COMPTIA SECURITY + WEEK 3 CHAPTER 5 & 6 Flashcards
What is the main focus of Domain 4.0 in the CompTIA Security+ exam?
Security Operations
List the identification methods associated with vulnerability management.
- Vulnerability scan
- Penetration testing
- Responsible disclosure program
- Bug bounty program
- System/process audit
What does the Common Vulnerability Scoring System (CVSS) do?
It provides a standardized method for rating the severity of vulnerabilities.
What are the key components of vulnerability response and remediation?
- Patching
- Insurance
- Segmentation
- Compensating controls
- Exceptions and exemptions
What is included in the validation of remediation?
- Rescanning
- Audit
- Verification
What tools are used for security alerting and monitoring?
- Security Content Automation Protocol (SCAP)
- Vulnerability scanners
What is the purpose of threat hunting?
To proactively search for and identify potential security threats.
What are the types and purposes of audits and assessments?
- Attestation
- Internal (Compliance, Audit committee, Self-assessments)
- External (Regulatory, Examinations, Assessment, Independent third-party audit)
What role do vulnerability management programs play?
They identify, prioritize, and remediate vulnerabilities in environments.
What factors influence the determination of scan frequency?
- Organization’s risk appetite
- Regulatory requirements
- Technical constraints
- Business constraints
- Licensing limitations
What is the significance of asset inventory in vulnerability management?
It helps guide decisions about scan types, frequency, and prioritization of remediation.
What is the difference between credentialed and noncredentialed scanning?
Credentialed scanning uses login credentials to access and verify configurations, while noncredentialed scanning does not.
True or False: Credentialed scans can make changes to the target server.
False
What is a potential issue with intrusive plug-ins during vulnerability scanning?
They may disrupt activity on a production system or damage content.
What are the benefits of using agent-based scanning?
- Provides an ‘inside-out’ view of vulnerabilities
- Conducts scans of server configurations
What is the purpose of conducting scans from various perspectives?
To provide different views into vulnerabilities from multiple network locations.
What should administrators regularly maintain in vulnerability management solutions?
The scanning software and vulnerability feeds.
What is the Security Content Automation Protocol (SCAP)?
A standardized approach for communicating security-related information.
Fill in the blank: The _______ is used to assess the severity of vulnerabilities.
Common Vulnerability Scoring System (CVSS)
What is the role of vulnerability plug-in feeds?
To ensure that scanners are updated with the latest vulnerabilities.
What is one method to improve the efficiency of vulnerability scans?
Disabling unnecessary plug-ins.
How can organizations ensure that vulnerability management solutions are effective?
By regularly updating the scanner and its vulnerability feeds.
What should administrators do when configuring vulnerability scans?
Conduct regular configuration reviews to match current requirements.
What does the term ‘scan sensitivity levels’ refer to?
Settings that determine the types of checks performed by the scanner.
What is the Security Content Automation Protocol (SCAP)?
An effort led by NIST to create a standardized approach for communicating security-related information
SCAP facilitates automation between security components.
List the components of SCAP standards.
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
These components provide standard nomenclature for various aspects of security vulnerabilities.
What is the purpose of the Common Vulnerabilities and Exposures (CVE)?
To provide a standard naming system for security-related software flaws
The term CVE is often confused with Common Vulnerability Enumeration, an older definition.
What types of vulnerability scanners should a cybersecurity toolkit include?
- Network vulnerability scanner
- Application scanner
- Web application scanner
These scanners are essential for preventive scanning and testing.
What is the primary function of network vulnerability scanners?
To probe network-connected devices for known vulnerabilities
They identify device types and configurations before launching targeted tests.
Name a well-known commercial network vulnerability scanner.
Tenable’s Nessus
Nessus was one of the earliest products in this field.
What is the function of application testing tools?
To analyze custom-developed software for common security vulnerabilities
They help ensure security during the software development process.
What are the three techniques used in application testing?
- Static testing
- Dynamic testing
- Interactive testing
Each technique has its own approach to identifying vulnerabilities.
What do web application vulnerability scanners test for?
Web-specific vulnerabilities such as SQL injection, XSS, and CSRF
They combine network scans with detailed probing of web applications.
What is the purpose of reviewing and interpreting vulnerability scan reports?
To gain detailed information about identified vulnerabilities
The reports assist analysts in understanding and addressing vulnerabilities.
What does the attack vector metric (AV) describe in CVSS?
How an attacker would exploit a vulnerability
It is scored based on the criteria of physical, local, adjacent, or network access.
What is the CVSS score range for assessing vulnerability severity?
0 to 10
Higher scores indicate more severe vulnerabilities.
What metric describes the difficulty of exploiting a vulnerability in CVSS?
Attack complexity metric (AC)
It is scored as high or low based on the conditions required to exploit.
What does the privileges required metric (PR) indicate in CVSS?
The type of account access needed to exploit a vulnerability
It can be high, low, or none.
True or False: The user interaction metric (UI) indicates whether another human’s action is needed for exploitation.
True
This metric can be categorized as none or required.
What does the confidentiality metric (C) in CVSS assess?
The type of information disclosure that might occur
It is scored as none, low, or high.
What does the integrity metric (I) measure in CVSS?
The type of information alteration that might occur if exploited
It is scored similarly to confidentiality.
What does the availability metric (A) indicate in CVSS?
The type of disruption that might occur if exploited
It is assessed as none, low, or high.
What is the scope metric (S) in CVSS?
It describes whether the vulnerability affects resources beyond the managing security authority
The metric is categorized as unchanged or changed.
What version of CVSS is currently in use?
Version 3.1
This version is a minor update from version 3.0.
What is the main difference between a vulnerability that affects resources managed by the same security authority versus one that affects resources beyond that scope?
The first affects only resources managed by the same authority, while the second can impact resources beyond that authority’s management.
What is the current version of CVSS discussed in the text?
CVSS version 3.1.
What does the CVSS vector convey?
It conveys the ratings of a vulnerability across eight metrics.
What are the nine components of a CVSS vector?
CVSS version, Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability.
What is the score for the Attack Vector rated as ‘Network’ in the example?
0.85.
What is the formula used to calculate the Impact Sub-Score (ISS)?
The ISS summarizes the three impact metrics.
How do you calculate the Impact Score when the Scope metric is Unchanged?
Multiply the ISS by 6.42.
What is the highest possible CVSS base score?
10.
What is a common method to summarize CVSS results?
Using risk categories based on the CVSS Qualitative Severity Rating Scale.
What CVSS score range is categorized as ‘High’ risk?
7.0–8.9.
What is a false positive in the context of vulnerability scanning?
When a scanner reports a vulnerability that does not exist.
What kind of reports can a vulnerability scanner generate?
Positive reports (true positives or false positives) and negative reports (true negatives or false negatives).
In vulnerability verification, what might analysts need to do?
Simulate an exploit or verify that a patch is missing.
What should analysts consult alongside vulnerability scan reports?
Log reviews, SIEM systems, and configuration management systems.
What is a common alert from a vulnerability scan regarding security patches?
That one or more systems are running an outdated version of an operating system or application.
What is the typical solution for unsupported operating systems?
Upgrade to a version that is currently supported.
What are examples of weak configuration settings highlighted by vulnerability scans?
- Default settings posing security risks
- Default credentials or unsecured accounts
- Open service ports
- Open permissions violating the principle of least privilege.
What security risk is associated with debug modes in applications?
They can provide attackers with detailed information about the application structure.
What is an example of an insecure protocol mentioned in the text?
Telnet.
What are secure alternatives to Telnet and FTP?
- Secure Shell (SSH) for Telnet
- Secure File Transfer Protocol (SFTP)
- FTP-Secure (FTPS).
What are the two critical choices to make when implementing encryption?
- The algorithm for encryption and decryption
- The encryption key to use.
What is the consequence of using a weak encryption algorithm?
It may be easily defeated by an attacker.
What are the two important choices to make when implementing encryption?
The algorithm to use to perform encryption and decryption, and the encryption key to use with that algorithm.
What is the impact of using a weak encryption algorithm?
It may be easily defeated by an attacker.
What is penetration testing?
Authorized, legal attempts to defeat an organization’s security controls and perform unauthorized activities.
What mindset do penetration testers adopt?
The hacker mindset.
What is the primary goal of penetration testing?
To gain a complete picture of an organization’s security vulnerability.
List examples of physical security controls that could be evaluated in a security assessment.
- Security cameras in high-risk areas
- Auditing of cash register receipts
- Theft detectors at the main entrance/exit
- Exit alarms on emergency exits
- Burglar alarm wired to detect openings
True or False: Penetration testers need to evaluate the effectiveness of every security control.
False.
What does a penetration tester need to find to succeed?
One flaw in the existing controls or one scenario that was overlooked.
What is the significance of the hacker mindset in penetration testing?
It allows testers to think like a criminal to find vulnerabilities.
Why do organizations perform penetration testing despite having security controls?
It provides visibility into the organization’s security posture that isn’t available by other means.
What knowledge does penetration testing provide about an organization’s defenses?
Whether an attacker with equivalent skills could penetrate the defenses.
What is the presumption of compromise in threat hunting?
The assumption that attackers have already successfully breached an organization.
What are the four major categories of penetration testing?
- Physical penetration testing
- Offensive penetration testing
- Defensive penetration testing
- Integrated penetration testing
What are the three typical classifications used to describe penetration testing?
- Known environment tests
- Unknown environment tests
- Partially known environment tests
What is a known environment test?
Tests performed with full knowledge of the underlying technology, configurations, and settings of the target.
What is an unknown environment test?
Tests intended to replicate what an attacker would encounter, without prior access to information about the environment.
What is a partially known environment test?
A blend of known and unknown environment testing, providing some information to testers without full access.
What are the key elements of the rules of engagement (RoE) in penetration testing?
- Timeline for the engagement
- Locations, systems, applications included or excluded
- Data handling requirements
- Expected behaviors from the target
- Resources committed to the test
- Legal concerns
- Communication methods
What must be obtained before conducting a penetration test?
Appropriate permission in the form of a signed agreement or similar documentation.
Fill in the blank: Penetration testing complements and builds on other cybersecurity activities, providing __________ into an organization’s security posture.
[knowledge]
What do penetration tests provide in terms of remediation?
An important blueprint for remediation if attackers are successful.
What do threat hunters search for in an organization’s infrastructure?
Artifacts of a successful attack.
What is the main goal of threat hunting?
To search for evidence of successful attacks.
What is the relationship between penetration testing and threat hunting?
Both adopt the attacker’s mindset but have different objectives.
What must penetration testers obtain before conducting a test?
Appropriate permission
This should be documented in a signed agreement or memo from senior management.
What is the purpose of a ‘get out of jail free’ card in penetration testing?
To provide documentation that helps avoid legal trouble if something goes wrong
This document proves that permission was granted by the appropriate authority.
What should scoping agreements and rules of engagement define?
The testing limitations and methodologies
It should clarify what will be tested and what will not.
What is the primary goal of the reconnaissance phase in penetration testing?
To gather information about the target organization
This includes both known and unknown-environment tests.
What are passive reconnaissance techniques?
Techniques that gather information without directly engaging the target
Examples include DNS lookups and web searches.
What are active reconnaissance techniques?
Techniques that directly engage the target in intelligence gathering
Examples include port scanning and vulnerability scanning.
What technique do penetration testers use to identify wireless networks?
War driving
This involves driving by facilities to eavesdrop on or connect to wireless networks.
What is privilege escalation in penetration testing?
Shifting from initial access to more advanced privileges
This may include gaining root access on a system.
What is pivoting in the context of a penetration test?
Lateral movement to gain access to other systems on the target network
This follows the initial compromise of a system.
What do penetration testers do at the conclusion of a test?
Conduct close-out activities, including presenting results and cleaning up traces
This involves removing tools and persistence mechanisms.
What are the three major components of a security assessment program?
- Security tests
- Security assessments
- Security audits
What is the purpose of security tests?
To verify that a control is functioning properly
These tests include automated scans and manual penetration tests.
What factors should be considered when scheduling security controls for review?
- Availability of testing resources
- Criticality of systems
- Sensitivity of information
- Likelihood of technical failure
- Risk of attack
What is a responsible disclosure program?
A program that allows researchers to share information about vulnerabilities with vendors
This fosters collaboration for timely identification and remediation of security vulnerabilities.
What is the main work product of a security assessment?
An assessment report addressed to management
It contains results and recommendations in nontechnical language.
What distinguishes security audits from security assessments?
Audits must be performed by independent auditors
Audits aim to provide an unbiased view of security controls.
What are the three main types of audits?
- Internal audits
- External audits
- Independent third-party audits
What is the role of the chief audit executive (CAE) in internal audits?
To report directly to the president or governing board
This ensures independence from the functions they evaluate.
Which firms are considered the ‘Big Four’ for external audits?
- Ernst & Young
- Deloitte
- PricewaterhouseCoopers (PwC)
- KPMG
What is the Statement on Standards for Attestation Engagements document 18 (SSAE 18)?
A standard for auditors performing assessments of service organizations
It allows organizations to conduct an external assessment instead of multiple third-party audits.
What is one common framework for conducting audits?
Control Objectives for Information and related Technologies (COBIT)
COBIT outlines common requirements for information systems.
What is the first stage in the vulnerability life cycle?
Vulnerability Identification
This stage involves becoming aware of vulnerabilities in the environment.
What is the first stage of the vulnerability life cycle?
Vulnerability Identification
This stage involves becoming aware of vulnerabilities through various sources.
Name three sources from which vulnerabilities can be identified.
- Vulnerability scans
- Penetration tests
- Reports from bug bounty programs
What is the purpose of vulnerability analysis?
To confirm the existence of the vulnerability and prioritize it using tools like CVSS and CVE
This analysis includes organization-specific details.
What does CVSS stand for?
Common Vulnerability Scoring System
What is one method cybersecurity professionals can use to respond to a vulnerability?
Apply a patch or other corrective measure
Other methods include network segmentation and implementing compensating controls.
What is the purpose of validating remediation?
To ensure that the vulnerability is no longer present in the system
This is typically done by rescanning the affected system.
What does the reporting stage of the vulnerability life cycle involve?
Communicating findings, actions taken, and lessons learned to relevant stakeholders
This ensures decision-makers are informed about the organization’s security posture.
True or False: Vulnerability scanning can only identify issues in applications, not in systems or devices.
False
What is the significance of penetration testing?
It places security professionals in the role of attackers to discover security issues
Results provide a roadmap for improving security controls.
Fill in the blank: When a scan detects a vulnerability that does not exist, it is known as a _______.
false positive
What is the goal of threat hunting?
To discover existing compromises within an organization
List two types of vulnerability reports.
- False positives
- False negatives
What is the role of bug bounty programs?
To incentivize vulnerability reporting by providing financial rewards
This encourages ethical behavior from hackers.
What is one key activity performed during the vulnerability analysis stage?
Prioritizing and categorizing the vulnerability
What are the stages of the vulnerability life cycle?
- Vulnerability Identification
- Vulnerability Analysis
- Vulnerability Response and Remediation
- Validation of Remediation
- Reporting
What do security audits assess?
The adequacy and effectiveness of an organization’s security controls
Audits can be conducted by internal or third-party auditors.
What is one consequence of improper patch management?
It can lead to vulnerabilities that attackers exploit
What is the purpose of the Common Vulnerabilities and Exposures (CVE) standard?
To consistently describe vulnerabilities
What is one of the first actions taken during penetration testing?
Conduct reconnaissance efforts
What does the term ‘lateral movement’ refer to in penetration testing?
Expanding access to other systems after gaining initial access
True or False: Remediation actions can include purchasing insurance.
True