CompTIA CySa+ Domain(2): Vulnerability Management


What CVSS vector metric describes the authentication hurdles that an attacker would need to clear to exploit the vulnerability?

Au Authentication Metric

What regulatory standard mandates the following for a vulnerability management program?
● Security controls for govt, or anyone handling govt data
● Systems are classified as low, moderate, or high impact
  ○ Requirements based on those classifications
● Objectives designed around CIA Triad
● EX:
  ○ Scan system when new threats emerge
  ○ Utilize interoperable tools and techniques
  ○ Analyze scan reports from assessments
  ○ Remediate vulnerabilities based on risk
  ○ Share findings with other agencies to mutually eliminate vulnerabilities

FISMA - Federal Information Security Management Act

What is the term used to describe when a scanner reports a vulnerability that does not exist?

False Positive Error. Always confirm a vulnerability reported by a scanner.

Which Value does the below description describe from the Access Complexity metric? - Exploiting the vulnerability requires "Specialized" conditions that would be difficult to find

High (H)

What CVSS vector metric describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability?

I Integrity Metric

Which Value does the below description describe from the Access Vector metric? - The attacker must have physical or logical access to the affected system

Local (L) - Lowest score

Which Value does the below description describe from the Access Complexity metric? - Exploiting the vulnerability does not require any specialized conditions

Low (L)

Which Value does the below description describe from the Access Complexity metric? - Exploiting the vulnerability requires "somewhat specialized" conditions

Medium (M)

What popular type of scanning tool does the following:
■ Client-side to monitor for updates, registry changes, firewall, hashing, etc
■ Home use, not effective for central network scan

Microsoft's Baseline Security Analyzer

Which Value does the below description describe from the Authentication metric? - Attackers would need to authenticate two or more times to exploit the vulnerability

Multiple (M) - lowest score

Which Value does the below description describe from the Access Vector metric? - The attacker can exploit the vulnerability remotely over a network

Network (N) - the highest score (most dangerous)

What category of vulnerabilities do the following belong to?
● Missing Firmware Updates
● Outdated SSL and TLS versions
● Insecure Cipher Use
● Certificate Problems
● Domain Name Server Issues
● Internal IP Disclosure
● VPN Issues

Network Vulnerabilities

What popular type of scanning tool does the following:
■ Web Application Scanner
■ Looks at the code of the app

Nikto

Which Value does the below description describe from the Authentication metric? - Attackers do not need to authenticate to exploit the vulnerability

None (N) - Highest score

Which Value does the below description describe from the CIA metrics? - There is no confidentiality/integrity/availability impact

None (N) - Lowest score

What type of trends can an analyst use to understand why something is happening? For example, finding more vulnerabilities on "Patch Tuesdays"

- Number of vulnerabilities arising over time
- The age of the vulnerabilities
- The time required to remediate vulnerabilities

What SCAP standard does the following describe? - A language for specifying low-level testing procedures used by XCCDF checklists

OVAL - Open Vulnerability and Assessment Language

What is one of the critical components of vulnerability management?

Communicating vulnerability scan results to technologists who have the ability to remediate them and managers responsible for the security of the environment.

Which Value does the below description describe from the CIA metrics?
- All information on the system is compromised
- The integrity of the system is totally compromised and the attacker may change any information at will
- The system is completely shut down

Complete (C) - highest score

Who implements the vulnerability patches/fixes to systems?

System Administrators. Larger fixes need to be run by a Change Control Board.

What do the first 3 measures of the CVSS standard evaluate?

The exploitability of the vulnerability
- AV Access Vector Metric
- AC Access Complexity Metric
- Au Authentication Metric

What do the last 3 measures of the CVSS standard evaluate?

The impact of the vulnerability
- C Confidentiality Metric
- I Integrity Metric
- A Availability Metric

What is a common way to minimize the scope of scanner in order to increase security and decrease labor?

■ Network segmentation allows you to scan smaller clusters to achieve regulation compliance
  ● If only one machine is processing credit cards, only it needs to meet PCI DSS standards IF you segment it properly

What are the values used for the CVSS Temporal Remediation Level (RL) Metric?

■ O - Official Fix
■ T - Temporary Fix
■ W - Workaround
■ U - Unavailable
■ ND - Not Defined

What are the 3 most common barriers to Vulnerability Scanning?

■ System Degradation - Scanning takes up resources
■ Customer Commitments - MOUs & SLAs may create expectations around uptime, performance & security
■ IT Governance and Change Management Processes - May create bureaucratic hurdles to making configuration changes required to support scanning

What are the values used for the CVSS Temporal Exploitability Metric?

■ U - Unproven
■ P - Proof-of-Concept
■ F - Functional
■ H - High
■ ND - Not Defined

What are the values used for the CVSS Temporal Report Confidence(RC) Metric?

■ UC - Unconfirmed
■ UR - Uncorroborated
■ C - Confirmed
■ ND - Not Defined

What are the CVSS Score Categories?

○ < 4.0 = low
○ > 4.0 and < 6.0 = medium
○ > 6.0 and < 10.0 = high
○ 10.0 = Critical

What results do analysts have to interpret after scanners identify vulnerabilities?

○ Eliminate False Positives
○ Identify root causes
○ Prioritize Remediation

What types of sections show up in a vulnerability report?

○ Identities
○ Synopsis
○ Description
○ See Also
  ■ References on the vulnerability
○ Solution
  ■ List of patches or contingencies for if your system is unsupported
○ Risk Factor
○ CVSS Score
  ■ 3.0 is newer, and not addressed on the exam. Recognize 2.0
○ STIG Severity
  ■ Military - cat 1 is critical, cat 3 is informational
○ References
  ■ Related vulnerabilities to the plugin
○ Exploitable With
  ■ Good way to know how prevalent the methods of attack are
○ Plugin Info
  ■ When the plugin to scan the vulnerability was made
○ Hosts
  ■ Where the vulnerability exists

What should a vulnerability management program shift toward in regards to scanning and monitoring?

- Ongoing Scanning - Configures scanners to simply scan systems on a rotating basis
- Continuous Monitoring - Incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the vulnerability management platform as soon as they occur

What are the 6 different measures of the CVSS standard?

1. AV Access Vector Metric
2. AC Access Complexity Metric
3. Au Authentication Metric
4. C Confidentiality Metric
5. I Integrity Metric
6. A Availability Metric

What 4 common factors can help an analyst prioritize the remediation of vulnerabilities?

1. Criticality of the Systems and Information Affected by the Vulnerability
  ■ If a system has a lot of PII, financial, or classified data, it needs to be fixed.
  ■ If all the data is encrypted, it might be less dangerous if it's accessed.
2. Difficulty of Remediating the Vulnerability
  ■ If you can fix four vulnerabilities for the same cost as one, well...
3. Severity of the Vulnerability (CVSS scores)
4. Exposure of the Vulnerability
  ■ If an external-facing server has a moderate vulnerability, it might pose a greater risk than a critical vulnerability on an internal server.

What are the 5 basic categories of common vulnerabilities?

1. Server and Host
2. Network
3. Virtualization
4. Web Application
5. IoT - Internet of Things

What 4 questions should an organization answer in order to identify scan targets?

1. What is the data classification of the information stored, processed or transmitted by the system?
2. Is the system exposed to the internet or other public or semipublic networks?
3. What services are offered by the system?
4. Is the system a production, test, or development system?

The scope of a vulnerability scan describes the extent of the scan, including the answers to what 3 questions?

1. What systems and networks will be included in the vulnerability scan?
2. What technical measures will be used to test whether systems are present on the network?
3. What tests will be performed against systems discovered by a vulnerability scan?

What CVSS vector metric describes the type of disruption that might occur if an attacker successfully exploits the vulnerability?

A Availability Metric

What CVSS vector metric describes the difficulty of exploiting the vulnerability?

AC Access Complexity Metric

What CVSS vector metric describes how an attacker would exploit the vulnerability?

AV Access Vector Metric

What does the following CVSS metric express? AV:N

Access Vector: Network

What does the following CVSS metric express? CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None

Which Value does the below description describe from the Access Vector metric? - The attacker must have access to the local network that the affected system is connected to

Adjacent Network (A) - medium score

What type of scanning has the following characteristics?
■ Installed on each client to provide an "inside-out" perspective of vulnerabilities
■ Data then sent to centralized server for review
■ Can be resource intensive, but provides a very detailed view

Agent-Based Scanning

How is the CVSS Temporal Score different from the CVSS Base Score?

Base scores stay the same, but the temporal score changes as vulnerabilities are addressed and mitigated

What CVSS vector metric describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability?

C Confidentiality Metric

What SCAP standard does the following describe? - Provides a standard nomenclature for discussing system configuration issues

CCE - Common Configuration Enumeration

What SCAP standard does the following describe? - Provides a standard nomenclature for describing product names and versions.

CPE - Common Platform Enumeration

What SCAP standard does the following describe? - Provides a standard nomenclature for describing security-related software fixes

CVE - Common Vulnerabilities and Exposures

What SCAP standard does the following describe? - Provides a standardized approach for measuring and describing the severity of security-related software flaws

CVSS - Common Vulnerability Scoring System
● 10 = most critical
● 1 = least critical

What type of reporting tool provides a high-level summary that's easy to understand at a glance and can also:
■ Indicate priorities, trends, etc
■ Host Overview allows you to see which hosts are most vulnerable
■ Overview of Criticality shows the worst vulnerabilities at the top

Dashboards

What are the 3 phases of the Vulnerability Management Lifecycle?

Detection -> Testing -> Remediation ->

What category of vulnerabilities do the following belong to?
● Smart Devices
● SCADA - Supervisory Control and Data Acquisition Systems
● ICS - Industrial Control Systems

IoT - Internet of Things Vulnerabilities

What regulatory standard mandates the following for a vulnerability management program?
● Security controls for credit card processors and merchants
● Most specific of any vulnerability management
● Vendor-driven, not legally mandated
● EX:
  ○ Internal and external scans must be conducted
  ○ Scanned at least quarterly, and after all major changes
  ○ Internal scans by qualified personnel
  ○ External scans by approved scanning vendor
  ○ High-risk vulnerabilities must be remediated until a "clean" report is achieved

PCI DSS - Payment Card Industry Data Security Standard

Which Value does the below description describe from the CIA metrics?
- Access/modification to some information is possible, but the attacker does not have control over what information is compromised/modified
- The performance of the system is degraded

Partial (P) - medium score

What protocol is used to create a standardized approach for communicating security-related information? This standardization is important to the automation of interactions between security components

SCAP - Security Content Automation Protocol
Standards include: CCE, CPE, CVE, CVSS, XCCDF, OVAL

What is the goal of a Vulnerability Management Program?

Seek to identify, prioritize and remediate these vulnerabilities before an attacker exploits them to undermine the confidentiality, integrity or availability of enterprise information assets

What category of vulnerabilities do the following belong to?
● Missing Patches
● Unsupported Software
● Buffer Overflows
● Privilege Escalation
● Arbitrary Code Execution
● Remote Code Execution
● Insecure Protocol Use
● Debugging Modes
● PoS Malware - Point of Sale Malware

Server and Host Vulnerabilities

Which Value does the below description describe from the Authentication metric? - Attackers would need to authenticate once to exploit the vulnerability

Single (S) - medium score

What can informational scans provide you (the analyst) as well as an attacker?

Some configurations can allow an attacker to perform some recon on your network/systems. An analyst can see what an attacker can see. Keep a record of why the informational results were or were not addressed.

What category of vulnerabilities do the following belong to?
● VM Escape
● Management Interface Access
● Virtual Host Patching
● Virtual Guest Issues
● Virtual Network Issues

Virtualization Vulnerabilities

What category of vulnerabilities do the following belong to?
● Injection Attacks
● XSS Cross Site Scripting
● CSRF Cross Site Request Forgery

Web Application Vulnerabilities

What SCAP standard does the following describe? - A language for specifying checklists and reporting checklist results

XCCDF - Extensible Configuration Checklist Description Format

A good comprehensive vulnerability management program provides the ability to conduct scans from a variety of scan perspectives. What types of perspectives are there?

○ Insider threat viewpoint - Credentialed scans
○ Attacker threat viewpoint - Non-credentialed scans
- Can be run from different locations within the network to see different vulnerabilities
- Some regulatory bodies require both internal AND external scans
- Useful to get the internal worked out before you hire an external group

When does an analyst document an exception to scans?

○ Known issues that you don't plan to deal with or have properly mitigated
○ Implement exceptions in the scan so it doesn't keep firing the alerts
○ Document exceptions in the vulnerability management system

What can cybersecurity professionals do with the configuration settings related to the scan sensitivity level to make sure the scans can run without disrupting the target environment?

○ Plugins can be grouped by "family" to focus on certain environments only.
○ Templates can be used to group settings and plugins for certain situations/environments/times.
  ■ Useful if you have a light weekly scan, and a heavier monthly scan, etc
  ■ Prevents config errors
○ Nessus has default policies to meet certain regulatory requirements

What are some common vulnerability scanning tools that do the following:
■ Port scans, vulnerability scans, scheduling, asset management, etc

○ QualysGuard
  ■ Port scans, vulnerability scans, scheduling, asset management, etc
○ Nessus
  ■ Port scans, vulnerability scans, scheduling, asset management, etc
  ■ Has default policies to meet certain regulatory requirements
○ Nexpose
  ■ Port scans, vulnerability scans, scheduling, asset management, etc
○ OpenVAS
  ■ Open-source, low cost, good for home network security

What type of access rights should a scanner have while traversing servers, apps, firewalls, etc?

○ Scanner should have read only rights so that if it becomes compromised, it's still limited

What should an analyst do before initiating scans on the scanner software?

○ Scanners must be updated before use
○ They can become vulnerable themselves, but also need the latest signatures to catch up-to-date threats
○ Vulnerabilities are unavoidable, but can be managed

What are the values used for the AC-Access Complexity Metric of the CVSS standard that measures exploitability? H = ? M = ? L = ?

● High - Specialized conditions
● Medium - "somewhat specialized"
● Low - no specialized conditions

What are the values used for the AV - Access Vector Metric of the CVSS standard that measures exploitability? L = ? A = ? N = ?

● Local
● Adjacent Network
● Network (Remote Access)

What are 3 common data sources that an analyst can use to reconcile scan results?

● Logs from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities
● SIEM systems that correlate log entries from multiple sources and provide actionable intelligence
● Configuration Management Systems that provide information on the operating systems and applications installed on a system

What are the values used for the Au Authentication Metric of the CVSS standard that measures exploitability? M = ? S= ? N = ?

● Multiple
● Single
● None

What are the Values used for the last 3 measures in the CVSS standard that measure impact? N = ? P = ? C = ?

● None
● Partial
● Complete (loss)

What two regulatory schemes specifically mandate the implementation of a vulnerability management program?

● PCI DSS
● FISMA

What are some of the factors that influence how often an organization decides to conduct vulnerability scans against its systems?

● Risk Appetite - An org's willingness to tolerate risk
● Regulatory Requirements - PCI DSS or FISMA
● Technical Constraints - System hardware resources
● Business Constraints - Hours of operation & when scans can be performed
● Licensing Limitations - Limit on bandwidth or number of simultaneous scans
