Vulnerability Types 1.6 Flashcards

1
Q

Scope of Vulnerabilities

A

Digital, physical, programming, process, procedure, network design: there are many ways to exploit a security system.

2
Q

Race Condition

A

A programming conundrum. Sometimes a computer isn’t able to process rapid inputs in succession well. If there is a failure or lack of a validation system, the computer system is unable to properly execute its intended function. This could lead to system loops, improper data validation, or a complete lack of function altogether.

3
Q

End-of-life Vulnerability

A

When the vendor stops supporting the software/hardware, the product may become vulnerable to new exploits. These exploits can still cause problems for users. Use up-to-date software.

4
Q

Embedded System Vulnerabilities

A

Doorbells, microwave ovens, routers, etc. are/can be embedded systems. Often we only see the user interface of these devices. Usually they are using outdated software. They don’t necessarily need to upgrade them, but they may still be vulnerable.

5
Q

Lack of Vendor Support

A

Vendors are slow/lazy/unable to patch known vulnerabilities.

6
Q

Improper input handling

A

Poor authentication programming that allows attackers to do injections, buffer overflows, DDoS, etc.

7
Q

Improper error handling

A

Errors occur in software, but if there is too much information provided in an error message, attackers can use the information to exploit the error and gain access.

8
Q

Misconfiguration/weak configuration

A

Attackers will find poorly protected access points.

9
Q

Default configurations

A

Many users never change the default logins. The Mirai botnet takes advantage of default configurations for a massive variety of different systems: cameras, doorbells, garage systems, etc. Mirai is open source software…

10
Q

Untrained users

A

One untrained user can create a breach. Training is critical. Email training doesn’t work. Training is time-consuming and expensive, but worth it.

11
Q

Improperly configured accounts

A

Abandoned and unnecessary accounts. Test accounts and old accounts can be exploited. Frequently audit your existing user accounts. Make sure they have the proper access and that only authorized users have elevated access.

12
Q

Weak cipher suites

A

Some ciphers are easier to crack than others. Always use the best cipher suite.

13
Q

Memory/buffer vulnerabilities

A

Memory leaks can slowly grow until they eventually use all the memory and crash the system. Integer overflow: a large number placed into a smaller-sized space. Where does the extra number go? Poor programming is the only reason this would happen. Buffer overflows, etc.

14
Q

System sprawl/undocumented assets

A

More of a problem for big organizations with many computers with different needs: different operating systems, test platforms, etc. Keeping track of all of these systems is a challenge. It’s easy to miss a forgotten computer under a desk, part of a retired system, etc. If these systems are not patched, they become vulnerable.

15
Q

Architecture/design/access point weaknesses

A

The best security system fails if you don’t have locks on the doors. Examine every access point, including your business partner access, etc.

16
Q

Zero day threats

A

Unknown/undiscovered vulnerabilities or something that hasn’t had enough testing time to properly secure.

17
Q

Improper certificate and key management

A

There has to be a lot of planning about your keys and certificates. These decisions need to be very well thought out; do not make them on the fly.