Terms in this set (186)
What is a Risk?
a function of THREATS and VULNERABILITIES on a per "asset" basis
What is the Risk formula?
Risk = Threats + Vulnerabilities - Safeguards (a conceptual relationship, not
arithmetic: more threats or vulnerabilities raise risk, safeguards lower it)
What are the 3 main threat sources?
- Structural Failures (e.g. a leaking pipe in a building that floods a server
room, or a fire resulting from an electrical fault)
- Environmental Disasters (e.g. an earthquake, tornado, hurricane, etc.)
- People (outsiders or insiders, whether malicious or careless)
What is a vulnerability?
an inherent weakness
What is Vulnerability Management?
the practice of FINDING and MITIGATING the vulnerabilities in
computers and networks
True or False? VULNERABILITY MANAGEMENT comes down to whether you want to
remove the vulnerability (fix the problem) or apply safeguard(s) to offset
the risk.
True
3 Ways to find vulnerabilities:
- ASSESS, AUDIT, or TEST
- MONITOR CONFIGURATIONS and CHANGES to determine what vulnerabilities may
be unintentionally created
- ANALYZE POTENTIAL ATTACKS, which discloses vulnerabilities that cannot be
easily seen
What is an Assessment?
A SUBJECTIVE EVALUATION by a human to aid in the
DESIGN/RE-DESIGN of safeguards and can actually IMPACT what the
standards are
How does the proof work in Assessments?
ATTESTATIONS (i.e. declarations of evidence or proof) are solicited
(meaning you are just asking a person, not actually checking yourself) and
documented
What are the 3 main pros to Assessments?
- less INVASIVE and EXPENSIVE to complete than an audit
- less TEDIOUS than an audit
- drives DESIGN and ARCHITECTURE instead of validation of configuration
What is an Audit?
An OBJECTIVE EVALUATION by a human to determine if the CONFIGURATION of
safeguards is in alignment with a DOCUMENTED STANDARD (purely checking
whether organizational or industry standards, e.g. PCI DSS, are being
followed).
How does proof work in Audits?
EVIDENCE of configuration is solicited and DOCUMENTED (meaning you need to
actually SEE THE PROOF, e.g. screenshots, configuration exports, or logs)
What are some reference standards used in audits?
ORGANIZATIONAL policies, procedures, & standards and/or INDUSTRY
standards (e.g. PCI DSS)
What are the 2 pros to Audits?
- uncovers INITIAL IMPLEMENTATIONS or changes that are not in
ALIGNMENT with standards
- provides ASSURANCE to others
What is the main con to Audits?
the standard may not be SPECIFIC enough or may be DATED in content, and
thus only determines COMPLIANCE with the standard and does not DETECT
RISK
What is a Vulnerability Scan?
A TECHNICAL EVALUATION to determine if the configuration of safeguards is in
ALIGNMENT with a DOCUMENTED STANDARD (lets TECHNOLOGY/SOFTWARE do the work
for us)
How does proof work in a Vulnerability Scan?
EVIDENCE of configuration is TECHNICALLY EXTRACTED, one system at a time, and
documented, based on vendor- or publicly-provided verification points (the
checks the scanner knows how to run)
What are some things you might be looking for in a vulnerability scan?
- PRESENCE of a specific FILE VERSION or REGISTRY VALUE
- MISSING files or registry values
- RESPONSES from querying specific PORTS
What does the Common Vulnerability Scoring System (CVSS) attempt to do?
attempts to ASSIGN SEVERITY SCORES (0.0 to 10.0) to vulnerabilities, including
the misconfigurations a scanner reports as such, to enable PRIORITIZED
remediation; the base score reflects exploitability and impact, not whether a
particular host is actually exposed
National Vulnerability Database (NVD)
NIST's database built on top of the CVE list (the CVE identifiers themselves
are assigned by MITRE and other CNAs); for each Common Vulnerability and
Exposure (CVE) in operating systems and software applications, NVD adds CVSS
scores, affected-product (CPE) data, and references
True or False? Unauthenticated scans CANNOT see all vulnerabilities, but many
penetration testers prefer them because they more closely simulate a true
attacker.
True
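The following toy check engine ties together the three kinds of verification point listed under "What are some things you might be looking for in a vulnerability scan?" and the authenticated-versus-unauthenticated point just above. It is an added example, not code from the study set or from any scanner vendor: the host is a constructed in-memory dict standing in for evidence a real scanner would extract over SSH/WinRM/SMB or a TCP connect, and the product names, paths, versions and check IDs are hypothetical.

```python
"""Toy vulnerability-scan check engine (added example; not from the study set).

A "verification point" (the kind of rule a vendor or public feed supplies) is
modelled as a Check. Without credentials only the port-facing checks can run,
which is exactly why an unauthenticated scan cannot see every vulnerability.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Check:
    check_id: str
    kind: str      # "file_version_below" | "registry_value_equals" | "port_banner_contains"
    target: str    # file path, registry value path, or port number as text
    expected: str  # fixed version, required registry value, or banner substring


# Checks that need an authenticated session on the host (file/registry reads).
CREDENTIALED_KINDS = {"file_version_below", "registry_value_equals"}


def version_tuple(version: str) -> tuple:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(check: Check, host: dict) -> Optional[bool]:
    """True = finding, False = safeguard in place, None = not applicable."""
    if check.kind == "file_version_below":
        installed = host["files"].get(check.target)
        if installed is None:
            return None                    # product not installed: nothing to patch
        return version_tuple(installed) < version_tuple(check.expected)
    if check.kind == "registry_value_equals":
        # A missing or wrong value is a finding: the hardening setting is not applied.
        return host["registry"].get(check.target) != check.expected
    if check.kind == "port_banner_contains":
        banner = host["ports"].get(int(check.target))
        if banner is None:
            return None                    # port closed: service not exposed
        return check.expected in banner
    raise ValueError(f"unknown check kind {check.kind}")


def run_scan(host: dict, checks: list, credentialed: bool) -> dict:
    """Run every check; without credentials, file/registry checks are skipped."""
    result = {"findings": [], "passed": [], "not_applicable": [], "skipped": []}
    for check in checks:
        if check.kind in CREDENTIALED_KINDS and not credentialed:
            result["skipped"].append(check.check_id)
            continue
        outcome = evaluate(check, host)
        bucket = {True: "findings", False: "passed", None: "not_applicable"}[outcome]
        result[bucket].append(check.check_id)
    return result


# Constructed sample host and rules (hypothetical products, paths and versions).
SAMPLE_HOST = {
    "files": {"C:/Program Files/ExampleApp/app.exe": "2.3.1"},
    "registry": {"HKLM/SOFTWARE/Policies/ExampleApp/RequireTLS": "0"},
    "ports": {22: "SSH-2.0-ExampleSSH_1.2", 443: "Server: ExampleHTTPd/3.0"},
}

SAMPLE_CHECKS = [
    Check("CHK-001", "file_version_below", "C:/Program Files/ExampleApp/app.exe", "2.4.0"),
    Check("CHK-002", "registry_value_equals", "HKLM/SOFTWARE/Policies/ExampleApp/RequireTLS", "1"),
    Check("CHK-003", "file_version_below", "C:/Program Files/OtherApp/other.exe", "9.9.9"),
    Check("CHK-004", "port_banner_contains", "22", "ExampleSSH_1."),
    Check("CHK-005", "port_banner_contains", "443", "ExampleHTTPd/3.0"),
    Check("CHK-006", "port_banner_contains", "3389", "RDP"),
    Check("CHK-007", "file_version_below", "C:/Program Files/ExampleApp/app.exe", "2.0.0"),
]

if __name__ == "__main__":
    for credentialed in (False, True):
        label = "credentialed" if credentialed else "unauthenticated"
        print(label, run_scan(SAMPLE_HOST, SAMPLE_CHECKS, credentialed))
```

Run it and compare the two result sets: the unauthenticated pass reports only what the exposed services reveal in their banners and skips the file and registry checks entirely, while the credentialed pass also surfaces the outdated binary and the missing hardening value. That gap is the "cannot see all vulnerabilities" half of the flashcard; the banner-only view is the "simulates a true attacker" half.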