Lesson 8: Explain Vulnerability Management Flashcards
Define ‘Vulnerability management’
Identifying/reporting, evaluating, and remediating security vulnerabilities in OSs, applications, and other components of IT operations.
Define ‘Vulnerability scanning’
Utilized to identify potential weaknesses in an organization’s digital assets automatically.
Define a ‘Vulnerability’
Flaws in the operating system’s design, errors in code, or insecure default settings.
What are typical vulnerabilities found in the Microsoft Windows OS?
Buffer overflows, lack of input validation, and privilege flaws.
What are typical vulnerabilities found in Mac OS?
Weak access controls, insecure boot processes, and third-party software.
What are typical vulnerabilities found in Linux OS?
Kernel vulnerabilities, misconfigurations, and unpatched systems are common issues in Linux.
Define a ‘Legacy and End-of-Life (EOL) System’
The manufacturer or vendor no longer supports EOL systems, so they do not receive updates, including critical security patches.
What is the difference between a ‘legacy system’ and an ‘End-of-life system’?
Legacy systems typically describe outdated software methods, technology, computer systems, or application programs that continue to be used despite their shortcomings.
Define ‘firmware’
Software that controls hardware.
Define ‘VM escape’
An attacker with access to a VM breaks out of its isolated environment and gains access to the host system or other VMs running on the same host.
Define a ‘Zero-day vulnerability’
Previously unknown software or hardware flaws that attackers can exploit before developers or vendors become aware of or have a chance to fix them.
Define ‘responsible disclosure’
A procedure followed by ethical hackers after a zero day is found, to privately inform the vendor so a patch can be developed before the vulnerability is publicly disclosed.
How can misconfiguration of infrastructure lead to vulnerabilities?
Unauthorized access, data leaks, or even full-system compromises.
What is the most common form of misconfiguration?
Leaving default configurations.
How can troubleshooting lead to vulnerabilities?
Disabling security features or loosening access controls to help isolate a problem without changing back to the secure configuration afterwards.
Define a ‘Cryptographic vulnerability’
Weaknesses in cryptographic systems, protocols, or algorithms that can be exploited to compromise data.
Define ‘Rooting’
Gaining superuser-level access over an Android-based mobile device.
Define ‘Jailbreaking’
Describes gaining full access to an iOS device by removing the limitations imposed by Apple’s iOS operating system.
Define ‘Sideloading’
Installing applications from sources other than the platform’s official app store.
How can an organization prevent rooting/jailbreaking/sideloading?
By disabling access to unverified app stores and the ability to install apps from unofficial sources.
Define an ‘Application race condition’ vulnerability
Software flaws associated with the timing or order of events within a software program, which can be manipulated, causing undesirable or unpredictable outcomes.
What is the outcome of an Application race condition vulnerability?
Data corruption or unauthorized access.
Define a ‘time-of-check to time-of-use (TOCTOU)’ vulnerability
Type of application race condition; A system state changes between the time an app performs the check (verification) stage and the use (execution) stage.
Define a ‘memory injection’ vulnerability
Type of security flaw where an attacker can introduce (inject) malicious code into a running application’s process memory.
What is a direct outcome of an attacker exploiting a memory injection vulnerability?
A threat actor can run malicious code with the same privilege level as the vulnerable process, which can lead to full system compromise.
What is the desired goal of a threat actor once a memory injection is successful?
To provide unauthorized access or control over the system; Install malware, exfiltrate sensitive data, or create a backdoor for future access.
What controls are used to mitigate memory injection vulnerabilities?
Secure coding practices; Input/output validation, encoding, type-casting, access controls, application testing.
Define a ‘buffer’
An area of memory that the application reserves to store expected data.
Define a ‘buffer overflow’ vulnerability
A form of memory injection; An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory.
How does a threat actor perform a buffer overflow attack?
The attacker passes data that deliberately overfills the buffer.
What does a buffer overflow allow an attacker to do?
Change the return address, allowing the attacker to run arbitrary code on the system.
What 3 controls have been developed to mitigate buffer overflow vulnerabilities?
- Address space layout randomization (ASLR)
- Data Execution Prevention (DEP)
- Type-safe programming languages
Define a ‘Type-safe programming language’
A language that enforces strict type-checking during compilation and ensures variables and data are used correctly.
What is the purpose of using a type-safe programming language?
Prevents memory-related vulnerabilities and injection attacks.
Define a ‘Malicious update’
An update that appears legitimate but contains harmful code; A vulnerability in software repository or supply chain that a threat actor can exploit to add malicious code to a package.
Define an ‘evaluation scope’
The product, system, or service being analyzed for potential security vulnerabilities, or the intended target of an attack.
What is a distinct difference between a web application attack and other attacks?
Must navigate the client-server model; Requires the attacker to bypass network and application-level security controls.
Define a ‘cross-site scripting (XSS)’ attack
A malicious script injected into a web site designed to compromise clients browsing the site.
Define a ‘nonpersistent cross-site scripting (XSS)’ attack
The malicious script is obfuscated in a spoofed URL that reflects back to the attacker.
Define a ‘stored/persistent cross-site scripting (XSS)’ attack
The script is injected and permanently stored on the target servers, such as in a database or content management system.
Define a ‘Document Object Model (DOM) cross-site scripting (XSS)’ attack
Attacker injects malicious script into a JavaScript Document Object Model (DOM) to execute their attack solely on the client.
What is the difference between an overflow attack and an injection attack?
An overflow attack works against the way a process performs memory management, while an injection attack exploits some insecure way in which the application processes requests and queries.
Define a ‘SQL injection’ attack
Injection of a malicious/unauthorized SQL query via the input data from a client to the application/server.
Define a ‘side-channel’ attack
Attacker observes the implementation and operation of a system, looking for information to use to exploit the system.
How can cloud services be manipulated by an attacker?
Set up fake websites on cloud services for phishing and malware distribution; Cryptojacking cloud resources for cryptomining.
Define a ‘cloud access security broker (CASB)’
Enterprise management software designed to manage, mediate, and monitor access to cloud services by users across all types of devices.
What are the 3 methods of implementing a cloud access security broker (CASB)?
- Forward proxy
- Reverse proxy
- Application programming interface (API)
Define a forward proxy cloud access security broker (CASB)
Requires configuration of users’ devices; Inspects all traffic in real time, even if that traffic is not bound for sanctioned cloud applications.
Define a reverse proxy cloud access security broker (CASB)
Positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with a policy.
Define an Application programming interface (API) cloud access security broker (CASB)
Brokers connections between the cloud service and the cloud consumer rather than placing a CASB appliance or host inline with cloud consumers and the cloud services.
Define a ‘software bill of materials (SBOM)’
Inventory containing details like component names, versions, and information about the suppliers in a software product.
What is the purpose of a software bill of materials (SBOM)?
Provide transparency and visibility into the software supply chain and potential vulnerabilities; Enables developers, security teams, and end users to understand the functional components of their software.
What is the role of a software bill of materials (SBOM) after a vulnerability has been disclosed?
Supports rapid response and remediation; Security teams can quickly determine whether their software is affected by a disclosed vulnerability.
Define a software dependency check
A Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
What is the purpose of utilizing a software dependency check?
Detecting outdated or vulnerable components
Define an ‘HTTP referrer’
Indicates the URL that forwarded a request to the target URL.
What is a ‘network vulnerability scanner’?
Hardware or software configured with a list of known weaknesses and exploits that can scan for their presence in a client PC, server, application, or network device.
Define a ‘non-credentialed scan’
A scan that uses fewer permissions and often can only find missing patches or updates.
What is the purpose of a non-credentialed scan?
Appropriate technique for external assessment of the network perimeter, or when performing web application scanning, to mimic the view of an unprivileged attacker with limited network access.
What are typical findings from a non-credentialed scan?
Default passwords for service accounts and device management interfaces.
Define a ‘credentialed’ scan
A scan that uses credentials with some form of privileged access to allow for a more in-depth analysis, especially in detecting when applications or security settings may be misconfigured.
What is the purpose of a credentialed scan?
Shows what an insider attack, or an attack with a compromised user account, may be able to achieve.
Define ‘application vulnerability scanning’
Designed to identify issues with application code and platform configuration, including web servers and web applications.
Define ‘static analysis’
Reviewing application code without executing it; Either manually or using automated tools.
Define ‘dynamic analysis’
Testing running applications; Examines code behavior during runtime.
What can be discovered through dynamic analysis?
Unvalidated inputs/outputs, broken access controls, and injection vulnerabilities.
Define ‘package monitoring’
Techniques and tools designed to mitigate risks from application vulnerabilities in third-party code, such as libraries and dependencies.
What is the role of package monitoring in vulnerability management?
Tracks and assesses the security of third-party software packages, libraries, and dependencies used within an organization.
What mechanism is used to achieve package monitoring at an enterprise level?
Automated software composition analysis (SCA).
Define ‘Automated software composition analysis (SCA)’
Identifies outdated packages or packages with known vulnerabilities and suggests updates or replacements.
Define a ‘threat feed’
Aggregated data from various real-time sources, integrated into vulnerability scanning tools to improve their detection capabilities.
Define ‘Tactics, Techniques, and Procedures (TTPs)’
Term to describe the behaviors, processes, actions, and strategies used by a threat actor to develop threats and engage in cyberattacks.
What data does a threat feed contain?
Signatures and pattern-matching rules; Latest vulnerabilities, exploits, and threat actors.
What are the most common threat feeds?
AlienVault’s Open Threat Exchange (OTX), IBM’s X-Force Exchange, and Recorded Future.
Define ‘cyber threat intelligence (CTI)’
Process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.
What are the 3 types of cyber threat intelligence (CTI)?
- Behavioral Threat Research
- Reputational threat intelligence
- Threat Data
Define ‘Behavioral Threat Research’
Commentary describing examples of attacks and TTPs gathered through primary research sources.
Define ‘Reputational threat intelligence’
Blocklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains.
Define ‘Threat Data’
Data from networks and logs that can correlate events with known TTPs, behavioral threat research, and reputational threat intelligence.
What can cyber threat intelligence (CTI) be coupled with to produce actionable intelligence?
All 3 types of CTI aggregated into a Security Information Event Management (SIEM).
Define a ‘proprietary threat feed’
Threat research and CTI data that are available as a paid subscription to a commercial threat intelligence platform.
Define ‘Open-source intelligence (OSINT)’
Publicly available information plus the tools used to aggregate and search it.
What is the function of Open-source intelligence (OSINT)?
Used to identify vulnerabilities and threat information by gathering data from many sources such as blogs, forums, social media platforms, and even the dark web.
Define ‘Shodan’
OSINT tool for investigating Internet-connected devices.
Define ‘Maltego’
OSINT tool for visualizing complex networks of information.
Define ‘Recon-ng’
OSINT tool for web-based reconnaissance activities.
Define ‘theHarvester’
OSINT tool for gathering emails, subdomains, hosts, and employee names from different public sources.
Define the ‘deep web’
Any part of the World Wide Web that is not indexed by a search engine.
What are parts of the deep web?
Dark net, Dark web.
Define the ‘dark net’
Network established as an overlay to Internet infrastructure by software.
What is the purpose of the dark net?
Acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network.
What are examples of dark net software?
Onion Router (TOR), Freenet, or I2P.
Define ‘onion routing/The Onion Router (TOR)’
Uses multiple layers of encryption and relays between nodes to achieve anonymity.
Define the ‘dark web’
Sites, content, and services accessible only over a dark net.
What are benefits of the dark web?
Privacy and anonymity, access to censored information, and research/information sharing.
Define ‘penetration testing’
A test that uses active tools and security utilities to evaluate security by simulating an attack on a system.
What is the purpose of a pen test?
To verify that a threat exists; Will actively test and bypass security controls, and will finally exploit vulnerabilities on the system.
What is the difference between penetration testing and vulnerability scanning?
Penetration testing involves human ingenuity and creativity, manipulating an application’s functionality to perform actions in ways not intended by its developers, leading to exploitation.
Define ‘Unknown environment (previously known as black box) testing’
When the consultant/attacker has no privileged information about the network and its security systems; Requires the consultant/attacker to perform an extensive reconnaissance phase.
What is the purpose of black box testing?
Useful for simulating the behavior of an external threat.
Define ‘Known environment (previously known as white box) testing’
The consultant/attacker has complete access to information about the network.
What is the purpose of white box testing?
Useful for simulating the behavior of a privileged insider threat.
Define ‘Partially known environment (previously known as gray box) testing’
When the consultant/attacker has some information; Requires partial reconnaissance.
Define a ‘Bug bounty’
Reward scheme operated by software and web services vendors for reporting vulnerabilities.
Define an ‘audit’
Comprehensive reviews/assessment of security controls, policies, and procedures designed to ensure an organization’s security posture aligns with established standards and best practices.
Define a ‘compliance audit’
Assess adherence to regulations; Examining areas like network security, access controls, and data protection measures.
Define ‘Payment Card Industry Data Security Standard (PCI DSS)’
Information security standard for organizations that process credit or bank card payments.
Define ‘Vulnerability analysis’
Evaluating vulnerabilities for their potential impact and exploitability; Considering ease of exploitation, the potential damage from a successful exploit, the value of the vulnerable asset, and the current threat landscape.
Define ‘remediation’
The process of identifying and addressing cyber threats to mitigate their potential risk.
Define ‘mitigation’
Applying patches, changing configurations, updating software, or replacing vulnerable systems.
Define a ‘Compensating control’
Measures put in place to mitigate the risk of a vulnerability when security teams cannot directly eliminate it or when direct remediation is not immediately possible.
Define the purpose of the ‘Security Content Automation Protocol (SCAP)’
Enables automated vulnerability management, and policy compliance evaluation of systems deployed in an organization.
What is the function of the Security Content Automation Protocol (SCAP)?
Defines ways to compare the live configuration of a system to a target-secure baseline.
Define a ‘Common Vulnerabilities and Exposures (CVE)’
A scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.
How is a CVE identified?
CVE-(year the vulnerability was discovered)-(order in which the vulnerability was discovered in that year); CVE-YYYY-####
Define the ‘Common Vulnerability Scoring System (CVSS)’
Quantifies vulnerability data and then takes into account the degree of risk to different types of systems or information.
What is the scale of the Common Vulnerability Scoring System (CVSS)?
CVSS metrics generate a score from 0 to 10 based on the characteristics of the vulnerability.
What characteristics are used to determine the Common Vulnerability Scoring System (CVSS) of a Common Vulnerabilities and Exposures (CVE)?
Whether it can be triggered remotely or needs local access, whether user intervention is required, whether privileged access is needed, and so on.
Define a ‘false positive’
An instance where a scanner or another assessment tool incorrectly identifies a vulnerability.
Define a ‘false negative’
A vulnerability that is not reported when it should be; Potential vulnerabilities that go undetected in a scan.
How can false negatives be avoided?
By running repeat scans periodically and employing scanners from different vendors.
How does vulnerability analysis support ‘prioritization’ of an organization’s security strategy?
Identifying the most critical vulnerabilities, those that pose the most significant risk to an organization, helps the organization focus its limited resources on addressing the most significant threats first.
What is ‘prioritization’ in an organization’s security strategy based on?
Common Vulnerability Scoring System (CVSS); Factors such as the vulnerability severity, the ease of exploitation, and the potential impact of an attack.
How does vulnerability analysis support the ‘classification’ of an organization’s security strategy?
Categorizing vulnerabilities based on their characteristics, to help clarify the scope and nature of an organization’s threats.
Define ‘Exposure factor (EF)’
In risk calculation, represents the extent to which an asset is susceptible to being compromised or impacted by a specific vulnerability.
How does vulnerability analysis support the ‘Exposure Factor’ of an organization’s security strategy?
Helps assess the potential impact or loss that could occur if the vulnerability is exploited.
What is the ‘Exposure Factor’ in an organization’s security strategy based on?
The likelihood of a vulnerability being exploited, which directly impacts its overall risk level; Weak authentication mechanisms, inadequate network segmentation, or insufficient access control methods.
Define ‘vulnerability impact’
The potential organizational impact of vulnerabilities; Financial loss, reputational damage, operational disruption, or regulatory penalties.
Define the role of ‘vulnerability impact’ in an organization’s security strategy
Crucial for making informed decisions about risk mitigation and disaster recovery.
Define ‘environmental variables’
The organization’s IT infrastructure and assets; Hardware, software, networks, and systems in use.
What are external environmental variables?
External threat landscape based on industry; Regulatory and compliance.
Define ‘Risk tolerance’
The level of risk an organization is willing to accept.
What do vulnerability response and remediation practices encompass?
Patching, insurance, segmentation, compensating controls, exceptions, and exemptions.
What are typical forms of compensating controls?
Additional monitoring, secondary authentication mechanisms, or enhanced encryption.
Define ‘remediation validation’ and its purpose
Ensures that the remediation actions have been implemented correctly and function as intended.
When examining the website for potential XSS and SQLi vulnerabilities, what are common indicators a cybersecurity analyst should look for?
Input fields that do not sanitize user input and error messages that disclose database information.
What issue poses the highest risk related to unauthorized data access in cloud-hosted applications?
Misconfigured cloud storage access controls.
Based on common operating system vulnerabilities, which one has insufficient or missing data validation mechanisms that lead to the system executing unintended commands?
Buffer overflow.
When leveraging dependency analysis and SBOM tools in a software development environment, which key factors should the security team prioritize to address potential vulnerabilities more efficiently?
Recognizing outdated software dependencies and identifying undisclosed open-source components.