5 Security Assessment and Testing Flashcards
What is the purpose of vulnerability management?
To ensure that security controls are operating properly and that the environment contains no exploitable vulnerabilities
Vulnerability management involves identifying, analyzing, responding to, and validating vulnerabilities in a system.
List the identification methods associated with vulnerability management.
- Vulnerability scan
- Penetration testing
- Responsible disclosure program
- Bug bounty program
- System/process audit
These methods help in discovering vulnerabilities in systems and applications.
What is the Common Vulnerability Scoring System (CVSS)?
A standard for assessing the severity of vulnerabilities
CVSS provides a way to convey the impact of vulnerabilities in a consistent manner.
What activities are involved in vulnerability response and remediation?
- Patching
- Insurance
- Segmentation
- Compensating controls
- Exceptions and exemptions
These activities are aimed at mitigating identified vulnerabilities.
How is the validation of remediation conducted?
- Rescanning
- Audit
- Verification
This ensures that vulnerabilities have been effectively addressed.
What tools are used for security alerting and monitoring?
- Security Content Automation Protocol (SCAP)
- Vulnerability scanners
These tools help in detecting and managing vulnerabilities in real-time.
Define threat hunting.
Proactive search for threats within an organization’s environment
Threat hunting involves actively looking for signs of malicious activity or potential vulnerabilities.
What are the rules of engagement in third-party risk assessment?
Guidelines that define how assessments are conducted with third parties
These rules ensure that both parties understand their roles and responsibilities during the assessment process.
List the types of audits and assessments.
- Internal (Compliance, Audit committee, Self-assessments)
- External (Regulatory, Examinations, Assessment, Independent third-party audit)
These audits evaluate the effectiveness of security programs and compliance with regulations.
What is penetration testing?
An assessment tool that simulates attacks to test security controls
This testing can be physical, offensive, defensive, integrated, or based on the knowledge of the environment.
True or False: Cybersecurity professionals are responsible for maintaining security controls against all threats.
True
They must address threats from hackers, malicious code, and social engineering.
Fill in the blank: Regular security assessment and testing is essential to ensure that controls are operating properly and that the environment contains no _______.
[exploitable vulnerabilities]
Regular assessments help in identifying and mitigating risks.
What is the purpose of vulnerability management programs?
To identify, prioritize, and remediate vulnerabilities in environments
Vulnerability management is essential for maintaining cybersecurity in complex technical environments.
What is vulnerability scanning?
A process used to detect new vulnerabilities as they arise
Vulnerability scanning is a critical component of vulnerability management programs.
What factors should organizations consider when identifying scan targets?
- Data classification
- Internet exposure
- Services offered
- System type (production, test, development)
These factors help determine which systems to include in vulnerability scans.
What is an asset inventory in vulnerability management?
A comprehensive list of systems connected to the network
It helps determine critical and noncritical systems for scanning.
What influences the frequency of vulnerability scans?
- Risk appetite
- Regulatory requirements
- Technical constraints
- Business constraints
- Licensing limitations
Organizations must balance these factors when planning their scan schedules.
True or False: Vulnerability scans can only be configured to run once a month.
False
Administrators can automate scan scheduling to meet various organizational needs.
What is the importance of scan sensitivity levels?
They determine the types of checks the scanner performs
Proper configuration minimizes disruption to the target environment.
What is the role of credentialed scans?
To improve scan accuracy by allowing access to server configurations
Credentialed scans check for vulnerabilities more reliably than noncredentialed scans.
Fill in the blank: Vulnerability management solutions often provide _______ scanning options.
[credentialed]
Credentialed scans enhance the detection capabilities of vulnerability management systems.
What is an agent-based scanning approach?
A method where small software agents are installed on target servers to conduct scans
This provides an ‘inside-out’ view of vulnerabilities.
What are the different perspectives from which scans can be conducted?
- External scan
- Internal scan
- Inside datacenter scan
Each perspective provides different views into vulnerabilities.
What is the Security Content Automation Protocol (SCAP)?
A standardized approach for communicating security-related information
SCAP facilitates automation in security components interactions.
List the SCAP standards.
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
These standards help in automating security assessments and reporting.
What should be regularly maintained in vulnerability management solutions?
The scanning software and vulnerability feeds
Regular maintenance ensures effectiveness and up-to-date security measures.
True or False: Vulnerability scanners do not require frequent updates.
False
Scanners must frequently update their plug-ins to remain effective against new vulnerabilities.
How should organizations start their vulnerability scanning programs?
By beginning small and gradually expanding scope and frequency
This approach helps avoid overwhelming the scanning infrastructure.
What is a common issue with intrusive plug-ins during scans?
They may disrupt activity on a production system
Administrators often limit scans to nonintrusive plug-ins to avoid issues.
What is the principle of least privilege in credentialed scanning?
Providing the scanner with a read-only account on the server
This minimizes the risk of security incidents related to scanner access.
What does SCAP stand for?
Security Content Automation Protocol
SCAP is a framework that includes standards for vulnerability management and compliance.
What is the purpose of CVE?
To provide a standard naming system for flaws
Common Vulnerabilities and Exposures (CVE) is widely used to identify and catalog vulnerabilities.
Name three types of vulnerability scanners.
- Network vulnerability scanner
- Application scanner
- Web application scanner
What is the function of network vulnerability scanners?
To probe network-connected devices for known vulnerabilities.
List four examples of network vulnerability scanners.
- Tenable’s Nessus
- Qualys vulnerability scanner
- Rapid7’s Nexpose
- OpenVAS
What are the three techniques used in application testing?
- Static testing
- Dynamic testing
- Interactive testing
What vulnerabilities do web application scanners test for?
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
What is Nikto?
A popular open source web application scanning tool.
What is the role of vulnerability scan reports?
To provide detailed information about each identified vulnerability.
What does the severity category in a vulnerability report indicate?
The overall severity of the vulnerability, such as low, medium, high, or critical.
What is the Common Vulnerability Scoring System (CVSS)?
An industry standard for assessing the severity of security vulnerabilities.
How many measures does CVSS use to rate vulnerabilities?
Eight different measures.
What does the attack vector metric (AV) describe?
How an attacker would exploit the vulnerability.
What is the score for the ‘Network’ attack vector in CVSS?
0.85
What does the attack complexity metric (AC) indicate?
The difficulty of exploiting the vulnerability.
What does the privileges required metric (PR) evaluate?
The type of account access required to exploit a vulnerability.
Fill in the blank: The user interaction metric (UI) describes whether the attacker needs to involve another human in the _______.
attack
What does the confidentiality metric (C) measure?
The type of information disclosure that might occur if exploited.
What does the integrity metric (I) assess?
The type of information alteration that might occur if exploited.
What does the availability metric (A) describe?
The type of disruption that might occur if exploited.
What does the scope metric (S) indicate?
Whether the vulnerability can affect system components beyond its scope.
What version of CVSS is currently in use?
Version 3.1
What is the significance of the CVSS vector?
It conveys the ratings of a vulnerability across all eight metrics.
What does a CVSS base score represent?
The overall risk posed by a vulnerability.
What does the CVSS vector provide?
Detailed information on the nature of the risk posed by a vulnerability
What is the purpose of calculating the CVSS base score?
To represent the overall risk posed by the vulnerability
What is the formula for calculating the impact sub-score (ISS)?
ISS = 1 - [(1 - Confidentiality) * (1 - Integrity) * (1 - Availability)]
How do you calculate the impact score from the impact sub-score?
If the scope metric is Unchanged, Impact = 6.42 * ISS
What is the impact score for an ISS of 0.56 when the scope is Unchanged?
3.60
What is the formula for calculating the exploitability score?
Exploitability = 8.22 * Attack Vector * Attack Complexity * Privileges Required * User Interaction
What is the base score calculation if the scope metric is Changed?
Impact + Exploitability * 1.08
What is the highest possible base score in CVSS?
10
What CVSS score range is categorized as ‘High’ risk?
7.0–8.9
What is a false positive in vulnerability scanning?
When a scanner reports a vulnerability that does not exist
What are the two types of positive reports from a scanner?
- True positive report
- False positive report
What are the two types of negative reports from a scanner?
- True negative report
- False negative report
What should analysts do to confirm vulnerabilities reported by scanners?
Perform their own investigations and use external data sources
Name three valuable information sources for reconciling scan results.
- Log reviews
- Security information and event management (SIEM) systems
- Configuration management systems
True or False: Vulnerability scans should take place in a vacuum.
False
What is the purpose of using SIEM systems in vulnerability analysis?
To correlate log entries from multiple sources and provide actionable intelligence
Fill in the blank: A scanner report that a vulnerability is not present may be a _______.
False negative report
What is the CVSS Qualitative Severity Rating Scale used for?
To categorize CVSS scores into risk categories
What is the impact of a vulnerability if the impact score is 0?
The base score is 0
What is the primary goal of penetration testing?
To bridge the gap between the use of technical tools and the skills of skilled attackers
Penetration tests are authorized attempts to defeat an organization’s security controls.
What mindset must penetration testers adopt?
The hacker mindset
This involves thinking like an adversary to find vulnerabilities to exploit.
What is the CIA triad in cybersecurity?
Confidentiality, Integrity, Availability
These are central goals for cybersecurity professionals.
What is a key difference between penetration testers and cybersecurity defenders?
Penetration testers need to find one vulnerability; defenders need to block all attacks
Attackers can succeed once, while defenders must succeed every time.
What are some security controls a physical security assessment might evaluate?
- Security cameras in high-risk areas
- Auditing of cash register receipts
- Theft detectors at entrances/exits
- Exit alarms on emergency exits
- Burglar alarms for after-hours access
These controls aim to prevent threats like shoplifting and robbery.
What is the primary benefit of conducting penetration testing?
It provides visibility into the organization’s security posture
This visibility is not obtainable by other means.
What does penetration testing help organizations determine?
If attackers with similar skills could penetrate defenses
It helps assess the security against equivalently talented attackers.
What is the presumption of compromise in threat hunting?
The assumption that attackers have already breached the organization
This leads to searching for evidence of successful attacks.
What are the four major categories of penetration testing?
- Physical penetration testing
- Offensive penetration testing
- Defensive penetration testing
- Integrated penetration testing
Each category serves a different purpose in assessing security.
What are the three classifications of penetration testing environments?
- Known environment tests
- Unknown environment tests
- Partially known environment tests
These classifications indicate the level of information provided to testers.
What is a known environment test?
Tests performed with full knowledge of the target’s technology and configurations
It allows for comprehensive testing but may not reflect an external attacker’s view.
What is an unknown environment test?
Tests conducted without prior knowledge of the target
This simulates an attacker’s experience but can be time-consuming.
What is the purpose of rules of engagement (RoE) in penetration testing?
To define the parameters and expectations of the testing process
RoE includes timelines, targets, data handling, and legal concerns.
What is required before conducting a penetration test?
Appropriate permission from the target organization
This is often documented as a signed agreement.
What is the significance of a ‘get out of jail free’ card?
A document providing permission to conduct the penetration test
It protects testers legally if issues arise during testing.
What is passive reconnaissance?
Gathering information without directly engaging with the target
This technique is often used in the initial phase of penetration testing.
What is the first phase of a penetration test?
Reconnaissance
This phase involves gathering as much information as possible about the target organization.
What are the two types of reconnaissance techniques?
Passive reconnaissance and Active reconnaissance
Each type has different methods of gathering information.
What is passive reconnaissance?
Techniques that gather information without directly engaging with the target
Examples include DNS and WHOIS queries, web searches, and reviewing public websites.
What are common techniques used in passive reconnaissance?
- DNS lookups
- WHOIS queries
- Web searches
- Reviewing public websites
These techniques allow testers to gather information without alerting the target.
What is active reconnaissance?
Techniques that directly engage the target in intelligence gathering
This includes port scanning, footprinting, and vulnerability scanning.
What is the goal of penetration testers regarding wireless networks?
To identify wireless networks that may allow access to the internal network without physical access
This can be done through techniques like war driving and war flying.
What is war driving?
Driving by facilities with equipment to eavesdrop on or connect to wireless networks
Testers use high-end antennas for this purpose.
What is war flying?
Using drones or unmanned aerial vehicles (UAVs) to identify wireless networks
This technique is an expansion of war driving.
What is the process called that penetration testers follow during a test?
The same process used by attackers, including phases like initial access, privilege escalation, and pivoting
This is discussed in the context of the Cyber Kill Chain.
What occurs during initial access in penetration testing?
Exploiting a vulnerability to gain access to the organization’s network
This is the first step in the attack process.
What is privilege escalation?
Shifting from initial access gained by the attacker to more advanced privileges
This could involve gaining root access on the same system.
What does pivoting refer to in penetration testing?
Lateral movement to gain access to other systems on the target network
This follows the initial compromise of a system.
What is persistence in the context of penetration testing?
Establishing mechanisms that allow attackers to regain access to the network later
This often involves installing backdoors.
What tools do penetration testers commonly use?
Exploitation frameworks like Metasploit
These tools simplify the process of exploiting vulnerabilities.
What are the close-out activities after a penetration test?
- Presenting results to management
- Cleaning up traces of work
This includes removing installed tools and providing a report on vulnerabilities discovered.
What should the close-out report provide?
Details on vulnerabilities discovered and advice on improving cybersecurity posture
This report is essential for the target organization to enhance its security.
What is the cornerstone maintenance activity for an information security team?
Their security assessment and testing program
What are the three major components of a security assessment program?
- Security tests
- Security assessments
- Security audits
What do security tests verify?
That a control is functioning properly
List factors to consider when scheduling security controls for review.
- Availability of security testing resources
- Criticality of the systems and applications
- Sensitivity of information
- Likelihood of technical failure
- Likelihood of misconfiguration
- Risk of attack
- Rate of change of the control configuration
- Other changes in the technical environment
- Difficulty and time required for testing
- Impact on normal business operations
What should security teams design after assessing factors for security controls?
A comprehensive assessment and testing strategy
True or False: Security testing programs often begin in a structured manner.
False
What is the main work product of a security assessment?
An assessment report addressed to management
What is the purpose of responsible disclosure programs?
To create a collaborative environment for identifying and remediating security vulnerabilities
What do bug bounty programs offer to incentivize vulnerability reporting?
Financial rewards (or ‘bounties’)
What distinguishes security audits from security assessments?
Security audits must be performed by independent auditors
What are the three main types of audits?
- Internal audits
- External audits
- Independent third-party audits
Who typically performs internal audits?
An organization’s internal audit staff
What is the primary advantage of external audits?
High degree of external validity due to independence
What is the difference between external audits and independent third-party audits?
The requester of the audit; external audits are requested by the organization, while independent third-party audits are requested by regulators or customers
What standard does the AICPA provide to alleviate the burden of multiple third-party audits?
Statement on Standards for Attestation Engagements document 18 (SSAE 18)
What is COBIT?
A framework describing common requirements for information systems
What does ISO 27001 describe?
A standard approach for setting up an information security management system
Fill in the blank: The __________ provides a common standard for auditors performing assessments of service organizations.
SSAE 18
What is the primary outcome of an audit?
An attestation by the auditor
What are the main stages of the vulnerability life cycle?
Identification, Analysis, Response and Remediation, Validation of Remediation, Reporting
What is Vulnerability Identification?
The process where the organization becomes aware of a vulnerability in their environment.
List some sources of vulnerability identification.
- Vulnerability scans
- Penetration tests
- Reports from responsible disclosure or bug bounty programs
- Results of system and process audits
What is the purpose of Vulnerability Analysis?
To confirm the existence of a vulnerability and prioritize it using external assessment tools.
What tools are used for vulnerability prioritization?
- CVSS
- CVE
What factors should be considered in Vulnerability Analysis?
- Organization’s exposure factor
- Environmental variables
- Industry and organizational impact
- Organization’s risk tolerance
What are the main responses to a vulnerability during the Response and Remediation phase?
- Apply a patch
- Use network segmentation
- Implement compensating controls
- Purchase insurance
- Grant an exception
What does Validation of Remediation involve?
Rescanning the affected system to verify that the vulnerability is no longer present.
Who may perform the validation of remediation for serious vulnerabilities?
Internal or external auditors
What is the purpose of Reporting in the vulnerability life cycle?
To communicate findings, actions taken, and lessons learned to stakeholders.
What should be included in the reporting stage?
- Summary of identified vulnerabilities
- Details on remediation actions
- Trends and patterns observed
- Recommendations for improvements
True or False: Regular reporting does not affect the organization’s commitment to cybersecurity.
False
Fill in the blank: The first stage in the vulnerability life cycle is _______.
Identification
Fill in the blank: The final stage in the vulnerability life cycle is _______.
Reporting
What is the role of cybersecurity professionals during the Response and Remediation phase?
To respond to identified vulnerabilities and implement corrective measures.
What is the significance of trends and patterns in reporting?
They help identify areas requiring further attention, such as recurring vulnerabilities.
List the core tasks involved in Vulnerability Analysis.
- Confirming existence
- Prioritizing and categorizing
- Supplementing with organization-specific details
What is a compensating control?
Measures like application firewalls or intrusion prevention systems to reduce exploit likelihood.
What role does security assessment and testing play in cybersecurity?
It plays a crucial role in the ongoing management of a cybersecurity program.
What is the purpose of vulnerability scanning?
To identify potential security issues in systems, applications, and devices.
What does vulnerability scanning allow teams to do?
Remediate issues before they are exploited by attackers.
Name some vulnerabilities that may be detected during vulnerability scans.
- Improper patch management
- Weak configurations
- Default accounts
- Insecure protocols and ciphers
What is the primary objective of penetration testing?
To discover security issues by simulating an attack.
How do penetration tests benefit security controls?
They provide a roadmap for improving security controls.
True or False: Vulnerability scanning only identifies issues once they have been exploited.
False
Fill in the blank: Penetration testing puts security professionals in the role of _______.
[attackers]
What might alter an organization’s security posture?
Changes in their environment.
What is one of the key techniques discussed for maintaining effective security controls?
Security assessment and testing.
What is the CVSS score range for a ‘None’ rating?
0.0
Indicates no impact or vulnerability.
What CVSS score range corresponds to a ‘Low’ rating?
0.1–3.9
Indicates minimal impact or vulnerability.
What is the CVSS score range for a ‘Medium’ rating?
4.0–6.9
Indicates moderate impact or vulnerability.
What CVSS score range signifies a ‘High’ rating?
7.0–8.9
Indicates significant impact or vulnerability.
What is the CVSS score range for a ‘Critical’ rating?
9.0–10.0
Indicates severe impact or vulnerability.
What are false positives in vulnerability reports?
False positives occur when a vulnerability scanner identifies a non-existent vulnerability.
This can lead to unnecessary remediation efforts and wasted resources.
What are false negatives in vulnerability reports?
False negatives occur when a vulnerability scanner fails to identify an existing vulnerability.
This can result in undetected security risks and potential exploitation.
Why is it important to understand false positives and false negatives?
Understanding these concepts helps in accurately interpreting vulnerability reports and making informed decisions about remediation.
It is crucial for effective risk management and maintaining security posture.
Fill in the blank: A _______ occurs when a vulnerability scanner identifies a vulnerability that does not exist.
[false positive]
Fill in the blank: A _______ occurs when a vulnerability scanner misses an existing vulnerability.
[false negative]
True or False: False positives can lead to increased operational costs.
True
This is due to unnecessary remediation efforts and resource allocation.
True or False: False negatives are less critical than false positives.
False
False negatives can leave systems vulnerable to attacks, making them very critical.
What impact do false positives have on security teams?
They can overwhelm security teams with alerts, leading to alert fatigue and potentially overlooking real threats.
This can create a less effective security environment.
What impact do false negatives have on an organization’s security?
They can leave the organization exposed to vulnerabilities that could be exploited by attackers.
This can result in data breaches or other security incidents.
What are good practices for vulnerability response and remediation?
Patching, insurance, segmentation, compensating controls, exceptions, and exemptions.
Fill in the blank: Good vulnerability response and remediation practices include _______, insurance, segmentation, compensating controls, exceptions, and exemptions.
[patching]
True or False: Segmentation is a good practice in vulnerability response and remediation.
True
List three components of good vulnerability response and remediation practices.
- Patching
- Insurance
- Segmentation
What are the four major categories of penetration testing?
- Physical penetration testing
- Offensive penetration testing
- Defensive penetration testing
- Integrated penetration testing
These categories represent different approaches and focuses within penetration testing.
What are the three classification types of penetration testing?
- Known environment tests
- Unknown environment tests
- Partially known environment tests
These classifications help in understanding the context and scope of the penetration tests.
What is physical penetration testing?
A type of penetration testing focused on physical security measures and vulnerabilities.
What is offensive penetration testing?
A type of penetration testing aimed at simulating an attack to exploit vulnerabilities.
What is defensive penetration testing?
A type of penetration testing that evaluates the effectiveness of security measures in preventing attacks.
What is integrated penetration testing?
A type of penetration testing that combines elements of offensive and defensive testing.
Fill in the blank: Known environment tests involve testing in a _______.
[known environment]
Fill in the blank: Unknown environment tests are conducted in a _______.
[unknown environment]
Fill in the blank: Partially known environment tests involve testing in a _______.
[partially known environment]
True or False: The categories of penetration testing and the classification types are unrelated.
False
How can you identify the type(s) of penetration test being discussed?
By reading a scenario describing the test and analyzing the context.
What is the difference between passive and active reconnaissance techniques?
Passive techniques do not directly engage the target, whereas active reconnaissance directly engages the target.
What is the primary difference between an external audit and an independent third-party audit?
The request source for the audit
An external audit is requested by the organization itself or its governing body, whereas an independent third-party audit is requested by an outside entity such as a regulator or customer.
Who typically requests an independent third-party audit?
A regulator, customer, or other outside entity
True or False: An independent third-party audit is requested by the organization being audited.
False
Fill in the blank: An __________ audit is a subcategory of external audits that differs in the requesting party.
independent third-party
What is the common term for audits requested by the organization or its governing body?
External audit
What does Attack Complexity (AC) measure?
The complexity involved in successfully exploiting a vulnerability
It indicates whether the attack requires specialized conditions to succeed.
What are Attack Requirements (AT)?
The specific conditions or resources needed to successfully execute an attack
This may include tools, knowledge, or access to certain systems.
What does Privileges Required (PR) indicate?
The level of access an attacker must have to exploit a vulnerability
It can range from none to high, depending on the vulnerability.
What is User Interaction (UI) in the context of exploitability metrics?
The necessity for a user to perform a specific action for an attack to succeed
Examples include clicking a link or opening a file.
