7.0 Vulnerability Management Flashcards

1
Q

Identifying and managing the risks to a network, including the operating system, applications, and other components of an organization’s IT operations.

A

Vulnerability management

2
Q

Utilizes automated scanning processes to identify and evaluate potential issues.

A

Vulnerability scan

3
Q

Real-time, continuously updated sources of information about potential threats and vulnerabilities.

A

Threat feed

4
Q

We pay you to hack into systems to make sure people can’t hack into systems (a loose paraphrase of a line from the film Sneakers).

A

Penetration testing

5
Q

The foundational software that controls hardware; it can contain significant vulnerabilities. For instance, the Meltdown and Spectre vulnerabilities disclosed in 2018 affected almost all computers and mobile devices: they stemmed from the processors themselves and allowed malicious programs to read data as it was being processed. Another example, “LoJax,” a UEFI (Unified Extensible Firmware Interface) rootkit discovered in 2018, let attackers persist on a system even after a complete hard drive replacement or OS reinstallation, because the implant lived in the firmware rather than on disk.

A

Firmware Vulnerabilities

6
Q

These feeds are typically free and accessible to all, making them a cost-effective solution for smaller organizations or those with limited budgets. However, they may lack the depth, breadth, or sophistication of analysis found in proprietary feeds.

A

Open Source threat feeds

7
Q

Provide more comprehensive information and advanced analytic insights. However, these feeds come at a cost, and the return on investment will depend on an organization’s specific needs, risk profile, and resources.

A

Proprietary threat feeds

8
Q

Behavioral Threat Research

A

is narrative commentary describing examples of attacks and TTPs gathered through primary research sources.

9
Q

Lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware; indicators that can be matched directly against logs and traffic.

A

Reputational threat intelligence

10
Q

is computer data that can correlate events observed on a customer’s networks and logs with known TTP and threat actor indicators.

A

Threat Data

11
Q

Describes collecting and analyzing publicly available information and using it to support decision-making. In cybersecurity operations, this is used to identify vulnerabilities and threat information by gathering data from many sources such as blogs, forums, social media platforms, and even the dark web. This can include information about new types of malware, attack strategies used by cybercriminals, and recently discovered software vulnerabilities.

A

Open-source intelligence (OSINT)

12
Q

Threat feed ______________ are collaborative groups that exchange data about emerging cybersecurity threats and vulnerabilities. These organizations collect, analyze, and disseminate threat intelligence from various sources, including their members, security researchers, and public sources. Members of these organizations, often composed of businesses, government entities, and academic institutions, can benefit from the shared intelligence by gaining insights into the latest threats they might not have access to individually. They can use this information to fortify their systems and respond swiftly to emerging threats.

A

Information-sharing organization

13
Q

Another proactive strategy, in which organizations incentivize the discovery and reporting of vulnerabilities by rewarding external security researchers (“white hat” hackers).

A

Bug bounties

14
Q

are comprehensive reviews designed to ensure an organization’s security posture aligns with established standards and best practices. There are various types, including compliance audits, which assess adherence to regulations like GDPR or HIPAA; risk-based audits, which identify potential threats and vulnerabilities in an organization’s systems and processes; and technical audits, which delve into the specifics of the organization’s IT infrastructure, examining areas like network security, access controls, and data protection measures.

A

Auditing

15
Q

Vulnerability Analysis

A

Vulnerability analysis supports several critical aspects of an organization’s cybersecurity strategy, including prioritization, vulnerability classification, exposure considerations, organizational impact, and risk tolerance contexts.

16
Q

Prioritization

A

Vulnerability analysis prioritizes remediation efforts by identifying the most critical vulnerabilities in an organization. Prioritization is typically based on factors such as vulnerability severity, the ease of exploitation, and the potential impact of an attack. Prioritizing vulnerabilities helps an organization focus limited resources on addressing the most significant threats first.

17
Q

Classification

A

Vulnerability analysis aids in vulnerability classification, categorizing vulnerabilities based on their characteristics, such as the type of system or application affected, the nature of the exposure, or the potential impact. Classification can help clarify the scope and nature of an organization’s threats.

18
Q

Exposure factor

A

Vulnerability analysis must also consider exposure factors like the accessibility of a vulnerable system or data and environmental factors like the current threat landscape or the specifics of the organization’s IT infrastructure. These factors can significantly influence the likelihood of a vulnerability being exploited and directly affect its overall risk level.

The exposure factor (EF) represents the extent to which an asset is susceptible to being compromised or impacted by a specific vulnerability. In quantitative risk analysis it is expressed as the fraction (or percentage) of the asset’s value expected to be lost in a single incident, so single loss expectancy (SLE) = asset value (AV) × EF, and annualized loss expectancy (ALE) = SLE × annualized rate of occurrence (ARO). Conditions that raise the EF include weak authentication mechanisms, inadequate network segmentation, or insufficient access control methods.

19
Q

Impacts

A

Vulnerability analysis assesses the potential organizational impact of vulnerabilities. This could include financial loss, reputational damage, operational disruption, or regulatory penalties. Understanding this impact is crucial for making informed decisions about risk mitigation.

20
Q

Environmental factors

A

Several environmental variables play a significant role in influencing vulnerability analysis. One of the primary environmental factors is the organization’s IT infrastructure, which includes the hardware, software, networks, and systems in use. These components’ diversity, complexity, and age can affect the number and types of vulnerabilities present. For instance, legacy systems may have known unpatched vulnerabilities, while new emerging technologies might introduce unknown vulnerabilities.

The external threat landscape is another crucial environmental factor. The prevalence of certain types of attacks or the activities of specific threat actors can affect the likelihood of exploitation of particular vulnerabilities. For example, if ransomware attacks rise within the medical industry, organizations in that sector should prioritize the vulnerabilities those campaigns are exploiting.

The regulatory and compliance environment is another significant factor. Organizations in heavily regulated industries, like healthcare or finance, may need to prioritize vulnerabilities that could lead to sensitive data breaches and result in regulatory penalties. The operational environment, including the organization’s workflows, business processes, and usage patterns, can also influence vulnerability analysis. Certain operational practices increase exposure to specific vulnerabilities or affect the potential impact of a successful exploit. Examples include poor patch management practices, lack of rigorous access controls, lack of awareness training, poor configuration management practices, and insufficient application development policies.

21
Q

Risk tolerance

A

Vulnerability analysis must align with an organization’s risk tolerance. Risk tolerance refers to the level of risk an organization is willing to accept, which can vary greatly depending on the organization’s size, industry, regulatory environment, and strategic objectives. By aligning vulnerability analysis with risk tolerance, an organization can ensure its vulnerability management efforts align with its overall risk management strategy.
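The prioritization, exposure factor, impact and risk tolerance cards above describe one decision procedure; the following added example (Python, not part of the flashcards) carries it through on constructed scan findings. It combines scanner severity with exploitability and exposure into a ranking score, computes SLE and ALE from the asset value, EF and ARO, and then applies an ALE threshold as the organization’s risk tolerance. The weights (1.5 for a public exploit, 1.3 for an internet-facing asset), the finding identifiers and the tolerance figure are illustrative assumptions, not a standard.

```python
"""Added example, not from the flashcards: rank vulnerability findings by
combining scanner severity with exploitability, exposure and business impact,
then apply an organization's risk tolerance as an ALE threshold.
Weights, sample findings and the tolerance figure are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str
    cvss_base: float        # scanner-reported severity, 0.0 to 10.0
    exploit_public: bool    # ease of exploitation: a working exploit is public
    internet_facing: bool   # exposure: reachable from untrusted networks
    asset_value: float      # AV, value of the affected asset
    exposure_factor: float  # EF, fraction of AV lost in one incident (0.0 to 1.0)
    annual_rate: float      # ARO, expected incidents per year if unremediated


def single_loss_expectancy(f: Finding) -> float:
    """SLE = AV x EF."""
    return f.asset_value * f.exposure_factor


def annualized_loss_expectancy(f: Finding) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(f) * f.annual_rate


def risk_score(f: Finding) -> float:
    """Severity scaled up when an exploit is public and when the asset is exposed.
    The 1.5 and 1.3 multipliers are illustrative assumptions, not a standard."""
    score = f.cvss_base
    if f.exploit_public:
        score *= 1.5
    if f.internet_facing:
        score *= 1.3
    return score


def prioritize(findings, ale_tolerance: float):
    """Split findings into (must_fix, accepted). Anything whose ALE exceeds the
    tolerance is queued for remediation, highest risk score first; the rest can
    be formally accepted and tracked."""
    must_fix = sorted(
        (f for f in findings if annualized_loss_expectancy(f) > ale_tolerance),
        key=risk_score, reverse=True)
    accepted = [f for f in findings if annualized_loss_expectancy(f) <= ale_tolerance]
    return must_fix, accepted


FINDINGS = [  # constructed sample scan output; identifiers are placeholders
    Finding("finding-1", 9.8, True, True, 500_000, 0.4, 0.5),    # exposed, exploitable, valuable
    Finding("finding-2", 9.8, False, False, 20_000, 0.1, 0.1),   # critical CVSS, but low impact
    Finding("finding-3", 5.3, True, True, 100_000, 0.25, 1.0),   # medium CVSS, but likely and costly
    Finding("finding-4", 7.5, False, True, 5_000, 0.5, 0.2),     # cheap asset
]

if __name__ == "__main__":
    must_fix, accepted = prioritize(FINDINGS, ale_tolerance=1_000)
    for f in must_fix:
        print(f"FIX     {f.ident}: score={risk_score(f):.1f} ALE={annualized_loss_expectancy(f):,.0f}")
    for f in accepted:
        print(f"ACCEPT  {f.ident}: ALE={annualized_loss_expectancy(f):,.0f}")
```

Note what the ranking does that a raw CVSS sort would not: finding-2 carries a 9.8 base score yet lands in the accepted list because the asset is cheap and isolated, while finding-3 (CVSS 5.3) is queued for remediation because it is exposed, has a public exploit and is expected to be hit about once a year.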

22
Q

A security assessment technique used to identify and evaluate potential weaknesses or vulnerabilities in a computer system, network, or application.

A

Vulnerability scan

22
Q

A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.

A

Vulnerability

23
Q

Hardware or software configured with a list of known weaknesses and exploits and that can scan for their presence in a host OS or particular application.

A

Vulnerability scanner

24
Q

The results of vulnerability scanning that identifies missing patches, deviations from baseline configuration templates, and other related vulnerabilities each of which is categorized and prioritized using an assigned impact warning.

A

Vulnerability assessment

25
Q

This scan finds a potential vulnerability and then actively attempts to exploit it. This yields more accurate results (a confirmed finding rather than a probable one) but can crash or corrupt the target, so it should not be run against live production systems without explicit authorization and a maintenance window.

A

Intrusive scan

26
Q

This scan is given a user account with login rights to the various hosts, plus whatever other permissions are appropriate for the testing routines. It allows much more in-depth analysis, especially in detecting when applications or security settings are misconfigured, and shows what an insider attack, or an attack with a compromised user account, could achieve. It is a more intrusive type of scan than non-credentialed scanning.

A

Credentialed Scan option

26
Q

This is the more common type of scan. It scans the network and lists all potential vulnerabilities but cannot confirm that a system is actually exploitable. It can be performed on live systems, and the network defender must take additional action to validate the findings (for example, by checking installed versions or running a targeted test).

A

Non-intrusive

27
Q

This scan proceeds by directing test packets at a host without being logged on to the OS or application. The view is the one the host exposes to an unprivileged user on the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access. While you may discover more weaknesses with a credentialed scan, you will sometimes want to narrow your focus to that of an attacker who does not have specific high-level permissions or total administrative access. Non-credentialed scanning is the most appropriate technique for external assessment of the network perimeter or when performing web application scanning.

A

Non-credentialed

28
Q

This is associated with vulnerability identification because it tracks and assesses the security of the third-party software packages, libraries, and dependencies used within an organization, to ensure that they are up to date and free from known vulnerabilities that malicious actors could exploit.

A

Package Monitoring

29
Q

These tools track and monitor the software packages, libraries, and dependencies used in an organization’s codebase. These tools can automatically identify outdated packages or packages with known vulnerabilities and suggest updates or replacements.

A

Automated software composition analysis (SCA)

30
Q

A public, NIST-maintained repository of known vulnerabilities (CVE records enriched with CVSS scores and affected-product data) against which an organization’s software inventory can be compared.

A

National Vulnerability Database (NVD)
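The package monitoring, SCA and NVD cards above all describe the same mechanism: compare an inventory of components and versions against a database whose records carry affected-version ranges. The following added example (Python, not from the flashcards) implements that comparison offline. The vulnerability database, the advisory identifiers and the package names are constructed placeholders, not real advisories; a real tool would fetch NVD or OSV records instead of the embedded list. The version comparison is numeric per component, which is the point most ad-hoc scripts get wrong (`1.10` is newer than `1.9`).

```python
"""Added example, not from the flashcards: a minimal software composition check.
It parses a requirements-style inventory and matches each component against a
constructed vulnerability database whose records carry affected-version ranges,
the shape NVD/OSV-style records take. No network access; the database is embedded."""
import re

OPS = {
    "<":  lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">":  lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def parse_version(v: str):
    return tuple(int(p) for p in re.findall(r"\d+", v))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1, comparing numerically: '1.10' > '1.9' and '1.4' == '1.4.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def satisfies(version: str, constraint: str) -> bool:
    """constraint like '>=1.0,<1.4.2'; every comma-separated clause must hold."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        if not OPS[m.group(1)](compare(version, m.group(2))):
            return False
    return True


def parse_inventory(text: str) -> dict:
    """'name==version' lines; comments and blanks ignored; names lower-cased."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        inventory[name.strip().lower()] = version.strip()
    return inventory


def scan(inventory: dict, db: list) -> list:
    """Return (package, installed_version, advisory_id, severity) for each match."""
    hits = []
    for rec in db:
        installed = inventory.get(rec["package"])
        if installed is not None and satisfies(installed, rec["affected"]):
            hits.append((rec["package"], installed, rec["id"], rec["severity"]))
    return hits


VULN_DB = [  # constructed records; ids and package names are placeholders, not real advisories
    {"id": "ADV-0001", "package": "fastjsonlib", "affected": ">=1.0,<1.4.2", "severity": "HIGH"},
    {"id": "ADV-0002", "package": "fastjsonlib", "affected": "<0.9", "severity": "LOW"},
    {"id": "ADV-0003", "package": "authkit", "affected": "==2.1.0", "severity": "CRITICAL"},
]

INVENTORY_TEXT = """\
# constructed requirements file
fastjsonlib==1.3.0
AuthKit==2.1.0   # pinned
tlswrap==3.0.1
"""

if __name__ == "__main__":
    for pkg, ver, adv, sev in scan(parse_inventory(INVENTORY_TEXT), VULN_DB):
        print(f"{sev:8} {pkg}=={ver} affected by {adv}")
```

The inventory here is a flat list of pinned direct dependencies; a production SCA tool works from a resolved lockfile or an SBOM so that transitive dependencies are checked as well.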

30
Q

Reviewing application code without executing it; a type of application vulnerability scanning.

A

static analysis
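As an added example of the static analysis card (Python, not from the flashcards), the block below parses source into an abstract syntax tree and, without running anything, flags calls that hand a string to an interpreter or shell: `eval`, `exec`, `os.system`, `os.popen`, and any `subprocess.*` call made with `shell=True`. A literal first argument is reported at low severity because it cannot carry attacker input; anything else is high. The rule set and the sample program are constructed for illustration.

```python
"""Added example, not from the flashcards: a minimal static analysis pass that
walks a Python AST (without executing the code) and flags calls that can execute
attacker-controlled strings. The rule set and the sample source are constructed."""
import ast

ALWAYS_DANGEROUS = {"eval", "exec", "os.system", "os.popen"}


def call_name(node: ast.Call):
    """Return 'name' or 'module.attr' for simple call targets, else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def is_literal(node) -> bool:
    return isinstance(node, ast.Constant)


def shell_true(node: ast.Call) -> bool:
    return any(kw.arg == "shell" and is_literal(kw.value) and kw.value.value is True
               for kw in node.keywords)


def find_dangerous_calls(source: str):
    """Return findings sorted by line; each has line, call and severity."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        risky = name in ALWAYS_DANGEROUS or (
            name is not None and name.startswith("subprocess.") and shell_true(node))
        if not risky:
            continue
        # a literal argument cannot carry attacker input; anything else might
        severity = "low" if node.args and is_literal(node.args[0]) else "high"
        findings.append({"line": node.lineno, "call": name, "severity": severity})
    return sorted(findings, key=lambda f: f["line"])


SAMPLE_SOURCE = '''\
import os, subprocess

def run(user_input):
    os.system("ls -l " + user_input)                   # line 4: string built from input
    subprocess.run(["ls", "-l", user_input])           # line 5: list form, no shell
    subprocess.run("ls -l " + user_input, shell=True)  # line 6: shell=True with input
    eval("1 + 1")                                      # line 7: literal only
'''

if __name__ == "__main__":
    for f in find_dangerous_calls(SAMPLE_SOURCE):
        print(f"{f['severity'].upper():5} line {f['line']}: {f['call']}")
```

Line 5 is deliberately not reported: passing a list to `subprocess.run` without `shell=True` does not invoke a shell, so the user-controlled value becomes a single argument rather than part of a command line.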

31
Q

Testing a running application by feeding it inputs and observing its behavior; a type of application vulnerability scanning.

A

Dynamic Analysis

33
Q

A flow collector is a means of recording metadata and statistics about network traffic rather than recording each frame. Network traffic and flow data may come from a wide variety of sources (or probes), such as switches, routers, firewalls, and web proxies. Flow analysis tools can provide features such as the following:

A

Netflow

34
Q

A system monitor implements the same functionality as a network monitor for a computer host. Like switches and routers, server hosts can report health status using SNMP traps.

A

System monitors

35
Q

Logs function both as an audit trail of actions and (if monitored regularly) provide a warning of intrusion attempts. Log review is a critical part of security assurance.

A

System logs

36
Q

mediates the copying of tagged data to restrict it to authorized media and services. As with antivirus scanning, monitoring statistics for ___ policy violations can show whether there are issues, especially where the results show trends over time.

A

Data loss prevention

37
Q

Software designed to manage security data inputs and provide reporting and alerting. The core function of a ______ tool is to collect and correlate data from network sensors and appliance/host/application logs.

A

Security information and event management (SIEM)

38
Q

A managerial control that provides insight into the security system’s status.

A

Reporting

39
Q

Adjusting correlation rules and thresholds to reduce the incidence of false positive alerts and alarms.

A

Alert tuning
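The SIEM and alert tuning cards above describe collecting logs, correlating them, and then adjusting the rule so it stops firing on benign activity. The following added example (Python, not from the flashcards) runs one such correlation rule over constructed sshd log lines: a source address that produces five or more failed logins inside a two-minute sliding window raises an alert. The tuning step is an allow-list for the organization’s own vulnerability scanner, which would otherwise trip the rule on every scan. Hosts, addresses, timestamps and the log format are made up for the example.

```python
"""Added example, not from the flashcards: a SIEM-style correlation rule run over
constructed sshd log lines. It flags a source that produces N failed logins inside
a sliding window, and shows one tuning knob (an allow-list for known scanners)
that removes a recurring false positive. Log lines, hosts and addresses are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_failures(lines):
    """Normalize matching lines into (timestamp, host, user, source) tuples."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]))
    return events


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=2), allowlist=frozenset()):
    """Alert once per source that has >= threshold failures within any window.
    Sources on the allow-list (e.g. the authorized vulnerability scanner) are
    suppressed: this is the alert-tuning step."""
    by_src = defaultdict(list)
    for ts, _host, _user, src in events:
        if src not in allowlist:
            by_src[src].append(ts)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(src)
                break
    return alerts


def _line(ts, src, user="root"):
    return f"{ts} web01 sshd[2201]: Failed password for {user} from {src} port 51515 ssh2"


SAMPLE_LOG = (  # constructed log lines
    [_line(f"2024-05-01T10:00:{s:02d}", "10.0.0.5") for s in range(0, 60, 10)]            # 6 failures in 50 s
    + [_line(f"2024-05-01T10:{m:02d}:00", "10.0.0.9", "admin") for m in range(0, 30, 5)]  # 6 failures over 25 min
    + [_line(f"2024-05-01T11:00:{s:02d}", "192.168.1.20") for s in range(0, 60, 10)]      # authorized scanner
    + ["2024-05-01T11:05:00 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.7 port 4444 ssh2"]
)
SCANNER_ALLOWLIST = frozenset({"192.168.1.20"})

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("untuned:", brute_force_alerts(events))
    print("tuned:  ", brute_force_alerts(events, allowlist=SCANNER_ALLOWLIST))
```

Two things the output shows: 10.0.0.9 also accumulates six failures but never alerts, because they are spread over 25 minutes and the rule is about rate, not count; and the scanner at 192.168.1.20 alerts until it is allow-listed. Tuning by allow-list is only safe when the listed source is itself well controlled, since an attacker who compromises the scanner inherits its exemption.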

40
Q

Network monitors

A

collects data about network infrastructure appliances, such as switches, access points, routers, firewalls. This is used to monitor load status for CPU/memory, state tables, disk capacity, fan speeds/temperature, network link utilization/error statistics, and so on. Another important function is a heartbeat message to indicate availability.

41
Q

There are numerous proprietary monitoring solutions for infrastructure, application, database, and cloud environments. Some are designed for on-premises and some for cloud, while some support hybrid monitoring of both types of environments. An application monitor will include a basic heartbeat test to verify that it is responding

A

Application and cloud monitors

42
Q

Rather than installing an agent, hosts can be configured to push log changes to the SIEM server. A process runs on the management server to parse and normalize each log/monitoring source. This method is often used to collect logs from switches, routers, and firewalls, as these are unlikely to support agents. Some variant of the Syslog protocol is typically used to forward logs from the appliance to the SIEM.

A

Listener/collector

42
Q

This approach means installing an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host and then sent to the SIEM server for analysis and storage. Collection from Windows/Linux/macOS computers will use agent-based collection. The agent must run as a process and could use 50–500 MB of RAM, depending on the amount of activity and processing it does.

A

Agent-based

43
Q

As well as log data, the SIEM might collect packet captures and traffic flow data from sniffers. A sniffer can record network data using either a switch’s mirror port functionality or a tap on the network media.

A

Sensor

44
Q

The original file is quarantined and replaced with one describing the policy violation and how the user can request its release.

A

Tombstone (DLP action)

45
Q

Copying is allowed, but the management system records an incident and may alert an administrator.

A

Alert only (DLP action)

46
Q

The user is prevented from copying the original file but retains access to it. The user may or may not be told about the policy violation, but it is logged as an incident by the management engine.

A

Block (DLP action)

47
Q

Access to the original file is denied to the user (or possibly to any user). This might be accomplished by encrypting the file or moving it to a quarantine area in the file system.

A

Quarantine (DLP action)
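The four DLP action cards (tombstone, alert only, block, quarantine) describe what happens after a policy decides that tagged data is being copied somewhere it should not go. The following added example (Python, not from the flashcards) puts the two halves together: content inspection that tags a file (a Luhn-validated card number, or a classification marker word) and an enforcement step that applies the strictest matching action to a copy operation. A dict stands in for the file system; the files, the policy, the marker words and the strictness ordering of the actions are constructed assumptions.

```python
"""Added example, not from the flashcards: content inspection plus the four DLP
response actions (alert only, block, quarantine, tombstone) applied to a copy
operation. The file store is a dict standing in for a file system; the files,
policy and strictness ordering are constructed assumptions."""
import re
from enum import IntEnum


class Action(IntEnum):
    """Ordered by strictness; when several tags apply the strictest action wins."""
    ALLOW = 0
    ALERT_ONLY = 1
    BLOCK = 2
    QUARANTINE = 3
    TOMBSTONE = 4


PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")          # candidate card numbers
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL)\b")   # classification labels


def luhn_ok(candidate: str) -> bool:
    """Luhn check so a random run of digits is not reported as a card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Tag content: 'PAN' for a Luhn-valid card number, plus any marker words."""
    tags = set(MARKER_RE.findall(text))
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(text)):
        tags.add("PAN")
    return tags


def enforce(store: dict, name: str, dest: str, policy: dict, incidents: list) -> Action:
    """Apply the policy to copying store[name] to dest/; record an incident
    for every non-allow action and return the action taken."""
    original = store[name]
    tags = classify(original)
    action = max((policy.get(t, Action.ALLOW) for t in tags), default=Action.ALLOW)
    if action in (Action.ALLOW, Action.ALERT_ONLY):
        store[f"{dest}/{name}"] = original             # copy proceeds; alert only just logs
    elif action == Action.QUARANTINE:
        store[f"quarantine/{name}"] = store.pop(name)  # user loses access to the original
    elif action == Action.TOMBSTONE:
        store[f"quarantine/{name}"] = original
        store[name] = (f"Removed by DLP policy (tags: {', '.join(sorted(tags))}). "
                       "Contact the security team to request release.")
    # BLOCK: nothing moves; the user keeps the original but the copy is refused
    if action != Action.ALLOW:
        incidents.append({"file": name, "tags": sorted(tags), "action": action.name})
    return action


STORE = {  # constructed files
    "notes.txt": "Lunch menu for Friday",
    "payments.csv": "card,amount\n4111 1111 1111 1111,19.99\n",   # Luhn-valid test number
    "ids.txt": "ticket 1234 5678 9012 3456",                        # 16 digits, fails Luhn
    "roadmap.md": "INTERNAL draft: Q3 plans",
    "board.docx": "CONFIDENTIAL minutes; cardholder 4111 1111 1111 1111",
}
POLICY = {"PAN": Action.BLOCK, "INTERNAL": Action.ALERT_ONLY, "CONFIDENTIAL": Action.TOMBSTONE}

if __name__ == "__main__":
    store, incidents = dict(STORE), []
    for name in list(STORE):
        print(f"{name:14} -> {enforce(store, name, 'usb', POLICY, incidents).name}")
    print(incidents)
```

The Luhn check is what keeps `ids.txt` out of the incident log: it contains a sixteen-digit run that a pattern-only rule would flag, which is exactly the kind of false positive that makes users route around DLP. When a file carries both a marker and a card number, as `board.docx` does, the stricter action (tombstone) applies, and the quarantine copy is kept so the file can be released after review.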

48
Q

Allows compatible scanners to determine whether a computer meets a configuration baseline.

A

Security content automation protocol (SCAP)

49
Q

Informs the management system of a notable event such as port failure, chassis overheating, power failure, or excessive central processing unit (CPU) utilization.

A

Simple Network Management Protocol (SNMP) trap

50
Q

Systems that gather and analyze data like SIEM systems but take the analysis a step further: a solution stack of compatible software programs that lets an organization collect data about security threats from multiple sources and respond to low-level security events without human assistance.

A

Security orchestration, automation, and response (SOAR)

50
Q

Linear checklists of the required steps and actions to be taken in response to an alert. While _________ can drive automated actions, they are often used to document the processes and procedures a human follows during a manual intervention.

A

Playbooks

51
Q

Consist of a series of conditional steps that perform actions, such as sending notifications or containing a threat, and are typically executed automatically by the SOAR platform. They are not meant to document the procedures a human follows during a manual intervention.

A

Runbooks

52
Q

A detailed list of the components used in a piece of software, similar to a list of ingredients in a recipe. It typically includes information about the software’s libraries, dependencies, versions, and licensing.

A

Software Bill of Materials