2. Vulnerability Types and Concepts Flashcards

Question

Snort is one of the tools used by your company. What functionality does this tool provide? A)IDS/IPS B)Vulnerability scanner C)Firewall D)SIEM

Answer 1

Snort provides intrusion detection system (IDS) and intrusion prevention system (IPS) functionality, including logging and real-time traffic analysis.

Answer 2

Cisco, Palo Alto, and Checkpoint. Firewalls can sometimes include other functionalities, such as IDS and IPS functions.

Answer 3

SIEM tools include ArcSight, QRadar, Splunk, AlienVault, OSSIM, and Kiwi Syslog.

Answer 4

Vulnerability scanners include Qualys, Nessus, OpenVAS, Nexpose, Nikto, and Microsoft Baseline Security Analyzer. Regarding OpenVAS and Nikto, OpenVAS is a full-featured vulnerability scanner, while Nikto is best for vulnerability scanning of web servers and their files.

Answer 5

The Open Web Application Security Project (OWASP) is a group that monitors attacks, specifically web attacks. OWASP maintains a list of the top 10 attacks on an ongoing basis. This group also holds regular meetings at chapters throughout the world, providing resources and tools including testing procedures, code review steps, and development guidelines.

Answer 6

The SysAdmin, Audit, Network, and Security (SANS) organization also provides guidelines for secure software development, and they sponsor the Global Information Assurance Certification (GIAC). They also provide training, perform research, and publish best practices for cybersecurity, web security, and application security.

Answer 7

The Center for Internet Security (CIS) is a not-for-profit organization known for compiling CIS Security Controls (CSC). From this research, they publish a list of the top 20 security controls. They also provide hardened system images, training, assessment tools, and consulting services.

Answer 8

The International Organization for Standardization (ISO) develops and publishes international standards.

Answer 9

Parameterized queries would be the best application development methodology to secure against SQL injection attacks. Parameterized queries allow you to use placeholders (parameters) instead of the actual input values. In the event a malicious user enters an SQL command into a text field, such as “DROP TABLE tablename”, the parameterized query would not read that as a command but rather as a bad email address.

Answer 10

Session management protects against cross-site injection attacks by creating a token. This is accomplished through the creation of a session identifier (session ID) that is exchanged between the user and the web application. Session IDs should be at least 128 bits and should contain sufficient random characters to prevent a brute force attack.

Answer 11

Prowler is an open-source tool used to perform best practices assessments and audits, with hundreds of controls covering PCI-DSS requirements.

Answer 12

Immunity Debugger is not a cloud tool. It supports a Python-based API and allows for the writing of exploits, analyzation of malware, and reverse engineering of binary files.

Answer 13

Maltego is a not a cloud tool. It is a Java-based tool for discovering data from OSINT, private, and commercial data sources and visualizing that information in combined form in a graph format. The results can be used for link analysis and data mining.

Answer 14

Arachni is not a cloud tool. It is used for IP scanning and is a high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.

Answer 15

you performed a host discovery scan by executing nmap -sn. This scan performs enumeration on the network for all active hosts.

Answer 16

(no port scan, also called a ping scan) The Nmap tool (short for network mapper) is commonly used to perform port scans, OS identification, and version or banner grabbing against services. Its main use is to discover the status of port numbers and IP addresses. It is widely used by administrators for network management and monitoring, and by criminal hackers to discover and investigate attack targets. The -sn switch (also called a ping scan) is the most common switch and is used for host discovery. Note that this type of scan is noisy and sends out packets for discovery, which in turn adds more traffic to the network and is visible to logs and Wireshark.

Answer 17

no ping scan

Answer 18

port list TCP version

Answer 19

port list UDP version

Answer 20

stealth TCP connect scan A stealth scan uses the -sS switch, which is one of the two TCP connect scans. (The -sT switch is the other.) A stealth scan is not as loud as a ping scan due to the fact that it sends a SYN packet to the port and. If it is open, it will send back an ACK and then an RST (reset) packet, leaving things quiet.

Answer 21

default TCP connect scan

Answer 22

Compliance scans, by their very nature, are interested in whatever compliance rules your company needs to follow. For instance, if you are a hospital or medical clinic, you need to be in compliance with HIPAA.

Answer 23

The context of a scan describes the position of the attacker when the scan (or subsequent attack) is performed. An external scan is performed from outside the network and simulates an attack on the device directly connected to the Internet.

Answer 24

An internal scan is one that is performed from inside the firewall and simulates an attack by an insider or by an attacker who has breached the external network.

Answer 25

An isolated scan is one that is performed on a network or part of a network that is isolated from the Internet and perhaps from the internal network as well. A good example of this a virtual network with no connection to the Internet or internal network. This type of scan would probably require some type of internal assistance to the attacker as the scan would require access to the isolated network.

Answer 26

In the Planning and Security Requirements phase of the SSDLC, you would add gap analysis. Gap analysis identifies missing security elements and allows for these elements to be included in the development process. Adding gap analysis to the Planning and Requirements phase of the SDLC creates the Planning and Security Requirements phase of the SSDLC.

Answer 27

Threat modeling would be added to the Design phase of the SDLC, becoming the Secure Design and Prototyping phase of the SSDLC.

Answer 28

Secure coding would be added to the Development phase of the SDLC, becoming the Secure Development phase of the SSDLC.

Answer 29

Unit testing would be added to the Testing phase of the SDLC, resulting in the Security and Vulnerability Testing phase of the SSDLC.

Answer 30

1. Planning and Requirements 2. Design 3. Development 4. Testing 5. Deployment 6. Maintenance

Answer 31

1. Planning and Security Requirements 2. Secure Design and Prototyping 3. Secure Development 4. Security and Vulnerability Testing 5. Secure Deployment 6. Maintenance and Monitoring

Answer 32

Gap Analysis

Answer 33

Planning and Security Requirements

Answer 34

Threat Modelling

Answer 35

Secure Designing and Prototyping

Answer 36

Secure Coding

Answer 37

Secure development

Answer 38

Unit Testing

Answer 39

Security and Vulnerability Testing

Answer 40

Build routine security tests

Answer 41

Secure Deployment

Answer 42

Bug bounty program

Answer 43

Maintenance and Monitoring

Answer 44

This process described in the scenario supports the security requirements definition. The security requirements of the solution must be identified. Assigning a privacy impact rating to the data helps to guide measures intended to protect the data from exposure. Security testing phases are undertaken after security requirements have been defined, because only when the requirements have been defined can one know if they have been met. In manual peer review, software developers attend meetings where each line of code is reviewed, usually using printed copies. While it is important to make web applications secure, in some cases security features make the application unusable from the user perspective. User acceptance testing is designed to ensure that does not occur.

Answer 45

Angry IP Scanner is an open-source and cross-platform network scanner designed to scan IP addresses and ports. It can scan IP addresses in any range as well as any of their ports. As a cybersecurity practitioner you would use this to ensure that all open ports are required and as a hacker you would use this scan for open ports to attack.

Answer 46

Arachni is not used for IP scanning. It is a high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of modern web applications.

Answer 47

Three types of security controls are preventative controls., detective controls, and responsive controls. Detective controls identify active security issues when they arise or find indicators of compromise. They include monitoring, job rotation, investigations, intrusion detection systems (IDSes), auditing, guards, and CCTV. Responsive controls come into play after an event has been detected, and may be automated or preconfigured actions prepared in advance. Examples include a system reboot, activating a business continuity plan, isolating a virus to quarantine, and replacing smart access cards.

Answer 48

Corrective – Restore normal operations after a security incident

Answer 49

Managerial – Establish policies to decrease the chances of a security incident

Answer 50

Operational – Enact security policies with best practices and procedures

Answer 51

Technical – Implement hardware- and software-based tools to prevent security incidents

Answer 52

You should use the Common Vulnerabilities and Exposures (CVE), which provides standardized names for security-related software flaws. Keep in mind that you may need to provide reports on identified vulnerabilities to different audiences. While technical staff may be able to read and comprehend the automatic reports generated by a vulnerability scanner, you may need to create an executive report for other non-technical staff that contains information that is more easily understood. While having the vulnerability scanner deliver reports automatically may be preferred, it is not the best solution. Understanding automated versus manual distribution issues will ensure that you, as the security analyst, can provide your audience with information they need and understand. Automatic distribution distributes the reports automatically through internal mechanisms, often via email. Manual distribution would require more effort on the security analyst to ensure that the appropriate individuals receive the correct report.

Answer 53

Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection, highlights risk areas, and presents a clear view of the attack surface automatically.

Answer 54

The GNU Project Debugger (GDB) is a not cloud tool. It is a widely popular program debugger with many features, such as the ability to discover what a program was doing when it crashed.

Answer 55

Metasploit is a not cloud tool, but a framework used in penetration testing that probes systematic vulnerabilities on networks and servers.

Answer 56

Recon-ng is a not cloud tool. It comes with Kali Linux and automates the information gathering of open-source intelligence (OSINT).

Answer 57

A maintenance exclusion (or maintenance exception) is a timeframe or instance when maintenance would be prohibited. This could be the case when a legacy application cannot be updated. Another example of a maintenance exclusion is a retail organization that forbids configuration changes during a peak sale period. The maintenance exception should be submitted as a request that is subsequently approved by the change management team.

Answer 58

Escalation is closely related to prioritization. It is important that an organization has a prioritization and escalation policy. When an incident occurs, it is important to assign it a priority level. The priority level determines the order in which the incident is addressed. In addition, the priority level is usually associated with the team or individual within the organization that is tasked with handling that incident level. If the situation changes, conditions deteriorate, or the effects of an event spread, the priority level can be changed, allowing for escalation to another team. A perfect example of prioritization and escalation exists in the medical community. For example, a bus carrying many passengers has crashed. First responders assign a priority level to each passenger according to the severity of their injuries. Those who can be treated at the scene are assigned a lower priority than those who must be transported to the hospital via ambulance. If a patient who is waiting for ambulance transport develops a life-threatening complication, that patient’s priority can be escalated for air transport.

Answer 59

Service level objectives (SLOs) are the critical metrics within a Service Level Agreement (SLA) that a provider must meet for a client. Policies, governance, and SLOs are key components of attack surface management. SLOs begin with a service level indicator (SLI), which is the item for which performance or service is tracked. An example of an SLI could be server uptime – this is the item for which you want service tracked. The corresponding SLO would be expressed as a percentage, such as a desired server uptime of 99.99%.

Answer 60

There is no Security metric group in the CVSS system.

Answer 61

Base group: represents characteristics of a vulnerability that are constant over time and do not depend on the environment. These metrics are mandatory for scoring. Temporal group: assesses a vulnerability as it changes over time. These metrics are optional for scoring. Environmental group: represents the characteristics of a vulnerability, taking into account the organizational environment. These metrics are optional for scoring.

Answer 62

STRIDE is an example of a threat modeling framework. It is a Microsoft tool developed to identify a wide variety of threats. STRIDE is an acronym for the six threats it identifies: Spoofing identities Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege

Answer 63

Structured Threat Information Expression (STIX) is an open-source language platform that is used to exchange threat intelligence amongst interested parties. For example, if a major retailer discovered a threat linked to supply chain management, it might communicate the threat information to its suppliers using STIX.

Answer 64

An attacker can expect repeatable success when attacking the vulnerable component because the Access Complexity (AC) metric has a value of L, which stands for Low. The AC metric describes the difficulty of exploiting the vulnerability. It has two possible values: H – stands for High and means the vulnerability requires special conditions that are hard to find. L – stands for Low and means the vulnerability does not require special conditions. When the AC score is high, the attack requires at least one of the following conditions to succeed: The attacker must gather knowledge about the environment in which the vulnerable target/component exists, for example, a requirement to collect details on target configuration settings, sequence numbers, or shared secrets. The attacker must prepare the target environment to improve exploit reliability, for example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack).

Answer 65

Nikto is an open-source web server analysis tool and vulnerability scanner. It indexes all of the files and directories regarding the target web server, commonly known as spidering, and locates and reports any potential issues it finds.

Answer 66

Burp Suite is a collection of web application security tools that includes proxy capabilities and mobile application testing to determine communication with application programming interfaces (APIs) and to discover vulnerabilities in web apps.

Answer 67

Zenmap is the graphical user interface (GUI) version of the Nmap Security Scanner. Zenmap is a free and open-source program designed to make Nmap easier for beginners to learn and use, but it also provides features that are extremely useful for experienced Nmap users. It can be used to determine the differences between multiple Nmap scans, such as two Nmap scans run on different days.

Answer 68

Nessus is a scanning tool for remote security that scans a device or network of devices and raises an alert if it comes across any vulnerabilities that malicious hackers could use to get into your network and cause damage.

Answer 69

The type of error that occurred is a false negative. The vulnerability scan indicated no vulnerabilities existed when, in fact, one was present. Security analysts should analyze reports from a vulnerability scan. This involves reviewing and interpreting scan results. As a result, security analysts need to identify false positives, identify exceptions, and prioritize response actions.

Answer 70

A true negative is when a vulnerability scan reports no issue and no issues exist

Answer 71

A true positive is when a vulnerability scan reports a vulnerability that does exist

Answer 72

A false positive is when a vulnerability scan reports a vulnerability that does not exist.

Answer 73

Input validation ensures that all input is checked for the proper length. Validating input for length helps prevent buffer overflow attacks because buffer overflows present more input than was expected, overflowing the memory reserved for the input.

Answer 74

The other best practices of the Software Development Life Cycle (SDLC) include: Security testing phases – including static code analysis, web application vulnerability scanning, and fuzz testing to identify vulnerabilities. User acceptance testing – designed to ensure security features do not make the application unusable from the user perspective. Stress test application – determines the workload that the application can withstand. Security regression testing – validates that changes have not reduced the security of the application, nor opened new weaknesses that were not there prior to the change.

Answer 75

The nmap -sn command executes a ping sweep, which can be used to identify all live devices and as such can also be called a map scan, ping scan, or host discovery scan. The -sn switch is the most common switch and is used for host discovery, but does not scan ports. Sample output of this scan is shown below:

Answer 76

While the command $ nmap -sn 192.168.0.1- only identifies the devices and their IP addresses, a device fingerprint identifies the operating system and its version. Obtaining this information would require adding the -O switch, which enables operating system discovery.

Answer 77

You should instruct the new security analyst to obtain the Vulnerabilities Grouped by Plugin subset of the current scan. This is available from the main report in Nessus. A plugin is a simple program that checks for a given flaw. You should not instruct the analyst to obtain Vulnerabilities Grouped by Host subset of the current scan. This will list the vulnerabilities for a given host. You should not instruct the analyst to obtain the Suggested Remediations subset of the current scan. It summarizes the actions to take that address the largest quantity of vulnerabilities on the network. You should not instruct the analyst to obtain a Credentialed scan. You can obtain the information you need from the current non-credentialed scan.

Answer 78

Since the implementation document specifies a desired setting at variance with the actual setting that exists on the device, this is a security misconfiguration. This is not an example of insecure design. There is no indication that the desired configuration in the design document is incorrect or insecure. This is not an issue with its roots in an end-of-life or outdated component. An example of that would be if the consultant discovered that the router was so old that the vendor no longer provided support for it. This is not an issue in the category of identification and authentication failure. An example of this would be if the consultant discovered that the router allowed them to log on as administrator when that should not be allowed.

Answer 79

The GNU Project Debugger (GDB) is a widely popular debugger with many features. With this program, you can discover what a program was doing when it crashed.

Answer 80

Metasploit framework (MSF) is a framework used in penetration testing that probes systematic vulnerabilities on networks and servers. It would not help determine why the application crashes occur.

Answer 81

The Immunity Debugger is a tool that supports a Python-based API. It allows for the writing of exploits, analyzation of malware, and reverse engineering of binary files. It would not help determine why the crashes occur.

Answer 82

Your first step would be to implement testing when a new patch is issued or a configuration change is necessary. Regarding new patches, it would be impossible for a publisher to account for every possible implementation of a new patch. Therefore, you should install and test new patches and configuration changes on isolated equipment. If the change fails, the effects are localized and not catastrophic to the organization. Validation checks are performed after the patch is installed or the configuration change is made to see if it performing as it should. Did the configuration change perform as claimed, or did it introduce unforeseen errors elsewhere in the system? Implementation is the deployment or activation of the patch or configuration change. Implementation should follow a standardized plan with a series of steps in a checklist. As an example, one step in the implementation process could be to perform a system backup or create a system image. Rollback returns the device or application to the state it was in prior to the patch or configuration change; in essence, rollback is an “undo”. It is highly recommended that you have a rollback plan established that allows you to restore the system to its prior state in the likely event that something goes wrong.

Answer 83

You should use Splunk to consolidate the logs for easier analysis. Splunk is a security information and event management (SIEM) tool. Other SIEM products include ArcSight, QRadar, AlienVault, OSSIM, and Kiwi Syslog.

Answer 84

Nexpose is a vulnerability scanning tool. Other vulnerability scanning tools include Qualys, Nessus, OpenVAS, Nikto, and Microsoft Baseline Security Analyzer (MBSA).

Answer 85

Sysinternals is a technical tool that includes resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment.

Answer 86

MRTG is an analytical monitoring tool to monitor the traffic load on network links. Other monitoring tools include Nagios, SolarWinds, Cacti, and NetFlow Analyzer.

Answer 87

You should review the compliance audit produced by Nessus. A compliance audit supplies vulnerabilities as measured against CIS benchmarks. A patch audit analyzes systems and devices against patch management system of vendors to determine if the organization has not deployed the available patches. A credentialed network scan scans the network for vulnerabilities using credentials to ensure that all areas of the devices can be examined. A non-credential network scan scans the network without credentials so areas that require credentials for access will not be scanned.

Answer 88

You should first verify or validate the false positives to ensure that you can eliminate them from the report. While validation of false positives can be very time consuming, it is a necessary step to ensure that they are not true positives. Once they are verified, you can then configure exceptions for them.

Answer 89

Governance can be defined as how an organization’s policies and procedures are designed to thwart, identify, and react to vulnerabilities and attacks. While risk management is a component of governance, governance is an overall view that aligns legal aspects, requirements of privacy protection, and risk to the enterprise.

Answer 90

Risk management principles include acceptance, transference, avoidance, and mitigation.

Answer 91

Threat modeling is part of Secure Design and Prototyping stage of the secure software development life cycle (SSDLC). This process tries to identify security risks inherent in the application being developed. One example of a threat modeling framework is STRIDE, which is a Microsoft tool developed to identify a wide variety of potential threats. STRIDE is an acronym for the six threats it identifies: Spoofing identities Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege

Answer 92

Authentication is the mechanism that validates that the user or entity is who they claim to be. Authentication can be accomplished through a username/password combination, multi-factor authentication (where more than one piece of identifying information is necessary), or through cryptographic authentication, where the user is in possession of a key that is generated through a cryptographic algorithm.

Answer 93

Edge discovery is the process of identifying Internet of Things (IoT) and other devices that are not part of the core infrastructure. Once identified, they can be configured so that hackers cannot use them to compromise an organization’s core network. Edge discovery is a key component of edge security for attack surface management. Edge security is the process of securing nodes that are outside a company’s network core. The edge of the network needs the same level of security as the core network. Nodes at the edge are not fully covered by the security perimeter of the organization and so are the most vulnerable to cybersecurity risks. Computing on the edge involves computing occurring closer to edge devices rather than the infrastructure of the network. Self-driving cars, sensors, fitness bands, and IoT devices are examples of edge devices. These devices often handle sensitive data, and their compromise can compromise the full network. For this reason, it is essential that these devices are not discoverable by hackers on the Internet. Physical controls involve securing the devices and only allowing authorized personnel to use them. Logical controls involve encryption of device data both in transit and at rest and implementing authorization and authentication.

Answer 94

The growth in the use of edge devices has increased the attack surface for an organization. To secure edge devices, you use routers and firewalls as well as wide area network (WAN) devices which are built for security. Some best practices for edge security include: Keep a zero-trust model throughout the company Ensure internal configuration and control of edge devices and reject compromised devices Use AI and ML tools to monitor edge device activity Ensure edge devices are isolated in a public cloud to avoid discovery

Answer 95

Passive discovery helps to protect the network through the use of security appliances, including firewalls, intrusion detection systems (IDSes), intrusion prevention systems (IPSes), malware protection systems, and others. It is the role of these systems to monitor events and, when an event occurs, create an alert for humans to intervene.

Answer 96

A maintenance window is a recurring period during which patches and configuration changes (maintenance) are performed. These maintenance windows are typically used for automatic patch deployment and configuration changes. When scheduling a maintenance window, it is important to consider the impact of downtime to the organization, customers, and operations.

Answer 97

A passive scan impacts the hosts and network less than other scan types. It does not provide more information. To perform a more in-depth analysis than other scan types, you would perform an active scan.

Answer 98

A database server is most likely the victim in a SQL injection attack. A SQL injection attack inserts a SQL query as the input from the client to the application. The purpose of this attack is to read sensitive data from the database, modify the data, execute administrative operations on the database, recover the content of a given file, and even issue commands to the operating system.

Answer 99

The web server is usually the means whereby the SQL injection attack is delivered, but it is not really the victim of the attack. A web server is most likely the victim of cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

Answer 100

Stored cross-site scripting (XSS) or persistent XSS is what is happening here. It occurs when someone has imbedded malicious code into the site that is always run when someone accesses that website. The attacker usually accesses the site via login, message board, or some other type of input. In this case, someone posted some Java code into the field input, and now that code is always going to run when the site is loaded. It is a simple way to deface a site.

Answer 101

This is not a reflected XSS attack. A reflected XSS attack occurs when an attacker injects code into the browser by a single HTTP response. This is usually done when a malicious link on a normally mundane site sends the user to a malware-laden server that injects code into the browsers. This did not happen in the above scenario as the website itself was defaced.

Answer 102

Document Object Model (DOM)-based XSS is an injection that modifies the environment in the victim’s browser using a programming interface so that the client-side code runs in an “unexpected” manner. Basically, your browser goes crazy, and the attacker takes control of things. Again, this is not the issue being described because the site itself is affected, not the browser.

Answer 103

According to OWASP a “Blind Structured Query Language (SQL) injection is a type of SQL injection attack that asks the database true or false questions and then determines the answer based on the web application’s response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.”

Answer 104

Pacu is a cloud penetration-testing tool that can, like other exploitation frameworks, automate some of the more common attacks. It is designed for AWS deployments.

Answer 105

You can use Burp Suite to capture and analyze API requests and responses in an act of reconnaissance. Burp Suite is a collection of web application security tools that includes proxy capabilities and mobile application testing to determine communication with application programming interfaces (APIs) and to discover vulnerabilities in web apps.

Answer 106

Session management protects against cross-site injection attacks by creating a token. This is accomplished through the creation of a session identifier (session ID) that is exchanged between the user and the web application. Session IDs should be at least 128 bits and should contain sufficient random characters to prevent a brute force attack.

Answer 107

The main difference between a SQL and XSS injection attack is that SQL injection attacks are used to steal information from databases whereas XSS attacks are used to redirect users to websites where attackers can steal data from them. SQL injection is data-base focused whereas XSS is geared towards attacking end users.

Answer 108

The Simple Network Management Protocol (SNMP) service may be abused to gain unauthorized access to network devices. It provides a standardized framework for a common language that is used for monitoring and managing devices in a network. The File Transfer Protocol (FTP) service is not normally applicable to a retail setting. FTP is used to transfer files between servers and workstations. It can be vulnerable, though. A point-of-sale (POS) application would only check for the application version vulnerability. It is not a way to hack in and of itself as it is just enumeration. The operating system (OS) version enumerates OS version details and verifies for any vulnerabilities. Again, this is just enumeration, not a way to hack in.

Answer 109

Succession planning does support a defense-in-depth strategy. It is a personnel consideration, not a technological one.

Answer 110

Automated reporting capabilities – can be scheduled to be delivered to the proper individual in the organization when generated. A variety of report types are available and are tailored for the audience to which they are directed. Security appliances – hardware devices that are designed to provide some function that supports the securing of the network or detecting vulnerabilities and attacks. Security suites – collections of security utilities combined into a single tool. Outsourcing of security services – security services provided by third parties with more talent and experience than may exist in the organization. Cryptography services – supporting the three core principles of the confidentiality, integrity, and availability (CIA) triad, cryptosystems also directly provide authentication, confidentiality, integrity, authorization, and non-repudiation. Other personnel issues that support a defense-in-depth strategy include: Security training Dual control Separation of duties Proper securing of third party/consultants Cross training Mandatory vacation

Answer 111

Checking to see if an application block list prevents the installation of a particular executable file would be an example of security controls testing. Security controls testing determines if controls have been properly implemented, performing as expected and producing the appropriate results.

Answer 112

To best protect the business and the operations, the company should use a standard layered approach to secure the ICS. Because there are many attack vectors, no one security measure would be sufficient. Attack vectors may include digital attacks from the outside seeking to steal financial information or disrupt the system's operations, insider errors, malicious insiders, or physical attacks or disruptions. Layered security includes the usual hardware and software additions to provide mitigation against known attacks, and adds employee security awareness training for additional protection.

Answer 113

Reverse engineering involves analyzing the compiled mobile app or system data to extract source code information to be used in understanding and potentially manipulating the underlying architecture of the mobile application or operating system. Attackers use reverse engineering techniques to compromise the OS of a mobile device (i.e., Android, Apple iOS) to root or jailbreak it (gain unrestricted access to the entire root of the OS).

Answer 114

An overflow attack revolves around malicious code requiring more memory than is allocated by a buffer. A buffer is a memory allocation that is designed to hold a finite amount of data. In other words, the attacker attempts to write more data into an application’s pre-built buffer than that buffer was intended to hold. When an attacker can add data that exceeds the buffer limits, the extra information spills over past the buffer into adjacent memory, where it can then crash the system or execute malicious code. All types of overflows can be reduced by examining all input prior to accepting it. The input can be examined to ensure it has the correct length and that no malicious character types are present.

Answer 115

occurs when a memory allocation that is designed to hold a finite amount of data is full.

Answer 116

occurs when a part of memory dynamically allocated at runtime, typically containing program data, is full.

Answer 117

occurs when a part of memory used to store local variables used inside a function and parameters passed through a function and their return addresses, is full.

Answer 118

occurs when a mathematical operation attempts to create a numerical value that is too large for the available storage space.

Answer 119

The Temporal score and the Environmental score are not MANDATORY components of the Common Vulnerability Scoring System (CVSS) Base Score in CVSS v3.1. The Base Score formula depends on sub-formulas for Impact Sub-Score (ISS), Impact, and Exploitability, all of which are defined below: Impact Sub Score is calculated as follows: 1-[(1-Confidentiality) × (1-Integrity) × (1-Availability)] The Impact Score is calculated as follows: If Scope is unchanged, then 6.42 x Impact Sub Score If Scope is changed, then 7.52 x (Impact Sub Score-0.029)-3.25 x (Impact Sub Score-0.02) The Exploitability Score is calculated as follows: 8.22 x AttackVector x AttackComplexity x PrivilegesRequired x UserInteraction The Base Score is then calculated as follows: If ImpactSubScore <0 then 0, else: If Scope is unchanged, Roundup(Minimum[Impact+Exploitability),10] If Scope is changed, Roundup(Minimum[1.08 x (Impact+Exploitability),10]) The Temporal Score, while not a mandatory component, is calculated as follows: Roundup(BAseScore x ExploitCodeMaturity x RemediationLevel x ReportConfidence) The Environmental Score, while not a mandatory component, is calculated as follows: If ModifiedImpact <=0, then 0, else If ModifiedScopeis unchanged then Roundup (Roundup [Minimum ([ModifiedImpact + ModifiedExploitability], 10) ] × ExploitCodeMaturity × RemediationLevel × ReportConfidence) If ModifiedScope is changed, then Roundup (Roundup [Minimum (1.08 × [ModifiedImpact + ModifiedExploitability], 10) ] × ExploitCodeMaturity × RemediationLevel × ReportConfidence) To determine the impact function, you must know the impact score. If the Impact score is 0 when calculated with the above formula, then the Impact Function value is also 0. Otherwise, you assign the Impact Function value as 1.176. That is ALWAYS the value. The formula for calculating the exploitability score is: Exploitability = 20 x AccessVector x AccessComplexity x Authentication The formula for calculating the CVSS Base Score is: BaseScore = ((0.6 x Impact) + (0.4 x Exploitability) 1.5) x ImpactFunction Most vulnerability scanners provide the CVSS Base Score along with a breakdown of the individual rankings of the six metrics listed above.

Answer 120

Exploiting the vulnerability does NOT require either physical access to the target or a local (shell) account on the target. The Access Vector (AV) metric has a value of A, which stands for Adjacent Network. This means that exploiting the vulnerability requires access to the local network of the target, not the target itself.

Answer 121

P – stands for Physical and means the attacker must physically touch the vulnerable component to carry out the attack L – stands for Local and means the attacker must have physical or logical access to the affected system itself A – stands for Adjacent network and means the attacker must be on a logically adjacent network (such as the local IP subnet) or the same physical network N – stands for Network and means the attacker can use the vulnerability from any network location on the Internet

Answer 122

The User Interaction (UI) base metric is used to indicate whether or not the attacker requires a human user to do anything for the attack to succeed, such as installing software.

Answer 123

The SysAdmin, Audit, Network, and Security (SANS) organization sponsors the Global Information Assurance Certification (GIAC). They also provide training, perform research, and publish best practices for cybersecurity, web security, and application security. They provide guidelines for secure software development.

Answer 124

Of the options listed, the security analyst should be most concerned with the Confidentiality or C metric because it is rated as H, or High. This means that there would be a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Though it was not listed as an option, the Attack Complexity (AC) value is L (Low), which is the worst possible value for this metric and also a matter of high concern. The CVSS vector CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N measures eight base metrics: Attack Vector (Physical), Attack Complexity (Low), Privileges Required (High), User Interaction (Required), Scope (Unchanged), Confidentiality (High), Integrity (Low), and Availability (None).

Answer 125

DNS cache poisoning is the act of entering false information into a DNS cache so that DNS queries return an incorrect response and users are directed to the wrong website. This attack is also known as DNS spoofing. Because the IT department is not seeing the same things that the user is, it is likely that the user’s DNS cache has been poisoned and her session is being redirected to a different website.

Answer 126

Dynamic scans do not involve manually examining the code; that is static analysis.

Answer 127

Static code analysis is performed without the code executing. Code review and testing must occur throughout the entire application development life cycle. Code review and testing must identify bad programming patterns, security misconfigurations, functional bugs, and logic flaws.

Answer 128

Fuzz testing, or fuzzing, involves injecting invalid or unexpected input (sometimes called faults) into an application to test how the application reacts. It is usually done with a software tool that automates the process.

Answer 129

An interception proxy is an application that stands between the web server and the client and passes all requests and responses back and forth. While it does so, it analyzes the information to test the security of the web application. A web application proxy can also "crawl" the site and its application to discover the links and content contained.

Answer 130

Segmentation considerations are made to control which sections of the network are scanned. This technique supports ensuring that operations and productivity are not negatively impacted by the scan and that any machines exempted from the scan are not scanned. Segmentation can be accomplished with subnetting and ACLs on the routers to prevent the scan from accessing exempted systems.

Answer 131

Sensitivity level considerations involve determining how deeply the machines are scanned and are addressed by choosing an appropriate scan type. For example, a credentialed scan will scan more deeply and render more valuable information than an uncredentialed scan, but it will also impact the machine’s performance and create more network traffic.

Answer 132

The Scope (S) metric is a determination as to whether a vulnerability in one system or component can have carry-over impact on another system or component. It has two possible values: Changed (C) – An exploited vulnerability can have carry-over impact on another system. Unchanged (U) – An exploited vulnerability is limited in damage to only the local security authority. In this example, the S:U score indicates the vulnerability is limited in scope to the affected system. This is the better score. The User Interaction (UI) base metric is used to indicate whether or not the user must do anything for the attack to succeed. The UI metric has two possible values: None (N) – No user interaction is required. Required (R) – A user must complete some steps for the exploit to succeed. For example, a user might be required to install some software. The Attack Vector (AV) base metric describes how the attacker would exploit the vulnerability. It has four possible values: L – stands for Local and means the attacker must have physical or logical access to the affected system. A – stands for Adjacent network and means the attacker must be on the local network. N – stands for Network and means the attacker can cause the vulnerability from any network. P – stand for Physical and requires the attacker to physically touch the device. Called Authentication in earlier versions of CVSS, the Privileges Required (PR) metric describes the level of access required to mount this attack. There are three possible values: None (N): The attacker does not need any privileges to exploit the vulnerability. Low (L): The attacker is required to have basic privileges in a system to exploit the vulnerability. High (H): The attacker has to have higher privileges in a system to exploit the vulnerability. The necessity of higher privileges may seem contradictory but the vulnerable component and impacted component might be different.

Answer 133

The attacker is required to have basic privileges in the system to exploit the vulnerability. Called Authentication in earlier versions of CVSS, the Privileges Required (PR) metric describes the level of access required to mount this attack. There are three possible values: None (N): The attacker does not need any privileges to exploit the vulnerability. Low (L): The attacker is required to have basic privileges in a system to exploit the vulnerability. High (H): The attacker has to have higher-level privileges in a system to exploit the vulnerability. The necessity of higher privileges may seem contradictory, but the vulnerable component and impacted component might be different. Whether the attacker needs to be physically present or not is not described by the PR metric. The Attack Vector (AV) metric describes how the attacker would exploit the vulnerability. AV is an Exploitability metric in the Base metric group. It has four possible values: P – stands for Physical and means the attacker must physically touch the vulnerable component to carry out the attack L – stands for Local and means the attacker must have physical or logical access to the affected system itself A – stands for Adjacent network and means the attacker must be on a logically adjacent network (such as the local IP subnet) or the same physical network N – stands for Network and means the attacker can use the vulnerability from any network location on the Internet For this metric, P is the best ranking and N is the worst.

Answer 134

A Supervisory Control and Data Acquisition (SCADA) device is a system operating with coded signals over communication channels that provides control of remote equipment. It is not used in forensic investigations.

Answer 135

Digital forensics workstation – A dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive. Write blockers – A tool that permits read-only access to data storage devices without compromising the integrity of the data. Cables – You should carry a variety of cables for connecting to storage devices. Drive adapters – Adapters can enable connections to drives for which you have no cable. Wiped removable media – Your kit should have removable media of various types that has been wiped clean. These may include USB flash drives, external hard drives, Multimedia Cards (MMC), Secure Digital (SD) cards, Compact Flash (CF) card, Memory Sticks, xD Picture cards, CDs, CD-RW, DVDs, and Blu-ray discs. Cameras – Digital cameras with 12 megapixels (MP) or greater image sensors and manual exposure settings (in addition to any automatic or programmed exposure modes) are usually suitable for crime scene and evidence photography. Crime tape – Flagging or adhesive pre-preprinted tape intended to block the area and prevent any unauthorized individuals from entering. Tamper-proof seals – Used to ensure that the chain of custody is maintained. Documentation/forms – Used to document the crime, the crime scene, and the evidence. There may also be interviews with witnesses. Most of these form templates are developed by the company based on standards.

Answer 136

The forms that should be present in the kit are: Chain of custody form – This form will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence. Incident response plan – This plan should be formally designed, well communicated, and followed. It should specifically address cyber-attacks against an organization's IT systems. Incident form – This form is used to describe the incident in detail. It should include sections to record CMOS, hard drive information, image archive details, analysis platform information, and other details. Call list/escalation list – This list should indicate under what circumstance individuals should be contacted and should include current contact information.

Answer 137

An attacker would need to be on the local system to exploit this vulnerability using read/write/execute capabilities. The local system access could be physical (such as convincing the user to open the attacker’s program on the system through social engineering) or remote (such as establishing a SSH connection to a console and then executing commands).

Answer 138

Your organization experienced a cross-site scripting (XSS) attack. An XSS attack occurs when an attacker locates a vulnerability on a website that allows the attacker to inject malicious code into a web application. A persistent XSS attack occurs when data provided to the web application is first stored persistently on the server and later displayed to users without being encoded using HTML on the web client. A non-persistent XSS attack occurs when data provided by a web client is used immediately by server-side scripts to generate results for that user. XSS flaws occur every time an application takes user-supplied data and sends it to a web browser without first confirming or encoding the data. To locate XSS attacks, you should look for lines in the web server log that contain JavaScript or other scripting languages that forward a user's session cookie to an external location or web page.

Answer 139

Reverse engineering means to take something apart to discover how it works and perhaps to replicate it. In cybersecurity, reverse engineering is used to analyze both hardware and software for various reasons. Among these reasons are: To discover how malware functions To determine whether malware is present in software To locate software bugs To locate security problems in hardware

Answer 140

Detective managerial control – Job rotation Detective physical control – CCTV Corrective logical control – Centralized data backups Preventative managerial control – Security awareness training Preventative logical control – Biometric authentication Preventative physical control – Mantraps

Answer 141

This is an example of a compensating control. Compensating controls are temporary measures that are put in place to satisfy a requirement that is too difficult to implement. In this scenario, a third-party auditor compensates for the lack of the primary control, separation of duties. By itself, auditing is a detective control.

Answer 142

A redirect attack is occurring. Redirects are not inherently a bad thing in and of themselves. For instance, they are a useful function to have when building a website. If a user attempts to access a resource before they are logged in, it is conventional to redirect them to the login page, put the original URL in a query parameter, and then automatically redirect them towards their original destination after they have logged in. But there are always two sides to a coin! This is the exact reason that spammers and phishers use redirects and why they are so enticing. Attackers can bounce a user off a site they want to go to and send them to an exact replica that is a malicious version of the site, where the user will log in and end up downloading malware, disclosing confidential information, and so on. This is a malicious redirecting attack. This is not an example of remote code execution. Arbitrary or remote code execution occurs when hackers take advantage of a vulnerability to gain access to a system and then place malicious code there, which they subsequently execute remotely. This is not a server-side request forgery (SSRF). An SSRF attack involves targeting a server that hosts a web application to fetch a remote resource without validating the user-supplied URL. This allows an attacker to make the application send a crafted request to an unexpected destination, even when the system is protected by a firewall, VPN, or additional network access control list. Starting in 2021, SSRF was added to the OWASP Top 10 list that is comprised of the most critical web application security risks to date. An SQL command injection is one of many types of injection attacks in which malicious SQL statements are injected into an input field in a web request and executed on a database server.

Answer 143

When a server is handling sales, it is typically handling credit card data and cardholder data. The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework for organizations that process credit card transactions or handle cardholder data from the major card vendors.

Answer 144

OWASP ZAP was primarily designed to brute force both directory and file names on web application servers.

Answer 145

Agentless systems are based on the push communication style in which the associated software pushes data to a remote system on a periodic basis. Whereas agent-based systems use a pull method in which the agents are interrogated by a central system for data.

Answer 146

The Federal Information Security Management Act (FISMA) is a part of the regulatory reporting requirements that affect the vulnerability scanning rate. All laws and regulations that affect the organization must be fully analyzed to determine their effect on the scanning rate.

Answer 147

The Open Web Application Security Project (OWASP) identifies the top 10 security issues each year for web servers, and provides recommendations and guidelines to address these vulnerabilities.

Answer 148

In an SQL injection attack, the attacker uses a web application to gain access to an underlying, backend database. Semicolons (;) and apostrophes (') are characteristics of these attacks. For example, the single quote in SQL is a limiter, meaning it ends any current SQL string. This is important for attackers to craft true conditions or true statements to bypass authentication or pull more information from a database than is allowed.

Answer 149

The risk management principle of accept (acceptance) is being described. Acceptance is when you acknowledge that a risk may occur but do not try to prevent it. Examples of acceptance would include taking no action at all or leaving the original security plan unchanged and developing a contingency or fallback plan. It is recommended that you accept a risk when the cost of the safeguard exceeds the amount of the potential loss. The transfer principle (transference) involves shifting the risk and its consequences to a third party. The third party is then responsible for owning and managing the risk. Purchasing insurance is an example of transference. The avoid principle (avoidance) involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include stopping a risky activity altogether, adding security resources to eliminate the risk, or removing resources to eliminate the risk. The mitigate principle (mitigation) involves reducing the probability or impact of a risk to an acceptable risk threshold. To mitigate a risk, you would take actions to minimize the probability of the risk occurring. Biometric locks on a server room’s doors mitigate the risk of an intruder breaking in where sensitive data is housed.

Answer 150

A camera is a detective control because it allows you to detect when an issue occurs.

Answer 151

This is a directory traversal attack, also known as a path traversal attack. Directory traversal is a very common attack against sites. It is an easy way to get around login information or to access private galleries, files, or even username and email lists. Frequently, this attack requires guessing which subdirectory and/or filename is your target. With some detective work, you can follow the normal file and domain structures that are out there. You can do this attack by using two different methods: the (…/) method or by typing in the absolute path (https://interconn.com/wp-content/uploads/2018/03).

Answer 152

This is not cookie manipulation. Cookies are small pieces of data created and stored in a user’s browser that keep track of important information regarding the user’s session for a particular site. Cookie manipulation, also called cookie poisoning, is when a hacker is able to change data within that cookie to take over that user’s information or bypass security measures on websites.

Answer 153

While all considerations are important, it is critical that any organization that is operating in an industry where federal regulations, such as HIPPA or PCI-DSS, are in effect, ensures that the scan supports verification that regulatory requirements are being met.

Answer 154

They are performing technical impact review. This is the process of assessing the potential impact of an event that is technical in nature. Once all assets have been identified and their value to the organization has been established, specific threats to each asset are identified. An attempt must be made to establish both the likelihood of the threat being realized, as well as the impact to the organization, should that occur. This can be done by assigning values like high, medium, and low to the threats to describe their impact and likelihood.

Answer 155

An escalation of privileges attack occurs when an attacker has used a design flaw in an application to obtain unauthorized access to the application. Privilege escalation includes incidents where a user logs in with valid credentials and then takes over the privileges of another user, or where a user logs in with a standard account and uses a system flaw to obtain administrative privileges.

Answer 156

Race condition – typically targets timing, mainly the delay between time of check (TOC) and time of use (TOU). To eliminate race conditions, application developers should create code that processes exclusive-lock resources in a certain sequence and unlocks them in reverse order.

Answer 157

Insecure direct object references – occurs when a developer exposes a reference to an internal object, such as a file, directory, database record, or key, as a URL or form parameter without implementing the appropriate security control. An attacker can manipulate direct object references to access other objects without authorization. Implementing an access control check helps to protect against these attacks.

Answer 158

Cross-site request forgery (CSRF) – occurs when a malicious site executes unauthorized commands from a user on a web site that trusts the user. It is also referred to as one-click attack or session riding. Implementing anti-forgery tokens protect against this attack.

Answer 159

Improper error and exception handling – occurs when developers do not design appropriate error or exception messages in an application. The most common problem because of this issue is the fail-open security check, which occurs when access is granted (instead of denied) by default. Other issues include system crashes and resource consumption. Error handling mechanisms should be properly designed, implemented, and logged for future reference and troubleshooting.

Answer 160

Improper storage of sensitive data – occurs when sensitive data is not properly secured when it is stored. Sensitive data should be encrypted and protected with the appropriate access control list. Also, when sensitive data is in memory, it should be locked.

Answer 161

Secure cookie storage and transmission – Cookies store a user's web site data, often including confidential data, such as usernames, passwords, and financial information. A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted during transmission.

Answer 162

Memory leaks – occur when an application does not release memory after it is finished working with it. Reviewing coding and designing best practices helps to prevent memory leaks.

Answer 163

Data remnants – occurs when applications are removed but data remnants, including registry entries, are left behind. Specialty tools and apps are available to ensure that applications have been completely removed from a device.

Answer 164

The cost of a scan is typically not a main consideration. Even in scenarios where a third party is hired, the cost is typically not a deterrent when identifying vulnerabilities that are considered to be critical.

Answer 165

VM Escape is likely to only affect virtual machines and virtual infrastructure. In an escape attack, the attacker has access to a single virtual host, and then leverages that access to intrude upon the resources assigned to a different virtual machine.

Answer 166

You have determined one or more of the scan's sensitivity levels because you are performing a discovery scan, which is used to create an inventory of assets based on host or service discovery.

Answer 167

Issue B should take priority because it has the highest CVSS value of 9.1, which is considered a critical issue. The Common Vulnerability Scoring System (CVSS) is a system of ranking vulnerabilities that are discovered based on pre-defined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed after a vulnerability test is met. Scores are awarded on a scale of 0 to 10, with the values having the following ranks: 0 – No issues 0.1 to 3.9 – Low 4.0 to 6.9 – Medium 7.0 to 8.9 – High 9.0 to 10.0 – Critical