Unit 3 - Module 3 - Vulnerabilities

Question 1

What do you call a weakness that can be explioted by a threat?

Answer 1

Vulnerability

Question 2

What do you call a way of taking advantage of a vulnerability?

Answer 2

Exploit

Question 3

What would you call this list’s management protocol?

1) Idenfity vulnerabilites
2) Consider potential exploits
3) Prepare defenses against threats
4) Evaluate those defenses

Answer 3

Vulnerability Management

Question 4

What do you call an exploit that was previously unknown?

Answer 4

Zero-day

Question 5

What do you call a layered approach to vulnerability management that reduces risk?

Answer 5

Defense in depth

Question 6

What are the 5 defense layers?

Answer 6

1) Perimeter Layer
2) Network Layer
3) Endpoint Layer
4) Application Layer
5) Data Layer

Question 7

What do you call a mistake that can be exploited by a threat?

Answer 7

Exposure

Question 8

What is the openly accessible dictionary of known vulnerabilities and exposures?

Answer 8

Common Vulnerabilities and Exposures list ( CVE list )

Question 9

Who is a collection of non-profit research and development centers?

Answer 9

MITRE

Question 10

What do you call the organization that volunteers to analyze and distribute information on eligible CVEs?

Answer 10

CVE Numbering Authority ( CNA )

Question 11

What is this list criteria?

1) Independent of other issues
2) Reconized as a potential security risk
3) Submitted with supporting evidence
4) Only affect one codebase

Answer 11

Criteria for CVE list

( Submitting vulnerabilitys for the public to know )

Question 12

What do you call the measurement system that scores the severity of a vulnerability?

Answer 12

Common Vulnerability Scoring System (CVSS)

Question 13

What is a nonprofit open platform foundation that works to improve the security of software?

Answer 13

OWASP

Question 14

What foundation has these 10 common vulnerabilities listed for businesses to be aware of?

1) Broken Access Control
2) Cryptographic Failures
3) Injection
4) Insecure design
5) Security Misconfiguration
6) Vulnerable and outdated components
7) Identification and authentication failures
8) Software and data integrity failures
9) Security logging and monitoring failures
10) Server-side request forgery

Answer 14

OWASP

Question 15

What do you call the internal review process of an organization’s security systems?

Answer 15

Vulnerability Assessment

Question 16

What assessment process is this?

1) Identification
2) Vulnerability Analysis
3) Risk Assesssment
4) Remediation

Answer 16

Vulnerability Assessment Process

Question 17

What do you call a software that automatically compares known vulnerabilites and exposures against the technologies on the network?

Answer 17

Vulnerability Scanner

Question 18

What layer is made up of technologies like network firewalls and others?

Answer 18

Network Layer

Question 19

What layer authenticates systems that validates users access?

Answer 19

Perimeter Layer

Question 20

What layer describes devices on a network, like laptops, desktops, or servers?

Answer 20

Endpoint Layer

Question 21

What layer involves the software that users interact with?

Answer 21

Application Layer

Question 22

What layer includes any information that’s stored, in transit, or in use?

Answer 22

Data Layer

Question 23

What do you call a software and operating system update tha taddresses security vulnerabilities witin a program or product?

Answer 23

Patch Update

Question 24

What is the advantage and disadvantage of manual updates?

Answer 24

Advantage - Being able to control, it’s useful when updates are not throughly testsed by developers.

Disadvantage - Critical updates can be forgotten or disregarded.

Question 25

What penetration testing is when the tester has the same priviledged access that an internal developer would have?

Answer 25

Open-box testing

Question 26

What penetration testing is when the tester has little to no access to internal systems?

Answer 26

Closed-box testing

Question 27

What penetration testing is when the tester has limited access and knowledge of an internal system?

IE) Customer service rep has limited knowledge

Answer 27

Partial knowledge testing

Question 28

What do you call the process of strengthening a system to reduce its vulnerabilities and attack surface?

Answer 28

Security Hardening

Question 29

What do you call the internal review process of an organization’s security systems?

Answer 29

Vulnerability Assessments

Question 30

What do you call external security vendors and freelance hackers that some companies incentivize to find and report vulnerabilities?

Answer 30

Bug Bounty

Question 31

What do you call a person who might use their skills to achieve a political goal?

They’re an activist

Answer 31

Hacktivist

Question 32

What do you call a threat actor that maintains unauthorized access to a system for an extended period of time?

Answer 32

Advanced Persistent Threat (APT)

Question 33

What are 7 ways a threat actors gain access?

Answer 33

1) Direct Access - Referring to instances when they have physical access to a system
2) Removeable media - Portable hardware, like USB flash drives
3) Social Media plateforms - Used for communication and content sharing
4) Email - Both personal and business accounts
5) Wireless Networks - on permises
6) Cloud Services - Usually provided by third-party organizations
7) Supply Chains - Third party vendors that can persent a backdoor into systems

Question 34

What do you call the pathways attackers use to penetrate security defences?

Answer 34

Attack Vectors