Security Operations: Examining Vulnerability Analysis

Question 1

What are False Positives and Negatives?

Answer 1

False positives and negatives

The difference between false positives and negatives is that:

False positives are indicators or alerts of the presence of vulnerabilities that don’t actually exist. They can cause unnecessary interruptions, administrative overhead, and alert fatigue.

False negatives are vulnerabilities that are realized but are marked as nonexistent. This gives a false sense of security, as an asset can lack proper security controls

Question 2

What is CVE?

Answer 2

Common Vulnerability Exposure

CVE is a public list of vulnerabilities, and:

Each vulnerability is assigned a CVE identification number.

This list is used in other databases, such as the U.S. National Vulnerability Database (NVD).

Question 3

What is CVSS?

Answer 3

Common Vulnerability Scoring System

CVSS is a method used to supply a qualitative measure of severity. CVSS metric groups include:

Base: The most rudimentary, immutable qualities of a vulnerability.

Temporal: The time-dependent qualities of a vulnerability.

Environmental, or environmental variables: The implementation and environment-specific qualities of a vulnerability.

Question 4

How can you utilize CVE and CVSS?

Answer 4

When you have these vulnerability references, you can utilize them for:

Classification.

Prioritization:

Industry and organizational impact: Enables asset classification and valuation and business-impact analysis (BIA).

Exposure factor: Specifies percentage of asset value that would be lost, if a threat is realized.

Remediation