Chapter 5 - Program Management and Oversight Flashcards
Vulnerability Management
The ongoing process of identifying, prioritizing, and remediating vulnerabilities across an organization's environment.
Vulnerability Scanning
Automated probing of systems to detect known vulnerabilities (missing patches, weak configurations, exposed services). Scans are repeated on a schedule so that new vulnerabilities are detected as they arise.
Asset Inventory
A list of all systems connected to the network (and the software running on them). Scanning is only as complete as the inventory: an unlisted asset is never scanned.
Risk Appetite
An organization’s willingness to tolerate risk within the environment.
Regulatory Requirements
Requirements imposed by laws, regulations, or industry standards that dictate how often vulnerability scans must occur (for example, PCI DSS requires internal and external scans at least quarterly). Internal corporate policy may set a stricter schedule on top of these.
Credentialed Scanning
Allows the vulnerability scanner to authenticate to target systems, extending its detection capabilities: it can read installed package versions, configuration files, and registry settings directly instead of inferring them from network responses, which yields fewer false positives and negatives. The scanning account should be dedicated to this purpose and granted read-only, least-privilege access.
Agent-Based Scanning
Agent-Based Scanning involves installing small software agents on each target server. These agents will themselves perform a vulnerability scan from the “inside-out” and then report this information back to the vulnerability management system.
Scan Perspectives
Each scan perspective conducts a vulnerability scan from a different location on the network (internet, internal workspace, data center, etc.).
What are the three main techniques for Application Testing?
- Static Testing (analyzing the source code or binaries without executing them)
- Dynamic Testing (exercising the running application through every interface it exposes, with a variety of inputs)
- Interactive Testing (instrumenting the running application so its code paths and data flows are analyzed while testers interact with it; combines static and dynamic techniques)
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System is an industry standard for assessing the severity of security vulnerabilities. The base score is a number between 0 and 10 computed from eight base metrics. In CVSS v3.x the score maps to a qualitative rating: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0).
What are the eight metrics used by the Common Vulnerability Scoring System?
- Attack Vector
- Attack Complexity
- Privileges Required
- User Interaction
- Confidentiality
- Integrity
- Availability
- Scope
Patch Management
A Patch Management program is the routine process of identifying, testing, deploying, and verifying patches for security flaws, with an expedited path for critical fixes.
Legacy Platforms
A Legacy Platform is a system that is no longer supported by the original vendor. The vendor will not investigate or correct security flaws that arise in the product, so such systems must be retired or isolated behind compensating controls.
Weak Configurations
Weak Configuration settings on systems, applications and devices can jeopardize security. Some examples include default settings, default credentials, unnecessary open ports and open permissions.
How can error messages be used by attackers?
Leaving debug mode or verbose error messages enabled on public-facing systems lets attackers retrieve information about the internal structure of a system or application: stack traces, file paths, software versions, and even the failing database query.
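To make the leak concrete, here is an added example (not from the original flashcards) of the same unhandled exception rendered two ways: once with the full traceback sent to the client, once logged server-side under a correlation id while the client receives only that id. The request handler, its query text, and the input are constructed for illustration.

```python
"""Verbose error pages leak internals. Constructed example: one failing
request rendered in debug mode and in a hardened production mode."""
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")


def handle_request(user_id: str) -> dict:
    """Constructed request handler that fails on bad input the way a real
    database layer might, with the query text embedded in the exception."""
    if not user_id.isdigit():
        raise ValueError(
            f"syntax error in query: SELECT * FROM users WHERE id = {user_id}"
        )
    return {"id": int(user_id)}


def format_trace(exc: BaseException) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_error_debug(exc: BaseException) -> str:
    """Weak: ships the full traceback (file paths, line numbers, the failing
    SQL, exception types) to whoever triggered the error."""
    return "500 Internal Server Error\n" + format_trace(exc)


def render_error_hardened(exc: BaseException) -> str:
    """Hardened: keep the detail server-side under a correlation id and return
    only that id, so support can find the trace without the client seeing it."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s unhandled %s\n%s", ref, type(exc).__name__, format_trace(exc))
    return f"500 Internal Server Error\nreference: {ref}"


def serve(user_id: str, debug: bool) -> str:
    """Top-level handler: the only difference is which renderer runs on failure."""
    try:
        return str(handle_request(user_id))
    except Exception as exc:
        return render_error_debug(exc) if debug else render_error_hardened(exc)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("--- debug mode, as seen by the client ---")
    print(serve("1 OR 1=1", debug=True))
    print("--- hardened, as seen by the client ---")
    print(serve("1 OR 1=1", debug=False))
```

In debug mode the client learns the table name, the query shape, and the server's source file paths from a single malformed request; the hardened response reveals none of that, and the correlation id still lets an operator locate the full trace in the server log.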
Insecure Protocols
Insecure Protocols, common on older networks, do not encrypt traffic and send credentials and data in the clear, where anyone on the network path can capture them. Examples include Telnet, FTP, HTTP, and SNMPv1/v2c; their secure replacements are SSH, SFTP or FTPS, HTTPS, and SNMPv3.
Penetration Testing
Penetration tests are authorized, legal attempts to defeat an organization's security controls and perform activities that would otherwise be unauthorized.
Threat Hunting
Threat Hunters adopt the attacker's mindset and search the organization's technology infrastructure for the artifacts of a successful attack, on the assumption that existing controls may already have been bypassed.
What are the four types of penetration tests?
- Physical (testing facilities, locks, badges, and other physical controls)
- Offensive (a red team attacks the environment)
- Defensive (a blue team monitors, detects, and responds)
- Integrated (collaboration between offensive and defensive experts, often called purple teaming)
What are the three classification types for how much knowledge a penetration tester may have about an environment?
- Known environment (the tester has full knowledge of the target; also called white-box testing)
- Unknown environment (the tester starts with no knowledge, as an outside attacker would; also called black-box testing)
- Partially known environment (the tester has some knowledge, such as network diagrams or user credentials; also called gray-box testing)
What are some of the common Rules of Engagement for a penetration test?
- Timeline
- Locations, systems, applications or other potential targets
- Data handling requirements
- Behaviors (to expect from the target)
- Resources to be committed to the test
- Legal concerns
- When and how communications will occur
Passive Reconnaissance
Passive Reconnaissance techniques gather information without directly engaging the target, so the target sees no traffic from the tester. Examples include performing lookups of domain information (DNS or WHOIS), performing web searches, and reviewing public websites.
Active Reconnaissance
Active Reconnaissance techniques directly engage the target in intelligence gathering, and the target can therefore observe and log them. Examples include port scanning, footprinting (enumerating hosts, services, and versions), and vulnerability scanning.
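The practical difference between the two cards above is whether the target can see you. As an added example (not from the original flashcards), this Python runs a TCP connect scan, the simplest form of the active port scanning mentioned above, against a constructed listener on the local loopback interface, then inspects what the "target" recorded. The listener, port window, and loopback setup are assumptions for the demo; a passive WHOIS or DNS lookup would leave no comparable trace on the target itself.

```python
"""Active reconnaissance is visible to the target. Constructed example: a TCP
connect scan against a loopback listener, then a look at what the 'target'
saw. Passive techniques (WHOIS, DNS, web searches) leave no such trace."""
import socket


def connect_scan(host: str, ports, timeout: float = 0.2) -> list[int]:
    """TCP connect scan: attempt a full three-way handshake on each port and
    report those that accept. Each attempt is a real connection that the
    target, and any firewall or IDS in front of it, can log."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def run_demo() -> tuple[int, list[int], list[tuple[str, int]]]:
    """Stand up a constructed target on an ephemeral loopback port, scan a small
    window of ports around it, then drain the target's accept queue to see
    which peers completed a handshake."""
    target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    target.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    target.listen(8)
    port = target.getsockname()[1]

    # Scan a few ports either side of the listener; only `port` should answer
    # unless something else on this host happens to be listening nearby.
    window = range(max(1, port - 3), min(65535, port + 3) + 1)
    found = connect_scan("127.0.0.1", window)

    # Every completed handshake stays queued on the listening socket until it
    # is accepted, even though the scanner has already closed its end. A real
    # service would write these peer addresses to its log.
    target.settimeout(0.2)
    seen = []
    while True:
        try:
            conn, peer = target.accept()
        except socket.timeout:
            break
        seen.append(peer)
        conn.close()
    target.close()
    return port, found, seen


if __name__ == "__main__":
    port, found, seen = run_demo()
    print(f"target listening on {port}")
    print(f"scanner found open: {found}")
    print(f"target observed connections from: {seen}")
```

The scanner learns one open port; the target learns the scanner's source address and that the neighbouring ports were probed. That asymmetry is why the Rules of Engagement for a test spell out when active techniques may begin and who on the defending side knows about them.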
Initial Access
Initial Access refers to the point at which an attacker gains a first foothold on an organization's network, typically by exploiting a vulnerability or by abusing stolen or weak credentials.
Privilege Escalation
Privilege Escalation uses exploits or misconfigurations to move from the limited access gained initially to more advanced privileges, such as root or administrator access on the same system.
Pivoting/Lateral Movement
Pivoting/Lateral Movement occurs as the attacker uses the initial system compromise to gain access to other systems on the target network.
Persistence
Persistence, in the context of an attack, refers to the mechanisms an attacker installs (a backdoor, a scheduled task, a new account, or similar) to regain access to the network at a later date, even after the original vulnerability has been patched.
Security Tests
Security Tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security.
Security Assessments
Security Assessments are comprehensive reviews of the security of a system, application, or other tested environment. During a Security Assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that could allow a compromise, and makes recommendations for remediation as needed.
Security Audits
Security Audits use many of the same techniques followed during security assessments but must be performed by independent auditors. Auditors provide an impartial, unbiased view of the state of security controls.
Attestation
An attestation is a formal statement that the auditors have reviewed the controls and found that they are both adequate to meet the control objectives and working properly.
Control Objectives for Information and related Technologies (COBIT)
COBIT, published by ISACA, is a common framework for conducting audits and assessments. COBIT describes the governance and management practices that organizations should have in place surrounding their information systems, and auditors use it as a reference for the control objectives they test against.