CompTIA CySa+ Domain(2): Vulnerability Management
What CVSS vector metric describes the authentication hurdles that an attacker would need to clear to exploit the vulnerability?
Au Authentication Metric
What regulatory standard mandates the following for a vulnerability management program?
● Security controls for government, or anyone handling government data
● Systems are classified as low, moderate, or high impact
  ○ Requirements are based on those classifications
● Objectives designed around the CIA Triad
● EX:
  ○ Scan systems when new threats emerge
  ○ Utilize interoperable tools and techniques
  ○ Analyze scan reports from assessments
  ○ Remediate vulnerabilities based on risk
  ○ Share findings with other agencies to mutually eliminate vulnerabilities
FISMA - Federal Information Security Management Act
What is the term used to describe when a scanner reports a vulnerability that does not exist?
False Positive Error. Always confirm a vulnerability reported from a scanner.
Which Value does the below description describe from the Access Complexity metric? - Exploiting the vulnerability requires "Specialized" conditions that would be difficult to find
High (H)
What CVSS vector metric describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability?
I Integrity Metric
Which Value does the below description describe from the Access Vector metric? - The attacker must have physical or logical access to the affected system
Local (L) - lowest score
Which Value does the below description describe from the Access Complexity metric? - Exploiting the vulnerability does not require any specialized conditions
Low (L)
Which Value does the below description describe from the Access Complexity metric? - Exploiting the vulnerability requires "somewhat specialized" conditions
Medium (M)
What popular type of scanning tool does the following?
■ Client-side; monitors for updates, registry changes, firewall, hashing, etc.
■ Home use; not effective for a central network scan
Microsoft's Baseline Security Analyzer
Which Value does the below description describe from the Authentication metric? - Attackers would need to authenticate two or more times to exploit the vulnerability
Multiple (M) - lowest score
Which Value does the below description describe from the Access Vector metric? - The attacker can exploit the vulnerability remotely over a network
Network (N) - the highest score (most dangerous)
What category of vulnerabilities do the following belong to?
● Missing Firmware Updates
● Outdated SSL and TLS versions
● Insecure Cipher Use
● Certificate Problems
● Domain Name Server Issues
● Internal IP Disclosure
● VPN Issues
Network Vulnerabilities
What popular type of scanning tool does the following?
■ Web Application Scanner
■ Looks at the code of the app
Nikto
Which Value does the below description describe from the Authentication metric? - Attackers do not need to authenticate to exploit the vulnerability
None (N) - Highest score
Which Value does the below description describe from the CIA metrics? - There is no confidentiality/integrity/availability impact
None (N) - Lowest score
What type of trends can an analyst use to understand why something is happening? For example, finding more vulnerabilities on "Patch Tuesdays"
● Number of vulnerabilities arising over time
● The age of the vulnerabilities
● The time required to remediate vulnerabilities
What SCAP standard does the following describe? - Is a language for specifying low-level testing procedures used by XCCDF checklists
OVAL - Open Vulnerability and Assessment Language
What is one of the critical components of vulnerability management?
Communicating vulnerability scan results to technologists who have the ability to remediate them and managers responsible for the security of the environment.
Which Value does the below description describe from the CIA metrics? - All information on the system is compromised - The integrity of the system is totally compromised and the attacker may change any information at will - The system is completely shut down
Complete (C) - highest score
Who implements the vulnerability patches/fixes to systems?
System Administrators. Larger fixes need to be run by a Change Control Board.
What do the first 3 measures of the CVSS standard evaluate?
The exploitability of the vulnerability:
● AV Access Vector Metric
● AC Access Complexity Metric
● Au Authentication Metric
What do the last 3 measures of the CVSS standard evaluate?
The impact of the vulnerability:
● C Confidentiality Metric
● I Integrity Metric
● A Availability Metric
What is a common way to minimize the scope of a scanner in order to increase security and decrease labor?
■ Network segmentation allows you to scan smaller clusters to achieve regulatory compliance
  ● If only one machine is processing credit cards, only it needs to meet PCI DSS standards IF you segment it properly
What are the values used for the CVSS Temporal Remediation Level (RL) Metric?
■ O - Official Fix
■ T - Temporary Fix
■ W - Workaround
■ U - Unavailable
■ ND - Not Defined
What are the 3 most common barriers to Vulnerability Scanning?
■ System Degradation - Scanning takes up resources
■ Customer Commitments - MOUs & SLAs may create expectations around uptime, performance & security
■ IT Governance and Change Management Processes - May create bureaucratic hurdles to making the configuration changes required to support scanning
What are the values used for the CVSS Temporal Exploitability Metric?
■ U - Unproven
■ P - Proof-of-Concept
■ F - Functional
■ H - High
■ ND - Not Defined
What are the values used for the CVSS Temporal Report Confidence (RC) Metric?
■ UC - Unconfirmed
■ UR - Uncorroborated
■ C - Confirmed
■ ND - Not Defined
What are the CVSS Score Categories?
○ < 4.0 = low
○ > 4.0 and < 6.0 = medium
○ > 6.0 and < 10.0 = high
○ 10.0 = Critical
What results do analysts have to interpret after scanners identify vulnerabilities?
○ Eliminate False Positives
○ Identify root causes
○ Prioritize Remediation
What types of sections show up in a vulnerability report?
○ Identities
○ Synopsis
○ Description
○ See Also
  ■ References on the vulnerability
○ Solution
  ■ List of patches, or contingencies for if your system is unsupported
○ Risk Factor
○ CVSS Score
  ■ 3.0 is newer and not addressed on the exam. Recognize 2.0
○ STIG Severity
  ■ Military - Cat 1 is critical, Cat 3 is informational
○ References
  ■ Related vulnerabilities to the plugin
○ Exploitable With
  ■ Good way to know how prevalent the methods of attack are
○ Plugin Info
  ■ When the plugin to scan the vulnerability was made
○ Hosts
  ■ Where the vulnerability exists
What should a vulnerability management program shift toward in regards to scanning and monitoring?
- Ongoing Scanning - Configures scanners to simply scan systems on a rotating basis
- Continuous Monitoring - Incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the vulnerability management platform as soon as they occur
What are the 6 different measures of the CVSS standard?
1. AV Access Vector Metric
2. AC Access Complexity Metric
3. Au Authentication Metric
4. C Confidentiality Metric
5. I Integrity Metric
6. A Availability Metric
What 4 common factors can help an analyst prioritize the remediation of vulnerabilities?
1. Criticality of the Systems and Information Affected by the Vulnerability
  ■ If a system has a lot of PII, financial, or classified data, it needs to be fixed.
  ■ If all the data is encrypted, it might be less dangerous if it's accessed.
2. Difficulty of Remediating the Vulnerability
  ■ If you can fix four vulnerabilities for the same cost as one, well...
3. Severity of the Vulnerability (CVSS scores)
4. Exposure of the Vulnerability
  ■ If an external-facing server has a moderate vulnerability, it might pose a greater risk than a critical vulnerability on an internal server.
What are the 5 basic categories of common vulnerabilities?
1. Server and Host
2. Network
3. Virtualization
4. Web Application
5. IoT - Internet of Things
What 4 questions should an organization answer in order to identify scan targets?
1. What is the data classification of the information stored, processed, or transmitted by the system?
2. Is the system exposed to the internet or other public or semipublic networks?
3. What services are offered by the system?
4. Is the system a production, test, or development system?
The scope of a vulnerability scan describes the extent of the scan, including the answers to what 3 questions?
1. What systems and networks will be included in the vulnerability scan?
2. What technical measures will be used to test whether systems are present on the network?
3. What tests will be performed against systems discovered by the vulnerability scan?
What CVSS vector metric describes the type of disruption that might occur if an attacker successfully exploits the vulnerability?
A Availability Metric
What CVSS vector metric describes the difficulty of exploiting the vulnerability?
AC Access Complexity Metric
What CVSS vector metric describes how an attacker would exploit the vulnerability?
AV Access Vector Metric
What does the following CVSS metric express? AV:N
Access Vector: Network
What does the following CVSS metric express? CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None
Which Value does the below description describe from the Access Vector metric? - The attacker must have access to the local network that the affected system is connected to
Adjacent Network (A) - medium score
What type of scanning has the following characteristics?
■ Installed on each client to provide an "inside-out" perspective of vulnerabilities
■ Data is then sent to a centralized server for review
■ Can be resource intensive, but provides a very detailed view
Agent-Based Scanning
How is the CVSS Temporal Score different from the CVSS Base Score?
Base scores stay the same, but the temporal score changes as vulnerabilities are addressed and mitigated
What CVSS vector metric describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability?
C Confidentiality Metric
What SCAP standard does the following describe? - Provides a standard nomenclature for discussing system configuration issues
CCE - Common Configuration Enumeration
What SCAP standard does the following describe? - Provides a standard nomenclature for describing product names and versions.
CPE - Common Platform Enumeration
What SCAP standard does the following describe? - Provides a standard nomenclature for describing security-related software fixes
CVE - Common Vulnerabilities and Exposure
What SCAP standard does the following describe? - Provides a standardized approach for measuring and describing the severity of security-related software flaws
CVSS - Common Vulnerability Scoring System
● 10 = most critical
● 1 = least critical
What type of reporting tool provides a high-level summary that's easy to understand at a glance and can also:
■ Indicate priorities, trends, etc.
■ Host Overview allows you to see which hosts are most vulnerable
■ Overview of Criticality shows the worst vulnerabilities at the top
Dashboards
What are the 3 phases of the Vulnerability Management Lifecycle?
Detection -> Testing -> Remediation -> (back to Detection)
What category of vulnerabilities do the following belong to?
● Smart Devices
● SCADA - Supervisory Control and Data Acquisition Systems
● ICS - Industrial Control Systems
IoT - Internet of Things Vulnerabilities
What regulatory standard mandates the following for a vulnerability management program?
● Security controls for credit card processors and merchants
● Most specific of any vulnerability management standard
● Vendor-driven, not legally mandated
● EX:
  ○ Internal and external scans must be conducted
  ○ Scanned at least quarterly, and after all major changes
  ○ Internal scans by qualified personnel
  ○ External scans by an approved scanning vendor
  ○ High-risk vulnerabilities must be remediated until a "clean" report is achieved
PCI DSS - Payment Card Industry Data Security Standard
Which Value does the below description describe from the CIA metrics?
- Access/modification to some information is possible, but the attacker does not have control over what information is compromised/modified
- The performance of the system is degraded
Partial (P) - medium score
What protocol is used to create a standardized approach for communicating security-related information? This standardization is important to the automation of interactions between security components
SCAP - Security Content Automation Protocol. Standards include: CCE, CPE, CVE, CVSS, XCCDF, OVAL
What is the goal of a Vulnerability Management Program?
Seeks to identify, prioritize, and remediate vulnerabilities before an attacker exploits them to undermine the confidentiality, integrity, or availability of enterprise information assets
What category of vulnerabilities do the following belong to?
● Missing Patches
● Unsupported Software
● Buffer Overflows
● Privilege Escalation
● Arbitrary Code Execution
● Remote Code Execution
● Insecure Protocol Use
● Debugging Modes
● PoS Malware - Point of Sale Malware
Server and Host Vulnerabilities
Which Value does the below description describe from the Authentication metric? - Attackers would need to authenticate once to exploit the vulnerability
Single (S) - medium score
What can informational scans provide you (the analyst) as well as an attacker?
Some configurations can allow an attacker to perform some recon on your network/systems. An analyst can see what an attacker can see. Keep a record of why the informational results were or were not addressed.
What category of vulnerabilities do the following belong to?
● VM Escape
● Management Interface Access
● Virtual Host Patching
● Virtual Guest Issues
● Virtual Network Issues
Virtualization Vulnerabilities
What category of vulnerabilities do the following belong to?
● Injection Attacks
● XSS - Cross Site Scripting
● CSRF - Cross Site Request Forgery
Web Application Vulnerabilities
What SCAP standard does the following describe? - Is a language for specifying checklists and reporting checklist results
XCCDF - Extensible Configuration Checklist Description Format
A good comprehensive vulnerability management program provides the ability to conduct scans from a variety of scan perspectives. What types of perspectives are there?
○ Insider threat viewpoint - Credentialed scans
○ Attacker threat viewpoint - Non-credentialed scans
- Can be run from different locations within the network to see different vulnerabilities
- Some regulatory bodies require both internal AND external scans
- Useful to get the internal issues worked out before you hire an external group
When does an analyst document an exception to scans?
○ Known issues that you don't plan to deal with or have properly mitigated
○ Implement exceptions in the scan so it doesn't keep firing the alerts
○ Document exceptions in the vulnerability management system
What can cybersecurity professionals do with the configuration settings related to the scan sensitivity level to make sure the scans can run without disrupting the target environment?
○ Plugins can be grouped by "family" to focus on certain environments only
○ Templates can be used to group settings and plugins for certain situations/environments/times
  ■ Useful if you have a light weekly scan and a heavier monthly scan, etc.
  ■ Prevents config errors
○ Nessus has default policies to meet certain regulatory requirements
What are some common vulnerability scanning tools that do the following?
■ Port scans, vulnerability scans, scheduling, asset management, etc.
○ QualysGuard
  ■ Port scans, vulnerability scans, scheduling, asset management, etc.
○ Nessus
  ■ Port scans, vulnerability scans, scheduling, asset management, etc.
  ■ Has default policies to meet certain regulatory requirements
○ Nexpose
  ■ Port scans, vulnerability scans, scheduling, asset management, etc.
○ OpenVAS
  ■ Open-source, low cost, good for home network security
What type of access rights should a scanner have while traversing servers, apps, firewalls, etc.?
○ The scanner should have read-only rights so that if it becomes compromised, it's still limited
What should an analyst do before initiating scans on the scanner software?
○ Scanners must be updated before use
○ They can become vulnerable themselves, but also need the latest signatures to catch up-to-date threats
○ Vulnerabilities are unavoidable, but can be managed
What are the values used for the AC - Access Complexity Metric of the CVSS standard that measures exploitability? H = ? M = ? L = ?
● High - Specialized conditions
● Medium - "Somewhat specialized" conditions
● Low - No specialized conditions
What are the values used for the AV - Access Vector Metric of the CVSS standard that measures exploitability? L = ? A = ? N = ?
● L = Local
● A = Adjacent Network
● N = Network (Remote Access)
What are 3 common data sources that an analyst can use to reconcile scan results?
● Logs from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities
● SIEM systems that correlate log entries from multiple sources and provide actionable intelligence
● Configuration Management Systems that provide information on the operating systems and applications installed on a system
What are the values used for the Au Authentication Metric of the CVSS standard that measures exploitability? M = ? S = ? N = ?
● M = Multiple
● S = Single
● N = None
What are the Values used for the last 3 measures in the CVSS standard that measure impact? N = ? P = ? C = ?
● N = None
● P = Partial
● C = Complete (loss)
What two regulatory schemes specifically mandate the implementation of a vulnerability management program?
● PCI DSS
● FISMA
What are some of the factors that influence how often an organization decides to conduct vulnerability scans against its systems?
● Risk Appetite - An organization's willingness to tolerate risk
● Regulatory Requirements - PCI DSS or FISMA
● Technical Constraints - System hardware resources
● Business Constraints - Hours of operation & when scans can be performed
● Licensing Limitations - Limits on bandwidth or the number of simultaneous scans