Exam (elaborations)

SYO-601 EXAM WITH COMPLETE SOLUTIONS 100% CORRECT LATEST UPDATE (A+)

Pages
17
Grade
A+
Uploaded on
07-11-2024
Written in
2024/2025


Institution
SYO-601
Course
SYO-601










Contains
Questions & answers



NIST - ANSWER National Institute of Standards and Technology



SCAP - ANSWER Security Content Automation Protocol

An effort by the security community, with leadership from the National Institute of
Standards and Technology (NIST), to develop a standardized way of communicating
security-related information.

Includes 6 standards: CCE, CPE, CVE, CVSS, XCCDF, OVAL

CCE - ANSWER Common Configuration Enumeration

SCAP standard provides a standard nomenclature for discussing system configuration
issues

CPE - ANSWER Common Platform Enumeration

SCAP standard provides a standard nomenclature for describing product names and
versions

CVE - ANSWER Common Vulnerabilities and Exposures

SCAP standard provides a standard nomenclature for describing security-related
software flaws

CVSS - ANSWER Common Vulnerability Scoring System



SCAP standard - defines a standardized way to measure and describe the severity of
security-related software flaws



XCCDF - ANSWER Extensible Configuration Checklist Description Format

SCAP standard - checklists and the format for reporting checklist results are defined by
this language



OVAL - ANSWER Open Vulnerability Assessment Language



SCAP standard - the low-level testing done by checklists is defined by this language



Application scanning techniques - ANSWER Static testing: code analysis without
executing the code

Dynamic testing: runs code as part of the test - it runs all exposed interfaces

Interactive testing: a mix between static and dynamic testing - source code is analyzed,
testers interactively work with exposed interfaces



XSS - ANSWER Cross-site scripting



It also allows an attacker to forward users to malicious websites and to pilfer cookies.
E-mail can contain an embedded HTML image object or JavaScript image tag as part
of a malicious cross-site scripting attack. Websites avoid cross-site scripting attacks
through input validation mechanisms that detect and block inputs that may have
HTML and JavaScript tags in them. Many sites avoid using < and > characters to avoid
cross-site scripting.



CSRF - ANSWER Cross-site Request Forgery



an attack that forces an end user to execute unwanted actions on a web application in
which he/she is currently authenticated



CVSS metrics (8) - ANSWER Attack Vector Metric (AV)

Attack Complexity Metric (AC)

Privileges Required Metric (PR)

User Interaction Metric (UI)

Confidentiality Metric (C)

Integrity Metric (I)

Availability Metric (A)

Scope Metric (S)



CVSS Attack Vector Metric - ANSWER describes how the attacker would exploit the
vulnerability



Physical (P) - The attacker must physically touch the vulnerable device.

Local (L) - The attacker must have either physical or logical access to the affected system.

Adjacent Network (A) - The attacker must be on the local network segment that the affected
system is connected to.

Network (N) - The attacker can exploit the vulnerability remotely across a network.



CVSS Attack Complexity Metric - ANSWER describes the level of
difficulty to exploit the vulnerability.



High (H) - exploiting the vulnerability requires specialized conditions that would be
difficult to find

Low (L) - exploiting the vulnerability does not require any specialized conditions



CVSS Privileges Required Metric - ANSWER describes the type of account access that
an attacker would need to exploit a vulnerability



High (H) - attackers require admin privileges to conduct the attack

Low (L) - attackers require basic user privileges to conduct the attack

None (N) - attackers do not need to authenticate to exploit the vulnerability



CVSS User Interaction Metric - ANSWER says whether the attacker must convince
another human to perform some action(s) that assist in conducting the attack

Seller: Chrisyuis (West Virginia University)