Common Vulnerability Scoring System (CVSS)
An industry standard framework used to numerically assess the severity of security vulnerabilities on a scale from 0 to 10.
False Positive
An error that occurs when a vulnerability scanner incorrectly reports that a vulnerability exists when it actually does not.
Zero-Day Attack
An attack that exploits a vulnerability that is currently unknown to product vendors, meaning no patches are available to correct the issue.
Attack Vector (AV)
A CVSS metric describing how an attacker would exploit the vulnerability.
Privileges Required (PR)
A CVSS metric describing the type of account access an attacker would need to exploit a vulnerability. (A score of None (N) indicates attackers do not need to authenticate to exploit the vulnerability.)
Confidentiality Metric
A CVSS metric that describes the type of information disclosure that might occur if an attacker successfully exploits a vulnerability.
Integrity Metric
A CVSS metric that describes the type of information alteration that might occur if an attacker successfully exploits a vulnerability. (If modification of some information is possible, but the attacker lacks control over what is modified, the value is Low (L).)
Availability Metric
A CVSS metric that describes the type of disruption that might occur if an attacker successfully exploits the vulnerability. (If the system is completely shut down, the metric value is High (H).)
Cross-Site Scripting (XSS)
An attack where an attacker embeds scripting commands on a website that are later executed by an unsuspecting visitor. (A persistent XSS attack occurs when the attacker is able to store the malicious code directly on the server.)
Injection Flaws
Attacks where an attacker sends commands through a web server to a backend system, bypassing normal security controls. (The most common form is the SQL injection attack, targeting backend database servers.)
SQL Injection
An injection attack that exploits web applications to send unauthorized commands to a backend database server. (Semicolons and apostrophes appearing in end-user queries recorded in web server logs are a sign that an attacker is attempting SQL injection.)
Buffer Overflow
An attack that occurs when an attacker manipulates a program into placing more data into an area of memory than is allocated for its use.
Privilege Escalation
Attacks that seek to increase the level of access an attacker has to a target system, often transforming a normal user account into a more privileged account.
Remote Code Execution (RCE)
Code execution vulnerabilities that allow an attacker to run software of their choice on the targeted system over a network connection.
End-of-Life (EOL) Components
Software products for which vendors have discontinued support, meaning an organization that keeps running the outdated software does so at significant risk.
Security Misconfiguration
A state where systems are configured in a way that allows attackers to gain information or exploit the system.
Directory Traversal
An attack where the attacker inserts filesystem path values into a query string to navigate to a file located in an area not normally authorized for public access. (An attacker uses ../payroll/mike.pdf in a query string seeking access to unauthorized payroll records.)
Local File Inclusion (LFI)
A file inclusion attack that seeks to execute code stored in a file located elsewhere on the web server. (An attacker attempts to access the URL www.mycompany.com/app.php?include=C:\www\uploads\attack.exe.)
Remote File Inclusion (RFI)
A file inclusion attack that allows the attacker to execute code that is stored on a remote server.
Cross-Site Request Forgery (CSRF/XSRF)
An attack that exploits the trust remote sites have in a user’s system to execute commands on the user’s behalf. (This type of attack depends on the fact that users are often logged into many websites simultaneously in the same browser.)
Data Poisoning
Attacks that try to manipulate training datasets in a way that causes machine learning algorithms to create inaccurate models.
Insecure Design
Vulnerabilities arising from older protocols designed without security in mind. (Protocols like Telnet and File Transfer Protocol (FTP) should be replaced by secure alternatives like Secure Shell (SSH) or SFTP.)
On-Path Attack
An attack, also known as man-in-the-middle (MitM), where an attacker interferes in the communication flow between two systems. (An attacker impersonates a bank's web server, accepts a user's connection, and establishes their own secure connection to the legitimate bank server, acting as an intermediary.)
Internal IP Disclosure
A vulnerability where a server leaks its private IP address to remote systems, often by including the address in the header information of an HTTP response.
Asset Value (AV)
The monetary value of the asset affected by the risk. (An email server's ability to generate sales worth $1,000 per hour)
Annualized Rate of Occurrence (ARO)
The estimated number of times a risk is expected to occur in a year. (An ARO of 2.0 means a risk is expected to occur twice a year)
Exposure Factor (EF)
The percentage of the asset expected to be damaged if the risk materializes. (An EF of 90 percent if 90 percent of the system's capacity would be consumed by an attack)
Single Loss Expectancy (SLE)
The financial damage expected each time a risk occurs, calculated by multiplying AV by EF. (An SLE of $27,000 from an expected loss during a denial-of-service attack)
Annualized Loss Expectancy (ALE)
The total expected financial damage from a risk each year, calculated by multiplying SLE and ARO. (An ALE of $81,000 if the SLE is $27,000 and the ARO is 3.0)
Risk Mitigation
Applying security controls to decrease the probability or magnitude of a risk. (Purchasing cable locks for laptops; Purchasing a third-party DDoS mitigation service)
Risk Avoidance
Changing business practices to completely eliminate the chance that a risk will materialize. (Shutting down an organization's website to eliminate the risk of a DDoS attack)
Risk Transference
Shifting some of the financial impact of a risk to another entity. (Purchasing a property insurance policy to cover laptop theft; Buying cybersecurity insurance to cover a DDoS attack)
Risk Acceptance
Deliberately choosing to take no other action and continuing operations despite the presence of the risk. (Deciding to operate a website knowing a DDoS attack could take it down, because mitigation is too costly)
Technical Controls
Controls that enforce confidentiality, integrity, and availability within the digital space. (Firewall rules, access control lists, or encryption)
Operational Controls
Processes put in place to manage technology in a secure manner. (Log monitoring, vulnerability management, or user access reviews)
Managerial Controls
Procedural mechanisms focusing on the risk management process. (Periodic risk assessments or security planning exercises)
Preventive Controls
Controls intended to stop a security issue before it occurs. (Firewalls and encryption)
Detective Controls
Controls that identify security events that have already occurred. (Intrusion detection systems)
Corrective Controls
Controls that remediate security issues that have already occurred. (Restoring backups after a ransomware attack)
Compensating Controls
Controls used to reduce the risk related to exceptions made to a security policy. (Running an outdated operating system on an isolated network to mitigate its vulnerability)
Indicators of Compromise (IOCs)
Forensic evidence or data used to help identify an attack. (Knowing which IOCs are associated with a given threat actor to prevent further damage)
Static Code Analysis
Reviewing the application's source code to find flaws without executing the code.
Dynamic Code Analysis
Analysis that executes the code and provides it with input to test the software. (Using automated tools to perform volume testing)
Fuzzing (Fuzz Testing)
Sending invalid or random data to an application to test its ability to handle unexpected input. (Monitoring an application to determine if it crashes or fails when given random data)
Debugger
Tools used to support developers in troubleshooting their work, also used by testers for dynamic analysis of executable files.
Vulnerability management programs
Programs that identify, prioritize, and fix security weaknesses before attackers can exploit them (E.g., Using a defined workflow for scanning enterprise assets and remediating issues).
PCI DSS
An industry standard prescribing specific security controls for organizations that handle credit card transactions (E.g., Requires organizations to run both internal and external vulnerability scans at least quarterly).
FISMA
A law that requires government agencies and organizations operating on their behalf to comply with specific security standards (E.g., Requires all federal information systems to meet basic vulnerability scanning requirements found in NIST SP 800-53).
Active vulnerability scanning
A method where the scanning tool interacts with the scanned host to find open services and check for possible vulnerabilities (E.g., The tool is considered "noisy" because it attempts to connect to every device on a network looking for open ports).
Passive vulnerability scanning
A method where the scanner monitors network traffic, similar to an intrusion detection system, looking for signatures of outdated systems and applications (E.g., Monitoring network packets to detect vulnerabilities reflected in network traffic).
Credentialed scan
A scan where the administrator provides the scanner with credentials to connect to the target server and retrieve configuration data (E.g., Checking whether a required operating system update is actually installed on the system before reporting a vulnerability).
Agent-based scanning
A method where small software agents are installed on each target server to conduct "inside-out" vulnerability scans (E.g., Agents scan the server configuration and report information back to the vulnerability management platform).
Internal scan
A vulnerability scan run from within the corporate network (E.g., Providing the view of potential vulnerabilities that a malicious insider might encounter).
External scan
A vulnerability scan run from the Internet (E.g., Providing the view of potential vulnerabilities that an attacker located outside the organization would see).
False positive
When a vulnerability scan mistakenly identifies normal network activity or a system component as a threat or attack (E.g., A remote scan detects the possibility of a vulnerability but is unable to confirm it with confidence).
False negative
When a threat or attack is occurring but the scanner fails to identify or alert on it (E.g., A security flaw is present on a server, but the scan results show the system is clean).
Compensating control
An additional security measure implemented to address a vulnerability when the underlying issue cannot be immediately fixed (E.g., Using a web application firewall (WAF) to block SQL injection attacks against a vulnerable web application).
OWASP
A project community focused on secure coding practices, standards, and open-source tools related to web application security (E.g., Publishes a regularly updated list of significant vulnerabilities like the OWASP Top Ten).
Risk appetite
An organization’s inherent willingness to tolerate risk within its computing environment (E.g., Organizations that are extremely risk-averse may choose to conduct scans more frequently).
CVSS (Common Vulnerability Scoring System)
A standardized method for measuring and describing the severity of security-related software flaws (E.g., Used by cybersecurity analysts to provide relative severity rankings for prioritizing remediation).
CPE (Common Platform Enumeration)
A standard nomenclature used for describing product names and versions (E.g., Used in security reports to ensure standardization when referencing software products).
Ongoing scanning
A shift from scheduled scanning where scanners continually check systems on a rotating basis as scanning resources allow (E.g., A resource-intensive approach that provides earlier detection of vulnerabilities than scheduled weekly or monthly scans).
Continuous monitoring
An approach that incorporates data (often from agents) to report security-related configuration changes to the vulnerability management platform as soon as they occur (E.g., Analyzing configuration changes immediately for potential vulnerabilities).
Interception proxies
Tools used by testers to intercept requests sent from a web browser to a web server before they are released onto the network (E.g., The popular open source tool Zed Attack Proxy (ZAP)).