provider must meet for a client. Policies, governance, and SLOs are key components of attack surface management. SLOs begin with a service level indicator (SLI), which is the item for which performance or service is tracked. An example of an SLI could be server uptime – this is the item for which you want service tracked. The corresponding SLO would be expressed as a percentage: server uptime should be 99.99%.
Maintenance Window
A maintenance window is a recurring period during which patches and configuration changes (maintenance) are performed. These maintenance windows are typically used for automatic patch deployment and configuration changes. When scheduling a maintenance window, it is important to consider the impact of downtime to the organization, customers, and operations.
Maintenance Exclusion
A maintenance exclusion (or maintenance exception) is a timeframe or instance when maintenance would be prohibited. This could be the case when a legacy application cannot be updated. Another example of a maintenance exclusion could be a retail organization that forbids configuration changes during a peak sale period. The maintenance exception should be submitted as a request that is subsequently approved by the change management team.
Responsive Controls
Responsive controls come into play after an event has been detected. Examples include a system reboot, activating a business continuity plan, isolating a virus to quarantine, and replacing smart access cards.
Your organization’s management has recently spent time discussing attacks against companies and their infrastructures. During the meeting, the Stuxnet attack was discussed. Against which type of system did this attack occur?
A)Kerberos
B)SCADA
C)VoIP
D)RADIUS
A Stuxnet attack occurs against a Supervisory Control and Data Acquisition (SCADA) system. A SCADA system is also referred to as an industrial control system (ICS). SCADA is a category of software that gathers data in real time from remote locations to control equipment and conditions. It is used to monitor critical systems and control power distribution. In recent years, it has become even more vital to protect these systems. SCADA is used in the power, oil, telecommunications, gas refining, water treatment, nuclear facilities, and waste control industries.
Kerberos and RADIUS
Kerberos is an authentication system that includes clients, servers, and a key distribution center (KDC). The KDC gives clients tickets that the clients use to access servers and other resources.
Remote Authentication Dial-In User Server (RADIUS) is a remote access technology that allows remote users to centrally sign on to access the resources on the local network.
You are the security administrator for your company and have identified a security risk that cannot be corrected with in-house personnel. You decide to hire an outside contractor who will be responsible for handling and managing this security risk. Which risk management principle is being described?
A)Avoid
B)Transfer
C)Accept
D)Mitigate
The risk management principle of transfer (transference) is being described. Transference involves shifting the risk and its consequences to a third party who is then responsible for owning and managing the risk. Purchasing insurance is an example of transference.
Risk management principles: Avoid
The avoid principle (avoidance) involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include stopping a risky activity altogether, adding security resources to eliminate the risk, or removing resources to eliminate the risk.
Risk management principles: Acceptance
The risk management principle of accept (acceptance) is when you acknowledge that a risk may occur, but do not change the security plan to prevent the risk. Examples of acceptance would include taking no action at all or developing a contingency or fallback plan. It is recommended that you accept a risk when the cost of the safeguard exceeds the amount of the potential loss.
Risk management principles: Mitigate
The mitigate principle (mitigation) involves reducing the probability or impact of a risk to an acceptable risk threshold. To mitigate a risk, you would take actions to minimize the probability of the risk occurring. Biometric locks on a server room’s doors mitigate the risk of an intruder breaking in where sensitive data is housed.
Which of the following would determine if safeguards that have been installed were properly implemented, performing as expected and producing the appropriate results?
A)Security controls testing
B)Bug bounty
C)Penetration testing and adversary emulation
D)Attack surface reduction
Security controls testing determines if safeguards that have been installed were properly implemented, performing as expected and producing the appropriate results. Security controls are grouped into three main categories: technical, administrative, and physical. For example, a test of a physical security control could be checking to see if an access control card denies entry into a specific area.
Pen Testing
Penetration testing and adversary emulation are critical for attack surface management. The goal of penetration testing is to determine as many vulnerabilities as possible within defined time and scope parameters.
Adversary or Threat emulation
Adversary emulation (also known as threat emulation) adopts current threat intelligence methodologies and tactics to identify, expose and correct vulnerabilities. Adversary emulation is particularly suited to measure the organization’s ability to withstand an attack from advanced persistent threats.
Bug Bounty
A bug bounty is a reward for finding security flaws (bugs) in an application. Organizations will attract ethical hackers to find vulnerabilities. Once found, the ethical hackers are rewarded, often with some prestige or notoriety like being mentioned on a leaderboard. Finding and correcting vulnerabilities helps reduce the attack surface.
Attack surface reduction
Attack surface reduction refers to hardening areas that are potential entry points, including cloud infrastructure. Examples of items that can be addressed include deleting unused accounts, closing unused ports, implementing the principle of least privilege, and removing hardware that is no longer used.
Snort is one of the tools used by your company. What functionality does this tool provide?
A)IDS/IPS
B)Vulnerability scanner
C)Firewall
D)SIEM
Snort provides intrusion detection system (IDS) and intrusion prevention system (IPS) functionality, including logging and real-time traffic analysis.
What systems include firewalls?
Cisco, Palo Alto, and Checkpoint. Firewalls can sometimes include other functionalities, such as IDS and IPS functions.
SIEM Tool include?
SIEM tools include ArcSight, QRadar, Splunk, AlienVault, OSSIM, and Kiwi Syslog.
Vulnerability Scanners include?
Vulnerability scanners include Qualys, Nessus, OpenVAS, Nexpose, Nikto, and Microsoft Baseline Security Analyzer. Regarding OpenVAS and Nikto, OpenVAS is a full-featured vulnerability scanner, while Nikto is best for vulnerability scanning of web servers and their files.
After a number of unsuccessful attempts were made to attack your websites, your organization is looking to increase its knowledge about the latest threats to web applications. As part of this process, management has asked you to identify a list of the top 10 attacks and report these attacks on an ongoing basis. Which organization provides this information?
A)SANS
B)CIS
C)OWASP
D)ISO
The Open Web Application Security Project (OWASP) is a group that monitors attacks, specifically web attacks. OWASP maintains a list of the top 10 attacks on an ongoing basis. This group also holds regular meetings at chapters throughout the world, providing resources and tools including testing procedures, code review steps, and development guidelines.
What is SANS?
The SysAdmin, Audit, Network, and Security (SANS) organization also provides guidelines for secure software development, and they sponsor the Global Information Assurance Certification (GIAC). They also provide training, perform research, and publish best practices for cybersecurity, web security, and application security.
What is CIS used for?
The Center for Internet Security (CIS) is a not-for-profit organization known for compiling CIS Security Controls (CSC). From this research, they publish a list of the top 20 security controls. They also provide hardened system images, training, assessment tools, and consulting services.
ISO
The International Organization for Standardization (ISO) develops and publishes international standards.
Which of the following best practices would be the best application development tool to secure against SQL injection attacks?
A)Session management
B)Parameterized queries
C)Authentication
D)Data protection
Parameterized queries would be the best application development methodology to secure against SQL injection attacks. Parameterized queries allow you to use placeholders (parameters) instead of the actual input values. In the event a malicious user enters an SQL command into a text field, such as “DROP TABLE tablename”, the parameterized query would not read that as a command but rather as a bad email address.
What can you use to protect from Cross-Site injection attacks?
Session management protects against cross-site injection attacks by creating a token. This is accomplished through the creation of a session identifier (session ID) that is exchanged between the user and the web application. Session IDs should be at least 128 bits and should contain sufficient random characters to prevent a brute force attack.
Your organization recently deployed a commerce server in the cloud. They want to ensure that all requirements of PCI-DSS are implemented. Which open-source security tool contains hundreds of controls covering PCI-DSS requirements?
A)Immunity Debugger
B)Prowler
C)Maltego
D)Arachni
Prowler is an open-source tool used to perform best practices assessments and audits, with hundreds of controls covering PCI-DSS requirements.
What is Immunity Debugger tool?
Immunity Debugger is not a cloud tool. It supports a Python-based API and allows for the writing of exploits, analyzation of malware, and reverse engineering of binary files.
Maltego
Maltego is a not a cloud tool. It is a Java-based tool for discovering data from OSINT, private, and commercial data sources and visualizing that information in combined form in a graph format. The results can be used for link analysis and data mining.
Arachni
Arachni is not a cloud tool. It is used for IP scanning and is a high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.
What does nmap - sn function do?
you performed a host discovery scan by executing nmap -sn. This scan performs enumeration on the network for all active hosts.
nmap - sn
(no port scan, also called a ping scan)
The Nmap tool (short for network mapper) is commonly used to perform port scans, OS identification, and version or banner grabbing against services. Its main use is to discover the status of port numbers and IP addresses. It is widely used by administrators for network management and monitoring, and by criminal hackers to discover and investigate attack targets. The -sn switch (also called a ping scan) is the most common switch and is used for host discovery. Note that this type of scan is noisy and sends out packets for discovery, which in turn adds more traffic to the network and is visible to logs and Wireshark.
nmap
List scan
Nmap -pn
no ping scan
nmap -ps
port list TCP version
nmap -pu
port list UDP version
nmap - ss
stealth TCP connect scan
A stealth scan uses the -sS switch, which is one of the two TCP connect scans. (The -sT switch is the other.) A stealth scan is not as loud as a ping scan due to the fact that it sends a SYN packet to the port and. If it is open, it will send back an ACK and then an RST (reset) packet, leaving things quiet.
nmap - st
default TCP connect scan
nmap (compliance)
Compliance scans, by their very nature, are interested in whatever compliance rules your company needs to follow. For instance, if you are a hospital or medical clinic, you need to be in compliance with HIPAA.
Your organization is planning a vulnerability scan and would like to maintain an awareness of the possible contexts in which the scan is performed. In which context would the scan reveal the likelihood of an attack on the router directly attached to the Internet?
A)Segregated
B)External
C)Isolated
D)Internal
The context of a scan describes the position of the attacker when the scan (or subsequent attack) is performed. An external scan is performed from outside the network and simulates an attack on the device directly connected to the Internet.
Internal vulnerability scan
An internal scan is one that is performed from inside the firewall and simulates an attack by an insider or by an attacker who has breached the external network.
Isolated Vulnerability scan?
An isolated scan is one that is performed on a network or part of a network that is isolated from the Internet and perhaps from the internal network as well. A good example of this a virtual network with no connection to the Internet or internal network. This type of scan would probably require some type of internal assistance to the attacker as the scan would require access to the isolated network.
You have been tasked with upgrading the processes in the software development life cycle (SDLC) to the secure SDLC (SSDLC). What would you incorporate into the Planning and Requirements phase of the SDLC to make that section secure?
A)Threat modeling
B)Gap analysis
C)Secure coding
D)Unit testing
In the Planning and Security Requirements phase of the SSDLC, you would add gap analysis. Gap analysis identifies missing security elements and allows for these elements to be included in the development process. Adding gap analysis to the Planning and Requirements phase of the SDLC creates the Planning and Security Requirements phase of the SSDLC.
What model would you use in design phase of SDLC leading into a prototype of SSDLC?
Threat modeling would be added to the Design phase of the SDLC, becoming the Secure Design and Prototyping phase of the SSDLC.
What phase involves int the development phase of of SDLC leading into SSDLC?
Secure coding would be added to the Development phase of the SDLC, becoming the Secure Development phase of the SSDLC.
What is used in the Testing phase of the SDLC resulting into vulnerability testing phase of the SSDLC?
Unit testing would be added to the Testing phase of the SDLC, resulting in the Security and Vulnerability Testing phase of the SSDLC.
Name the 6 SDLC processes?
- Planning and Requirements
- Design
- Development
- Testing
- Deployment
- Maintenance
The corresponding phases of the secure software development lifecycle (SSDLC) process are:
- Planning and Security Requirements
- Secure Design and Prototyping
- Secure Development
- Security and Vulnerability Testing
- Secure Deployment
- Maintenance and Monitoring
SDLC Phase Name: Planning and Requirements
How to migrate to SSDLC?
Gap Analysis
SDLC Phase Name: Planning and Requirements
What is the Secure SDLC Phase Name?
Planning and Security Requirements
SDLC Phase Name: Design
How to migrate to SSDLC?
Threat Modelling
SDLC Phase Name: Design
What is the Secure SDLC Phase Name?
Secure Designing and Prototyping
SDLC Phase Name: Development
How to migrate to SSDLC?
Secure Coding
SDLC Phase Name: Development
What is the Secure SDLC Phase Name?
Secure development
SDLC Phase Name: Testing
How to migrate to SSDLC?
Unit Testing
SDLC Phase Name: Testing
What is the Secure SDLC Phase Name?
Security and Vulnerability Testing
SDLC Phase Name: Deployment
How to migrate to SSDLC?
Build routine security tests
SDLC Phase Name: Deployment
What is the Secure SDLC Phase Name?
Secure Deployment
SDLC Phase Name: Maintenanace
How to migrate to SSDLC?
Bug bounty program
SDLC Phase Name: Deployment
What is the Secure SDLC Phase Name?
Maintenance and Monitoring
The software development team has started developing a new application. They are assigning a privacy impact rating to the data that will be handled and/or generated by the application. Which best practice prescribed by the SDLC model does this support?
A)security requirements definition
B)user acceptance testing
C)manual peer reviews
D)security testing phases
This process described in the scenario supports the security requirements definition. The security requirements of the solution must be identified. Assigning a privacy impact rating to the data helps to guide measures intended to protect the data from exposure.
Security testing phases are undertaken after security requirements have been defined, because only when the requirements have been defined can one know if they have been met.
In manual peer review, software developers attend meetings where each line of code is reviewed, usually using printed copies.
While it is important to make web applications secure, in some cases security features make the application unusable from the user perspective. User acceptance testing is designed to ensure that does not occur.
Your team needs a tool that is an open-source and cross-platform network scanner designed to scan IP addresses and ports. Which of the following tools fits the bill?
A)Angry IP Scanner
B)GNU Debugger
C)Arachni
D)Maltego
Angry IP Scanner is an open-source and cross-platform network scanner designed to scan IP addresses and ports. It can scan IP addresses in any range as well as any of their ports. As a cybersecurity practitioner you would use this to ensure that all open ports are required and as a hacker you would use this scan for open ports to attack.
Arachni
Arachni is not used for IP scanning. It is a high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications.
What are three types of security controls? (Choose three.)
A)Acceptance
B)Preventative
C)Detective
D)Responsive
Three types of security controls are preventative controls., detective controls, and responsive controls.
Detective controls identify active security issues when they arise or find indicators of compromise. They include monitoring, job rotation, investigations, intrusion detection systems (IDSes), auditing, guards, and CCTV.
Responsive controls come into play after an event has been detected, and may be automated or preconfigured actions prepared in advance. Examples include a system reboot, activating a business continuity plan, isolating a virus to quarantine, and replacing smart access cards.
Corrective controls?
Corrective – Restore normal operations after a security incident
Managerial Controls
Managerial – Establish policies to decrease the chances of a security incident
Operational Controls
Operational – Enact security policies with best practices and procedures
Technical Controls
Technical – Implement hardware- and software-based tools to prevent security incidents
You need to provide your company with a report regarding potential security-related software flaws. You need to use standardized names so that a security analyst contractor can understand the report. Which SCAP component should you use?
A)CVE
B)CVSS
C)CPE
D)CCE
You should use the Common Vulnerabilities and Exposures (CVE), which provides standardized names for security-related software flaws.
Keep in mind that you may need to provide reports on identified vulnerabilities to different audiences. While technical staff may be able to read and comprehend the automatic reports generated by a vulnerability scanner, you may need to create an executive report for other non-technical staff that contains information that is more easily understood.
While having the vulnerability scanner deliver reports automatically may be preferred, it is not the best solution. Understanding automated versus manual distribution issues will ensure that you, as the security analyst, can provide your audience with information they need and understand. Automatic distribution distributes the reports automatically through internal mechanisms, often via email. Manual distribution would require more effort on the security analyst to ensure that the appropriate individuals receive the correct report.
Your organization has implemented a cloud solution and is seeking a tool that could be used to perform security auditing on their environment. Which of the following is such a tool?
A)Scout Suite
B)Metasploit
C)Recon-ng
D)GNU debugger
Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection, highlights risk areas, and presents a clear view of the attack surface automatically.
What is GDB?
The GNU Project Debugger (GDB) is a not cloud tool. It is a widely popular program debugger with many features, such as the ability to discover what a program was doing when it crashed.
Metaploit
Metasploit is a not cloud tool, but a framework used in penetration testing that probes systematic vulnerabilities on networks and servers.
Recon-ng
Recon-ng is a not cloud tool. It comes with Kali Linux and automates the information gathering of open-source intelligence (OSINT).
You have a legacy application that should not be patched in the next update cycle. What should you request?
A)Maintenance window
B)Maintenance exclusion
C)Escalation
D)Service level objective
A maintenance exclusion (or maintenance exception) is a timeframe or instance when maintenance would be prohibited. This could be the case when a legacy application cannot be updated. Another example of a maintenance exclusion is a retail organization that forbids configuration changes during a peak sale period. The maintenance exception should be submitted as a request that is subsequently approved by the change management team.
Escalation
Escalation is closely related to prioritization. It is important that an organization has a prioritization and escalation policy. When an incident occurs, it is important to assign it a priority level. The priority level determines the order in which the incident is addressed. In addition, the priority level is usually associated with the team or individual within the organization that is tasked with handling that incident level. If the situation changes, conditions deteriorate, or the effects of an event spread, the priority level can be changed, allowing for escalation to another team.
A perfect example of prioritization and escalation exists in the medical community. For example, a bus carrying many passengers has crashed. First responders assign a priority level to each passenger according to the severity of their injuries. Those who can be treated at the scene are assigned a lower priority than those who must be transported to the hospital via ambulance. If a patient who is waiting for ambulance transport develops a life-threatening complication, that patient’s priority can be escalated for air transport.
SLO
Service level objectives (SLOs) are the critical metrics within a Service Level Agreement (SLA) that a provider must meet for a client. Policies, governance, and SLOs are key components of attack surface management. SLOs begin with a service level indicator (SLI), which is the item for which performance or service is tracked. An example of an SLI could be server uptime – this is the item for which you want service tracked. The corresponding SLO would be expressed as a percentage, such as a desired server uptime of 99.99%.
During a penetration testing planning session, the organization decided to use CVSS scores to help determine the criticality of any discovered vulnerabilities. Which of these metric groups does NOT receive a score in the CVSS system?
A)Environmental
B)Base
C)Temporal
D)Security
There is no Security metric group in the CVSS system.
What are the three CVSS metric groups scores used?
Base group: represents characteristics of a vulnerability that are constant over time and do not depend on the environment. These metrics are mandatory for scoring.
Temporal group: assesses a vulnerability as it changes over time. These metrics are optional for scoring.
Environmental group: represents the characteristics of a vulnerability, taking into account the organizational environment. These metrics are optional for scoring.
Which of the following is a Microsoft threat-modeling tool?
A)STIX
B)CVSS
C)T-MAP
D)STRIDE
STRIDE is an example of a threat modeling framework. It is a Microsoft tool developed to identify a wide variety of threats. STRIDE is an acronym for the six threats it identifies:
Spoofing identities
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
STIX
Structured Threat Information Expression (STIX) is an open-source language platform that is used to exchange threat intelligence amongst interested parties. For example, if a major retailer discovered a threat linked to supply chain management, it might communicate the threat information to its suppliers using STIX.
Tom is analyzing the results of a vulnerability scan and is examining a vulnerability detected on one of his servers that has a CVSS breakdown as follows:
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
Which one of the following describes the attack complexity score in this breakdown?
A)The attacker can expect repeatable success when attacking the vulnerable component.
B)The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications.
C)The attacker must gather knowledge about the environment in which the vulnerable target/component exists.
D)The attacker must prepare the target environment to improve exploit reliability.
An attacker can expect repeatable success when attacking the vulnerable component because the Access Complexity (AC) metric has a value of L, which stands for Low. The AC metric describes the difficulty of exploiting the vulnerability. It has two possible values:
H – stands for High and means the vulnerability requires special conditions that are hard to find.
L – stands for Low and means the vulnerability does not require special conditions.
When the AC score is high, the attack requires at least one of the following conditions to succeed:
The attacker must gather knowledge about the environment in which the vulnerable target/component exists, for example, a requirement to collect details on target configuration settings, sequence numbers, or shared secrets.
The attacker must prepare the target environment to improve exploit reliability, for example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.
The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).
Your web server’s files and directories were recently spidered, revealing a security issue of which a hacker took advantage. You need a server analysis tool that can index all of the files and directories, commonly known as spidering. Which of the following tools would be best suited for this?
A)Zenmap
B)Nessus
C)Nikto
D)Burp Suite
Nikto is an open-source web server analysis tool and vulnerability scanner. It indexes all of the files and directories regarding the target web server, commonly known as spidering, and locates and reports any potential issues it finds.
Burp Suite
Burp Suite is a collection of web application security tools that includes proxy capabilities and mobile application testing to determine communication with application programming interfaces (APIs) and to discover vulnerabilities in web apps.
Zenmap
Zenmap is the graphical user interface (GUI) version of the Nmap Security Scanner. Zenmap is a free and open-source program designed to make Nmap easier for beginners to learn and use, but it also provides features that are extremely useful for experienced Nmap users. It can be used to determine the differences between multiple Nmap scans, such as two Nmap scans run on different days.
Nessus
Nessus is a scanning tool for remote security that scans a device or network of devices and raises an alert if it comes across any vulnerabilities that malicious hackers could use to get into your network and cause damage.
After completing a vulnerability scan, John received a report that no vulnerabilities existed on a Windows workstation. Later, John discovered that the workstation had a vulnerability in the operating system that was not caught. What type of error occurred?
A)False positive
B)True negative
C)True positive
D)False negative
The type of error that occurred is a false negative. The vulnerability scan indicated no vulnerabilities existed when, in fact, one was present.
Security analysts should analyze reports from a vulnerability scan. This involves reviewing and interpreting scan results. As a result, security analysts need to identify false positives, identify exceptions, and prioritize response actions.
True Negative
A true negative is when a vulnerability scan reports no issue and no issues exist
True Positive
A true positive is when a vulnerability scan reports a vulnerability that does exist
False Positive
A false positive is when a vulnerability scan reports a vulnerability that does not exist.
The software development team is adopting the best practices of the software development life cycle. They need to prevent buffer overflow attacks. Which of the following should they deploy?
A)Manual peer reviews
B)Input validation
C)Security requirements definition
D)Security testing
Input validation ensures that all input is checked for the proper length. Validating input for length helps prevent buffer overflow attacks because buffer overflows present more input than was expected, overflowing the memory reserved for the input.
The other best practices of the SDLC include?
The other best practices of the Software Development Life Cycle (SDLC) include:
Security testing phases – including static code analysis, web application vulnerability scanning, and fuzz testing to identify vulnerabilities.
User acceptance testing – designed to ensure security features do not make the application unusable from the user perspective.
Stress test application – determines the workload that the application can withstand.
Security regression testing – validates that changes have not reduced the security of the application, nor opened new weaknesses that were not there prior to the change.
Your assistant just executed the following Nmap command:
$ nmap -sn 192.168.0.1-254
What is the best description of this scan type?
A)external scan
B)internal scan
C)device fingerprint
D)map scan
The nmap -sn command executes a ping sweep, which can be used to identify all live devices and as such can also be called a map scan, ping scan, or host discovery scan. The -sn switch is the most common switch and is used for host discovery, but does not scan ports. Sample output of this scan is shown below:
nmap -sn 192.168.0.1-254 -O
While the command $ nmap -sn 192.168.0.1- only identifies the devices and their IP addresses, a device fingerprint identifies the operating system and its version. Obtaining this information would require adding the -O switch, which enables operating system discovery.
You are working with a new security analyst on a recent non-credentialed Nessus vulnerability scan. You need to document the number of devices that are impacted by a particular vulnerability. The new security analyst does not know how to obtain this information. Which of the following should you instruct the analyst to obtain?
A)Vulnerabilities Grouped by Plugin
B)Suggested Remediations
C)Vulnerabilities Grouped by Host
D)Credentialed scan
You should instruct the new security analyst to obtain the Vulnerabilities Grouped by Plugin subset of the current scan. This is available from the main report in Nessus. A plugin is a simple program that checks for a given flaw.
You should not instruct the analyst to obtain Vulnerabilities Grouped by Host subset of the current scan. This will list the vulnerabilities for a given host.
You should not instruct the analyst to obtain the Suggested Remediations subset of the current scan. It summarizes the actions to take that address the largest quantity of vulnerabilities on the network.
You should not instruct the analyst to obtain a Credentialed scan. You can obtain the information you need from the current non-credentialed scan.
A consultant has pointed out that the firewall protecting the internal network is allowing the 192.168.5.0/16 network rather than the 192.168.5.0/8 network as the implementation document specifies. In which category of issues should this discovery be recorded?
A)insecure design
B)security misconfiguration
C)identification and authentication failure
D)end-of-life or outdated component
Since the implementation document specifies a desired setting at variance with the actual setting that exists on the device, this is a security misconfiguration.
This is not an example of insecure design. There is no indication that the desired configuration in the design document is incorrect or insecure.
This is not an issue with its roots in an end-of-life or outdated component. An example of that would be if the consultant discovered that the router was so old that the vendor no longer provided support for it.
This is not an issue in the category of identification and authentication failure. An example of this would be if the consultant discovered that the router allowed them to log on as administrator when that should not be allowed.
Users have been complaining about a program constantly crashing. What tool would you use to find information as to why the crashes occur?
A)Metasploit framework
B)GDB
C)Recon-ng
D)Immunity Debugger
The GNU Project Debugger (GDB) is a widely popular debugger with many features. With this program, you can discover what a program was doing when it crashed.
Metasploit Framework?
Metasploit framework (MSF) is a framework used in penetration testing that probes systematic vulnerabilities on networks and servers. It would not help determine why the application crashes occur.
The Immunity Debugger
The Immunity Debugger is a tool that supports a Python-based API. It allows for the writing of exploits, analyzation of malware, and reverse engineering of binary files. It would not help determine why the crashes occur.
Which of the following patching and configuration management concepts should be implemented first when a new patch is issued or a configuration change is necessary?
A)Implementation
B)Testing
C)Rollback
D)Validation
Your first step would be to implement testing when a new patch is issued or a configuration change is necessary. Regarding new patches, it would be impossible for a publisher to account for every possible implementation of a new patch. Therefore, you should install and test new patches and configuration changes on isolated equipment. If the change fails, the effects are localized and not catastrophic to the organization.
Validation checks are performed after the patch is installed or the configuration change is made to see if it performing as it should. Did the configuration change perform as claimed, or did it introduce unforeseen errors elsewhere in the system?
Implementation is the deployment or activation of the patch or configuration change. Implementation should follow a standardized plan with a series of steps in a checklist. As an example, one step in the implementation process could be to perform a system backup or create a system image.
Rollback returns the device or application to the state it was in prior to the patch or configuration change; in essence, rollback is an “undo”. It is highly recommended that you have a rollback plan established that allows you to restore the system to its prior state in the likely event that something goes wrong.
Recently, it has become increasingly hard to manage all the event and audit logs generated by devices and servers on your company’s network. You need to deploy a solution that allows you to consolidate the logs for easier analysis. Which tool should you use?
A)MRTG
B)Splunk
C)Nexpose
D)Sysinternals
You should use Splunk to consolidate the logs for easier analysis. Splunk is a security information and event management (SIEM) tool. Other SIEM products include ArcSight, QRadar, AlienVault, OSSIM, and Kiwi Syslog.
Vulnerability Scanner tool?
Nexpose is a vulnerability scanning tool. Other vulnerability scanning tools include Qualys, Nessus, OpenVAS, Nikto, and Microsoft Baseline Security Analyzer (MBSA).
Sysinternals?
Sysinternals is a technical tool that includes resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.
MRTG?
MRTG is an analytical monitoring tool to monitor the traffic load on network links. Other monitoring tools include Nagios, SolarWinds, Cacti, and NetFlow Analyzer.
You have used Nessus to produce comprehensive vulnerability scan reports on all systems. Management specifically wants you to review the reports against Center for Internet Security (CIS) benchmarks. Which type of report should you review?
A)Non-credentialed network scan
B)Compliance audit
C)Credentialed network scan
D)Patch audit
You should review the compliance audit produced by Nessus. A compliance audit supplies vulnerabilities as measured against CIS benchmarks.
A patch audit analyzes systems and devices against patch management system of vendors to determine if the organization has not deployed the available patches.
A credentialed network scan scans the network for vulnerabilities using credentials to ensure that all areas of the devices can be examined.
A non-credential network scan scans the network without credentials so areas that require credentials for access will not be scanned.
You have run a Nessus vulnerability scan on several Linux servers. When you receive the scan report, you suspect that there are several false positives on the report. What should you do FIRST?
A)Verify the false positives to ensure that you can eliminate them from the report.
B)Resolve the false positives in order based on their CVSS value.
C)Configure exceptions in Nessus for the false positives to ensure they are no longer reported.
D)Install the Nessus plug-ins to resolve the false positives.
You should first verify or validate the false positives to ensure that you can eliminate them from the report. While validation of false positives can be very time consuming, it is a necessary step to ensure that they are not true positives. Once they are verified, you can then configure exceptions for them.
Which of the following can be defined as how an organization’s policies and procedures are designed to thwart, identify, and react to vulnerabilities and attacks?
A)Risk management principles
B)Governance
C)Threat modeling
D)Compensating controls
Governance can be defined as how an organization’s policies and procedures are designed to thwart, identify, and react to vulnerabilities and attacks. While risk management is a component of governance, governance is an overall view that aligns legal aspects, requirements of privacy protection, and risk to the enterprise.
Risk Management Principles?
Risk management principles include acceptance, transference, avoidance, and mitigation.
STRIDE
Threat modeling is part of Secure Design and Prototyping stage of the secure software development life cycle (SSDLC). This process tries to identify security risks inherent in the application being developed. One example of a threat modeling framework is STRIDE, which is a Microsoft tool developed to identify a wide variety of potential threats. STRIDE is an acronym for the six threats it identifies:
Spoofing identities
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Which mechanism validates that the user or entity is who they claim to be?
A)Session management
B)Output encoding
C)Authentication
D)Input validation
E)Authorization
Authentication is the mechanism that validates that the user or entity is who they claim to be. Authentication can be accomplished through a username/password combination, multi-factor authentication (where more than one piece of identifying information is necessary), or through cryptographic authentication, where the user is in possession of a key that is generated through a cryptographic algorithm.
What is the process of identifying IoT and other devices that are not part of the core infrastructure so that hackers cannot use them to compromise an organization’s core network?
A)Penetration testing and adversary emulation
B)Security controls testing
C)Passive discovery
D)Edge discovery
Edge discovery is the process of identifying Internet of Things (IoT) and other devices that are not part of the core infrastructure. Once identified, they can be configured so that hackers cannot use them to compromise an organization’s core network.
Edge discovery is a key component of edge security for attack surface management. Edge security is the process of securing nodes that are outside a company’s network core. The edge of the network needs the same level of security as the core network. Nodes at the edge are not fully covered by the security perimeter of the organization and so are the most vulnerable to cybersecurity risks. Computing on the edge involves computing occurring closer to edge devices rather than the infrastructure of the network. Self-driving cars, sensors, fitness bands, and IoT devices are examples of edge devices. These devices often handle sensitive data, and their compromise can compromise the full network. For this reason, it is essential that these devices are not discoverable by hackers on the Internet. Physical controls involve securing the devices and only allowing authorized personnel to use them. Logical controls involve encryption of device data both in transit and at rest and implementing authorization and authentication.
What are the best practices for EDGE security?
The growth in the use of edge devices has increased the attack surface for an organization. To secure edge devices, you use routers and firewalls as well as wide area network (WAN) devices which are built for security. Some best practices for edge security include:
Keep a zero-trust model throughout the company
Ensure internal configuration and control of edge devices and reject compromised devices
Use AI and ML tools to monitor edge device activity
Ensure edge devices are isolated in a public cloud to avoid discovery
Passive discovery helps with?
Passive discovery helps to protect the network through the use of security appliances, including firewalls, intrusion detection systems (IDSes), intrusion prevention systems (IPSes), malware protection systems, and others. It is the role of these systems to monitor events and, when an event occurs, create an alert for humans to intervene.
Which of the following describes a recurring period when patches and configuration changes are performed?
A)Service level objectives
B)Maintenance window
C)Maintenance exclusion
D)Escalation
A maintenance window is a recurring period during which patches and configuration changes (maintenance) are performed. These maintenance windows are typically used for automatic patch deployment and configuration changes. When scheduling a maintenance window, it is important to consider the impact of downtime to the organization, customers, and operations.
As part of your company’s comprehensive vulnerability scanning policy, you decide to perform a passive vulnerability scan on one of your company’s subnetworks. Which statement is TRUE of this scan?
A)It impacts the hosts and network less than other scan types.
B)It includes the appropriate permissions for the different data types.
C)It is limited to a particular operating system.
D)It allows a more in-depth analysis than other scan types.
A passive scan impacts the hosts and network less than other scan types. It does not provide more information. To perform a more in-depth analysis than other scan types, you would perform an active scan.
You are examining a server that has undergone a SQL injection attack. Which server is most likely the victim of this attack?
A)File server
B)Database server
C)Web server
D)Email server
A database server is most likely the victim in a SQL injection attack. A SQL injection attack inserts a SQL query as the input from the client to the application. The purpose of this attack is to read sensitive data from the database, modify the data, execute administrative operations on the database, recover the content of a given file, and even issue commands to the operating system.
what attack would a web server experience?
The web server is usually the means whereby the SQL injection attack is delivered, but it is not really the victim of the attack. A web server is most likely the victim of cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
Your company has a login page that suddenly displays an alert box saying this site has been attacked. You refresh the webpage over and over again, but it is still there. What kind of attack is this?
A)Reflected XSS
B)Stored XSS
C)DOM-based XSS
D)Blind SQL injection
Stored cross-site scripting (XSS) or persistent XSS is what is happening here. It occurs when someone has imbedded malicious code into the site that is always run when someone accesses that website. The attacker usually accesses the site via login, message board, or some other type of input. In this case, someone posted some Java code into the field input, and now that code is always going to run when the site is loaded. It is a simple way to deface a site.
Reflected XSS Attack?
This is not a reflected XSS attack. A reflected XSS attack occurs when an attacker injects code into the browser by a single HTTP response. This is usually done when a malicious link on a normally mundane site sends the user to a malware-laden server that injects code into the browsers. This did not happen in the above scenario as the website itself was defaced.
DOM-based XSS?
Document Object Model (DOM)-based XSS is an injection that modifies the environment in the victim’s browser using a programming interface so that the client-side code runs in an “unexpected” manner. Basically, your browser goes crazy, and the attacker takes control of things. Again, this is not the issue being described because the site itself is affected, not the browser.
Blind SQL Injection?
According to OWASP a “Blind Structured Query Language (SQL) injection is a type of SQL injection attack that asks the database true or false questions and then determines the answer based on the web application’s response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.”
Your organization has implemented an AWS cloud environment. Which of the following is an exploitation framework specifically designed for cloud environments?
A)Pacu
B)GNU Debugger
C)Angry IP
D)Recon-ng
Pacu is a cloud penetration-testing tool that can, like other exploitation frameworks, automate some of the more common attacks. It is designed for AWS deployments.
You would like to use a proxy to analyze API requests and responses to your web server. Which of the following tools would be best suited for this?
A)Zenmap
B)Nikto
C)Burp Suite
D)Nessus
You can use Burp Suite to capture and analyze API requests and responses in an act of reconnaissance. Burp Suite is a collection of web application security tools that includes proxy capabilities and mobile application testing to determine communication with application programming interfaces (APIs) and to discover vulnerabilities in web apps.
Which of the following protects against cross-site injection attacks by creating a token?
A)Authentication
B)Output encoding
C)Data protection
D)Session management
Session management protects against cross-site injection attacks by creating a token. This is accomplished through the creation of a session identifier (session ID) that is exchanged between the user and the web application. Session IDs should be at least 128 bits and should contain sufficient random characters to prevent a brute force attack.
XSS vs SQL injections
The main difference between a SQL and XSS injection attack is that SQL injection attacks are used to steal information from databases whereas XSS attacks are used to redirect users to websites where attackers can steal data from them. SQL injection is data-base focused whereas XSS is geared towards attacking end users.
An attacker was able to hack into the POS system of a retail store and refund a large amount into their bank account. Which service method was most likely used by the broken access control allowing unauthorized access to the POS system?
A)FTP service
B)OS version
C)SNMP service
D)POS application
The Simple Network Management Protocol (SNMP) service may be abused to gain unauthorized access to network devices. It provides a standardized framework for a common language that is used for monitoring and managing devices in a network.
The File Transfer Protocol (FTP) service is not normally applicable to a retail setting. FTP is used to transfer files between servers and workstations. It can be vulnerable, though.
A point-of-sale (POS) application would only check for the application version vulnerability. It is not a way to hack in and of itself as it is just enumeration.
The operating system (OS) version enumerates OS version details and verifies for any vulnerabilities. Again, this is just enumeration, not a way to hack in.
Your organization just completed the purchase of a supplier. Now the cybersecurity team is assessing the new subsidiary to ensure they can support the parent company’s defense-in-depth strategy. Which of the following is NOT a technology consideration?
A)Security appliances
B)Succession planning
C)Security suites
D)Automated reporting capabilities
Succession planning does support a defense-in-depth strategy. It is a personnel consideration, not a technological one.
Technical considerations that contribute to defense-in-depth strategy include:
Automated reporting capabilities – can be scheduled to be delivered to the proper individual in the organization when generated. A variety of report types are available and are tailored for the audience to which they are directed.
Security appliances – hardware devices that are designed to provide some function that supports the securing of the network or detecting
vulnerabilities and attacks.
Security suites – collections of security utilities combined into a single tool.
Outsourcing of security services – security services provided by third parties with more talent and experience than may exist in the organization.
Cryptography services – supporting the three core principles of the confidentiality, integrity, and availability (CIA) triad, cryptosystems also directly provide authentication, confidentiality, integrity, authorization, and non-repudiation.
Other personnel issues that support a defense-in-depth strategy include:
Security training
Dual control
Separation of duties
Proper securing of third party/consultants
Cross training
Mandatory vacation
Which of the following would be exemplified by checking to see if an application block list prevents the installation of a particular executable file?
A)Bug bounty
B)Penetration testing and adversary emulation
C)Passive discovery
D)Security controls testing
Checking to see if an application block list prevents the installation of a particular executable file would be an example of security controls testing. Security controls testing determines if controls have been properly implemented, performing as expected and producing the appropriate results.
Your company implements an industrial control system (ICS). This ICS will connect to two networks, the company network and the control system network. The ICS should transmit only invoicing and billing information on the company network, and the control system network should transmit all ICS-related communication. When constructing such a system, which of the following design concepts would best protect the business and the operations?
A)Use a standard layered approach to secure the ICS.
B)Air-gap the two networks.
C)Include a firewall between the company network and the ICS.
D)Implement secure booting.
To best protect the business and the operations, the company should use a standard layered approach to secure the ICS. Because there are many attack vectors, no one security measure would be sufficient. Attack vectors may include digital attacks from the outside seeking to steal financial information or disrupt the system’s operations, insider errors, malicious insiders, or physical attacks or disruptions. Layered security includes the usual hardware and software additions to provide mitigation against known attacks, and adds employee security awareness training for additional protection.
Which of the following attacks involves analyzing the compiled mobile app or system data to extract source code information to be used in understanding and potentially manipulating the underlying architecture of the mobile application or operating system?
A)Spamming
B)Over-reaching permissions
C)Reverse engineering
D)Sandbox analysis
Reverse engineering involves analyzing the compiled mobile app or system data to extract source code information to be used in understanding and potentially manipulating the underlying architecture of the mobile application or operating system. Attackers use reverse engineering techniques to compromise the OS of a mobile device (i.e., Android, Apple iOS) to root or jailbreak it (gain unrestricted access to the entire root of the OS).
For which of the following overflow types can the likelihood of a compromise be greatly reduced with input validation?
A)For integer overflow only
B)For heap overflow only
C)For buffer overflow only
D)For all of these overflow types
E)For stack overflow only
An overflow attack revolves around malicious code requiring more memory than is allocated by a buffer. A buffer is a memory allocation that is designed to hold a finite amount of data. In other words, the attacker attempts to write more data into an application’s pre-built buffer than that buffer was intended to hold. When an attacker can add data that exceeds the buffer limits, the extra information spills over past the buffer into adjacent memory, where it can then crash the system or execute malicious code.
All types of overflows can be reduced by examining all input prior to accepting it. The input can be examined to ensure it has the correct length and that no malicious character types are present.
Buffer overflow?
occurs when a memory allocation that is designed to hold a finite amount of data is full.
Heap overflow?
occurs when a part of memory dynamically allocated at runtime, typically containing program data, is full.
Stack overflow?
occurs when a part of memory used to store local variables used inside a function and parameters passed through a function and their return addresses, is full.
Integer overflow?
occurs when a mathematical operation attempts to create a numerical value that is too large for the available storage space.
Which of the following are MANDATORY components of the CVSS 3.1 base score calculations? (Choose three.)
A)Impact score
B)Temporal score
C)Environmental score
D)Exploitability score
E)Impact sub score
The Temporal score and the Environmental score are not MANDATORY components of the Common Vulnerability Scoring System (CVSS) Base Score in CVSS v3.1. The Base Score formula depends on sub-formulas for Impact Sub-Score (ISS), Impact, and Exploitability, all of which are defined below:
Impact Sub Score is calculated as follows:
1-[(1-Confidentiality) × (1-Integrity) × (1-Availability)]
The Impact Score is calculated as follows:
If Scope is unchanged, then 6.42 x Impact Sub Score
If Scope is changed, then 7.52 x (Impact Sub Score-0.029)-3.25 x (Impact Sub Score-0.02)
The Exploitability Score is calculated as follows:
8.22 x AttackVector x AttackComplexity x PrivilegesRequired x UserInteraction
The Base Score is then calculated as follows:
If ImpactSubScore <0 then 0, else:
If Scope is unchanged, Roundup(Minimum[Impact+Exploitability),10]
If Scope is changed, Roundup(Minimum[1.08 x (Impact+Exploitability),10])
The Temporal Score, while not a mandatory component, is calculated as follows:
Roundup(BAseScore x ExploitCodeMaturity x RemediationLevel x ReportConfidence)
The Environmental Score, while not a mandatory component, is calculated as follows:
If ModifiedImpact <=0, then 0, else
If ModifiedScopeis unchanged then
Roundup (Roundup [Minimum ([ModifiedImpact + ModifiedExploitability], 10) ] × ExploitCodeMaturity × RemediationLevel × ReportConfidence)
If ModifiedScope is changed, then
Roundup (Roundup [Minimum (1.08 × [ModifiedImpact + ModifiedExploitability], 10) ] × ExploitCodeMaturity × RemediationLevel × ReportConfidence)
To determine the impact function, you must know the impact score. If the Impact score is 0 when calculated with the above formula, then the Impact Function value is also 0. Otherwise, you assign the Impact Function value as 1.176. That is ALWAYS the value.
The formula for calculating the exploitability score is:
Exploitability = 20 x AccessVector x AccessComplexity x Authentication
The formula for calculating the CVSS Base Score is:
BaseScore = ((0.6 x Impact) + (0.4 x Exploitability) 1.5) x ImpactFunction
Most vulnerability scanners provide the CVSS Base Score along with a breakdown of the individual rankings of the six metrics listed above.
Troy is analyzing the results of a vulnerability scan and is examining a vulnerability detected on one of his servers that has a CVSS v3 breakdown as follows:
CVSS3#AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Which one of the following statements is FALSE about this vulnerability?
A)Exploiting the vulnerability requires either physical access to the target or a local (shell) account on the target.
B)Exploiting this vulnerability would not require authentication.
C)Exploiting this vulnerability requires somewhat
specialized access conditions.
D)Exploiting this vulnerability would result in reduced performance or interruptions in resource availability.
Exploiting the vulnerability does NOT require either physical access to the target or a local (shell) account on the target. The Access Vector (AV) metric has a value of A, which stands for Adjacent Network. This means that exploiting the vulnerability requires access to the local network of the target, not the target itself.
The Attack Vector (AV) metric describes how the attacker would exploit the vulnerability. AV is an Exploitability metric in the Base metric group. It has four possible values:
P – stands for Physical and means the attacker must physically touch the vulnerable component to carry out the attack
L – stands for Local and means the attacker must have physical or logical access to the affected system itself
A – stands for Adjacent network and means the attacker must be on a logically adjacent network (such as the local IP subnet) or the same physical network
N – stands for Network and means the attacker can use the vulnerability from any network location on the Internet
Bob is analyzing the results of a vulnerability scan. He examines a vulnerability detected on one of his servers that has a CVSS breakdown as follows:
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
For this attack requires that the server’s user install some software. Which base metric indicates that this is the case?
A)PR
B)AV
C)UI
D)AC
The User Interaction (UI) base metric is used to indicate whether or not the attacker requires a human user to do anything for the attack to succeed, such as installing software.
One member of the web application security team has expressed an interest in pursuing the GIAC certification. Which organization sponsors this certification?
A)ISO
B)CIS
C)SANS
D)OWASP
The SysAdmin, Audit, Network, and Security (SANS) organization sponsors the Global Information Assurance Certification (GIAC). They also provide training, perform research, and publish best practices for cybersecurity, web security, and application security. They provide guidelines for secure software development.
A security analyst was provided with a detailed report of a penetration test that was performed against the organization’s resources. It was noted on the report that a vulnerability on a file server has the following detailed CVSS 3.1 vector:
CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
Which metric group in this vector should be of the highest concern to the security analyst?
A)Integrity
B)Attack Vector
C)Confidentiality
D)Availability
Of the options listed, the security analyst should be most concerned with the Confidentiality or C metric because it is rated as H, or High. This means that there would be a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.
Though it was not listed as an option, the Attack Complexity (AC) value is L (Low), which is the worst possible value for this metric and also a matter of high concern.
The CVSS vector CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N measures eight base metrics:
Attack Vector (Physical),
Attack Complexity
(Low),
Privileges Required (High),
User Interaction (Required), Scope (Unchanged),
Confidentiality (High), Integrity (Low), and Availability (None).
Laura is operating from her home network. After she accesses a company website, she calls the IT department claiming that she is being presented with a defaced website with suspicious-looking content. Upon investigation of the website, the IT department sees no issues, and a log review shows that no files have been changed. Which of the following answers might explain the cause?
A)ARP poisoning
B)MAC spoofing
C)SQL injection
D)DNS poisoning
DNS cache poisoning is the act of entering false information into a DNS cache so that DNS queries return an incorrect response and users are directed to the wrong website. This attack is also known as DNS spoofing. Because the IT department is not seeing the same things that the user is, it is likely that the user’s DNS cache has been poisoned and her session is being redirected to a different website.
After executing a dynamic vulnerability scan of some code developed in-house using a public code repository, the team is considering following up with a static scan. Which of the following statements is FALSE with respect to static and dynamic code analysis?
A)OWASP ZAP is a dynamic tool
B)dynamic scans are performed while the software is running
C)dynamic analysis involves manually examining the code
D)fuzz testing is a form of dynamic analysis
Dynamic scans do not involve manually examining the code; that is static analysis.
Now that security requirements have been defined, the software development team is ready to start the security testing phase. They want to analyze the code without the code executing and plan to repeat this testing throughout the entire application development life cycle. What type of testing are they planning?
A)Static code analysis
B)Web application vulnerability scanning
C)Use interception proxy to crawl application
D)Fuzzing
Static code analysis is performed without the code executing. Code review and testing must occur throughout the entire application development life cycle. Code review and testing must identify bad programming patterns, security misconfigurations, functional bugs, and logic flaws.
Fuzzing
Fuzz testing, or fuzzing, involves injecting invalid or unexpected input (sometimes called faults) into an application to test how the application reacts. It is usually done with a software tool that automates the process.
Interception Proxy
An interception proxy is an application that stands between the web server and the client and passes all requests and responses back and forth. While it does so, it analyzes the information to test the security of the web application. A web application proxy can also “crawl” the site and its application to discover the links and content contained.
Before executing a vulnerability scan, you are evaluating all relevant considerations. Which of the following considerations should be addressed with subnetting?
A)sensitivity levels
B)segmentation
C)performance
D)regulatory requirements
Segmentation considerations are made to control which sections of the network are scanned. This technique supports ensuring that operations and productivity are not negatively impacted by the scan and that any machines exempted from the scan are not scanned. Segmentation can be accomplished with subnetting and ACLs on the routers to prevent the scan from accessing exempted systems.
Sensitive Levels of a vulnerability Scan?
Sensitivity level considerations involve determining how deeply the machines are scanned and are addressed by choosing an appropriate scan type. For example, a credentialed scan will scan more deeply and render more valuable information than an uncredentialed scan, but it will also impact the machine’s performance and create more network traffic.
Bob is analyzing the results of a vulnerability scan. He examines a vulnerability detected on one of his servers that has a CVSS breakdown as follows:
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
Which metric describes whether the issue can be spread among other systems?
A)AV
B)S
C)UI
D)PR
The Scope (S) metric is a determination as to whether a vulnerability in one system or component can have carry-over impact on another system or component. It has two possible values:
Changed (C) – An exploited vulnerability can have carry-over impact on another system.
Unchanged (U) – An exploited vulnerability is limited in damage to only the local security authority.
In this example, the S:U score indicates the vulnerability is limited in scope to the affected system. This is the better score.
The User Interaction (UI) base metric is used to indicate whether or not the user must do anything for the attack to succeed. The UI metric has two possible values:
None (N) – No user interaction is required.
Required (R) – A user must complete some steps for the exploit to succeed. For example, a user might be required to install some software.
The Attack Vector (AV) base metric describes how the attacker would exploit the vulnerability. It has four possible values:
L – stands for Local and means the attacker must have physical or logical access to the affected system.
A – stands for Adjacent network and means the attacker must be on the local network.
N – stands for Network and means the attacker can cause the vulnerability from any network.
P – stand for Physical and requires the attacker to physically touch the device.
Called Authentication in earlier versions of CVSS,
the Privileges Required (PR) metric describes the level of access required to mount this attack. There are three possible values:
None (N): The attacker does not need any privileges to exploit the vulnerability.
Low (L): The attacker is required to have basic privileges in a system to exploit the vulnerability.
High (H): The attacker has to have higher privileges in a system to exploit the vulnerability. The necessity of higher privileges may seem contradictory but the vulnerable component and impacted component might be different.
Barb is analyzing the results of a vulnerability scan. She examines a vulnerability detected on one of the servers that has a CVSS breakdown as follows:
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
What are the privileges required to mount this attack?
A)The attacker does not need any privileges to exploit the vulnerability.
B)The attacker must be physically present to exploit the vulnerability.
C)The attacker is required to have basic privileges in the system to exploit the vulnerability.
D)The attacker has to have higher privileges in a system to exploit the vulnerability.
The attacker is required to have basic privileges in the system to exploit the vulnerability. Called Authentication in earlier versions of CVSS, the Privileges Required (PR) metric describes the level of access required to mount this attack. There are three possible values:
None (N): The attacker does not need any privileges to exploit the vulnerability.
Low (L): The attacker is required to have basic privileges in a system to exploit the vulnerability.
High (H): The attacker has to have higher-level privileges in a system to exploit the vulnerability. The necessity of higher privileges may seem contradictory, but the vulnerable component and impacted component might be different.
Whether the attacker needs to be physically present or not is not described by the PR metric. The Attack Vector (AV) metric describes how the attacker would exploit the vulnerability. AV is an Exploitability metric in the Base metric group. It has four possible values:
P – stands for Physical and means the attacker must physically touch the vulnerable component to carry out the attack
L – stands for Local and means the attacker must have physical or logical access to the affected system itself
A – stands for Adjacent network and means the attacker must be on a logically adjacent network (such as the local IP subnet) or the same physical network
N – stands for Network and means the attacker can use the vulnerability from any network location on the Internet
For this metric, P is the best ranking and N is the worst.
A cyber incident recently went unpunished because the incident response process contaminated evidence. An investigation revealed that the first responders did not have the proper tools readily available at the time needed. You are assembling a forensics kit so this does not occur again. Which of the following would NOT be included in it?
A)Write blocker
B)Cables
C)SCADA device
D)Digital forensics workstation
A Supervisory Control and Data Acquisition (SCADA) device is a system operating with coded signals over communication channels that provides control of remote equipment. It is not used in forensic investigations.
The items that should be included in a digital forensics kit are:
Digital forensics workstation – A dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive.
Write blockers – A tool that permits read-only access to data storage devices without compromising the integrity of the data.
Cables – You should carry a variety of cables for connecting to storage devices.
Drive adapters – Adapters can enable connections to drives for which you have no cable.
Wiped removable media – Your kit should have removable media of various types that has been wiped clean. These may include USB flash drives, external hard drives, Multimedia Cards (MMC), Secure Digital (SD) cards, Compact Flash (CF) card, Memory Sticks, xD Picture cards, CDs, CD-RW, DVDs, and Blu-ray discs.
Cameras – Digital cameras with 12 megapixels (MP) or greater image sensors and manual exposure settings (in addition to any automatic or programmed exposure modes) are usually suitable for crime scene and evidence photography.
Crime tape – Flagging or adhesive pre-preprinted tape intended to block the area and prevent any unauthorized individuals from entering.
Tamper-proof seals – Used to ensure that the chain of custody is maintained.
Documentation/forms – Used to document the crime, the crime scene, and the evidence. There may also be interviews with witnesses. Most of these form templates are developed by the company based on standards.
The forms that should be present in the kit are:
Chain of custody form – This form will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence.
Incident response plan – This plan should be formally designed, well communicated, and followed. It should specifically address cyber-attacks against an organization’s IT systems.
Incident form – This form is used to describe the incident in detail. It should include sections to record CMOS, hard drive information, image archive details, analysis platform information, and other details.
Call list/escalation list – This list should indicate under what circumstance individuals should be contacted and should include current contact information.
You are analyzing the results of a vulnerability scan. One of the vulnerabilities detected on one of your servers has the following CVSS breakdown:
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
Which of the following is the location of the attack vector?
A)the local system
B)the local network
C)anywhere in the world
D)the corporate network
An attacker would need to be on the local system to exploit this vulnerability using read/write/execute capabilities. The local system access could be physical (such as convincing the user to open the attacker’s program on the system through social engineering) or remote (such as establishing a SSH connection to a console and then executing commands).
You are your organization’s security analyst. Recently, you discovered that an attacker injected malicious code into a web application on your organization’s website. You discovered this attack by reviewing the log data on the web servers. Which type of attack did your organization experience?
A)buffer overflow
B)SQL injection
C)cross-site scripting
D)path traversal
Your organization experienced a cross-site scripting (XSS) attack. An XSS attack occurs when an attacker locates a vulnerability on a website that allows the attacker to inject malicious code into a web application. A persistent XSS attack occurs when data provided to the web application is first stored persistently on the server and later displayed to users without being encoded using HTML on the web client. A non-persistent XSS attack occurs when data provided by a web client is used immediately by server-side scripts to generate results for that user. XSS flaws occur every time an application takes user-supplied data and sends it to a web browser without first confirming or encoding the data.
To locate XSS attacks, you should look for lines in the web server log that contain JavaScript or other scripting languages that forward a user’s session cookie to an external location or web page.
When you study malware to discover how it functions, what operation are you performing?
A)Penetration testing
B)Vulnerability testing
C)Reverse engineering
D)Rules of engagement
Reverse engineering means to take something apart to discover how it works and perhaps to replicate it. In cybersecurity, reverse engineering is used to analyze both hardware and software for various reasons. Among these reasons are:
To discover how malware functions
To determine whether
malware is present in software
To locate software bugs
To locate security problems in hardware
Your company has recently been contracted to work on a project with the U.S. Department of Defense. As a result, your company must ensure that the enterprise follows the guidelines set forth in NIST Special Publication 800-53 Revision 5.
As a security analyst, you are tasked with analyzing the enterprise and making suggestions on the appropriate access controls to implement. When your analysis is complete, you recommend the following controls be added to the enterprise:
Security awareness training for all levels of personnel
Job rotation in all departments
Biometric authentication for the data center
Centralized data backups for all systems
Mantraps for the data center
CCTV at building entry and areas where sensitive data is accessed
You need to provide a report to management regarding these suggested controls that details the type of control provided by them. What type of control is provided by each of these control measures?
You need to identify the type of control each provides. Match each control on the left with the appropriate control type on the right. (Each control should only be matched with one control type.)
Detective managerial control – Job rotation
Detective physical control – CCTV
Corrective logical control – Centralized data backups
Preventative managerial
control – Security awareness training
Preventative logical control – Biometric authentication
Preventative physical control – Mantraps
Detective managerial control – Job rotation
Detective physical control – CCTV
Corrective logical control – Centralized data backups
Preventative managerial
control – Security awareness training
Preventative logical control – Biometric authentication
Preventative physical control – Mantraps
A small business, with two employees, has an e-commerce site that processes credit card transactions, following PCI DSS guidelines. These guidelines call for a separation of duties, but neither of the employees has the time available for auditing transactions. For compliance, the business hires a third party to review the transactions, logs, and other pertinent information. This is an example of which type of control?
A)Operational control
B)Corrective control
C)Preventative control
D)Compensating control
This is an example of a compensating control. Compensating controls are temporary measures that are put in place to satisfy a requirement that is too difficult to implement. In this scenario, a third-party auditor compensates for the lack of the primary control, separation of duties. By itself, auditing is a detective control.
This is an example of a compensating control. Compensating controls are temporary measures that are put in place to satisfy a requirement that is too difficult to implement. In this scenario, a third-party auditor compensates for the lack of the primary control, separation of duties. By itself, auditing is a detective control.
A redirect attack is occurring. Redirects are not inherently a bad thing in and of themselves. For instance, they are a useful function to have when building a website. If a user attempts to access a resource before they are logged in, it is conventional to redirect them to the login page, put the original URL in a query parameter, and then automatically redirect them towards their original destination after they have logged in. But there are always two sides to a coin! This is the exact reason that spammers and phishers use redirects and why they are so enticing. Attackers can bounce a user off a site they want to go to and send them to an exact replica that is a malicious version of the site, where the user will log in and end up downloading malware, disclosing confidential information, and so on. This is a malicious redirecting attack.
This is not an example of remote code execution. Arbitrary or remote code execution occurs when hackers take advantage of a vulnerability to gain access to a system and then place malicious code there, which they subsequently execute remotely.
This is not a server-side request forgery (SSRF). An SSRF attack involves targeting a server that hosts a web application to fetch a remote resource without validating the user-supplied URL. This allows an attacker to make the application send a crafted request to an unexpected destination, even when the system is protected by a firewall, VPN, or additional network access control list. Starting in 2021, SSRF was added to the OWASP Top 10 list that is comprised of the most critical web application security risks to date.
An SQL command injection is one of many types of injection attacks in which malicious SQL statements are injected into an input field in a web request and executed on a database server.
Your team is planning the creation of several security baselines to be applied to the organization’s servers. You discuss aligning these baselines to an industry framework based on the job the server is performing. Which industry framework should be followed by the baseline applied to the commerce server that handles sales?
A)OWASP
B)CIS
C)ISO 27000
D)PCI-DSS
When a server is handling sales, it is typically handling credit card data and cardholder data. The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework for organizations that process credit card transactions or handle cardholder data from the major card vendors.
Recently your web server suffered a brute-force attack targeting the administrator password. What tool could you use to test the viability of a future brute-force attack on the web server?
A)W3AF
B)Nessus
C)Nikto
D)OWASP ZAP
OWASP ZAP was primarily designed to brute force both directory and file names on web application servers.
Your team is planning a vulnerability scan and is trying to decide between an agent or agentless scan. Which of the following is TRUE regarding agent or agentless scanning?
A)agentless systems are based on the push communication style
B)agent-based systems are ideal for networks with limited bandwidth
C)agent-based systems experience quicker set-up and deployment
D)agent-based systems require less maintenance and lower provisioning costs
Agentless systems are based on the push communication style in which the associated software pushes data to a remote system on a periodic basis. Whereas agent-based systems use a pull method in which the agents are interrogated by a central system for data.
As a security analyst for a US government body, you must implement a vulnerability scanning rate that fits within the confines of the Federal Information Security Management Act (FISMA). Of which scanning factor is this a part?
A)Workflow
B)Regulatory reporting requirements
C)Risk appetite
D)Technical constraints
The Federal Information Security Management Act (FISMA) is a part of the regulatory reporting requirements that affect the vulnerability scanning rate. All laws and regulations that affect the organization must be fully analyzed to determine their effect on the scanning rate.
Your team is designing a set of security configurations and are looking for an industry framework to guide them in this design. Which of the following frameworks would be the BEST to consult for your web servers?
A)ISO 27000 series
B)CIS benchmark
C)PCI-DSS
D)OWASP Top Ten
The Open Web Application Security Project (OWASP) identifies the top 10 security issues each year for web servers, and provides recommendations and guidelines to address these vulnerabilities.
Sam is reviewing web server logs after an attack. He discovers that many records contain semicolons and apostrophes in queries from end users. What type of attack should Sam suspect?
A)Cross-site scripting
B)SQL injection
C)LDAP injection
D)Buffer overflow
In an SQL injection attack, the attacker uses a web application to gain access to an underlying, backend database. Semicolons (;) and apostrophes (‘) are characteristics of these attacks. For example, the single quote in SQL is a limiter, meaning it ends any current SQL string. This is important for attackers to craft true conditions or true statements to bypass authentication or pull more information from a database than is allowed.
You are the security administrator for your company. You identify a new security risk and decide to continue with the current security plan. However, you develop a contingency plan to implement if the security risk occurs. Which risk management principle is being described?
A)Avoid
B)Transfer
C)Accept
D)Mitigate
The risk management principle of accept (acceptance) is being described. Acceptance is when you acknowledge that a risk may occur but do not try to prevent it. Examples of acceptance would include taking no action at all or leaving the original security plan unchanged and developing a contingency or fallback plan. It is recommended that you accept a risk when the cost of the safeguard exceeds the amount of the potential loss.
The transfer principle (transference) involves shifting the risk and its consequences to a third party. The third party is then responsible for owning and managing the risk. Purchasing insurance is an example of transference.
The avoid principle (avoidance) involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include stopping a risky activity altogether, adding security resources to eliminate the risk, or removing resources to eliminate the risk.
The mitigate principle (mitigation) involves reducing the probability or impact of a risk to an acceptable risk threshold. To mitigate a risk, you would take actions to minimize the probability of the risk occurring. Biometric locks on a server room’s doors mitigate the risk of an intruder breaking in where sensitive data is housed.
To address recent issues in the parking lot, the company has installed a CCTV camera to monitor the lot. What type of control is this?
A)Managerial
B)Preventative
C)Corrective
D)Detective
A camera is a detective control because it allows you to detect when an issue occurs.
On a penetration test of your client’s site, you see a shopping catalog. Upon looking at the pictures of the items in their catalog, you find the address of where the images are located in the web application: /var/coats/images/218.png.
You put that address in your browser’s URL as https://insecure-website.com/var/coats/images/218.png. The image of a coat shows up by itself. You take that image and alter the address path, making some guesses about the file structure to allow a certain type of attack to happen. There is no security against this attack in place. What is this attack called?
A)Cookie manipulation
B)Malicious file upload
C)File inclusion
D)Directory traversal
This is a directory traversal attack, also known as a path traversal attack. Directory traversal is a very common attack against sites. It is an easy way to get around login information or to access private galleries, files, or even username and email lists. Frequently, this attack requires guessing which subdirectory and/or filename is your target. With some detective work, you can follow the normal file and domain structures that are out there. You can do this attack by using two different methods: the (…/) method or by typing in the absolute path (https://interconn.com/wp-content/uploads/2018/03).
Cookie manipulation?
This is not cookie manipulation. Cookies are small pieces of data created and stored in a user’s browser that keep track of important information regarding the user’s session for a particular site. Cookie manipulation, also called cookie poisoning, is when a hacker is able to change data within that cookie to take over that user’s information or bypass security measures on websites.
Before executing a vulnerability scan, you are evaluating all of the relevant considerations. Which of the following considerations is the MOST important?
A)regulatory requirements
B)sensitivity levels
C)performance
D)segmentation
While all considerations are important, it is critical that any organization that is operating in an industry where federal regulations, such as HIPPA or PCI-DSS, are in effect, ensures that the scan supports verification that regulatory requirements are being met.
You just observed a meeting of the risk evaluation team. They were assigning the values of high, medium, and low to some threats they had identified. What part of risk evaluation are they performing?
A)Technical control review
B)Regression analysis
C)Operational control review
D)Technical impact review
They are performing technical impact review. This is the process of assessing the potential impact of an event that is technical in nature. Once all assets have been identified and their value to the organization has been established, specific threats to each asset are identified. An attempt must be made to establish both the likelihood of the threat being realized, as well as the impact to the organization, should that occur. This can be done by assigning values like high, medium, and low to the threats to describe their impact and likelihood.
Recently, while reviewing log data, you discover that a hacker has used a design flaw in an application to obtain unauthorized access to the application. Which type of attack has occurred?
A)privilege escalation
B)buffer overflow
C)backdoor
D)maintenance hook
An escalation of privileges attack occurs when an attacker has used a design flaw in an application to obtain unauthorized access to the application. Privilege escalation includes incidents where a user logs in with valid credentials and then takes over the privileges of another user, or where a user logs in with a standard account and uses a system flaw to obtain administrative privileges.
Race Condition
Race condition – typically targets timing, mainly the delay between time of check (TOC) and time of use (TOU). To eliminate race conditions, application developers should create code that processes exclusive-lock resources in a certain sequence and unlocks them in reverse order.
Insecure direct object references
Insecure direct object references – occurs when a developer exposes a reference to an internal object, such as a file, directory, database record, or key, as a URL or form parameter without implementing the appropriate security control. An attacker can manipulate direct object references to access other objects without authorization. Implementing an access control check helps to protect against these attacks.
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) – occurs when a malicious site executes unauthorized commands from a user on a web site that trusts the user. It is also referred to as one-click attack or session riding. Implementing anti-forgery tokens protect against this attack.
Improper error and exception handling
Improper error and exception handling – occurs when developers do not design appropriate error or exception messages in an application. The most common problem because of this issue is the fail-open security check, which occurs when access is granted (instead of denied) by default. Other issues include system crashes and resource consumption. Error handling mechanisms should be properly designed, implemented, and logged for future reference and troubleshooting.
Improper Storage of sensitive data
Improper storage of sensitive data – occurs when sensitive data is not properly secured when it is stored. Sensitive data should be encrypted and protected with the appropriate access control list. Also, when sensitive data is in memory, it should be locked.
Secure cookie storage and transmission
Secure cookie storage and transmission – Cookies store a user’s web site data, often including confidential data, such as usernames, passwords, and financial information. A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted during transmission.
Memory leaks
Memory leaks – occur when an application does not release memory after it is finished working with it. Reviewing coding and designing best practices helps to prevent memory leaks.
Data Remnants
Data remnants – occurs when applications are removed but data remnants, including registry entries, are left behind. Specialty tools and apps are available to ensure that applications have been completely removed from a device.
Your team is preparing for a vulnerability scan, and they are trying to evaluate relevant considerations. Which of the following is NOT a relevant consideration when planning a vulnerability scan?
A)scheduling
B)cost
C)performance
D)operations
The cost of a scan is typically not a main consideration. Even in scenarios where a third party is hired, the cost is typically not a deterrent when identifying vulnerabilities that are considered to be critical.
Which of the following vulnerabilities is likely to only affect virtual machines?
A)CSRF
B)SQL injection
C)VM Escape
D)CSS
VM Escape is likely to only affect virtual machines and virtual infrastructure. In an escape attack, the attacker has access to a single virtual host, and then leverages that access to intrude upon the resources assigned to a different virtual machine.
You have been asked to perform a vulnerability scan on all desktop computers used by the sales department, which are located throughout the network. You do not have a current inventory listing of these computers, so you decide to perform a discovery scan. Which scanning criteria have you already determined based on the type of scan being performed?
A)Vulnerability feed
B)Scope
C)Sensitivity levels
D)Data type
You have determined one or more of the scan’s sensitivity levels because you are performing a discovery scan, which is used to create an inventory of assets based on host or service discovery.
Your vulnerability analysis scan has identified several vulnerabilities and assigned them a CVSS score. Issue A has a score of 4.3, Issue B has a score of 9.1, Issue C has a score of 1.6, and Issue D has a score of 7.7. Which issue should take priority?
A)Issue D
B)Issue B
C)Issue A
D)Issue C
Issue B should take priority because it has the highest CVSS value of 9.1, which is considered a critical issue.
The Common Vulnerability Scoring System (CVSS) is a system of ranking vulnerabilities that are discovered based on pre-defined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed after a vulnerability test is met. Scores are awarded on a scale of 0 to 10, with the values having the following ranks:
0 – No issues
0.1 to 3.9 – Low
4.0 to 6.9 – Medium
7.0 to 8.9 – High
9.0 to 10.0 – Critical
