4.3

Question 1

4 Step process for identifying vulnerabilities

Answer 1

planning-Establish policies, procedures, and mechanisms to systematically track
and evaluate vulnerabilities
testing -Evaluate patches and updates in a controlled environment before
deploying them across the entire enterprise network
implementation -Deploy patches and updates across devices and applications
auditing-Ensure that security patches and configuration changes have been
implemented effectively

Question 2

Threat intelligence feeds

Answer 2

Provide valuable information about potential or current threats to an
organization’s security
Collected, analyzed, and disseminated by security researchers, organizations, or
automated tools

Question 3

Threat intelligence

Answer 3

Continuous process to comprehend the specific threats an organization faces

Question 4

OSINT

Answer 4

open source intelligence
Collected from publicly available sources like reports, forums, news
articles, blogs, and social media

Question 5

Responsible Disclosure

Answer 5

Ethical practice for disclosing vulnerabilities in software, hardware, or online service

Question 6

Bug Bounty Programs

Answer 6

Robust responsible disclosure programs incentivizing security researchers

Question 7

Vulnerability Confirmation

Answer 7

Determining the accuracy of identified potential security weaknesses
● True Positive
○ Real and exploitable vulnerability correctly identified
● False Positive
○ Incorrectly stated vulnerability
● True Negative
○ Correctly identifies the absence of a vulnerability
● False Negative
○ Serious finding – vulnerability exists but remains undetected

Question 8

CVSS

Answer 8

common vulnerability scoring system

Question 9

CVE

Answer 9

common vulnerabilities and exposures
system that provides a standadized way to uniquely identify and reference known vulnerabilities in software and hardware

Question 10

EF

Answer 10

A quantifiable metric to estimate the percentage of asset damageR

Question 11

Risk Tolerance

Answer 11

The level of risk an organization is willing to accept
■ Determines the urgency of vulnerability remediation
■ High risk tolerance may allow monitoring of certain vulnerabilities
■ Low risk tolerance may require swift remediation of even minor vulnerabilitie

Question 12

PAtching

Answer 12

Process of applying updates to fix software, system, or application vulnerabilities
■ Patches released by software vendors
■ End users must update their software to apply security patch

Question 13

Insurance Policy

Answer 13

Procuring a cybersecurity insurance policy as a risk management strategy
■ Mitigates financial losses resulting from cyber incidents (data breach, network
outage, business interruption)
■ Covers mitigation, remediation, recovery costs, legal fees, public relations, and
customer notification

Question 14

Exception

Answer 14

Temporarily relaxing or bypassing security controls or policies for operational business needs with an understanding of associated risks

Question 15

Exemption

Answer 15

A permanent waiver of security controls or policies due to specific
reasons, often for legacy systems

Question 16

Remediation

Answer 16

Involve installing patches, reconfiguring devices, or other actions

Question 17

Auditing

Answer 17

nvolves systematic review of logs, configurations, and patches
● Ensures alignment with established security standards and policies

Question 18

Configuration Auditing

Answer 18

checks for misconfigurations of deviations

Question 19

Verification

Answer 19

Final step in validating remediation
● Involves testing systems to confirm patches and configuration changes

Question 20

Vulnerability Reporting

Answer 20

Process of documenting and communicating security weaknesses in software or
systems to individuals and organizations responsible for addressing the issues
■ Reports should use clear, concise, and transparent language
■ Confidentiality is crucial to prevent exploitation, reputation damage, and legal
repercussion

Question 21

Internal vulnerability reporting

Answer 21

First line of defense in vulnerability management within the organization
■ Identifying, documenting, and communicating vulnerabilities within the
organizational structure
■ Information remains internal
■ Timely reporting reduces exposure to unpatched vulnerabilities
■ Establish clear communication paths and protocols

Question 22

External vulnerability reporting

Answer 22

eporting vulnerabilities outside the organization, involving vendors, partners,
customers, or the public
■ Coordinating with vendors to address vulnerabilities for the benefit of all
customers
■ Sharing non-sensitive details with databases like CVE or vendor knowledge bases
■ Respect privacy when discussing vulnerabilities with external organizations