4.3 Flashcards
4 Step process for identifying vulnerabilities
Planning - Establish policies, procedures, and mechanisms to systematically track and evaluate vulnerabilities
Testing - Evaluate patches and updates in a controlled environment before deploying them across the entire enterprise network
Implementation - Deploy patches and updates across devices and applications
Auditing - Ensure that security patches and configuration changes have been implemented effectively
Threat intelligence feeds
Provide valuable information about potential or current threats to an organization's security
Collected, analyzed, and disseminated by security researchers, organizations, or automated tools
Threat intelligence
Continuous process to comprehend the specific threats an organization faces
OSINT
Open source intelligence
Collected from publicly available sources like reports, forums, news articles, blogs, and social media
Responsible Disclosure
Ethical practice for disclosing vulnerabilities in software, hardware, or online services
Bug Bounty Programs
Robust responsible disclosure programs incentivizing security researchers
Vulnerability Confirmation
Determining the accuracy of identified potential security weaknesses
● True Positive
○ Real and exploitable vulnerability correctly identified
● False Positive
○ Reported vulnerability that does not actually exist
● True Negative
○ Correctly identifies the absence of a vulnerability
● False Negative
○ Serious finding – vulnerability exists but remains undetected
CVSS
Common Vulnerability Scoring System
CVE
Common Vulnerabilities and Exposures
System that provides a standardized way to uniquely identify and reference known vulnerabilities in software and hardware
EF
Exposure factor
A quantifiable metric to estimate the percentage of asset damage
Risk Tolerance
The level of risk an organization is willing to accept
■ Determines the urgency of vulnerability remediation
■ High risk tolerance may allow monitoring of certain vulnerabilities
■ Low risk tolerance may require swift remediation of even minor vulnerabilities
Patching
Process of applying updates to fix software, system, or application vulnerabilities
■ Patches released by software vendors
■ End users must update their software to apply security patches
Insurance Policy
Procuring a cybersecurity insurance policy as a risk management strategy
■ Mitigates financial losses resulting from cyber incidents (data breach, network outage, business interruption)
■ Covers mitigation, remediation, recovery costs, legal fees, public relations, and customer notification
Exception
Temporarily relaxing or bypassing security controls or policies for operational business needs with an understanding of associated risks
Exemption
A permanent waiver of security controls or policies due to specific reasons, often for legacy systems