7. Vulnerability Scanning Flashcards
What is vulnerability management?
vulnerability management
The process of handling security vulnerabilities in modern computing systems and applications.
Core goal of vulnerability management
vulnerability management
Ensuring the security of systems by developing and implementing measures to address vulnerabilities.
Steps in vulnerability management
vulnerability management
Analyzing vulnerabilities, developing patches, releasing and applying patches to systems.
Challenges in vulnerability management
vulnerability management
Dealing with complex software, multiple operating systems, numerous applications, and regular patching of various components.
Components of a mature vulnerability management process
vulnerability management
Vulnerability scanning, patch application, remediation tracking, and result reporting.
Regulatory requirements for vulnerability management
vulnerability management
Compliance with standards such as PCI DSS for credit card handling and FISMA for U.S. government agencies.
Types of vulnerability tests in an organization
vulnerability management
Network vulnerability scans, application scans, and specialized testing for web applications.
Supplementing vulnerability scans with other measures
vulnerability management
Reviewing system and application configurations, as well as logs, to validate scan results and identify false positives.
Importance of understanding organizational rules and requirements
vulnerability management
Designing a vulnerability management program that aligns with specific regulations and policies applicable to the organization.
What is the first step in developing a vulnerability management program?
Identify scan targets
Identify the requirements for the program.
Why is a reliable asset inventory important for vulnerability management?
Identify scan targets
It helps in creating a specific list of systems and networks to scan.
How can a vulnerability management solution be used for scanning targets?
Identify scan targets
Run a lightweight scan or use a platform like Nessus to identify systems on the local network.
What are the key considerations for prioritizing assets in vulnerability management?
Identify scan targets
Importance of data classification, level of risk exposure, and criticality to business operations.
Why is asset prioritization important even when scanning all systems regularly?
Identify scan targets
It helps in planning remediation efforts and allocating resources effectively.
DMZ Placement
Scan Perspective
Placing the scanner in the DMZ provides the clearest view of vulnerabilities on the target system.
Internet Placement
Scan Perspective
Placing the scanner on the internet gives an attacker’s view of the network, helping prioritize remediation efforts.
Firewall Impact
Scan Perspective
Firewall settings and filtering affect vulnerability scans by altering the systems and services visible to the scanner.
Intrusion Prevention Systems (IPS)
Scan Perspective
Active IPS on the network significantly influences scan results as vulnerability scanning traffic passes through it.
Agent-Based Scans
Scan Perspective
Agents installed on servers can probe server configurations deeply and report vulnerabilities to the central management system.
Credentialed Scanning
Scan Perspective
Providing credentials to the scanner allows it to log in and retrieve configuration information, offering an alternative to agent-based scanning.
SCAP (Security Content Automation Protocol)
SCAP
A protocol for creating a consistent language and format to discuss security issues and enable information sharing.
CVSS (Common Vulnerability Scoring System)
SCAP
A widely used system in the security community for evaluating the severity of security vulnerabilities.
CCE (Common Configuration Enumeration)
SCAP
Provides a consistent language for sharing system configurations.
CPE (Common Platform Enumeration)
SCAP
Offers a standardized naming system for products and versions.
CVE (Common Vulnerabilities and Exposures)
SCAP
Provides a language for describing vulnerabilities.
XCCDF (Extensible Configuration Checklist Description Format)
SCAP
A language for creating and sharing security checklists and processing their results.
OVAL (Open Vulnerability and Assessment Language)
SCAP
Provides a programmatic way to describe testing procedures.
CVSS
CVSS
Common Vulnerability Scoring System used to assess vulnerability severity on a 10-point scale.
Attack Vector
CVSS
Describes the type of access an attacker needs to exploit a vulnerability (e.g., physical, local, adjacent network, network).
Attack Complexity
CVSS
Measures the difficulty of exploiting a vulnerability (high or low).
Privileges Required
CVSS
Determines the level of user access an attacker must have to exploit a vulnerability (high, low, or none).
User Interaction
CVSS
Assesses the level of human involvement needed for an attack to succeed (required or none).
Exploitability
CVSS
Combination of Attack Vector, Attack Complexity, Privileges Required, and User Interaction metrics to describe the vulnerability’s susceptibility to exploitation.
Confidentiality
CVSS
Evaluates the impact on information confidentiality (none, partial, high).
Integrity
CVSS
Assesses the impact on information integrity (none, low, high).
Availability
CVSS
Measures the impact on system availability (none, low, high).
Scope
CVSS
Determines whether a vulnerability can affect components beyond the vulnerable component (changed or unchanged).
Base CVSS Score
CVSS
The initial score assigned to a vulnerability based on the evaluation of eight different metrics.
Scan Reports
CVSS
CVSS scores are commonly seen in scan reports to provide information about vulnerability severity.
What is the role of a cybersecurity analyst?
Analysing scan reports
Analyzing reports from vulnerability scans and presenting information to different audiences.
What factors should be considered when analyzing scan reports?
Analysing scan reports
Severity of vulnerability, criticality of affected systems, sensitivity of information, difficulty of remediation, and exposure of vulnerable systems.
Why is it important to validate vulnerabilities before requesting remediation?
Analysing scan reports
To confirm the existence of the vulnerability and ensure its proper rating in the prioritization process.
How can you validate a vulnerability reported in a scan?
Analysing scan reports
Review the details in the scanner report, including input and output sections, to understand the issue and verify its presence.
What should you do when encountering false positive reports?
Analysing scan reports
Investigate the reasons behind the report, but be aware that false positives can occur. Clearing them is important to maintain accuracy.
How should you handle vulnerabilities that have already been acknowledged or mitigated?
Analysing scan reports
Track these exceptions in the scanner or a configuration management database to avoid reporting known vulnerabilities.
What are the possible outcomes of vulnerability reports?
Analysing scan reports
True positive (vulnerability exists), false positive (vulnerability does not exist), true negative (no vulnerability found), and false negative (vulnerability missed).
What is the purpose of validating scan results?
Correlating scan results
To eliminate false positive reports and remove documented exceptions.
What should you do to correlate scan reports with other information?
Correlating scan results
Consult industry standards, best practices, compliance obligations, and technical information within your organization.
Why should you consult industry standards and guidance?
Correlating scan results
They provide specific guidance on vulnerabilities requiring urgent remediation, such as PCI DSS’s guidance on vulnerability scanning.
What sources of technical information can contribute to scan results?
Correlating scan results
Configuration management systems, log repositories, and other data sources within your organization.
Why should you monitor scan result trends?
Correlating scan results
To identify recurring vulnerabilities and potential underlying issues that need to be addressed.
What is the importance of preventing vulnerabilities rather than remediating them?
Correlating scan results
It’s better to address vulnerabilities beforehand by providing security training to developers and implementing input validation libraries to protect code from attacks.