Scor Information Security concepts

Question 1

These controls are aimed at preventing the threat from encountering the vulnerability. Examples are firewalls, physical locks, and security policies.

Answer 1

Preventive

Question 2

These controls identify that the threat has entered the network or system. Examples are log monitoring and correlation, IPSs, and surveillance cameras. Note that by detecting a threat with IPS, it is also detective.

Answer 2

detective

Question 3

These controls are aimed at mitigating or lessening the effects of the threat that is manifested. Examples are virus cleaning procedures or IPS signature updates after a worm outbreak.

Answer 3

corrective

Question 4

These controls are aimed at putting a system back into production after an incident. Most disaster recovery activities fall into this category, although it is often considered a subset of corrective controls.

Answer 4

Recovery

Question 5

These controls are aimed at discouraging security violations. These controls can be seen as a subset of preventive controls. Examples are signage (“Keep Out” type visuals and policies) or the mere presence of controls such as surveillance cameras.

Answer 5

Deterrent

Question 6

CVSS

Answer 6

Common vulnerabilities scoring system

Question 7

How do you calculate risk ?

Answer 7

Threats x Vulnerabilities x Impact = Risk

Question 8

What is a Threat source ?

Answer 8

The intent and method that intentional exploits a vulnerability

Question 9

What is a Threat ?

Answer 9

A threat is the potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Question 10

What is Impact ?

Answer 10

Impact is the damage that is caused by the threat.

Question 11

Quantitative risk assessment ?

Answer 11

Quantitative risk assessment involves trying to map a dollar amount to each specific risk,

Question 12

qualitative risk assessment ?

Answer 12

involves assigning a risk level such as low, medium, or high to each specific risk.

Question 13

What is business risk ?

Answer 13

Business rick is varys but is the risk that a business incurs merely as part of doing business.

Question 14

What is Data Risk ?

Answer 14

the risk of corruption or disclosure of important company data

Question 15

What is Systems risk ?

Answer 15

The likelihood that a company information system is not adequately protected from damage, loss, or compromise. An example is a company storing important files in a room prone to flooding.

Question 16

The process that balances the operational and economic costs of protective measures and the achieved gains in mission capability by protecting the IT systems and data that support their organizations’ missions.

Answer 16

Risk Management

Question 17

a common option when the cost of other risk management options such as avoidance may outweigh the cost of the risk itself.

Answer 17

Risk acceptance

Question 18

the action that avoids any exposure to the risk. Risk avoidance is usually the most expensive risk mitigation option.

Answer 18

Risk avoidance

Question 19

limits a company’s risk exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance. It is the most used risk mitigation strategy.

Answer 19

Risk limitation

Question 20

the transference of risk to a willing third party (for example, an insurance company).

Answer 20

Risk transfer

Question 21

If an engineering server’s risk of being hacked is assigned a risk level of very high, which assessment strategy is being used?

quantitative

qualitative

impact

discretionary

non-discretionary

Mandatory

Answer 21

qualitative

Question 22

Risk is a function of which three factors? (Choose three.)

threat

cost of security solution

vulnerabilities

impact

deployment time

support costs

Answer 22

Threat
Vulnerabilities
Impact

Question 23

What are the steps performend during the Vulnerability assessment process ?

Answer 23

Device discovery
Service enumeration
Scanning
Validation

Question 24

CVSS Base metrics is composed of two sets of metrics, what are they

Answer 24

Exploitability metrics and Impact metrics

Question 25

What are the Exploitability metrics that fall under the CVSS base metric ?

Answer 25

Attack Vector (AV)
Attack complexity (AC)
Privileges Required (PR)
User interaction (UI)
Scope (S)

Question 26

What are the Impact metrics that fall under the CVSS base metric ?

Answer 26

Confidentiality impact
Integrity impact
Availability impact

Question 27

What is AV ?

Answer 27

This metric reflects the contrext by which vulnerability exploitation is possible.

Question 28

What are all the vulnerable components in AV ?

Answer 28

Local
Adjacent
Network
Physical

Question 29

what is the AV vulnerable component that best matches

Exploiting the vulnerability requires either physical access to the target or a local (shell) account on the target.

Answer 29

Local

Question 30

what is the AV vulnerable component that best matches

Exploiting the vulnerability requires access to the local network of the target and cannot be performed across an OSI Layer 3 boundary.

Answer 30

Adjacent

Question 31

what is the AV vulnerable component that best matches

The vulnerability is exploitable from remote networks. Such a vulnerability is often termed “remotely exploitable,” and can be thought of as an attack being exploitable one or more network hops away, such as across Layer 3 boundaries from routers.

Answer 31

Network

Question 32

what is the AV vulnerable component that best matches

A vulnerability exploitable with physical access requires the attacker to physically touch and manipulate the vulnerable component.

Answer 32

Physical

Question 33

What is AC

Answer 33

Attack complexity, This metric describes the conditions beyond the attacker’s control that must exist to exploit the vulnerability.

Question 34

What are the metrics that fall under AC and describe them

Answer 34

Low: Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

High: A successful attack depends on conditions beyond the attacker’s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

Question 35

What is PR ?

Answer 35

Privileges Required, This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability,

Question 36

What are the diffrerent PR metrics and describe them

Answer 36

None: The attacker is unauthorized before attack, and therefore does not require any access to settings or files to carry out an attack.

Low: The attacker is authorized with privileges that provide basic user capabilities that could normally affect only settings and files that are owned by a user. Alternatively, an attacker with low privileges may have the ability to cause an impact only to non-sensitive resources only.

High: The attacker is authorized with privileges that provide significant (for example, administrative) control over the vulnerable component that could affect component-wide settings and files.

Question 37

What is UI ?

Answer 37

User interaction, this metric indicates whether a user other than the attacker must participate for the exploitation of a vulnerability to succeed

Question 38

What are the different UI metrics ? and describe them

Answer 38

None: The vulnerable system can be exploited without interaction from any user.

Required: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.

This is like a user opening up a corroupt file

Question 39

what is base metric Scrope (S) ?

Answer 39

Scope, An important property that is captured by CVSS is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Question 40

what are the different metrics that fall under Scrop or (S) ? and describe them

Answer 40

Unchanged: An exploited vulnerability can only affect resources that are managed by the same authority. In this case, the vulnerable component and the impacted component are the same.

Changed: An exploited vulnerability can affect resources beyond the authorization privileges that are intended by the vulnerable component. In this case, the vulnerable component and the impacted component are different.

Question 41

What is the organizational benefit of incorporating CVSS into risk analysis?

It gives insight into the result of a compromise or attack.

It lowers the threat to detection time.

It is a structured method to assist with prioritizing a vulnerability response.

It makes the engineer read more information than they would have on their own.

Answer 41

It is a structured method to assist with prioritizing a vulnerability response.

Question 42

What three factors contribute to a CVSS score? (Choose three.)

performance

confidentiality

privileges

reliability

availability

Answer 42

Availability
privileges
confidentiality

Question 43

What is confidentiality impact ?

Answer 43

This metric measures the impact to the confidentiality of the information resources that are managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, preventing access by, or disclosure to, unauthorized ones.

Question 44

What is intergrity impact ?

Answer 44

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

Question 45

What is availability impact ?

Answer 45

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the confidentiality and integrity impact metrics apply to the loss of confidentiality or integrity of data such as information and files used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service such as web, database, and email. Because availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

Question 46

What is CVSS temporal metrics ?

Answer 46

temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Question 47

What metrics fall under the temporal metrics ?

Answer 47

Exploit code maturity
Remediation level (RL)
Report confidence (RC)

Question 48

What is CVSS Environmental metrics ?

Answer 48

environmental metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, which are measured in terms of complementary/alternative security controls in place: Confidentiality, Integrity, and Availability.

Question 49

What metrics fall under Environmental metrics ?

Answer 49

Security Requirements (CR, IR, AR)
Modified Base Metrics