Security Operations 4.3

Question 1

Vulnerability Scanning

Answer 1

Scans the operating system to see if the potential for an exam exists on a particular system.

Port Scan, Identify Systems, Test from the outside and inside.

Question 2

SAST

Answer 2

Static Code analyser
Identify many security vulnerabilities. Buffer overflows, database injections.

Not everything can be identified through analysis.

Question 2

Dynamic Analysis (Fuzzers)

Answer 2

Random input put into an application to see what the results might be.

Looking for the application to act in a way out of the ordinary.

Question 3

Package Monitoring

Answer 3

Some applications are distributed in a package. Confirm the package is legitimate. Confirm a safe package before deployment - by opening in a sandbox/lab environment.

Question 4

OSINT

Answer 4

Open-source (Publicly available sources)
Internet - Discussion groups, social media
Government data
Commercial Data.

Question 5

Proprietary/Third-party Intelligence.

Answer 5

Third party intelligence company has compiled the threat information and you can buy it. Correlation across different data sources. Constantly monitoring the threat landscape.

Question 6

Information-sharing organisation

Answer 6

Organisations might publicise threats to collaborate against threats.

Public threat intelligence
Private threat intelligence
Need to share critical security details.

Question 7

Cyber threat alliance (CTA).

Answer 7

Members upload specifically formatted threat intelligence.

Question 8

Dark web intelligence.

Answer 8

Use to conduct research on hackers and their activities.

Monitor forums.

Question 9

Penetration testing

Answer 9

Simulating an attack to see if we can gain exploits. Often a compliance mandate.

National institute of standards and technology - NIST

Question 10

Rules of engagement

Answer 10

An important document;

Defines the purpose and scope, make sure everyone is aware of the rest parameters.

Type of testing and schedule - no pen testing on business hours for example

Rules, Emergency, How to handle sensitive information.

Question 11

Exploiting vulnerabilities while pen-testing.

Answer 11

Be careful not to break into the system. Be careful to not cause a denial of service or loss of data.

Question 12

What is the process after gaining access to a system.

Answer 12

After breaking into a network you’d want to use the exploit to move from system to system. This is known as lateral movement.

Persistence (Set up a back door to make sure there is always a way back in).

Question 13

The pivot - Pen testing.

Answer 13

Gain access to the stems that would normally not be accessible. Use a vulnerable system as a proxy or relay.

Question 14

Responsible disclosure program.

Answer 14

Takes time to fix a vulnerability. Software changes, testing, deployment.

Bug bounty programes - A reward for discovering vulnerabilities, Earn money for hacking a system.

Question 15

False positive

Answer 15

A vulnerability is identified that doesn’t really exist. This is a different than a low-severity vulnerability.

Question 16

False Negative

Answer 16

A vulnerability does exist but wasn’t detected by the vulnerability scan.

Question 17

Prioritising vulnerabilities

Answer 17

Not every vulnerability shares the same priority.
This may be difficult to determine.

Question 18

CVSS

Answer 18

Common vulnerability scoring system. 0-10

Question 19

CVE

Answer 19

The vulnerabilities can be crossed referenced online.
Common Vulnerabilities and exposures.

Question 20

Vulnerability classification

Answer 20

After the vulnerability scanner detects the vulnerability it should provide a ranking system which shows the severity of the vulnerability.

Question 21

Exposure Factor

Answer 21

An exposure factor loss of value or business activity. If the vulnerability is exploited expressed as a percentage.

A small DDoS may limit access to a service.

Question 22

Environmental Variables.

Answer 22

Environmental variables.
What type of environment is associated with this vulnerability?

Consider the environment so:
number and type of users
Revenue generating application
Potential for exploit

Question 23

Industry/organisation impact.

Answer 23

The amount of risk acceptable to an organisation is risk tolerance.

Question 24

Patching

Answer 24

The most common mitigation techniques. Patches are often scheduled, monthly, quarterly. Constantly provided.

Unscheduled patches often occur if there is an urgent vulnerability.

Question 25

Insurance

Answer 25

Cyber security insurance coverage.
-Lost revenue
-Data recovery costs
-Money lost to phishing
-Privacy lawsuit costs.

Insurance doesn’t cover everything.

Question 26

Segmentation to limit scope.

Answer 26

Limit scope of a potential exploit by separating devices into their own network via VLANS.

Airgaps may be required.
Use internal NGFW’s
Block unwanted unnecessary traffic between VLANS.

Question 27

What are the two ways to achieve segmentation

Answer 27

Physical segmentation, multiple units, separate infrastructure

Logical segmentation with VLANS.

Question 28

Compensating controls examples in the event of a breach.

Answer 28

Disable the problematic service.
Revoke access to the application
Limit external access
Modify internal security control and software firewalls.

Question 29

Exceptions and exemptions

Answer 29

Not everything can be patched so the change control committee will make decisions on what devices will not receive a patch.

Whilst a vulnerability may exist it may not be easy to exploit for example it may need to be physically accessed to exploit so leaving unpatched does not dramatically increase risk.

Question 30

Validation of remediation

Answer 30

Important to perform a a scan to ensure that the patch really did stop the exploit and all vulnerable systems.

Important to conduct another vulnerability scan to see if the vulnerability still exists.

Question 31

Reporting

Answer 31

Ongoing checks are required. New vulnerabilities are continuously discovered. Necessary once an organisation reaches a certain size.

Continuous reporting:
- Number of identified vulnerabilities
-System patched vs unpatched
-New threat notifications
-Errors, exceptions and exemptions.