Module 07 - Vulnerability Management Flashcards
Define: Vulnerability Management
A: The process of
1. identifying,
2. evaluating,
3. treating, and
4. reporting
vulnerabilities to prevent their exploitation.
Define: End-of-Life (EOL) Systems
A: Products or systems that are no longer supported by the manufacturer or vendor, receiving no updates or security patches, making them vulnerable to new threats.
Define: Legacy Systems
A: Outdated computer systems or applications that are still in use despite their limitations, often due to the high cost or risk associated with replacing them.
Define: Firmware Vulnerabilities
A: Security flaws within the foundational software that controls hardware, which can be exploited to gain unauthorized access or persist on a system undetected.
Define: Meltdown and Spectre
A: Speculative-execution side-channel vulnerabilities publicly disclosed in January 2018, affecting most modern CPUs (Intel, AMD and ARM designs), that allow a malicious program to read memory it should not be able to access, such as kernel memory or data belonging to other processes.
Define: LoJax
A: A UEFI rootkit discovered in 2018, the first seen in the wild, that writes a malicious module into the SPI flash chip holding the UEFI firmware, so the implant survives hard drive replacement and OS reinstallation.
Define: Vulnerability Scanning
A: The use of specialized tools to automatically identify potential security weaknesses in an organization’s digital assets.
Define: Shellshock
A: A 2014 vulnerability (CVE-2014-6271 and follow-ups) in the GNU Bash shell affecting Unix-like systems, including Linux and macOS: Bash executed commands appended to function definitions passed in environment variables, so any service that placed attacker-controlled input in the environment of a Bash process (CGI scripts, for example) allowed arbitrary command execution.
Define: Heartbleed
A: A 2014 vulnerability (CVE-2014-0160) in the OpenSSL implementation of the TLS heartbeat extension: a missing bounds check let a peer read up to 64 KB of process memory per heartbeat request, exposing private keys, session cookies and passwords from affected servers and clients.
Q: Acronym: UEFI
A: Unified Extensible Firmware Interface.
Q: Acronym: SMB
A: Server Message Block.
Q: Acronym: MMS
A: Multimedia Messaging Service.
Q: Acronym: OpenSSL
A: Open Secure Sockets Layer. Not strictly an acronym: OpenSSL is the open-source toolkit implementing SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security).
True or False:
The Stagefright vulnerability affected iOS devices.
A: False:
Stagefright (2015) affected Android devices: its media playback engine could be made to execute code from a specially crafted MMS message, in some configurations before the user opened it.
True or False:
Heartbleed was a vulnerability in the OpenSSL library that compromised secret keys.
A: True:
Heartbleed allowed attackers to read sensitive memory contents, exposing secret keys.
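The buffer over-read behind Heartbleed, as an added example that is not from the flashcards or from OpenSSL: a vulnerable handler and a 1.0.1g-style fixed one side by side in Python. The record framing (1-byte type, 2-byte payload length, payload, 16 bytes of padding) is the real heartbeat layout; the "neighbouring memory" and the secrets in it are constructed stand-ins for whatever the server process happened to hold next to its receive buffer.

```python
"""Heartbleed (CVE-2014-0160) modelled as a buffer over-read.

Added example, not OpenSSL code. The heartbeat framing is real
(type 1 byte, payload_length 2 bytes, payload, >= 16 bytes padding);
the memory that follows the request in RAM is constructed.
"""
import struct
from typing import Optional

HB_HEADER = struct.Struct("!BH")   # type, payload_length
PADDING = 16

# Constructed stand-in for data the server process holds next to the
# receive buffer: cookies, credentials, key material.
NEIGHBOURING_MEMORY = (
    b"session=abc123; user=alice; pw=hunter2; "
    b"-----BEGIN RSA PRIVATE KEY----- MIIEow..."
)


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Client side: a request whose length field may lie about the payload."""
    return HB_HEADER.pack(1, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_heartbeat(msg: bytes) -> bytes:
    """Pre-1.0.1g logic: the reply copies 'claimed_len' bytes starting at the
    payload, a length taken from the peer and never compared with the number
    of bytes actually received."""
    _, claimed_len = HB_HEADER.unpack_from(msg)
    memory = msg + NEIGHBOURING_MEMORY        # the request as it sits in RAM
    start = HB_HEADER.size
    return memory[start:start + claimed_len]  # reads past the end of the request


def fixed_heartbeat(msg: bytes) -> Optional[bytes]:
    """1.0.1g logic: discard the record if 1 + 2 + payload + 16 exceeds its length."""
    if len(msg) < HB_HEADER.size:
        return None
    _, claimed_len = HB_HEADER.unpack_from(msg)
    start = HB_HEADER.size
    if start + claimed_len + PADDING > len(msg):
        return None                            # silently dropped, as in the patch
    return msg[start:start + claimed_len]


if __name__ == "__main__":
    req = build_heartbeat(b"hi", claimed_len=96)   # 2 real bytes, 96 claimed
    print("vulnerable reply:", vulnerable_heartbeat(req))
    print("fixed reply:     ", fixed_heartbeat(req))
```

The vulnerable reply starts with the two bytes the client sent and continues into the constructed neighbouring memory; the real bug returned up to 64 KB per request and could be repeated indefinitely, which is why key rotation was part of the remediation.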
True or False:
Firmware updates are unnecessary as firmware cannot be exploited.
A: False:
Firmware can contain vulnerabilities; updating it is crucial for security.
True or False:
macOS is completely safe from vulnerabilities due to its Unix-based architecture.
A: False:
macOS can have vulnerabilities, such as those exploited by the Shellshock bug.
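The classic Shellshock probe, env x='() { :;}; echo vulnerable' bash -c "echo probe", driven from Python as an added example (not from the flashcards). It runs whatever bash is on PATH, or the path you pass, and reports whether that bash executes the command smuggled in after the function body. The injected command only echoes, so it is safe to run on production hosts.

```python
"""Shellshock (CVE-2014-6271) probe, modelled on the one-liner
    env x='() { :;}; echo vulnerable' bash -c "echo probe"
Added example, not from the flashcards."""
import os
import shutil
import subprocess


def check_shellshock(bash_path=None):
    """Return 'vulnerable', 'patched', 'bash-not-found' or 'error'."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "bash-not-found"
    # Unpatched bash imported every environment variable whose value began
    # with "() {" as a function definition and kept executing what followed
    # the closing brace, so the trailing "; echo vulnerable" ran at startup,
    # before the -c command. Any service that put attacker-controlled text
    # into the environment of a bash process (CGI request headers, for
    # example) was therefore exposed to command injection.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :;}; echo vulnerable"}
    try:
        proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "error"
    return "vulnerable" if "vulnerable" in proc.stdout else "patched"


if __name__ == "__main__":
    print(check_shellshock())
```

A patched bash prints only "probe": the fix stopped parsing at the end of the function body and later releases moved imported functions into specially named variables so ordinary environment values are never parsed as code.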
Define: WannaCry Ransomware
A: A global ransomware attack in May 2017 that spread as a worm using the EternalBlue exploit for the SMBv1 vulnerability Microsoft had patched in MS17-010, encrypting files and demanding Bitcoin ransom payments.
Define: Stagefright Vulnerability
A: A critical flaw in the Android media playback engine that allowed remote code execution via MMS messages.
Define: Watering Hole Attack
A: A strategy where attackers compromise a website likely to be visited by their targets to distribute malware.
Define: Conficker Worm
A: A worm exploiting the MS08-067 vulnerability in Windows, leading to one of the largest infections in history.
Define: EternalBlue
A: An exploit developed by the NSA and leaked by the Shadow Brokers group in April 2017, targeting a vulnerability in Microsoft's SMBv1 implementation (MS17-010, CVE-2017-0144); notably used in the WannaCry attack a month after the leak.
Acronym:
Bash
A: Bourne Again Shell.
Define: Vulnerability Scanning
A: The process of automatically identifying vulnerabilities in systems, such as
1. open ports
2. insecure configurations
3. missing patches.
Define: Threat Feed
A: A continuously updated source of information about potential cyber threats and vulnerabilities, providing actionable intelligence for vulnerability management.
Define: Penetration Testing
A: A proactive method where ethical hackers simulate real-world attacks to exploit vulnerabilities and evaluate an organization’s security posture.
Define: Bug Bounty Programs
A: Initiatives that incentivize external security researchers to discover and responsibly report vulnerabilities in exchange for rewards.
Define: Responsible Disclosure Programs
A: Guidelines established by organizations to encourage individuals to report vulnerabilities responsibly, allowing for fixes before exploitation.
Define: Security Audits
A: Comprehensive reviews of an organization’s security controls and practices, often aligned with standards like ISO 27001 or NIST.
Define: Cyber Threat Intelligence (CTI)
A: Data about threats and attackers gathered from various sources, used to improve an organization’s cybersecurity posture.
Acronym:
GDPR
A: General Data Protection Regulation.
Define: Deep Web
A: Parts of the internet not indexed by search engines, such as unlinked pages or those requiring registration.
Define: Dark Web
A: Hidden parts of the deep web accessible only through specific software like Tor, often associated with illicit activities but also used for privacy and research.
Bug Bounty vs. Penetration Testing
A: A bug bounty lets external researchers test continuously, within a published scope, and pays per valid finding;
a penetration test is performed by an internal or contracted team within an agreed scope, timeframe and rules of engagement, and delivers a full report covering what was tested, including what was found secure.
Define: Behavioral Threat Research
A: Analysis of the tactics, techniques, and procedures (TTPs) used by attackers, gathered through direct observation of intrusions and research.
Acronym:
TTP
A: Tactics, Techniques, and Procedures.
Acronym:
SIEM
A: Security Information and Event Management.
List:
Types of Vulnerability Identification Methods
- Vulnerability scanning
- Penetration testing
- Bug bounty programs
- Auditing
List:
Threat Feed Types
- Third-party threat feeds
- Open-source intelligence (OSINT)
- Closed/proprietary threat feeds
- Information-sharing organizations
List:
Common OSINT Tools
- Shodan
- Maltego
- Recon-ng
- theHarvester
List:
Types of Cybersecurity Audits
- Compliance audits
- Risk-based audits
- Technical audits
What’s audited in a Security Audit?
- Policies
- Procedures
- System configuration
- Supply chain evaluation
- Monitoring and support practices
Acronym: NVD
A: National Vulnerability Database
Define:
Package Monitoring
The process of tracking and assessing the security of third-party software packages, libraries, and dependencies to ensure they are up-to-date and free from known vulnerabilities.
True or False:
A credentialed vulnerability scan requires administrative access to hosts for deeper analysis.
A: True.
Credentialed scans log in to the host with a supplied account (typically administrative or root, or one granted read access to configuration) and can therefore inspect installed packages, patch levels, registry and file settings that are invisible from the network.
True or False:
Non-credentialed scans can validate vulnerabilities by attempting exploitation.
A: False.
Non-credentialed scans do not attempt exploitation; they assess only what is exposed to an unauthenticated user on the network (open ports, service banners, responses to probes). Validating a finding by exploiting it is the job of an intrusive scan or a penetration test.
List:
Types of vulnerability scan [Types to perform]
- Intrusive [Tries to exploit]
- Non-intrusive [List potential vulnerabilities]
- Credentialed
- Non-credentialed
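A non-credentialed (banner-based) check and a credentialed (package-inventory) check run against the same host, as an added example that is not scanner code from the flashcards. The host, its SSH banner, its package list and the advisories are all constructed, and the advisory identifiers are placeholders rather than real CVE numbers; the point is the two classes of error a banner scan makes that a credentialed scan does not.

```python
"""Non-credentialed versus credentialed assessment of one constructed host.
Added example, not from the flashcards; advisory ids are placeholders."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Advisory:
    ident: str            # placeholder id (constructed, not a real CVE)
    product: str          # product name as it appears in banners
    package: str          # distro package name as seen by a credentialed scan
    fixed_upstream: str   # first upstream release containing the fix
    fixed_package: str    # distro package version with the fix backported


@dataclass
class Host:
    banners: Dict[int, str]                                  # port -> banner (no login needed)
    packages: Dict[str, str] = field(default_factory=dict)   # name -> version (login needed)


# Constructed host: Debian-style OpenSSH with a backported fix, plus an old sudo
# that has no listening port at all.
HOST = Host(
    banners={22: "SSH-2.0-OpenSSH_7.4"},
    packages={"openssh-server": "1:7.4p1-10+deb9u7", "sudo": "1.8.19p1-2.1"},
)
ADVISORIES = [
    Advisory("ADV-0001", "openssh", "openssh-server", "7.5", "1:7.4p1-10+deb9u5"),
    Advisory("ADV-0002", "sudo", "sudo", "1.9.5", "1.8.27-1"),
]
BANNER_PATTERNS = {"openssh": re.compile(r"OpenSSH[_ ]([\w.]+)")}


def vtuple(version: str) -> Tuple[int, ...]:
    """Numeric fields of a version string: '1:7.4p1-10+deb9u7' -> (1,7,4,1,10,9,7).
    Adequate here; real scanners apply the distro's own rules
    (dpkg --compare-versions, rpmvercmp)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def scan_uncredentialed(host: Host, advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """What an unauthenticated network scan can infer: product and version from banners."""
    findings = []
    for port, banner in host.banners.items():
        for product, pattern in BANNER_PATTERNS.items():
            m = pattern.search(banner)
            if not m:
                continue
            seen = m.group(1)
            for adv in advisories:
                if adv.product == product and vtuple(seen) < vtuple(adv.fixed_upstream):
                    findings.append((adv.ident, product,
                                     f"port {port} banner reports {seen} < {adv.fixed_upstream}"))
    return findings


def scan_credentialed(host: Host, advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """What a scan logged in to the host can check: installed package versions,
    including backported fixes and software with no network exposure."""
    findings = []
    for adv in advisories:
        installed = host.packages.get(adv.package)
        if installed is None:
            continue
        if vtuple(installed) < vtuple(adv.fixed_package):
            findings.append((adv.ident, adv.package,
                             f"installed {installed} < fixed {adv.fixed_package}"))
    return findings


if __name__ == "__main__":
    print("non-credentialed:", scan_uncredentialed(HOST, ADVISORIES))
    print("credentialed:    ", scan_credentialed(HOST, ADVISORIES))
```

The banner scan reports ADV-0001 because 7.4 is below 7.5, although the installed package already carries the backported fix (a false positive the credentialed scan clears), and it cannot see sudo at all because nothing listens on the network for it (a false negative the credentialed scan catches).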
List:
Methods in application vulnerability scanning
- Static analysis
- Dynamic analysis
List:
Components monitored in package monitoring.
- Third-party software packages
- Libraries
- Dependencies
What type of vulnerability scan would you perform to simulate an external attacker without internal access to the system?
Non-credentialed scan.
What does automated software composition analysis (SCA) track in package monitoring?
It tracks software packages, libraries, and dependencies for outdated versions or known vulnerabilities.
Acronym:
SCA
A: Software Composition Analysis
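A small software composition analysis over a dependency lock file, covering the package monitoring and SCA cards above, as an added example that is not tooling from the flashcards. The lock file and the advisory feed are constructed, the advisory identifiers are placeholders rather than real CVE numbers, and the affected-range syntax follows pip specifiers such as ">=1.26.0,<1.26.6".

```python
"""Software composition analysis over a pip-freeze style lock file.
Added example, not from the flashcards; lock file and advisories are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed lock file. Transitive dependencies are pinned here too, which is
# why SCA should read the lock file rather than a hand-written requirements list.
LOCKFILE = """\
# direct
requests==2.25.1
flask==2.0.3
# transitive
urllib3==1.26.5
certifi==2021.5.30
"""

# Constructed advisory feed: package -> [(affected range, first fixed version, id)]
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "requests": [(">=2.3.0,<2.31.0", "2.31.0", "ADV-REQ-1")],
    "urllib3": [(">=1.26.0,<1.26.6", "1.26.6", "ADV-URL-1"),
                (">=2.0.0,<2.0.5", "2.0.5", "ADV-URL-2")],
    "flask": [("<1.0", "1.0", "ADV-FLK-1")],
}

_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}
_SPEC = re.compile(r"^(==|!=|<=|>=|<|>)\s*([\w.]+)$")


def vtuple(version: str) -> Tuple[int, ...]:
    """Numeric fields of a version: '2.25.1' -> (2, 25, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_lockfile(text: str) -> Dict[str, str]:
    """name -> pinned version; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause of spec."""
    v = vtuple(version)
    for clause in spec.split(","):
        m = _SPEC.match(clause.strip())
        if not m:
            raise ValueError(f"bad specifier: {clause}")
        op, bound = m.groups()
        if not _OPS[op](v, vtuple(bound)):
            return False
    return True


def audit(lock_text: str, advisories=ADVISORIES) -> List[dict]:
    """Every pinned package that falls inside an advisory's affected range."""
    findings = []
    for name, version in parse_lockfile(lock_text).items():
        for affected, fixed, ident in advisories.get(name, []):
            if in_range(version, affected):
                findings.append({"package": name, "installed": version,
                                 "advisory": ident, "upgrade_to": fixed})
    return findings


if __name__ == "__main__":
    for f in audit(LOCKFILE):
        print(f"{f['package']} {f['installed']}: {f['advisory']}, upgrade to {f['upgrade_to']}")
```

Run regularly (for instance in CI on every lock file change) this is the "continuously updated" half of package monitoring; the advisory feed would come from the NVD, the ecosystem's own database or a commercial source rather than a literal in the script.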
Define:
Network Monitors
Tools that collect performance and health data from network infrastructure appliances (switches, routers, firewalls), typically via SNMP:
CPU and memory usage, disk capacity, and link utilization.
Define:
NetFlow
A Cisco-originated protocol in which routers and switches export records (flows) summarizing traffic: source and destination addresses and ports, protocol, timestamps, and byte and packet counts.
Analysis tools use these records to characterize traffic patterns and detect anomalies.
Define:
System Logs
Logs that provide audit trails of actions on a system, used to diagnose availability issues, monitor authorized and unauthorized access, and proactively identify threats and vulnerabilities.
Define:
Cloud Monitors
Tools that monitor the performance and health of cloud services, assessing bandwidth, virtual machine status, application health, and error or alert conditions.
Define:
Endpoint Protection Platforms (EPPs)
Modern antivirus solutions that detect malware using signatures and AI-based behavior analytics, often integrated with user and entity behavior analytics (UEBA).
True or False:
NetFlow tracks every individual packet transmitted over the network.
False.
NetFlow records metadata and statistics about network traffic, not individual packets.
Acronym:
SNMP
Simple Network Management Protocol
Acronym:
UEBA
User and Entity Behavior Analytics
Acronym:
DLP
Data Loss Prevention
List:
How do data loss prevention (DLP) tools work?
- Mediating data transfers
- Restricting copying to authorized media
- Monitoring DLP policy violations
- Highlighting trends over time
List:
Features of NetFlow analysis tools.
- Based on traffic trends and patterns
- Identifies rogue user behavior or malware in transit
- Detects C&C traffic
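Two of the detections above run over NetFlow-style records, as an added example that is not from the flashcards: beaconing (fixed-interval connections typical of C&C check-ins) and a large outbound transfer. The flow records are constructed and use documentation address ranges (203.0.113.0/24, 198.51.100.0/24); note that a record carries counts and timestamps, never the packets themselves.

```python
"""Beaconing and bulk-transfer detection over NetFlow-style records.
Added example, not from the flashcards; all flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass
class Flow:
    """The fields a NetFlow record summarizes; no packet payload is ever present."""
    start: int      # seconds
    src: str
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


def _constructed_flows() -> List[Flow]:
    flows = []
    # 10.0.0.5 checks in with 203.0.113.7:443 every 60 s (+/- 1 s) with tiny payloads
    for i in range(12):
        flows.append(Flow(1000 + 60 * i + (i % 2), "10.0.0.5", "203.0.113.7", 443, "tcp", 512, 6))
    # 10.0.0.8 browses 203.0.113.20:443 at irregular times
    for t in (1005, 1130, 1142, 1600, 1603, 1999, 2500, 2510, 2700, 3100):
        flows.append(Flow(t, "10.0.0.8", "203.0.113.20", 443, "tcp", 40_000, 45))
    # 10.0.0.9 pushes 6 GB to 198.51.100.2 over SSH in three sessions
    for t in (1200, 2400, 3600):
        flows.append(Flow(t, "10.0.0.9", "198.51.100.2", 22, "tcp", 2_000_000_000, 1_500_000))
    return flows


FLOWS = _constructed_flows()


def detect_beacons(flows: List[Flow], min_count: int = 8,
                   max_jitter: float = 0.1) -> List[Tuple[str, str, int]]:
    """(src, dst, dport) triples whose inter-flow intervals are nearly constant:
    coefficient of variation of the gaps at or below max_jitter."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.start)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(key)
    return hits


def detect_large_transfers(flows: List[Flow],
                           threshold_bytes: int = 1_000_000_000) -> List[Tuple[str, str]]:
    """(src, dst) pairs whose summed bytes exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.bytes
    return [pair for pair, total in totals.items() if total > threshold_bytes]


if __name__ == "__main__":
    print("beacons:", detect_beacons(FLOWS))
    print("large transfers:", detect_large_transfers(FLOWS))
```

Real C&C frameworks add random jitter to their sleep interval precisely to defeat the constant-gap test, so production tooling tunes max_jitter per environment and combines this signal with destination reputation and byte-size regularity.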
List:
Three main types of SIEM data collection methods.
- Agent-based: Installed on hosts to process data locally.
- Listener/collector: Hosts push logs directly to the SIEM server.
- Sensor: Collects packet captures and traffic flow data from network sniffers.
Acronym:
SOAR
Security Orchestration, Automation, and Response
Define:
Log Aggregation
The process of collecting log data from many sources into a central store and normalizing it into a consistent format so that events can be correlated and searched within a SIEM system.
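Aggregation and normalization as a SIEM pipeline does it, as an added example that is not from the flashcards: three source formats (a syslog line from sshd, a Windows Security event as JSON, an nginx access line) are parsed into one schema, merged into one timeline, and then searched. Every log line is constructed, and the schema field names are this example's own.

```python
"""Normalize three log formats into one schema, merge, and search.
Added example, not from the flashcards; all log lines are constructed."""
import json
import re
from collections import Counter
from datetime import datetime, timezone
from typing import List, Optional

RAW_LOGS = [
    "Jan 12 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    '{"TimeCreated":"2024-01-12T10:15:05Z","EventID":4625,"Computer":"dc01","TargetUserName":"admin","IpAddress":"203.0.113.9"}',
    '203.0.113.9 - - [12/Jan/2024:10:15:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    "Jan 12 10:16:00 web01 sshd[2240]: Accepted password for alice from 10.0.0.4 port 51200 ssh2",
]

SYSLOG_YEAR = 2024   # BSD syslog timestamps carry no year; the collector supplies it

_SSHD = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for "
                   r"(?:invalid user )?(\S+) from (\S+)")
_NGINX = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOWS_LOGON = {4624: "success", 4625: "failure"}   # Security log logon event ids


def normalize(line: str) -> Optional[dict]:
    """Map one raw line to {ts, host, source, event, user, src_ip, outcome}, or None."""
    m = _SSHD.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR,
                                                                    tzinfo=timezone.utc)
        return {"ts": ts, "host": m.group(2), "source": "sshd", "event": "logon",
                "user": m.group(4), "src_ip": m.group(5),
                "outcome": "success" if m.group(3) == "Accepted" else "failure"}
    if line.startswith("{"):
        ev = json.loads(line)
        if ev.get("EventID") in WINDOWS_LOGON:
            ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            return {"ts": ts, "host": ev["Computer"], "source": "windows-security", "event": "logon",
                    "user": ev.get("TargetUserName"), "src_ip": ev.get("IpAddress"),
                    "outcome": WINDOWS_LOGON[ev["EventID"]]}
        return None
    m = _NGINX.match(line)
    if m and m.group(4).startswith("/login"):
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        # access logs carry no hostname; a SIEM tags it from the sending agent
        return {"ts": ts, "host": None, "source": "nginx", "event": "logon",
                "user": None, "src_ip": m.group(1),
                "outcome": "success" if int(m.group(5)) < 400 else "failure"}
    return None


def aggregate(lines: List[str]) -> List[dict]:
    """All parseable events from every source on one UTC timeline."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def failed_logons_by_ip(events: List[dict]) -> Counter:
    """The search that only works once the sources share a schema."""
    return Counter(e["src_ip"] for e in events
                   if e["event"] == "logon" and e["outcome"] == "failure")


if __name__ == "__main__":
    for e in aggregate(RAW_LOGS):
        print(e["ts"].isoformat(), e["source"], e["outcome"], e["src_ip"])
    print(failed_logons_by_ip(aggregate(RAW_LOGS)))
```

Three failures from 203.0.113.9 within ten seconds across SSH, Windows and the web application only become one password-spraying signal after normalization; searched per source they are three unremarkable single events.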
Define:
Alert Fatigue
A condition where analysts become overwhelmed by low-priority alerts, potentially missing critical incidents due to high false-positive rates.
Define:
Security Orchestration, Automation, and Response (SOAR)
Platforms that automate responses to incidents through playbooks and integrate workflows across security tools such as the SIEM, ticketing and endpoint protection.
What is a policy server [DLP]?
Configures:
1. Classification
2. Confidentiality
3. Privacy rules
Also:
1. Logs incidents
2. Compiles reports
What is a tombstone mechanism in DLP?
A remediation mechanism that replaces the quarantined file with one explaining the policy violation and instructions on how to regain access.
Compare:
Alert-only remediation vs. Block remediation in DLP.
Alert-only: Allows copying but logs the incident and may notify an administrator.
Block: Prevents the user from copying the file, with or without notifying the user.
List:
Components of a DLP solution.
- Policy server: Configures rules and logs incidents
- Endpoint agents: Enforces policies on client devices.
- Network agents: Scans communications and enforces policies at network borders.
List:
Common remediation mechanisms in DLP.
- Alert only.
- Block.
- Quarantine.
- Tombstone.
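The DLP components and remediation mechanisms from the cards above in miniature, as an added example that is not a product's code or the flashcards': a policy server holding classification rules and the remediation for each class, and an endpoint agent mediating a copy to removable media with alert, block, quarantine and tombstone outcomes. The files, the rules and the "USB drive" are constructed and kept in memory; the card number used is the standard Luhn-valid test number 4111 1111 1111 1111.

```python
"""DLP policy server + endpoint agent, in memory.
Added example, not from the flashcards; files and rules are constructed."""
import re
from typing import Dict, List, Optional

# Constructed local disk: path -> content
FILES = {
    "/home/alice/customers.csv": "name,card\nBob,4111 1111 1111 1111\n",
    "/home/alice/roadmap.docx": "CONFIDENTIAL - product roadmap 2025",
    "/home/alice/lunch.txt": "INTERNAL: team lunch on Friday",
    "/home/alice/orders.txt": "Order ref 1234567890123456 shipped",   # 16 digits, not Luhn-valid
}


def luhn_ok(digits: str) -> bool:
    """Checksum that separates a plausible card number from a random 16-digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class PolicyServer:
    """Classification and privacy rules in one place; logs every incident."""
    CARD = re.compile(r"\b(?:\d[ -]?){15}\d\b")

    def __init__(self, remediation: Dict[str, str]):
        self.remediation = remediation        # class -> alert | block | quarantine | tombstone
        self.incidents: List[dict] = []

    def classify(self, content: str) -> Optional[str]:
        for m in self.CARD.finditer(content):
            if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                return "PCI"
        upper = content.upper()
        if "CONFIDENTIAL" in upper:
            return "Confidential"
        if "INTERNAL" in upper:
            return "Internal"
        return None

    def record(self, user: str, path: str, label: str, action: str) -> None:
        self.incidents.append({"user": user, "file": path, "class": label, "action": action})


class EndpointAgent:
    """Enforces the server's policy on a client device: here, copies to removable media."""

    def __init__(self, server: PolicyServer, files: Dict[str, str]):
        self.server = server
        self.files = files                     # constructed local disk
        self.usb: Dict[str, str] = {}          # constructed removable media
        self.quarantine: Dict[str, str] = {}   # agent-side quarantine store

    def copy_to_usb(self, user: str, path: str) -> str:
        content = self.files[path]
        label = self.server.classify(content)
        if label is None:
            self.usb[path] = content
            return "allowed"
        action = self.server.remediation.get(label, "block")   # unknown class: fail closed
        self.server.record(user, path, label, action)
        if action == "alert":
            self.usb[path] = content                           # copy proceeds, incident logged
        elif action in ("quarantine", "tombstone"):
            self.quarantine[path] = content                    # original moved out of reach
            if action == "tombstone":
                self.files[path] = (f"This file was quarantined by DLP: it is classified {label}.\n"
                                    "Contact the security team to request access.\n")
            else:
                del self.files[path]
        # "block": nothing is copied and the original is left untouched
        return action


if __name__ == "__main__":
    server = PolicyServer({"PCI": "block", "Confidential": "tombstone", "Internal": "alert"})
    agent = EndpointAgent(server, dict(FILES))
    for path in FILES:
        print(path, "->", agent.copy_to_usb("alice", path))
    print(server.incidents)
```

The unknown-class default of "block" is the fail-closed choice a practitioner wants: a file that matches a rule the policy server has no remediation for should never leave the host silently.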
List:
The five phases of the penetration testing life cycle.
- Perform reconnaissance
- Scan/enumerate
- Gain access
- Maintain access
- Report
What does SOW stand for in penetration testing?
Statement of Work (also expanded as Scope of Work): the document defining what the test covers, the deliverables and the timeline.
What does ROE stand for in penetration testing documentation?
Rules of Engagement.
What is a Rules of Engagement document?
A document detailing how the penetration test will be carried out, including data handling, test type, and notification processes.
Compare:
Red team vs. Purple team in security operations
Red team: Focuses solely on offensive tactics (ethical hacking).
Purple team: Combines offensive and defensive roles, bridging red and blue teams.
Black box vs. White box penetration testing
Black box: No prior knowledge of the network, simulating external attacks.
White box: Full knowledge of the network, enabling comprehensive testing.
Define:
Penetration test (pen test)
A method using authorized hacking techniques to discover vulnerabilities in an organization’s security systems.
Define:
Physical penetration testing
A test simulating real-world scenarios to evaluate physical security systems like access controls and surveillance.
What does CI/CD mean in continuous penetration testing?
Continuous Integration/Continuous Deployment (or Delivery): the automated build-and-release pipeline into which continuous penetration testing or security scanning is integrated so that each build is tested rather than only a yearly snapshot.
List:
The steps of a penetration test.
- Verify a threat exists.
- Bypass security controls.
- Actively test security controls.
- Exploit vulnerabilities.