IAAS 2 MIDTERM

Cards (73)

  • Vulnerability Management
    The process by which organizations identify, prioritize, and remediate vulnerabilities before an attacker exploits them to undermine the confidentiality, integrity, or availability of enterprise information assets
  • Regulatory Requirements
    • PCI DSS
    • FISMA
  • PCI DSS
    Payment Card Industry Data Security Standard, prescribes specific security controls for merchants who handle credit card transactions and service providers who assist merchants with these transactions
  • FISMA
    Federal Information Security Management Act, requires that government agencies and other organizations operating systems on behalf of government agencies comply with a series of security standards
  • PCI DSS Vulnerability Scan
    1. Organizations must run both internal and external vulnerability scans
    2. Organizations must run scans on at least a quarterly basis and "after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)"
    3. Internal scans must be conducted by qualified personnel
    4. External scans must be conducted by an Approved Scanning Vendor (ASV) authorized by PCI SSC
  • FISMA requires compliance with security standards
  • Corporate Requirements
    Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program and, for this reason, many organizations mandate vulnerability scanning in corporate policy, even when no regulation requires it
  • Scanning process
    1. What is the data classification of the information stored, processed, or transmitted by the system?
    2. Is the system exposed to the Internet or other public or semipublic networks?
    3. What services are offered by the system?
    4. Is the system a production, test, or development system?
  • Scanning Tools
    Cybersecurity professionals use scanning tools to search the network for connected systems, whether they were previously known or unknown, and build an asset inventory
  • Vulnerability scanning tools
    Allow the automated scheduling of scans to take the burden off administrators
  • Configuring vulnerability scans
    1. The organization's risk appetite is its willingness to tolerate risk within the environment
    2. Regulatory requirements, such as PCI DSS or FISMA, may dictate a minimum frequency for vulnerability scans
    3. Technical constraints may limit the frequency of scanning
    4. Business constraints may limit the organization from conducting resource-intensive vulnerability scans during periods of high business activity to avoid disruption of critical processes
    5. Licensing limitations may curtail the bandwidth consumed by the scanner or the number of scans that may be conducted simultaneously
  • Scan Sensitivity
    Cybersecurity professionals configuring vulnerability scans should pay careful attention to the configuration settings related to the scan sensitivity level
  • Configuring scan sensitivity
    1. Administrators typically create a new scan by beginning with a template
    2. Administrators may also improve the efficiency of their scans by configuring the specific plug-ins that will run during each scan
  • Scan Perspective
    Comprehensive vulnerability management programs provide the ability to conduct scans from a variety of scan perspectives. Each scan perspective conducts the scan from a different location on the network, providing a different view into vulnerabilities
  • Authenticated Scanning
    Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself. Administrators should enforce the principle of least privilege by providing the scanner with a read-only account on the server
  • Maintaining Scanners
    1. Administrators should conduct regular maintenance of their vulnerability scanner to ensure that the scanning software and vulnerability feeds remain up-to-date
    2. Scanning systems themselves aren't immune from vulnerabilities; even vulnerability scanners can have security issues
  • SCAP
    The Security Content Automation Protocol is an effort by the security community, led by the National Institute of Standards and Technology (NIST), to create a standardized approach for communicating security-related information
  • SCAP Standards
    • Common Configuration Enumeration (CCE)
    • Common Platform Enumeration (CPE)
    • Common Vulnerabilities and Exposures (CVE)
    • Common Vulnerability Scoring System (CVSS)
    • Extensible Configuration Checklist Description Format (XCCDF)
    • Open Vulnerability and Assessment Language (OVAL)
  • Vulnerability Remediation Workflow
    Organizations should develop a remediation workflow that allows for the prioritization of vulnerabilities and the tracking of remediation through the cycle of detection, remediation, and testing
  • Vulnerability Reporting
    Modern vulnerability management tools provide very strong reporting capabilities. These reports may be manually generated on demand to answer specific questions, or administrators may set up automated reports that generate on a scheduled basis and are pushed out to those who need to see them
  • Factors in the remediation prioritization decision-making process
    • Criticality of the Systems and Information Affected by the Vulnerability
    • Severity of the Vulnerability
    • Exposure of the Vulnerability
    • Difficulty of Remediating the Vulnerability
  • Implementing and Testing Remediation
    Before deploying any remediation activity, cybersecurity professionals and other technologists should thoroughly test their planned fixes in a sandbox environment
  • Nessus Vulnerability Scanner
    Vulnerability scanning is often a high priority for cybersecurity professionals, but other technologists in the organization may not see it as an important activity. Cybersecurity analysts should be aware of the barriers raised by others to vulnerability scanning and ways to address those concerns
  • Common barriers to overcome
    • Service Degradations
    • Customer Commitments
    • IT Governance and Change Management Processes
  • Interpreting Scan Results
    Vulnerability scan reports provide analysts with a significant amount of information that assists with the interpretation of the report
  • CVSS
    The Common Vulnerability Scoring System is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures
  • CVSS Metrics
    • Access Vector
    • Access Complexity
    • Authentication
    • Confidentiality
    • Integrity
    • Availability
  • CVSS is used by cybersecurity analysts to prioritize response actions
  • Cybersecurity analysts must validate the results of vulnerability scans
  • Authentication hurdles
    Criteria that an attacker would need to clear to exploit a vulnerability
  • Confidentiality metric
    Describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability
  • Integrity metric
    Describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability
  • Availability metric
    Describes the type of disruption that might occur if an attacker successfully exploits the vulnerability
  • CVSS Temporal Score
  • Cybersecurity analysts interpreting reports often perform their own investigations to confirm the presence and severity of vulnerabilities
  • These investigations may include the use of external data sources that supply additional information valuable to the analysis
  • False positive error
    When a scanner reports a vulnerability that does not exist
  • Cybersecurity analysts should confirm each vulnerability reported by a scanner
  • Database administrators, system engineers, network technicians, software developers, and other experts have domain knowledge that is essential to the evaluation of a potential false positive report
  • Documented exceptions
    Cases where an organization may decide not to remediate a vulnerability