Assets and Threats: Quiz 5

Security teams spend a lot of time finding vulnerabilities and thinking of how they can be exploited. They do this with the process known as vulnerability management. Vulnerability management is the process of fin_______ and pat________ vulnerabilities. Vulnerability management helps keep assets safe. It's a method of stopping threats before they can become a problem. Vulnerability management is a four step process. The first step is to ide______ vulnerabilities. The next step is to consider potential exp_________ of those vulnerabilities. Third is to prepare de_________ against threats. And finally, the fourth step is to eva_________ those defenses.

The first layer of defense in depth is the peri______ layer. This layer includes some technologies that we've already explored, like usernames and passwords. Mainly, this is a user authentication layer that filters external access. Its function is to only allow access to trusted partners to reach the next layer of defense.

Second, the net______________ layer is more closely aligned with authorization. The network layer is made up of other technologies like network firewalls and others.

Next, is the en___________ layer. Endpoints refer to the devices that have access on a network. They could be devices like a laptop, desktop, or a server. Some examples of technologies that protect these devices are anti-virus software.

After that, we get to the appl__________ layer. This includes all the interfaces that are used to interact with technology. At this layer, security measures are programmed as part of an appl__________ . One common example is multi-factor authentication. You may be familiar with having to enter both your password and a code sent by SMS. This is part of the appl__________ layer of defense.

And finally, the fifth layer of defense is the data layer. At this layer, we've arrived at the critical data that must be protected, like personally identifiable information. One security control that is important here in this final layer of defense is asset classification.

One of the most popular libraries of vulnerabilities and exposures is the C?? list. The common vulnerabilities and exposures list, is an openly accessible dictionary of known vulnerabilities and exposures. It is a popular resource.

The CVE list tests four criteria that a vulnerability must have before it's assigned an ID. First, it must be inde_____________ of other issues. In other words, the vulnerability should be able to be fixed without having to fix something else. Second, it must be recognized as a potential security ri__________ by whoever reports it. Third, the vulnerability must be submitted with supporting evi________. And finally, the reported vulnerability can only affect one codebase, or in other words, only one program's source code. For instance, the desktop version of Chrome may be vulnerable, but the Android application may not be. If the reported flaw passes all of these tests, it is assigned a CVE ID.

The NIST National Vulnerabilities Database uses what's known as the common vulnerability scoring system, or CVSS, which is a measurement system that scores the sev____________ of a vulnerability. Security teams use CVSS as a way of calculating the impact a vulnerability could have on a system. They also use them to determine how quickly a vulnerability should be patched.

The NIST National Vulnerabilities Database provides a base score of CVEs on a scale of 0-??. Base scores reflect the moment a vulnerability is evaluated, so they don't change over time. In general, a CVSS that scores below a 4.0 is considered to be low risk and doesn't require immediate attention. However, anything above a 9.0 is considered to be a critical risk to company assets that should be addressed right away.

OWASP is a nonprofit foundation that works to improve the security of sof______________. OWASP is an open platform that security professionals from around the world use to share information, tools, and events that are focused on securing the web.

One of OWASP’s most valuable resources is the OWASP Top 10. The organization has published this list since 2003 as a way to spread awareness of the web’s most targeted vulnerabilities. The Top 10 mainly applies to new or custom made software. Many of the world's largest organizations reference the OWASP Top 10 during application development to help ensure their programs address common security mistakes.

bro____________ access control

Access controls limit what users can do in a web application. For example, a blog might allow visitors to post comments on a recent article but restricts them from deleting the article entirely. Failures in these mechanisms can lead to unauthorized information disclosure, modification, or destruction. They can also give someone unauthorized access to other business applications.

crypt__________ failures

Information is one of the most important assets businesses need to protect. Privacy laws such as General Data Protection Regulation (GDPR) require sensitive data to be protected by effective encryption methods. Vulnerabilities can occur when businesses fail to encrypt things like personally identifiable information (PII). For example, if a web application uses a weak hashing algorithm, like MD5, it’s more at risk of suffering a data breach.

Injection

Injection occurs when malicious code is inse__________ into a vulnerable application. Although the app appears to work normally, it does things that it wasn’t intended to do. Injection attacks can give threat actors a bac_________ into an organization’s information system. A common target is a website’s login form. When these forms are vulnerable to injection, attackers can insert malicious code that gives them access to modify or steal user credentials.