CompTIA Cybersecurity Analyst (CySA+) 2.0 Vulnerability Management Questions & Answers
2.1 Given a scenario, implement an information security vulnerability management process. - Answer CompTIA
• Identification of requirements - Answer As an organization begins developing a vulnerability management program, it should first identify any internal or external requirements for vulnerability scanning. These requirements may come from the regulatory environment(s) in which the organization operates and/or from internal, policy-driven requirements.
Vulnerability Management Programs - Answer They seek to identify, prioritize, and remediate vulnerabilities before an attacker exploits them to undermine the confidentiality, integrity, or availability of enterprise information assets.
- Regulatory environments - Answer An environment in which an organization exists or operates that is controlled to a significant degree by laws, rules, or regulations put in place by government (federal, state, or local), industry groups, or other organizations. In a nutshell, it is what happens when you have to play by someone else's rules or risk serious consequences. A common feature is that they have enforcement groups and procedures to deal with noncompliance. Examples include HIPAA, ISO/IEC 27001, PCI DSS, and GLBA.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) - Answer United States law enacted in 1996 to provide data privacy and security provisions for safeguarding medical information. It does not specifically require that an organization conduct vulnerability scanning. It establishes penalties (ranging from $100 to $1.5 million) for covered entities that fail to safeguard protected health information (PHI).
Gramm-Leach-Bliley Act (GLBA) - Answer A law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. It does not specifically require that an organization conduct vulnerability scanning.
PCI DSS (Payment Card Industry Data Security Standard) - Answer A global standard for protecting stored, processed, or transmitted payment card information.
ISO/IEC 27001 (International Organization for Standardization/International Electrotechnical Commission) - Answer Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system. It is arguably the most popular voluntary security standard in the world and covers every important aspect of developing and maintaining good information security.
Federal Information Security Management Act of 2002 (FISMA) - Answer United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. It requires that government agencies, and other organizations operating on behalf of government agencies, comply with a series of security standards.
Federal Information Processing Standards (FIPS) - Answer A set of standards that describe document processing, encryption algorithms, and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with those agencies.
- Corporate policy - Answer An overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
Security policy - Answer Can be organizational, issue specific, or system specific.
Organizational Security Policy - Answer Management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
Issue Specific Security Policy - Answer Also called a functional policy; addresses specific security issues that management feels need more detailed explanation and attention, to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
System Specific Security Policy - Answer Presents management's decisions that are specific to the actual computers, networks, and applications.
- Data classification - Answer An important item of metadata that should be attached to all data is a classification level. This classification tag is important in determining the protective controls we apply to the information.
• Private: information whose improper disclosure could raise personal privacy issues
• Confidential: data that could cause grave damage to the organization
• Proprietary (or sensitive): data that could cause some damage, such as loss of competitiveness, to the organization
• Public: data whose release would have no adverse effect on the organization
- Asset inventory - Answer
- Critical
- Non-critical
Critical (Critical Asset) - Answer Anything that is absolutely essential to performing the primary functions of your organization. This set would include your web platforms, data servers, and financial systems. Critical assets also require a higher degree of attention when it comes to vulnerability scanning, in both the thoroughness and the frequency of each scan.
Noncritical (Noncritical asset) - Answer Though valuable, is not required for the accomplishment of your main mission as an organization. Noncritical assets should still be included in your vulnerability management plan but given limited resources and placed at a lower priority.
Common Vulnerabilities - Answer
• Missing patches/updates: A system could be missing patches or updates for numerous reasons. If the reason is legitimate (for example, an industrial control system that cannot be taken offline), then this vulnerability should be noted, tracked, and mitigated using an alternate (compensating) control.
• Misconfigured firewall rules: Whether or not a device has its own firewall, reachability to it across the network should be restricted by firewalls or other means of segmentation, and that restriction is oftentimes lacking.
• Weak passwords: Our personal favorite was an edge firewall that was deployed for an exercise by a highly skilled team of security operators. The team, however, failed to follow its own checklist and was so focused on hardening other devices that it forgot to change the default password on the edge firewall. Even when default passwords are changed, it is not uncommon for users to choose weak ones if they are allowed to.
Endpoints - Answer They are almost always end-user devices (mobile or otherwise). They are the most common entry point for attackers into our networks, and the most common vectors are e-mail attachments and web links. Their most common problem is the lack of up-to-date malware protection.
• Establish scanning frequency - Answer If you haphazardly do vulnerability scans at random intervals, you will have a much harder time answering the question of whether or not your vulnerability management is being effective. If, on the other hand, you do the math up front and determine the frequencies and scopes of the various scans given your list of assumptions and requirements, you will have much more control over your security posture.
- Risk appetite - Answer The amount of risk that an organization's senior executives are willing to assume and tolerate within the environment.
- Regulatory requirements - Answer Requirements such as PCI DSS or FISMA may dictate the frequency of vulnerability scans. These requirements may also come from corporate policies.
- Technical constraints - Answer Limitations on the design of a solution that derive from the technology used in its implementation. See also business constraint. They may limit the frequency of scanning. For example, the scanning system may only be capable of performing a certain number of scans per day, and organizations may need to adjust scan frequency accordingly.
Capacity - Answer Used to denote computational resources expressed in cycles of CPU time, bytes of primary and secondary memory, and bits per second (bps) of network connectivity.
- Business Constraints - Answer Limitations placed on the solution design by the organization that needs the solution. They may prevent the organization from conducting resource-intensive vulnerability scans during periods of high business activity, to avoid disruption of critical processes.
Licensing Limitations - Answer May curtail the bandwidth consumed by the scanner or the number of scans that may be conducted simultaneously.
- Workflow - Answer Allows for the prioritization of vulnerabilities and the tracking of remediation through the cycle of detection, remediation, and testing.
• Configure tools to perform scans according to specification - Answer Once security professionals have determined the basic requirements for their vulnerability management program, they must configure vulnerability management tools to perform scans according to the requirements-based scan specifications. These tasks include identifying the appropriate scope for each scan, configuring scans to meet the organization's requirements, and maintaining the currency of the vulnerability scanning tool.
- Determine scanning criteria - Answer Cybersecurity professionals depend on automation to help them perform their duties in an efficient, effective manner. Vulnerability scanning tools allow the automated scheduling of scans to take the burden off administrators.
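The "do the math up front" advice above (criticality and regulatory requirements set how often each asset must be scanned; business, technical, and licensing constraints limit when and how many scans can run) can be checked mechanically before a scan schedule is committed. The following is an added worked example, not code from the CySA+ material or from any scanner product. Everything in it is assumed for illustration: the host names are hypothetical, the 7-day and 30-day policy intervals stand in for an organization's risk appetite, the weekday blackout on critical assets is an assumed business constraint, and max_scans_per_day models the scanner's capacity or licence limit. The only regulatory value taken from a real requirement is the PCI DSS rule that vulnerability scans run at least quarterly (90 days here).

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str      # "critical" or "noncritical", from the asset inventory
    regimes: tuple = ()   # regulatory regimes that apply, e.g. ("PCI DSS",)


# Risk appetite, expressed as the longest acceptable interval between scans
# per criticality tier. These values are assumed for the example, not mandated.
POLICY_MAX_INTERVAL_DAYS = {"critical": 7, "noncritical": 30}

# Regulatory ceilings on the interval. PCI DSS requires internal and external
# vulnerability scans at least quarterly, modelled here as 90 days.
REGIME_MAX_INTERVAL_DAYS = {"PCI DSS": 90}

# Constructed inventory (hypothetical hosts, not from any real environment).
INVENTORY = (
    Asset("web-pay-01", "critical", ("PCI DSS",)),
    Asset("db-cardholder", "critical", ("PCI DSS",)),
    Asset("hr-fileshare", "noncritical"),
    Asset("kiosk-lobby", "noncritical", ("PCI DSS",)),
)
START = date(2024, 1, 6)   # a Saturday
HORIZON_DAYS = 14


def scan_interval_days(asset):
    """Tightest interval that satisfies both policy and every regime that applies."""
    interval = POLICY_MAX_INTERVAL_DAYS[asset.criticality]
    for regime in asset.regimes:
        interval = min(interval, REGIME_MAX_INTERVAL_DAYS.get(regime, interval))
    return interval


def in_blackout(asset, day):
    """Business constraint (assumed): critical assets are scanned only at the
    weekend, so a resource-intensive scan cannot disrupt production on weekdays."""
    return asset.criticality == "critical" and day.weekday() < 5


def plan_scans(assets, start, horizon_days, max_scans_per_day):
    """Return {date: [asset names]} for the horizon. max_scans_per_day models
    the technical/licensing limit on how many scans the scanner can run in a
    day. Due assets that cannot run today (blackout or no capacity left) are
    carried forward, critical and longest-overdue first, never dropped."""
    next_due = {a.name: start for a in assets}
    by_name = {a.name: a for a in assets}
    schedule = {}
    for offset in range(horizon_days):
        day = start + timedelta(days=offset)
        due = [by_name[n] for n, d in next_due.items() if d <= day]
        due.sort(key=lambda a: (a.criticality != "critical", next_due[a.name]))
        todays = []
        for asset in due:
            if len(todays) >= max_scans_per_day:
                break
            if in_blackout(asset, day):
                continue
            todays.append(asset.name)
            next_due[asset.name] = day + timedelta(days=scan_interval_days(asset))
        if todays:
            schedule[day] = todays
    return schedule


def interval_violations(assets, schedule, start, horizon_days):
    """Names of assets whose realised gap between scans (including the gap from
    the start of the horizon to the first scan, and from the last scan to the
    end) exceeded their required interval: the constraints broke the policy."""
    end = start + timedelta(days=horizon_days - 1)
    violations = []
    for asset in assets:
        scans = sorted(d for d, names in schedule.items() if asset.name in names)
        points = [start] + scans + [end]
        worst_gap = max((b - a).days for a, b in zip(points, points[1:]))
        if worst_gap > scan_interval_days(asset):
            violations.append(asset.name)
    return violations


def as_table(schedule):
    """ISO-dated view of a schedule, convenient for reports and tests."""
    return {day.isoformat(): names for day, names in schedule.items()}


if __name__ == "__main__":
    plan = plan_scans(INVENTORY, START, HORIZON_DAYS, max_scans_per_day=1)
    for day, names in as_table(plan).items():
        print(day, ", ".join(names))
    print("violations:", interval_violations(INVENTORY, plan, START, HORIZON_DAYS))
    # Add a third critical asset: with one scan per day and weekend-only
    # windows for critical hosts, two of them miss their 7-day interval.
    bigger = INVENTORY + (Asset("vpn-edge", "critical"),)
    plan = plan_scans(bigger, START, HORIZON_DAYS, max_scans_per_day=1)
    print("violations:", interval_violations(bigger, plan, START, HORIZON_DAYS))
```

The useful output is the violations list: with four assets the constraints are compatible with the policy, but adding one more critical host makes two critical assets miss their 7-day interval, which is the signal to raise scanner capacity, relax the blackout window, or get a documented exception from the risk owner before the gap shows up in an audit rather than in a planning run.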
- Sensitivity levels - Answer These settings determine the types of checks that the scanner will perform and should be customized to ensure that the scan meets its objectives while minimizing the possibility of disrupting the target environment.
- Vulnerability feed - Answer Services that supply the scanner with current data on the vast majority of known vulnerabilities; vendors update them at intervals ranging from hours to weeks, so the feed must be kept current for scan results to be trustworthy.
National Vulnerability Database (NVD) - Answer The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. It includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
- Scope (Scope of a Vulnerability Scan) - Answer Describes the extent of the scan and answers these questions: What systems and networks will be included in the vulnerability scan? What technical measures will be used to test whether systems are present on the network? What tests will be performed against systems discovered by a vulnerability scan?
- Credentialed vs. non-credentialed - Answer A non-credentialed vulnerability scan evaluates the system from the perspective of an outsider, such as an attacker just beginning to interact with a target. This is a sort of black-box test in which the scanning tool doesn't get any special information or access to the target. The advantage of this approach is that it tends to be quicker while still being fairly realistic. It may also be a bit more secure because there is no need to provision additional credentials on all tested devices. The disadvantage, of course, is that you will most likely not get full coverage of the target. Non-credentialed scans look at systems from the perspective of the attacker but are not as thorough as credentialed scans.
Credentialed Scan - Answer A scan in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check, looking for problems that cannot be seen from the network (installed package versions, local configuration, missing host patches). The scanning account is itself a high-value credential and should be a dedicated, least-privilege account.
Noncredentialed Scan - Answer A vulnerability scan run without any user credentials that provides a quick view of vulnerabilities by looking only at the network services exposed by the host.
- Types of data - Answer The information that should or must be included in the report, particularly when dealing with regulatory compliance scans. This information will drive the data that your scan must collect, which in turn affects the tool configuration.
- Server-based vs. agent-based - Answer Vulnerability scanners tend to fall into two classes of architecture: those that require a running process (agent) on every scanned device, and those that do not. A server-based (or agentless) scanner consolidates all data and processes on one or a small number of scanning hosts, which depend on a fair amount of network bandwidth in order to run their scans. It has fewer components, which could make maintenance tasks easier and help with reliability. Additionally, it can detect and scan devices that are connected to the network but do not have agents running on them (for example, new or rogue hosts). Agent-based scanners have agents that run on each protected host and report their results back to the central scanner. Because only the results are transmitted, the bandwidth required by this architectural approach is considerably less than for a server-based solution. Also, because the agents run continuously on each host, mobile devices can still be scanned even when they are not connected to the corporate network.
Document information
- Institution: CompTIA CySA+
- Uploaded on: 13 September 2023
- Number of pages: 18
- Written in: 2023/2024
- Type: Exam
- Contains: Questions and answers