CompTIA Cybersecurity Analyst (CySA+) 2.0 Vulnerability Management, Exams of Computer Security

Typology: Exams

2024/2025

Available from 01/20/2025

DrShirley


CompTIA Cybersecurity Analyst (CySA+)

2.0 Vulnerability Management

2.1 Given a scenario, implement an information security vulnerability management process. - CompTIA

  • Identification of requirements - As an organization begins developing a vulnerability management program, it should first identify any internal or external requirements for vulnerability scanning. These requirements may come from the regulatory environment(s) in which the organization operates and/or from internal policy-driven requirements.
    • Vulnerability Management Programs - They seek to identify, prioritize and remediate vulnerabilities before an attacker exploits them to undermine the confidentiality, integrity, or availability of enterprise information assets.
  • Regulatory environments - An environment in which an organization exists or operates that is controlled to a significant degree by laws, rules, or regulations put in place by government (federal, state, or local), industry groups, or other organizations. In a nutshell, it is what happens when you have to play by someone else's rules, or else risk serious consequences. A common feature of these environments is that they have enforcement groups and procedures to deal with noncompliance. Examples include HIPAA, ISO/IEC 27001, PCI DSS and GLBA.
    • Health Insurance Portability and Accountability Act of 1996 (HIPAA) - United States law enacted in 1996 to provide data privacy and security provisions for safeguarding medical information. It does not specifically require that an organization conduct vulnerability scanning. It establishes penalties (ranging from $100 to $1.5 million) for covered entities that fail to safeguard protected health information (PHI).
    • Gramm-Leach-Bliley Act (GLBA) - A law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. It does not specifically require that an organization conduct vulnerability scanning.
    • PCI DSS (Payment Card Industry Data Security Standard) - A global standard for protecting stored, processed, or transmitted payment card information.
    • ISO/IEC 27001 (International Organization for Standardization/International Electrotechnical Commission) - Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. It is arguably the most popular voluntary security standard in the world and covers every important aspect of developing and maintaining good information security.

    • Federal Information Security Management Act of 2002 (FISMA) - United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. It requires that government agencies, and other organizations operating on behalf of government agencies, comply with a series of security standards.
    • Federal Information Processing Standards (FIPS) - A set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.

  • Corporate policy - An overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
    • Security policy - Can be organizational, issue specific, or system specific.
    • Organizational Security Policy - Management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
    • Issue Specific Security Policy - Also called a functional policy, it addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
    • System Specific Security Policy - Presents management's decisions that are specific to the actual computers, networks and applications.
  • Data classification - An important item of metadata that should be attached to all data is a classification level. This classification tag is important in determining the protective controls we apply to the information.
    • Private - Information whose improper disclosure could raise personal privacy issues.
    • Confidential - Data that could cause grave damage to the organization.
    • Proprietary (or sensitive) - Data that could cause some damage, such as loss of competitiveness, to the organization.
    • Public - Data whose release would have no adverse effect on the organization.
  • Asset inventory
    • Critical
    • Non-critical
  • Technical constraints - Limitations on the design of a solution that derive from the technology used in its implementation (see also business constraint). They may limit the frequency of scanning. For example, the scanning system may only be capable of performing a certain number of scans per day, and organizations may need to adjust scan frequency.
    • Capacity - Used to denote computational resources expressed in cycles of CPU time, bytes of primary and secondary memory, and bits per second (bps) of network connectivity.
    • Business Constraints - Limitations placed on the solution design by the organization that needs the solution. They may prevent the organization from conducting resource-intensive vulnerability scans during periods of high business activity, to avoid disruption of critical processes.
    • Licensing Limitations - May curtail the bandwidth consumed by the scanner or the number of scans that may be conducted simultaneously.

  • Workflow - allows for the prioritization of vulnerabilities and the tracking of remediation through the cycle of detection, remediation and testing.
  • Configure tools to perform scans according to specification - Once security professionals have determined the basic requirements for their vulnerability management program, they must configure vulnerability management tools to perform scans according to the requirements-based scan specifications. These tasks include identifying the appropriate scope for each scan, configuring scans to meet the organization's requirements, and maintaining the currency of the vulnerability scanning tool.
  • Determine scanning criteria - Cybersecurity professionals depend on automation to help them perform their duties in an efficient, effective manner. Vulnerability scanning tools allow the automated scheduling of scans to take the burden off administrators.
  • Sensitivity levels - These settings determine the types of checks that the scanner will perform and should be customized to ensure that the scan meets its objectives while minimizing the possibility of disrupting the target environment.
  • Vulnerability feed - Services that deliver information on the vast majority of known vulnerabilities, with lag times that range from hours to weeks.
    • National Vulnerability Database (NVD) - The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. It includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
  • Scope (Scope of a Vulnerability Scan) - describes the extent of the scan and answers these questions: What systems and networks will be included in the vulnerability scan? What technical measures will be used to test whether systems are present on the network? What tests will be performed against systems discovered by a vulnerability scan?
  • Credentialed vs. non-credentialed - A non-credentialed vulnerability scan evaluates the system from the perspective of an outsider, such as an attacker just beginning to interact with a target. This is a sort of black-box test in which the scanning tool doesn't get any special information or access into the target. The advantage of this approach is that it tends to be quicker while still being fairly realistic. It may also be a bit more secure because there is no need for additional credentials on all tested devices. The disadvantage, of course, is that you will most likely not get full coverage of the target. Non-credentialed scans look at systems from the perspective of the attacker but are not as thorough as credentialed scans.
    • Credentialed Scan - A scan in which the scanning computer has an account on the computer being scanned, allowing the scanner to do a more thorough check for problems that cannot be seen from the network.
    • Noncredentialed Scan - A vulnerability scan run without any user credentials, providing a quick view of vulnerabilities by looking only at the network services exposed by the host.
  • Types of data - the information that should or must be included in the report, particularly when dealing with regulatory compliance scans. This information will drive the data that your scan must collect, which in turn affects the tool configuration.
  • Server-based vs. agent-based - Vulnerability scanners tend to fall into two classes of architecture: those that require a running process (agent) on every scanned device, and those that do not. A server-based (or agentless) scanner consolidates all data and processes on one or a small number of scanning hosts, which depend on a fair amount of network bandwidth in order to run their scans. It has fewer components, which could make maintenance tasks easier and help with reliability. Additionally, it can detect and scan devices that are connected to the network but do not have agents running on them (for example, new or rogue hosts). Agent-based scanners have agents that run on each protected host and report their results back to the central scanner. Because only the results are transmitted, the bandwidth required by this architectural approach is considerably less than for a server-based solution. Also, because the agents run continuously on each host, mobile devices can still be scanned even when they are not connected to the corporate network.
    • Server-based Scanner -

necessary access across the network infrastructure. It is generally best to have a dedicated account for the scanning tool or, alternatively, to execute it within the context of the user responsible for running the scan. In either case, minimally privileged accounts should be used to minimize risks (that is, do not run the scanner as root unless you have no choice).

  • Execute scanning - Modern scanners cannot find weaknesses they're not aware of or do not understand. Although they can only identify weaknesses they're aware of, the most popular vulnerability scanners have amassed enormous libraries of vulnerabilities. We'll discuss three popular vulnerability scanners on the market: Tenable Network Security's Nessus, Greenbone Networks' OpenVAS, and the Nikto Web Scanner.
    • Authenticated Scan - Vulnerability testing performed as a logged-in, credentialed user. The method is also known as logged-in scanning. It determines how secure a network is from an inside vantage point.
    • Unauthenticated Scan - A form of vulnerability scan that tests the target systems without having passwords or other special information that would grant the scanner special privileges. This allows the scan to run from the perspective of an attacker but also limits the ability of the scanner to fully evaluate possible vulnerabilities.
    • Nessus - A popular and powerful scanner that began its life as an open source and free utility in the late 1990s and has since become a top choice for conducting vulnerability scans. With over 80,000 plug-ins, it gives users the ability to schedule and conduct scans across multiple networks based on custom policies. Its real power, however, lies in its multitude of features for vulnerability identification, misconfiguration detection, detection of default password usage, and compliance determination.
    • OpenVAS - A free framework that consists of several analysis tools for both vulnerability identification and management. It is a fork of the original Nessus project that began shortly after Tenable closed development of the Nessus framework. It is similar to Nessus in that it supports browser-based access to its Manager, which uses the Scanner to conduct assessments based on a collection of over 47,000 Network Vulnerability Tests (NVTs).
    • Nikto Web Scanner - A web server vulnerability scanner. Its main strength is finding vulnerabilities such as SQL and command injection susceptibility, cross-site scripting (XSS), and improper server configuration. Although, as a command-line utility, it lacks a graphical interface, it is able to perform thousands of tests very quickly and provide details on the nature of the weaknesses.
  • Generate reports - Report generation is an important part of the incident response process and is particularly critical for vulnerability management. All vulnerability scanners perform reporting functions of some kind, but they don't all come with customization options. Nessus provides its reports in common formats such as PDF, HTML, and CSV; additionally, you can use Nessus's own formats. As an administrator, it's important that you consider what kinds of reporting your utility is capable of and how you might automate the reporting process. Getting the pertinent information to the right people in a timely fashion is the key to successfully capitalizing on vulnerability scans.

  • Automated vs. manual distribution - Modern vulnerability management tools provide very strong reporting capabilities. These reports may be manually generated on-demand to answer specific questions, or administrators may set up automated reports that generate on a scheduled basis and are pushed out to those who need to see them. Additionally, administrators may set up alerting mechanisms to immediately notify key personnel of critical new vulnerabilities as soon as they are detected.
  • Remediation
  • Prioritizing - As cybersecurity analysts work their way through vulnerability scanning reports, they must make important decisions about prioritizing remediation to use their limited resources to resolve the issues that pose the greatest danger to the organization. There is no cut-and-dried formula for prioritizing vulnerabilities. Rather, analysts must take several important factors into account when choosing where to turn their attention first.
    • Criticality
    • Difficulty of implementation
    • Criticality (of the System and Information Affected by the Vulnerability) - These measures should take into account CIA requirements, depending on the nature of the vulnerability. For example, if the vulnerability allows a denial-of-service attack, the CySA should consider the impact to the organization if the system became unusable due to an attack. If the vulnerability allows the theft of stored information from a database, the CySA should consider the impact on the organization if that information were stolen. EXAM TIP: The Common Vulnerability Scoring System (CVSS) is the de facto standard for assessing the severity of vulnerabilities. Therefore, you should be familiar with CVSS and its metric groups: base, temporal, and environmental.
    • Difficulty of Remediating the Vulnerability - If fixing a vulnerability will require an inordinate commitment of human or financial resources, that should be factored into the decision-making process. Cybersecurity analysts may find that they can fix five issues rated numbers 2 through 6 in priority order for the same investment that would be required to address the top issue. This doesn't mean that they should necessarily make that decision based on cost and difficulty alone, but it is a consideration in the prioritization process.
    • Severity of the Vulnerability - The more severe an issue is, the more important it is to correct that issue. Analysts may turn to the Common Vulnerability Scoring System (CVSS), a component of SCAP, to provide relative severity rankings for different vulnerabilities.

    • Organizational Governance - The system of processes and rules an organization uses to direct and control its operations. It aims to strike a sensible balance between the priorities of company stakeholders. In some cases, governance may interrupt the application of remedial steps because those actions might negatively affect other business areas.
    • Business Process Interruption - There's never a good time to apply a patch or take other remedial actions. Highly efficient business and industrial processes such as just-in-time manufacturing have allowed businesses to reduce process time and increase overall efficiency. Underpinning these systems are production IT systems that are themselves optimized to the business. A major drawback, however, is that some systems might be more susceptible to disruption because of their optimized state. This fear of unpredictability or instability in the overall process is often enough for company leadership to delay major changes to production systems, or to avoid them altogether.
    • Degrading Functionality - The most common barrier to vulnerability scanning raised by technology professionals. Vulnerability scans consume network bandwidth and tie up resources on the systems that are the targets of scans. This may degrade system functionality and poses a risk of interrupting business processes. CySAs may address these concerns by tuning scans to consume less bandwidth and coordinating scan times with operational schedules.

  • Ongoing Scanning and Continuous Monitoring - Where feasible, you should schedule automated vulnerability scanning to occur daily. Depending on the types of networks you operate and your security policies, you might opt to perform these scans more often, always using the most updated version of the scanning tool. You should pay extra attention to critical vulnerabilities and aim to remediate them within 48 hours. Recognizing that maintaining software, libraries, and reports might be tedious for administrators, some companies have begun to offer web-based scanning solutions. Qualys and Tenable, for example, both provide cloud-enabled web application security scanners that can be run from any number of cloud service providers. Promising increased scalability and speed across networks of various sizes, these companies provide several related services based on subscription tier.

2.2 Given a scenario, analyze the output resulting from a vulnerability scan. - CompTIA

  • Analyze reports from a vulnerability scan - Understanding why vulnerabilities exist and how they can be exploited will assist you in analyzing the final scan report.
  • Review and interpret scan results
    • Identify false positives
    • Identify exceptions
    • Prioritize response actions
  • Review and interpret scan results - Automated vulnerability reporting is never perfectly accurate. The CySA must review and make sense of it before passing it on to others in the organization. The two most important outcomes of this process are to identify false positives and exceptions to policies. Once entries in these categories are removed from consideration, one must then prioritize response actions.

  • Identify false positives - Reporting a problem when no such issue exists is a challenge when dealing with any type of scanner. With vulnerability scanners they are particularly frustrating because the effort required to remediate a suspected issue might be resource intensive.
  • Identify exceptions - These always exist on any network. There is no way for the authors of a vulnerability test to know the details of your network, so they must create rules that are sometimes less granular, which may lead to false positives. In this case, it might be useful to customize your own test once that false positive is discovered. Another reason for a false positive could be that you've already determined the appropriate compensating control for an issue but have not correctly disposed of the alert.
  • Prioritize response actions - The aim is to have the most accurate information about your network, because it means more confidence in the decisions made by your technical staff and company leadership. With vulnerabilities accurately identified, and the most appropriate courses of action developed and refined through open lines of communication, you can rank responses so that they have minimal impact throughout the company.
  • Validate results and correlate other data points - Armed with the feedback from the vulnerability scan reports, it can be straightforward to verify their results.
  • Compare to best practices or compliance
  • Reconcile results
  • Review related logs and/or other data sources
  • Determine trends
  • Compare to Best Practices or Compliance - Several benchmarks across industry, academia, and government are available for you to improve your network's security. On military networks, the most widely used set of standards is developed by the Defense Information Systems Agency (DISA). Its Security Technical Implementation Guides (STIGs), combined with the National Security Agency (NSA) guides, are the configuration standards used on DoD information systems.
  • Reconcile Results - The steps you take to configure a device, validate its configuration, verify its operation, and of course test vulnerabilities. Taking notes on how you uncovered and dealt with a vulnerability will aid in continuity, and it might be required based on the industry in which you operate.
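Determining trends between scans and tracking the 48-hour target for critical vulnerabilities from the continuous-monitoring section, as an added example that is not part of these notes: it reconciles two constructed CSV exports keyed on host and check, classifies findings as new, persisting or resolved, carries the first-seen time forward so age accumulates across runs, and lists Critical findings open for more than 48 hours. The CSV columns, host and check names, timestamps and the report time NOW are constructed assumptions.

```python
"""Added example, not from the study notes: reconcile two consecutive scan
exports to determine trends (new, persisting and resolved findings) and flag
Critical findings still open past the 48-hour remediation target the notes set.
The CSV layout and every record below are constructed for illustration."""
import csv
import io
from datetime import datetime, timedelta

CRITICAL_REMEDIATION_TARGET = timedelta(hours=48)
NOW = datetime(2025, 3, 5, 10, 0)   # constructed time at which the report is reviewed

def load_findings(csv_text):
    """Parse a constructed export with columns host,check,severity,seen (ISO 8601)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        row["seen"] = datetime.fromisoformat(row["seen"])
        rows.append(row)
    return rows

def reconcile(previous, current):
    """Compare two scans keyed on (host, check).
    Persisting findings inherit the earlier record's first_seen (falling back to
    that scan's own timestamp), so age keeps accumulating across daily runs."""
    prev = {(f["host"], f["check"]): f for f in previous}
    cur = {(f["host"], f["check"]): f for f in current}
    result = {"new": [], "persisting": [], "resolved": []}
    for key, f in cur.items():
        if key in prev:
            first_seen = prev[key].get("first_seen", prev[key]["seen"])
            result["persisting"].append({**f, "first_seen": first_seen})
        else:
            result["new"].append({**f, "first_seen": f["seen"]})
    result["resolved"] = [prev[k] for k in prev if k not in cur]
    return result

def overdue_criticals(reconciled, now):
    """Open Critical findings whose age since first_seen exceeds the target, oldest first."""
    still_open = reconciled["new"] + reconciled["persisting"]
    overdue = [f for f in still_open
               if f["severity"] == "Critical"
               and now - f["first_seen"] > CRITICAL_REMEDIATION_TARGET]
    return sorted(overdue, key=lambda f: f["first_seen"])

def trend_summary(reconciled):
    """Counts per category; a positive net_change means the open backlog is growing."""
    new, persisting, resolved = (len(reconciled[k]) for k in ("new", "persisting", "resolved"))
    return {"new": new, "persisting": persisting, "resolved": resolved,
            "net_change": new - resolved}

# Constructed exports from two scans two days apart (placeholder check names).
SCAN_PREVIOUS = """
host,check,severity,seen
db01,unauth-rce-check,Critical,2025-03-03T02:00:00
web01,reflected-xss-check,Medium,2025-03-03T02:00:00
kiosk07,svc-dos-check,High,2025-03-03T02:00:00
"""
SCAN_CURRENT = """
host,check,severity,seen
db01,unauth-rce-check,Critical,2025-03-05T02:00:00
kiosk07,svc-dos-check,High,2025-03-05T02:00:00
app02,deserialization-check,Critical,2025-03-05T02:00:00
"""

if __name__ == "__main__":
    reconciled = reconcile(load_findings(SCAN_PREVIOUS), load_findings(SCAN_CURRENT))
    print(trend_summary(reconciled))
    for f in overdue_criticals(reconciled, NOW):
        print("overdue:", f["host"], f["check"], "first seen", f["first_seen"])
```

The new Critical on app02 is 8 hours old and is not reported as overdue, while the persisting Critical on db01 has been open 56 hours and is.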
  • Review Related Logs and/or Other Data Sources -
  • Network infrastructure - The actual hardware, software, and networking components that support the processing and transfer of information. The most commonly vulnerable components are wireless access points (WAPs). Particularly in environments where employees can bring (and connect) their own devices, it is challenging to strike the right balance between security and functionality. The Wired Equivalent Privacy (WEP) protocol has been known to be insecure since at least 2004 and has no place in our networks. For best results, use the Wi-Fi Protected Access 2 (WPA2) protocol.
  • Network appliances - Modern interconnected networks use a complex combination of infrastructure components and network devices to provide widespread access to secure communications capabilities. These networks and their component parts are also susceptible to security vulnerabilities that may be detected during a vulnerability scan.
  • Virtual infrastructure - One of the biggest advantages of virtualized computing is its efficiency. Many of our physical network devices spend a good part of their time sitting idle and are thus underutilized. By virtualizing these devices and placing them on the same shared hardware, we can balance loads and improve performance at a reduced cost.
    • Virtual hosts
    • Virtual networks
    • Management interface
    • Virtual Hosts - Their most common vulnerability is VM sprawl, since, unlike their physical counterparts, VMs can easily multiply. They should be completely isolated from the OS of the host on which they are running. This should be implemented because, if a process in the VM were able to breach this isolation and interact directly with the host, that process would have access to any other VMs running on that host, likely with elevated privileges.
    • Virtual Networks - They are commonly implemented in two ways: internally to a host using network virtualization software within a hypervisor, and externally through the use of protocols such as the Layer 2 Tunneling Protocol (L2TP). A vulnerability in the hypervisor would allow an attacker to escape a VM. Once outside of the machine, the attacker could have access to the virtual networks implemented by the hypervisor. This could lead to eavesdropping, modification of network traffic, or denial of service. Still, at the time of this writing there are very few known actual threats to virtual networks apart from those already mentioned when we discussed common vulnerabilities in VMs.
    • Management Interface - Management interfaces are used for accessing devices remotely. Typically, a management interface is disconnected from the in-band network and is connected to the device's internal network. Because virtual devices have no physical manifestation, there must be some mechanism by which we can do the virtual equivalent of plugging an Ethernet cable into the back of a server or adding memory to it.

The most common vulnerability in these interfaces is their misconfiguration. Even competent technical personnel can forget to harden or properly configure this critical control device if they do not strictly follow a security technical implementation guide.

  • Mobile devices - A portable computing device such as a smartphone or tablet computer. Common vulnerabilities are lack of patches/updates, weak passwords and the app stores from which they load new software. Compounding this problem is the fact that Android apps can be loaded from any store or even websites. Many users looking for a cool app and perhaps trying to avoid paying for it will resort to these shady sources. iOS users, though better protected by Apple's ecosystem, are not immune either, particularly if they jailbreak their devices.
  • Interconnected networks - One of the largest data breaches in recent history was accomplished in late 2013 with Target, not by attacking the retailer directly, but by using a heating, ventilation, and air conditioning (HVAC) vendor's network as an entry point. The vendor had access to the networks at Target stores to monitor and manage HVAC systems, but the vulnerability induced by the interconnection was not fully considered by security personnel. In a world that grows increasingly interconnected and interdependent, we should all take stock of which of our partners might present our adversaries with a quick way into our systems.
  • Virtual Private Networks (VPNs) - Many organizations use VPNs to provide employees with secure remote access to the organization's network. As with any application protocol, administrators must ensure that the VPN services offered by the organization are fully patched to current levels. In addition, VPNs require the use of cryptographic ciphers and suffer from issues similar to those of SSL and TLS when they support the use of insecure ciphers.
  • Industrial Control Systems (ICSs) - A cyber-physical system that allows specialized software to control the physical behaviors of some system. They are used in automated automobile assembly lines, building elevators, and even HVAC systems. Much of the software that runs on them is burned into the firmware of devices such as programmable logic controllers (PLCs). This is a source of vulnerabilities because updating this software cannot normally be done automatically or even centrally. Patching and updating, which is pretty infrequent to begin with, typically requires that the device be brought offline and manually updated by a qualified technician. Between the cost and effort involved and the effects of interrupting business processes, it should not come as a surprise to learn that many ICS components are never updated or patched. Another common vulnerability is passwords: the manufacturer sets a trivial password in the firmware, documents it so that all users (and perhaps abusers) know what it is, and sometimes makes it difficult if not impossible to change. In many cases these passwords are stored in plain text.
    • SCADA (Supervisory Control and Data Acquisition) -