Chapter 5 - Program Management and Oversight

Question 1

Vulnerability Management

Answer 1

Identifying, prioritizing, and remediating vulnerabilities in our environment.

Question 2

Vulnerability Scanning

Answer 2

Detecting new vulnerabilities as they arise.

Question 3

Asset Inventory

Answer 3

A list of all connected systems on a network.

Question 4

Risk Appetite

Answer 4

An organization’s willingness to tolerate risk within the environment.

Question 5

Regulatory Requirements

Answer 5

Requirements imposed by the government or corporate policy that dictate how often a vulnerability scan should occur.

Question 6

Credentialed Scanning

Answer 6

Allows the vulnerability scanner to authenticate with target systems so that its detection capabilities are extended.

Question 7

Agent-Based Scanning

Answer 7

Agent-Based Scanning involves installing small software agents on each target server. These agents will themselves perform a vulnerability scan from the “inside-out” and then report this information back to the vulnerability management system.

Question 8

Scan Perspectives

Answer 8

Each scan perspective conducts a vulnerability scan from a different location on the network (internet, internal workspace, data center, etc.).

Question 9

What are the three main techniques for Application Testing?

Answer 9

1. Static Testing (analyzing code without executing it)
2. Dynamic Testing (running all the interfaces that the code exposes to the user with a variety of inputs)
3. Interactive Testing (analyzing the source code while testers interact with the application)

Question 10

Common Vulnerability Scoring System (CVSS)

Answer 10

The Common Vulnerability Scoring System is an industry standard for assessing the severity of security vulnerabilities. This score is a number between 0 and 10 that is based on eight different measures.

Question 11

What are the eight metrics used by the Common Vulnerability Scoring System?

Answer 11

1. Attack Vector
2. Attack Complexity
3. Privileges Required
4. User Interaction
5. Confidentiality
6. Integrity
7. Availability
8. Scope

Question 12

Patch Management

Answer 12

A Patch Management program involves the routine patching of security issues/flaws.

Question 13

Legacy Platforms

Answer 13

A Legacy Platform is a system that is no longer receiving support from the original vendor. This means that the vendor will not investigate or correct any security flaws that arise in the product.

Question 14

Weak Configurations

Answer 14

Weak Configuration settings on systems, applications and devices can jeopardize security. Some examples include default settings, default credentials, unnecessary open ports and open permissions.

Question 15

Error Messages

Answer 15

Forgetting to disable debug mode/error messages on public-facing systems can allow attackers to retrieve information about the internal structure of a system/application.

Question 16

Insecure Protocols

Answer 16

Insecure Protocols used on older networks often failed to use encryption and would commonly send data in the clear. Some examples of insecure protocols are Telnet and FTP.

Question 17

Penetration Testing

Answer 17

Penetration Testing are authorized, legal attempts to defeat an organization’s security controls and perform unauthorized activities.

Question 18

Threat Hunting

Answer 18

Threat Hunters use the attacker mindset to search the organization’s technology infrastructure for the artifacts of a successful attack.

Question 19

What are the four types of penetration tests?

Answer 19

1. Physical
2. Offensive
3. Defensive
4. Integrated (collaboration between offensive and defensive experts)

Question 20

What are the three classification types for how much knowledge a penetration tester may have about an environment?

Answer 20

1. Known environment
2. Unknown environment
3. Partially known environment

Question 21

What are some of the common Rules of Engagement for a penetration test?

Answer 21

1. Timeline
2. Locations, systems, applications or other potential targets
3. Data handling requirements
4. Behaviors (to expect from the target)
5. Resources to be committed to the test
6. Legal concerns
7. When and how communications will occur

Question 22

Passive Reconnaissance

Answer 22

Passive Reconnaissance techniques seek to gather information without directly engaging with the target. Some examples of Passive Reconnaissance include performing lookups of domain information (DNS or WHOIS), performing web searches, or reviewing public websites.

Question 23

Active Reconnaissance

Answer 23

Active Reconnaissance techniques directly engage the target in intelligence gathering. Some examples of Active Reconnaissance include port scanning, foot-printing, and vulnerability scanning.

Question 24

Initial Access

Answer 24

Initial Access refers to when a hacker exploits a vulnerability to gain access to an organization’s network.

Question 25

Privilege Escalation

Answer 25

Privilege Escalation uses hacking techniques to shift from the initial access gained by the attacker to more advanced privileges, such as root access on the same system.

Question 26

Pivoting/Lateral Movement

Answer 26

Pivoting/Lateral Movement occurs as the attacker uses the initial system compromise to gain access to other systems on the target network.

Question 27

Persistence

Answer 27

Persistence, in the context of an attack, refers to when hackers install a backdoor that will allow them to regain access to the network at a later date, even if the original vulnerability is patched.

Question 28

Security Tests

Answer 28

Security Tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security.

Question 29

Security Assessments

Answer 29

Security Assessments are comprehensive reviews of the security of a system, application, or other tested environments. During a Security Assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and make recommendations for remediation, as needed.

Question 30

Security Audits

Answer 30

Security Audits use many of the same techniques followed during security assessments but must be performed by independent auditors. Auditors provide an impartial, unbiased view of the state of security controls.

Question 31

Attestation

Answer 31

An attestation is a formal statement that the auditors have reviewed the controls and found that they are both adequate to meet the control objectives and working properly.

Question 32

Control Objectives for Information and related Technologies (COBIT)

Answer 32

COBIT is a common framework for conducting audits and assessments. COBIT describes the common requirements that organizations should have in place surrounding their information systems.