Study Guide - Chapter 8: Responding to Vulnerabilities Flashcards

1
Q

1- Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?

  • Removed the threat
  • Reduced the threat
  • Removed the vulnerability
  • Reduced the vulnerability
A

Removed the vulnerability

By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

2
Q

2- You notice a high number of SQL injection attacks against a web application run by your organization and you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?

  • Reduced the magnitude
  • Eliminated the vulnerability
  • Reduced the probability
  • Eliminated the threat
A

Reduced the probability

Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

3
Q

3- Aziz is responsible for the administration of an e‐commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.

What is the asset value (AV)?

  • $5,000
  • $100,000
  • $500,000
  • $600,000
A

$500,000

The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

4
Q

4- Aziz is responsible for the administration of an e‐commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.

What is the exposure factor (EF)?

  • 5%
  • 20%
  • 50%
  • 100%
A

100%

The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100%.

5
Q

Asset Value

A

Asset value (AV) refers to the value of an asset affected by a risk.

  • It may be determined using the cost to acquire the asset, the cost to replace the asset, or the depreciated cost of the asset, depending on the organization’s preferences.
  • Losing control of a customer database, for example, could result in a $500,000 fine, so the asset value is $500,000.
6
Q

Exposure Factor

A
  • Exposure factor (EF) is the percentage of an asset expected to be damaged if a risk materializes. It is used in quantitative risk assessments to determine the potential financial impact of a risk.
  • An EF of 100 percent means the risk would completely destroy an asset.
  • An EF of 50 percent means the risk would damage half of an asset.
  • For example, if an attack would result in the total loss of customer data stored in a database, the exposure factor (EF) would be 100%.
7
Q

5- Aziz is responsible for the administration of an e‐commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.

What is the single loss expectancy (SLE)?

  • $5,000
  • $100,000
  • $500,000
  • $600,000
A

$500,000

We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100%) to get an SLE of $500,000.

8
Q

SLE

A
  • Single Loss Expectancy (SLE) is the amount of damage expected from a single occurrence of an incident. The SLE is calculated by multiplying the asset value (AV) by the exposure factor (EF).
  • Asset Value (AV) refers to the value of the asset affected by a risk. It is the first step in conducting a quantitative risk assessment.
  • Exposure Factor (EF) is the percentage of an asset expected to be damaged if a risk materializes.
9
Q

6- Aziz is responsible for the administration of an e‐commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.

What is the annualized rate of occurrence (ARO)?

  • 0.05
  • 0.20
  • 2.00
  • 5.00
A

0.05

Aziz’s threat intelligence research determined that the threat has a 5% likelihood of occurrence each year. This is an ARO of 0.05.

10
Q

7- Aziz is responsible for the administration of an e‐commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5% chance of a successful attack in any given year.

What is the annualized loss expectancy (ALE)?

  • $5,000
  • $25,000
  • $100,000
  • $500,000
A

$25,000

We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.

11
Q

ALE

A
  • Annualized Loss Expectancy (ALE) is the amount of damage expected from a risk each year. It is calculated by multiplying the single loss expectancy (SLE) and the annualized rate of occurrence (ARO).
  • Single Loss Expectancy (SLE) is the amount of damage expected from a single occurrence of an incident. The SLE is calculated by multiplying the asset value (AV) by the exposure factor (EF).
  • Asset Value (AV) refers to the value of the asset affected by a risk.
  • Exposure Factor (EF) is the percentage of an asset expected to be damaged if a risk materializes.
  • Annualized Rate of Occurrence (ARO) refers to the estimated frequency with which a threat is expected to occur in a year. For example, a risk that is expected to occur twice a year has an ARO of 2.0, whereas a risk that is expected once every hundred years has an ARO of 0.01.
12
Q

ARO

A
  • Annualized Rate of Occurrence (ARO) refers to the estimated frequency with which a threat is expected to occur in a year. It is a component used to calculate Annualized Loss Expectancy (ALE).
  • The ARO is multiplied by the Single Loss Expectancy (SLE) to calculate the ALE.
  • A risk that is expected to occur twice a year has an ARO of 2.0, whereas a risk that is expected once every hundred years has an ARO of 0.01.
  • For instance, if threat intelligence research determines that a threat has a 5% likelihood of occurrence each year, the ARO is 0.05.
13
Q

8- Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

Grace’s first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?

  • Risk acceptance
  • Risk avoidance
  • Risk mitigation
  • Risk transference
A

Risk mitigation

Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.

14
Q

12- Which of the following is a formal process that allows organizations to open their systems to inspection by security researchers in a controlled environment?

  • Edge discovery
  • Passive discovery
  • Security controls testing
  • Bug bounty
A

Bug bounty

Bug bounty programs provide a formal process that allows organizations to open their systems to inspection by security researchers in a controlled environment that encourages attackers to report vulnerabilities in a responsible fashion. Edge discovery scanning identifies any systems or devices with public exposure by scanning IP addresses belonging to the organization. Passive discovery techniques monitor inbound and outbound traffic to detect devices that did not appear during other discovery scans. Security controls testing verifies that the organization’s array of security controls are functioning properly.

15
Q

13- Which of the following is often used to assist with the prevention of XSS and SQL injection attacks?

  • Secure session management
  • Input validation
  • SLOs
  • Maintenance windows
A

Input validation

Input validation helps prevent a wide range of problems, from cross‐site scripting (XSS) to SQL injection attacks. Secure session management ensures that attackers cannot hijack user sessions or that session issues don’t cause confusion among users. Organizations that offer technology services to customers may define service level objectives (SLOs) that set formal expectations for service availability, data preservation, and other key requirements. Many organizations choose to consolidate many changes in a single period of time known as a maintenance window. Maintenance windows typically occur on evenings and weekends or during other periods of time where business activity is low.

16
Q

14- Which of the following is designed specifically to support penetration testing and the reverse engineering of malware?

  • Immunity debugger
  • GDB
  • SDLC
  • Parameterized queries
A

Immunity debugger

The Immunity debugger is designed specifically to support penetration testing and the reverse engineering of malware. GNU debugger (GDB) is a widely used open source debugger for Linux that works with a variety of programming languages. The software development life cycle (SDLC) describes the steps in a model for software development throughout its life. Parameterized queries prevent SQL injection attacks by precompiling SQL queries so that new code may not be inserted when the query is executed.

17
Q

15- Jason gathers threat intelligence that notes that an adversary that his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?

  • His organization’s attack surface
  • A possible attack vector
  • An example of adversary capability
  • A probability assessment
A

A possible attack vector

Attack vectors, or the means by which an attacker can gain access to their target, can include things like USB key drops. You may be tempted to answer this question with adversary capability, but remember the definition: the resources, intent, or ability of the likely threat actor. Capability here doesn’t mean what they can do, but their ability to do so. The attack surface might include the organization’s parking lot in this example, but this is not an example of an attack surface, and there was no probability assessment included in this problem.

18
Q

16- What type of assessment is particularly useful for identifying insider threats?

  • Behavioral
  • Instinctual
  • Habitual
  • IOCs
A

Behavioral

Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior, the context of the actions performed, such as after-hours logins, misuse of credentials, logins from abnormal locations or in abnormal patterns, and other behavioral indicators, is often used.

19
Q

17- STRIDE, PASTA, and LIDDUN are all examples of what?

  • Zero‐day rating systems
  • Vulnerability assessment tools
  • Adversary analysis tools
  • Threat classification tools
A

Threat classification tools

STRIDE, PASTA, and LIDDUN are all examples of threat classification tools. LIDDUN focuses on threats to privacy, STRIDE is a Microsoft tool, and PASTA is an attacker‐centric threat modeling tool.

20
Q

STRIDE

A

STRIDE is a threat classification model from Microsoft that can classify threats based on what they leverage.

STRIDE is an acronym for:
* Spoofing of user identity
* Tampering
* Repudiation
* Information disclosure
* Denial of service
* Elevation of privilege

Benefits:
* It allows a common framework to describe threats, allowing others to contribute and manage threat information.
* Models serve as a reminder of the types of threats that exist and can help analysts and security practitioners perform better threat analysis by giving them a list of potential threat options.

21
Q

PASTA

A

The PASTA (Process for Attack Simulation and Threat Analysis) model is a threat classification tool. It is also described as an attacker-centric threat modeling tool.

22
Q

LIDDUN

A

LIDDUN is a threat classification tool that focuses on threats to privacy.

23
Q

18- What type of software testing tool executes the code as it is being tested?

  • Static analysis
  • Dynamic analysis
  • Compilation
  • Decompilation
A

Dynamic analysis

Dynamic analysis techniques actually execute the code during the testing process. Static code analysis tools and techniques analyze the structure and content of code without executing the code itself. Compilation is the process of transforming source code into an executable and decompilation attempts to reverse that process. Neither compilation nor decompilation executes the code.

24
Q

Fagan testing

A

Fagan testing is a formal method of code inspection.