4.3 Flashcards
Vulnerability scanning, threat intelligence, penetration testing, analyzing vulnerabilities, vulnerability remediation
Dynamic analysis that feeds random or malformed input into a running program to trigger faults is AKA
Fuzzing
Fuzzing is AKA (4)
Fault-injecting
Robustness testing
Syntax testing
Negative testing
True/False
Utilizing fuzzers is very time and resource intensive
True
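The cards above describe fuzzing as fault injection, robustness testing, syntax testing and negative testing. As an added example (not from the original notes), the Python below builds a small mutation fuzzer against a deliberately fragile record parser: a syntax-testing pass substitutes boundary values into every numeric token, and a fault-injection pass randomly flips, inserts, deletes and truncates bytes. Clean rejections (ValueError) count as correct negative-test behaviour; any other exception is a crash. The parser, its record format and the bug it contains are all invented for the demonstration, and a hardened variant shows how the same fuzzer confirms the fix.

```python
"""Mutation fuzzer (added example) against a deliberately fragile record parser."""
import random
import re
from typing import Callable, Dict, List

# ---- Target under test (hypothetical format "V1:<count>:<n1>,<n2>,...").
def parse_record(data: bytes) -> dict:
    """Vulnerable version: trusts count=0 and divides by zero (intentional bug)."""
    text = data.decode("ascii")                      # non-ASCII -> UnicodeDecodeError (a ValueError)
    header, count_s, body = text.split(":", 2)       # too few fields -> ValueError
    if header != "V1":
        raise ValueError("bad header")
    count = int(count_s)
    values = [int(v) for v in body.split(",")] if body else []
    values = values[:count]                          # leniently ignores extra values
    if len(values) < count:
        raise ValueError("truncated record")
    mean = sum(values) // len(values)                # count == 0 -> ZeroDivisionError
    return {"count": count, "mean": mean, "first": values[0]}

def parse_record_hardened(data: bytes) -> dict:
    """Fixed version: the count must be positive and must match the body exactly."""
    text = data.decode("ascii")
    header, count_s, body = text.split(":", 2)
    if header != "V1":
        raise ValueError("bad header")
    count = int(count_s)
    values = [int(v) for v in body.split(",")] if body else []
    if count < 1 or len(values) != count:
        raise ValueError("count must be >= 1 and match the body")
    return {"count": count, "mean": sum(values) // count, "first": values[0]}

# ---- Fuzzer
EXPECTED = (ValueError,)   # the parser's documented way of rejecting bad input
BOUNDARY = [b"0", b"-1", b"1", b"2147483648", b"-2147483649", b"9" * 40, b""]

def boundary_mutations(seed: bytes) -> List[bytes]:
    """Syntax testing: replace each numeric token with a boundary value."""
    out = []
    for m in re.finditer(rb"-?\d+", seed):
        for b in BOUNDARY:
            out.append(seed[: m.start()] + b + seed[m.end():])
    return out

def random_mutation(seed: bytes, rng: random.Random) -> bytes:
    """Fault injection: a few random bit flips, insertions, deletions or truncations."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == 1:
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif op == 2 and data:
            del data[rng.randrange(len(data))]
        else:
            data = data[: rng.randint(0, len(data))]
    return bytes(data)

def fuzz(target: Callable[[bytes], dict], seed: bytes,
         iterations: int = 2000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Run boundary then random mutations; return the first crashing input per exception type."""
    rng = random.Random(rng_seed)                    # fixed seed keeps the run reproducible
    cases = boundary_mutations(seed) + [random_mutation(seed, rng) for _ in range(iterations)]
    crashes: Dict[str, bytes] = {}
    for case in cases:
        try:
            target(case)
        except EXPECTED:
            continue                                 # rejected cleanly: robust behaviour
        except Exception as exc:                     # anything else is a finding
            crashes.setdefault(type(exc).__name__, case)
    return crashes

if __name__ == "__main__":
    seed = b"V1:3:10,20,30"                          # constructed valid seed record
    print("vulnerable:", fuzz(parse_record, seed))
    print("hardened:  ", fuzz(parse_record_hardened, seed))
```

The boundary pass is exhaustive, so the divide-by-zero is found deterministically; the random pass is what catches the faults nobody thought to enumerate, which is also why real fuzzing campaigns run for hours rather than seconds.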
OSINT stands for
Open-Source Intelligence
Publicly available sources of threat intelligence
(ex. discussion groups, social media, security researcher websites, government data, commercial data like maps, financial reports, and databases about projects and risks)
OSINT
4 sources of threat intelligence
OSINT
Proprietary/third-party intelligence
Information-sharing organization
Dark web intelligence
Organizations that compile threat information and sell access to it.
Includes threat analytics gathered across many different customer organizations, so patterns of attacks can be seen.
Proprietary/third-party intelligence
Threat intelligence that comes from multiple organizations communicating with each other about their experiences, research, and developments. Only members of the group can access the information.
Real-time, high-quality cyber threat information sharing.
Combines public-sector intelligence (often classified) with the extensive resources of private companies (ex. ISACs, the Cyber Threat Alliance).
Information-sharing organization
A threat intelligence source that is only reachable through specialized software (ex. Tor). It comes from an overlay network that uses the Internet for transport but is not openly accessible from the Internet.
This includes forums where hackers discuss their tools and techniques, as well as online stores where stolen data and credentials are sold.
It is worth monitoring in case your organization's name, domains, or data show up as a potential target.
Dark web intelligence
A form of vulnerability testing where an authorized individual simulates an attack against a network or device.
Pentesting
A pentesting document that defines:
The scope and purpose of the test
The schedule (what time, whether it’s onsite or online, internal/external)
Any rules (IP address ranges, emergency contacts, how to handle sensitive information, in-scope and out-of-scope devices/applications)
Rules of engagement
Techniques and strategies that enable continued access to a system after initial compromise
Ex. Backdoor, user account, change/verify default passwords
Persistence
The technique used by attackers to reach other parts of the network that are not directly reachable from the attacker's position (ex. blocked by a firewall) by going through a compromised system.
The compromised system is used as a proxy or relay so the attacker can jump to other systems in that segment.
Pivoting
A process that allows hackers to safely report found vulnerabilities to your team.
Responsible disclosure program
A reward offered for the discovery of vulnerabilities in a system
Bug bounty
A vulnerability reported by an automated vulnerability scanner that doesn't really exist.
False positive
A vulnerability that is not detected by an automated vulnerability scanner.
False negative
How do you reduce false positives/negatives when vulnerability scanning?
Keep the scanner's signatures up to date, and manually verify findings before acting on them
What organization maintains the CVSS?
FIRST (Forum of Incident Response and Security Teams). NIST's National Vulnerability Database (NVD) publishes CVSS scores for CVEs but does not own the standard.
What organization made CVE?
MITRE
How are vulnerabilities scored in the CVSS?
Quantitative scoring of 0 - 10, computed from a vector of metrics (attack vector, complexity, privileges, user interaction, scope, confidentiality/integrity/availability impact) and mapped to severity bands (3.x: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0)
Different metrics and formulas for CVSS 2.0 vs CVSS 3.x (and 4.0), so scores are not directly comparable across versions
True/False
CVSS scores are synchronized with CVE entries
True (the NVD publishes a CVSS score for each CVE, so the two stay in sync)
A type of vulnerability scan that specializes in desktop or mobile applications
Application scans
A type of vulnerability scan that specializes in web servers and the web applications running on them (ex. injection flaws, cross-site scripting, misconfigured headers)
Web application scan
A type of vulnerability scan that specializes in network infrastructure and configuration, such as misconfigured firewalls, open ports, and vulnerable devices.
Network scan
A percentage of the loss of value or business activity if the vulnerability is exploited
For example, if the service might be down half the time, this number is 50%
Or if a buffer overflow completely disables a service, this number is 100%
Exposure factor
True/False
When considering vulnerability priority, it is important to consider the level of access that people have to the vulnerable device/application
True
An isolated test lab would be lower in priority than a public cloud database server
5 types of environmental variables to consider when assigning priority to vulnerabilities
Location (private, public, internal, cloud)
Number and type of users (internal, external)
Revenue-generating?
Criticality of the vulnerable app/device
Ease of exploitation
The amount of risk that an organization is willing to accept by having a particular vulnerability unpatched
Risk tolerance
True/False
You should always install patches the moment they are released
False
Patches need to be tested first. Test as much as time allows, but balance that against the exposure window and deploy the patch as quickly as the risk warrants.
The most common vulnerability mitigation technique
Patching
4 things that a cybersecurity insurance policy will cover
Lost revenue
Data recovery costs
Money lost to phishing
Privacy lawsuit costs
2 things that a cybersecurity insurance policy will not cover
Intentional acts
Funds transfers
A way to limit the scope of an exploit by separating devices into their own networks/VLANs
May involve using air gaps and internal NGFWs between these separate networks/VLANs
Segmentation
A security method that is implemented when an actual solution is unavailable. This is often temporary.
May include:
Disabling the vulnerable service
Revoking access to the application
Limiting external access
Modifying internal security controls and software firewalls to disallow traffic to that vulnerable service.
Compensating controls
A service or device that the organization’s security committee decided should not receive a patch to a known vulnerability.
Exception/exemption
Why would an organization’s security committee decide to give a service/device an exception to being patched?
The vulnerability might require exploitation conditions that are next to impossible to meet in that environment, so the risk is at an acceptable level and the patch is not applied. The exception should be documented and periodically reviewed.
The process of making sure that a patch has actually removed a vulnerability, and that all vulnerable systems have been patched.
Validation of remediation
3 methods used during validation of remediation
Rescanning (vulnerability scanning)
Audit (Check remediated systems to make sure the patch was successfully deployed)
Verification (Manually confirm the security of the system)
A system that provides a continuous log of:
The number of identified vulnerabilities
How many systems are patched vs unpatched
New threat notifications
Errors, exceptions, and exemptions to patches
Reporting system
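The cards on validation of remediation and the reporting system describe the same data flow: rescan, compare against the earlier scan, and report what is patched, still unpatched, or covered by an exception. As an added example (not from the original notes), the Python below does that comparison over two constructed scan exports. The hosts, the CVE-style identifiers (deliberately of the form CVE-0000-000x, which are placeholders and not real CVEs) and the exception list are all made up for the demonstration.

```python
"""Rescan comparison for validating remediation and feeding a report (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str]   # (host, vulnerability id)

# Constructed sample scan exports. Identifiers are placeholders, not real CVEs.
BEFORE = [
    {"host": "web-01", "cve": "CVE-0000-0001", "severity": "Critical"},
    {"host": "web-02", "cve": "CVE-0000-0001", "severity": "Critical"},
    {"host": "db-01",  "cve": "CVE-0000-0002", "severity": "High"},
    {"host": "lab-01", "cve": "CVE-0000-0001", "severity": "Critical"},
    {"host": "lab-01", "cve": "CVE-0000-0003", "severity": "Medium"},
]
AFTER = [
    {"host": "web-02", "cve": "CVE-0000-0001", "severity": "Critical"},  # patch did not take
    {"host": "lab-01", "cve": "CVE-0000-0001", "severity": "Critical"},  # covered by exception
    {"host": "lab-01", "cve": "CVE-0000-0003", "severity": "Medium"},
    {"host": "web-01", "cve": "CVE-0000-0004", "severity": "High"},      # new finding
]
# Exceptions approved by the security committee (constructed). The db-01 entry is stale:
# that finding was remediated, so the exception should be retired.
EXCEPTIONS: Set[Finding] = {("lab-01", "CVE-0000-0001"), ("db-01", "CVE-0000-0002")}

def _keys(findings: Iterable[dict]) -> Set[Finding]:
    return {(f["host"], f["cve"]) for f in findings}

def compare_scans(before: List[dict], after: List[dict],
                  exceptions: Set[Finding]) -> Dict[str, object]:
    """Diff two scans and bucket every finding for the remediation report."""
    b, a = _keys(before), _keys(after)
    still = b & a                      # present both times: not remediated
    remediated = b - a                 # gone after the rescan
    new = a - b                        # appeared since the last scan
    excepted = still & exceptions      # still present but formally accepted
    unpatched = still - excepted       # the actionable backlog
    stale_exceptions = exceptions - still   # exceptions that no longer cover anything

    per_cve: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"patched": 0, "unpatched": 0, "excepted": 0})
    for _, cve in remediated:
        per_cve[cve]["patched"] += 1
    for _, cve in unpatched:
        per_cve[cve]["unpatched"] += 1
    for _, cve in excepted:
        per_cve[cve]["excepted"] += 1

    return {
        "remediated": sorted(remediated),
        "unpatched": sorted(unpatched),
        "excepted": sorted(excepted),
        "new": sorted(new),
        "stale_exceptions": sorted(stale_exceptions),
        "per_cve": {cve: dict(c) for cve, c in sorted(per_cve.items())},
        "remediation_rate": len(remediated) / len(b) if b else 1.0,
    }

if __name__ == "__main__":
    report = compare_scans(BEFORE, AFTER, EXCEPTIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A rescan alone only proves the scanner no longer sees the signature; the "unpatched" bucket is what goes to the audit step, and the "stale_exceptions" bucket keeps the exception register from silently growing.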