Section 22.212 Analysing Vulnerabilities Flashcards
Objective 4.3 Explain various activities associated with vulnerability management
Vulnerability Confirmation
Determining the accuracy of identified potential security weaknesses
Vulnerability Confirmation
True Positive
Real and exploitable vulnerability correctly identified
Vulnerability Confirmation
False Positive
Vulnerability reported by a scan or assessment that does not actually exist
Vulnerability Confirmation
True Negative
Correctly identifies the absence of a vulnerability
Vulnerability Confirmation
False Negative
Serious finding – vulnerability exists but remains undetected
Prioritising Vulnerabilities
■ Ranking identified vulnerabilities by severity and potential impact
■ Factors include ease of exploitation, potential damage, system importance
■ Use scoring systems like Common Vulnerability Scoring System (CVSS)
■ Ensure focus on the most critical security threats
Classifying Vulnerabilities
■ Categorising vulnerabilities based on type, potential impact, and affected systems
■ Streamlines management and response efforts
■ Vulnerabilities might be classified into categories such as…
● Software flaws
● Configuration errors
● Security policy gaps
CVE (Common Vulnerabilities and Exposures)
System that provides a standardised way to uniquely identify and reference known vulnerabilities in software and hardware
● Provides solutions and mitigation strategies
● Helps assess security and prioritise vulnerability fixes
Organisational Impact of Vulnerabilities
Assessing potential impact on confidentiality, integrity, and availability
■ Consider industry-specific impact
■ Impact on reputation, business continuity, regulatory fines, customer trust
Exposure Factor (EF)
A quantifiable metric estimating the percentage of an asset that would be damaged or lost if a vulnerability is exploited
■ Helps understand potential loss due to vulnerability exploitation
■ Supports qualitative risk management in the organisation
Risk Tolerance
The level of risk an organisation is willing to accept
■ Determines the urgency of vulnerability remediation
■ High risk tolerance may allow monitoring of certain vulnerabilities
■ Low risk tolerance may require swift remediation of even minor vulnerabilities
■ Alignment of vulnerability management with overall business strategies and objectives