Security+ (SY0-701): Lesson 8: Explain Vulnerability Management Part 4
This deck covers key concepts of vulnerability management, including dark net, penetration testing, compliance audits, and vulnerability scoring systems.
Key Terms
Term | Definition |
---|---|
What is the purpose of the dark net? | Acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. |
What are examples of dark net software? | Onion Router (TOR), Freenet, or I2P. |
Define 'onion routing/The Onion Router (Tor)' | Wraps each message in one layer of encryption per relay and forwards it through a chain of relays; each relay strips only its own layer and learns just the previous and next hop, so no single node sees both the sender and the final destination. |
Define the 'dark web' | Sites, content, and services accessible only over a dark net. |
What are benefits of the dark web? | Privacy and anonymity, access to censored information, and research/information sharing. |
Define 'penetration testing' | A test that uses active tools and security utilities to evaluate security by simulating an attack on a system. |
What is the purpose of a pen test? | To verify that a threat exists; Will actively test and bypass security controls, and will finally exploit vulnerabilities on the system. |
What is the difference between penetration testing and vulnerability scanning? | Vulnerability scanning is largely automated and only reports weaknesses that may be present, without exploiting them; penetration testing adds human ingenuity and creativity, manipulating an application's functionality to perform actions in ways not intended by its developers, leading to actual exploitation. |
Define 'Unknown environment (previously known as black box) testing' | When the consultant/attacker has no privileged information about the network and its security systems; Requires the consultant/attacker to perform an extensive reconnaissance phase. |
What is the purpose of unknown environment (black box) testing? | Useful for simulating the behavior of an external threat. |
Define 'Known environment (previously known as white box) testing' | The consultant/attacker has complete access to information about the network. |
What is the purpose of known environment (white box) testing? | Useful for simulating the behavior of a privileged insider threat. |
Define 'Partially known environment (previously known as gray box) testing' | When the consultant/attacker has some information; Requires partial reconnaissance. |
Define a 'Bug bounty' | Reward scheme operated by software and web services vendors for reporting vulnerabilities. |
Define an 'audit' | Comprehensive reviews/assessment of security controls, policies, and procedures designed to ensure an organization's security posture aligns with established standards and best practices. |
Define a 'compliance audit' | Assess adherence to regulations; Examining areas like network security, access controls, and data protection measures. |
Define 'Payment Card Industry Data Security Standard (PCI DSS)' | Information security standard for organizations that process credit or bank card payments. |
Define 'Vulnerability analysis' | Evaluating vulnerabilities for their potential impact and exploitability; Considering ease of exploitation, the potential damage from a successful exploit, the value of the vulnerable asset, and the current threat landscape. |
Define 'remediation' | The process of identifying and addressing vulnerabilities in order to reduce the risk they pose. |
Define 'mitigation' | Applying patches, changing configurations, updating software, or replacing vulnerable systems. |
Define a 'Compensating control' | Measures put in place to mitigate the risk of a vulnerability when security teams cannot directly eliminate it or when direct remediation is not immediately possible. |
Define the purpose of the 'Security Content Automation Protocol (SCAP)' | Enables automated vulnerability management, and policy compliance evaluation of systems deployed in an organization. |
What is the function of the Security Content Automation Protocol (SCAP)? | Defines ways to compare the live configuration of a system to a target secure baseline. |
Define a 'Common Vulnerabilities and Exposures (CVE)' | A scheme for identifying vulnerabilities developed by MITRE and adopted by NIST. |
How is a CVE identified? | CVE-YYYY-NNNN, where YYYY is the year the ID was assigned or the vulnerability was published (not necessarily the year it was discovered) and NNNN is a sequence number of at least four digits; the sequence number can be longer, as in CVE-2021-44228. |
Define the 'Common Vulnerability Scoring System (CVSS)' | Quantifies vulnerability data and then takes into account the degree of risk to different types of systems or information. |
What is the scale of the Common Vulnerability Scoring System (CVSS)? | CVSS metrics generate a base score from 0 to 10 based on the characteristics of the vulnerability; the v3.x qualitative ratings are None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). |
What characteristics are used to determine the Common Vulnerability Scoring System (CVSS) of a Common Vulnerabilities and Exposures (CVE)? | The CVSS v3.1 base metrics: attack vector (whether it can be triggered over the network or needs adjacent, local, or physical access), attack complexity, privileges required, whether user interaction is required, whether the scope changes to other components, and the impact on confidentiality, integrity, and availability. |
Define a 'false positive' | An instance where a scanner or another assessment tool reports a vulnerability that is not actually present. |
Define a 'false negative' | A vulnerability that is not reported when it should be; Potential vulnerabilities that go undetected in a scan. |
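The onion-routing card above says Tor uses multiple layers of encryption and relays between nodes. The following is an added illustration of that layering, not code from this deck or from the Tor Project: the client wraps a message once per relay, and each relay can strip only its own layer, so it learns only the previous and next hop. The cipher is a toy SHA-256 keystream XOR standing in for Tor's AES-CTR, with no integrity check, circuit setup, or fixed-size cells; the relay names, keys, and message are constructed.

```python
"""Toy onion routing: one encryption layer per relay, so each relay learns only its neighbours.

Added illustration, not code from the page or from the Tor Project. The cipher is a
SHA-256 keystream XOR (a toy stand-in for Tor's AES-CTR) with no integrity check,
no circuit setup and no fixed-size cells; it shows the layering idea only.
"""
import hashlib
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """Wrap one layer: random 16-byte nonce || plaintext XOR keystream."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Strip one layer (XOR with the same keystream)."""
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def build_onion(path, message: bytes) -> bytes:
    """Client side. path = [(relay_name, key_shared_with_relay), ...], entry relay first.

    Layers are applied innermost-first, so the entry relay's key wraps everything and
    the exit relay's layer directly contains the message.
    """
    blob = message
    for i in range(len(path) - 1, -1, -1):
        _, key = path[i]
        next_hop = path[i + 1][0] if i + 1 < len(path) else None
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = encrypt_layer(key, layer)
    return blob


def peel(key: bytes, blob: bytes):
    """Relay side: strip exactly one layer and learn only the next hop."""
    layer = json.loads(decrypt_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def route(onion: bytes, relay_keys: dict, entry: str):
    """Forward hop by hop, recording what each relay could observe."""
    observations = []
    hop, blob, prev = entry, onion, "client"
    while hop is not None:
        next_hop, blob = peel(relay_keys[hop], blob)
        observations.append({"relay": hop, "from": prev, "to": next_hop, "payload": blob})
        prev, hop = hop, next_hop
    return blob, observations  # blob is now the plaintext the exit relay delivers


# Constructed three-hop circuit; in Tor these keys come from the circuit handshake.
RELAY_KEYS = {"guard": os.urandom(32), "middle": os.urandom(32), "exit": os.urandom(32)}
PATH = [(name, RELAY_KEYS[name]) for name in ("guard", "middle", "exit")]


def demo(message: bytes = b"GET /blocked-news HTTP/1.1"):
    """Build an onion for PATH, route it, and return (delivered_message, observations)."""
    return route(build_onion(PATH, message), RELAY_KEYS, "guard")


if __name__ == "__main__":
    delivered, seen = demo()
    for o in seen:
        print(f"{o['relay']}: from={o['from']} to={o['to']} sees_message={o['payload'] == delivered}")
```

Running it shows the guard relay knows the client and the middle relay, the middle relay knows only the guard and the exit, and only the exit relay ever holds the plaintext; this is the "anonymize usage" property the first card describes.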
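The SCAP cards say the protocol defines ways to compare a system's live configuration to a target secure baseline. The following is an added illustration of that comparison in plain Python, not SCAP, XCCDF or OVAL content and not from this deck: a hand-written baseline (an assumed hardening policy) is checked against a constructed sshd_config. It honours two sshd_config semantics a naive check gets wrong: directive names are case-insensitive, and the first occurrence of a directive is the one sshd applies.

```python
"""Compare a live configuration against a target secure baseline.

Added illustration of the idea behind SCAP's configuration comparison; it is not
SCAP/XCCDF/OVAL content. The baseline is a hand-written assumption and the
sshd_config text is a constructed sample. Two sshd_config semantics that naive
checks get wrong are honoured: directive names are case-insensitive, and the
FIRST occurrence of a directive is the one sshd applies.
"""
import re

# Constructed sample standing in for a live /etc/ssh/sshd_config
SAMPLE_SSHD_CONFIG = """\
# managed by config-mgmt; do not edit
Port 22
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication=no
X11Forwarding yes
MaxAuthTries 4
"""

# Hand-written target baseline (assumption: this organisation's hardening policy)
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "clientalivecountmax": "2",
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective {directive: value} map the way sshd would read it."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd only treats whole-line '#' as a comment
            continue
        # sshd accepts "Keyword argument" or "Keyword=argument"
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        if len(fields) != 2:
            continue  # directive with no argument; sshd itself would reject the file
        key, value = fields[0].lower(), fields[1].strip()
        effective.setdefault(key, value)       # first occurrence wins
    return effective


def check_baseline(effective: dict, baseline: dict) -> list:
    """One result per baseline directive: PASS, FAIL (wrong value) or MISSING (sshd default in effect)."""
    results = []
    for key, expected in baseline.items():
        actual = effective.get(key)
        if actual is None:
            status = "MISSING"
        elif actual.lower() == expected.lower():
            status = "PASS"
        else:
            status = "FAIL"
        results.append({"directive": key, "expected": expected, "actual": actual, "status": status})
    return results


def compliance_report(text: str = SAMPLE_SSHD_CONFIG, baseline: dict = BASELINE) -> dict:
    """Evaluate a config text against a baseline; anything not PASS counts as non-compliant."""
    results = check_baseline(parse_sshd_config(text), baseline)
    failing = [r["directive"] for r in results if r["status"] != "PASS"]
    return {"compliant": not failing, "failing": failing, "results": results}


if __name__ == "__main__":
    for r in compliance_report()["results"]:
        print(f"{r['status']:8} {r['directive']}: expected {r['expected']!r}, found {r['actual']!r}")
```

In the sample, PermitRootLogin fails even though a later line sets it to "no", because sshd keeps the first value; a checker that took the last occurrence would report a false negative on exactly the control an attacker cares about. A directive absent from the file is reported as MISSING rather than PASS, since the default that then applies may not be the hardened value.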