"Security Updates" for software (e.g., Microsoft Windows operating systems, Adobe Flash Player, etc.) and firmware (e.g., the firmware in a consumer 'Wi-Fi Router' for home use) are designed to patch (fix) vulnerabilities.
True
False
A company is the victim of a cyber attack in which a previously unknown vulnerability in a web server is exploited. Which statement is true?
The company that was attacked will immediately find information on the vulnerability in the National Vulnerability Database (NVD).
This attack is known as a "Zero Day Attack."
Previously unknown vulnerabilities always have high CVSS scores.
All of the above.
A systems administrator installs a software update that removes a vulnerability in a database server. This is known as vulnerability _______________.
Repudiation
Elevation
Propagation
Mitigation
The Common Vulnerability Scoring System version 3 (CVSS v.3) is composed of the following group(s) of metrics:
Base Metric Group
Temporal Metric Group
Environmental Metric Group
All of the above
The __________ group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.
Base Metric
Environmental Metric
Temporal Metric
User Metric
The __________ group reflects the characteristics of a vulnerability that may change over time but not across user environments.
Base Metric
Temporal Metric
Environmental Metric
Impact Metric
The ____________ group represents the characteristics of a vulnerability that are relevant and unique to a particular organization's environment.
Base Metric
Temporal Metric
Environmental Metric
Exploit Code Maturity Metric
In CVSS v.3, all vulnerabilities are scored on the metrics in the Base metric group, resulting in a Base Score for each vulnerability. However, scoring a vulnerability on the metrics in the Temporal and Environmental metric groups is optional.
True
False
In CVSS v.3, while vulnerabilities are typically scored on the Base and Temporal metrics by the broader security community, the scoring on Environmental Metrics is to be done by analysts at the end-user organizations.
True
False
According to the CVSS v.3 specification, the Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable. CVSS v.3 refers to "the thing that is vulnerable" as:
The Impacted Component
The Vulnerable Component
The Base Component
The Environmental Component
According to the CVSS v.3 specification, the Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact. CVSS v.3 refers to "the thing that suffers the impact" as:
The Vulnerable Component
The Environmental Component
The Impacted Component
The Base Component
The Base Metric Group of CVSS v.3 is further divided into two categories: Exploitability Metrics and Impact Metrics. Match each of the following Exploitability Metrics with its description.
Reflects the context by which the vulnerability is possible
User interaction
Attack complexity
Attack vector
Privileges required
"Security Updates" for software (e.g., Microsoft Windows operating systems, Adobe Flash Player, etc.) and firmware (e.g., the firmware in a consumer 'Wi-Fi Router' for home use) are designed to patch (fix) vulnerabilities.
True
A company is the victim of a cyber attack in which a previously unknown vulnerability in a web server is exploited. Which statement is true?
This attack is known as a "Zero Day Attack."
A systems administrator installs a software update that removes a vulnerability in a database server. This is known as vulnerability _______________.
Vulnerability Mitigation
The Common Vulnerability Scoring System version 3 (CVSS v.3) is composed of the following group(s) of metrics:
All of the above
The __________ group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.
Base Metric
The __________ group reflects the characteristics of a vulnerability that may change over time but not across user environments.
Exploitability metric
The ____________ group represents the characteristics of a vulnerability that are relevant and unique to a particular organization's environment.
Temporal metric
In CVSS v.3, all vulnerabilities are scored on the metrics in the Base metric group, resulting in a Base Score for each vulnerability. However, scoring a vulnerability on the metrics in the Temporal and Environmental metric groups is optional.
True
In CVSS v.3, while vulnerabilities are typically scored on the Base and Temporal metrics by the broader security community, the scoring on Environmental Metrics is to be done by analysts at the end-user organizations.
True
According to the CVSS v.3 specification, the Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable. CVSS v.3 refers to "the thing that is vulnerable" as:
The Vulnerable Component
According to the CVSS v.3 specification, the Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact. CVSS v.3 refers to "the thing that suffers the impact" as:
The Impacted Component
The Base Metric Group of CVSS v.3 is further divided into two categories: Exploitability Metrics and Impact Metrics. Match each of the following Exploitability Metrics with its description.
Reflects the context by which the vulnerability is possible: Attack vector