4.3 Flashcards
4-step process for identifying and remediating vulnerabilities
Planning - Establish policies, procedures, and mechanisms to systematically track
and evaluate vulnerabilities
Testing - Evaluate patches and updates in a controlled environment before
deploying them across the entire enterprise network
Implementation - Deploy patches and updates across devices and applications
Auditing - Ensure that security patches and configuration changes have been
implemented effectively
Threat intelligence feeds
Provide valuable information about potential or current threats to an
organization’s security
Collected, analyzed, and disseminated by security researchers, organizations, or
automated tools
Threat intelligence
Continuous process to comprehend the specific threats an organization faces
OSINT
Open-Source Intelligence
Collected from publicly available sources like reports, forums, news
articles, blogs, and social media
Responsible Disclosure
Ethical practice of privately reporting vulnerabilities in software, hardware, or online services to the responsible vendor and allowing time for a fix before details are made public
Bug Bounty Programs
Formalized responsible disclosure programs that reward security researchers for valid, reproducible vulnerability reports
Vulnerability Confirmation
Determining whether each identified potential security weakness is actually present (scanner output alone gives only positives and negatives; validation is what makes them true or false)
● True Positive
○ Real and exploitable vulnerability correctly identified
● False Positive
○ Scanner reports a vulnerability that does not actually exist (wastes triage effort)
● True Negative
○ Correctly identifies the absence of a vulnerability
● False Negative
○ Most serious outcome: a vulnerability exists but the scanner did not detect it
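The four outcomes above, worked through in code. This is an added example, not part of the original flashcards: it takes one scan run (every check the scanner performed, flagged or not) plus an independently verified list of what is really present, and sorts each result into the four buckets. The host names, check identifiers and results are constructed. Note that a confirmed vulnerability on a host the scanner never covered is also a false negative, which is why false negatives can only be measured against an independent source such as manual validation or a pentest.

```python
"""Triage scanner findings against independently verified ground truth.

Added worked example (not from the original notes). A scanner result by
itself is only "positive" or "negative"; whether it is a true or false one
is known only after validation establishes what is really present.
All host names, check identifiers and results below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Confirmation:
    true_positive: list = field(default_factory=list)
    false_positive: list = field(default_factory=list)
    true_negative: list = field(default_factory=list)
    false_negative: list = field(default_factory=list)

    def precision(self) -> float:
        """Share of scanner positives that turned out to be real."""
        flagged = len(self.true_positive) + len(self.false_positive)
        return len(self.true_positive) / flagged if flagged else 0.0

    def recall(self) -> float:
        """Share of real vulnerabilities the scanner actually found."""
        real = len(self.true_positive) + len(self.false_negative)
        return len(self.true_positive) / real if real else 0.0


def confirm(scanner: dict, verified: set) -> Confirmation:
    """Classify every scanner result.

    scanner:  {(host, check_id): flagged} for every check the scanner ran;
              flagged=False means the scanner explicitly reported it absent.
    verified: set of (host, check_id) that validation confirmed as real.
    """
    result = Confirmation()
    for key, flagged in sorted(scanner.items()):
        present = key in verified
        if flagged and present:
            result.true_positive.append(key)
        elif flagged:
            result.false_positive.append(key)
        elif present:
            result.false_negative.append(key)
        else:
            result.true_negative.append(key)
    # A confirmed vulnerability on something the scanner never checked at
    # all (host out of scope, missing plugin) is also a false negative.
    for key in sorted(verified - set(scanner)):
        result.false_negative.append(key)
    return result


# Constructed sample data: one scan run and the validation team's findings.
SCAN_RESULTS = {
    ("web01", "outdated-openssl"): True,   # real: true positive
    ("web01", "default-creds"): True,      # banner matched, creds rotated: false positive
    ("web01", "weak-ssh-ciphers"): False,  # correctly absent: true negative
    ("db01", "outdated-openssl"): False,   # missed by unauthenticated scan: false negative
    ("db01", "weak-ssh-ciphers"): True,    # real: true positive
}
VERIFIED = {
    ("web01", "outdated-openssl"),
    ("db01", "outdated-openssl"),
    ("db01", "weak-ssh-ciphers"),
    ("app01", "default-creds"),  # host was never in scope of the scan
}

if __name__ == "__main__":
    r = confirm(SCAN_RESULTS, VERIFIED)
    for name in ("true_positive", "false_positive", "true_negative", "false_negative"):
        print(f"{name:15} {getattr(r, name)}")
    print(f"precision={r.precision():.2f} recall={r.recall():.2f}")
```

Precision tells you how much of the scanner's output is worth a remediation ticket; recall tells you how much the scanner is missing, and that second number is the one a vulnerability manager should worry about, because it is invisible without the verified set.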
CVSS
Common Vulnerability Scoring System
Open standard that rates the severity of a vulnerability on a 0.0 to 10.0 scale from a vector of base metrics (attack vector, complexity, privileges, user interaction, scope, and confidentiality/integrity/availability impact)
CVE
Common Vulnerabilities and Exposures
System that provides a standardized way to uniquely identify and reference known vulnerabilities in software and hardware
EF (Exposure Factor)
Quantifiable estimate of the percentage of an asset's value that would be lost if a given threat were realized; used in quantitative risk analysis as SLE = AV × EF
Risk Tolerance
The level of risk an organization is willing to accept
■ Determines the urgency of vulnerability remediation
■ High risk tolerance may allow monitoring of certain vulnerabilities
■ Low risk tolerance may require swift remediation of even minor vulnerabilities
Patching
Process of applying updates to fix software, system, or application vulnerabilities
■ Patches released by software vendors
■ End users must update their software to apply security patches
Insurance Policy
Procuring a cybersecurity insurance policy as a risk management strategy
■ Mitigates financial losses resulting from cyber incidents (data breach, network
outage, business interruption)
■ Covers mitigation, remediation, recovery costs, legal fees, public relations, and
customer notification
Exception
Temporarily relaxing or bypassing security controls or policies for operational business needs with an understanding of associated risks
Exemption
A permanent waiver of security controls or policies due to specific
reasons, often for legacy systems
Remediation
Involves installing patches, reconfiguring devices, or taking other corrective actions to remove or reduce a vulnerability
Auditing
Involves systematic review of logs, configurations, and patches
● Ensures alignment with established security standards and policies
Configuration Auditing
Checks for misconfigurations or deviations from the approved baseline
Verification
Final step in validating remediation
● Involves testing systems to confirm patches and configuration changes
Vulnerability Reporting
Process of documenting and communicating security weaknesses in software or
systems to individuals and organizations responsible for addressing the issues
■ Reports should use clear, concise, and transparent language
■ Confidentiality is crucial to prevent exploitation, reputation damage, and legal
repercussions
Internal vulnerability reporting
First line of defense in vulnerability management within the organization
■ Identifying, documenting, and communicating vulnerabilities within the
organizational structure
■ Information remains internal
■ Timely reporting reduces exposure to unpatched vulnerabilities
■ Establish clear communication paths and protocols
External vulnerability reporting
Reporting vulnerabilities outside the organization, involving vendors, partners,
customers, or the public
■ Coordinating with vendors to address vulnerabilities for the benefit of all
customers
■ Sharing non-sensitive details with databases like CVE or vendor knowledge bases
■ Respect privacy when discussing vulnerabilities with external organizations