Skip to main content

Search Shelves Books Log in

Details

Revision #1

Created 1 year ago by naruzkurai

Updated 1 year ago by naruzkurai

Actions

Revisions

Export

Contained Web File.html
PDF File.pdf
Plain Text File.txt
Markdown File.md

Book Navigation

[Completed] Professional Google Cybersecurity Specialization C5/8; assets, threats, and vulnerabilities
Introduction to Course 5
Course 5 overview
Da'Queshia: My path to cybersecurity
Understand risks, threats, and vulnerabilities
Tri: Life in asset security
Security starts with asset classification
Common classification requirements
The emergence of cloud security
Elements of a security plan
The NIST Cybersecurity Framework
Security guidelines in action
Wrap-up; terms and definitions from course 5, week 1
Welcome to week 2
Security controls
Principle of least privilege
最小権限の原則
The data lifecycle
Information privacy: Regulations and compliance
Heather: The importance of protecting PII
Fundamentals of cryptography
Public key infrastructure PKI
Symmetric and asymmetric encryption
Symmetric and asymmetric encryption
Non-repudiation and hashing
The evolution of hash functions
Access controls and authentication systems
The rise of SSO and MFA
The mechanisms of authorization
Why we audit user activity
Tim: Finding purpose in protecting assets
Identity and access management
Wrap-up; Terms and definitions from Course 5, Week 2
Welcome to week 3
Vulnerability management
Defense in depth strategy
Common vulnerabilities and exposures
The OWASP Top 10
Open source intelligence
Vulnerability assessments
Approaches to vulnerability scanning
The importance of updates
Omad: My learning journey into cybersecurity
Penetration testing
Protect all entry points
Approach cybersecurity with an attacker mindset
Types of threat actors
Niru: Adopt an attacker mindset
Pathways through defenses
Fortify against brute force cyber attacks
Wrap-up; Terms and definitions from Course 5, Week 3
Welcome to week 4; threats and social engeneering
The criminal art of persuasion
Social engineering tactics
Phishing for information
Types of phishing
Malicious software
An introduction to malware
The rise of cryptojacking
Cross-site scripting (XSS)
Exploitable gaps in databases
Prevent injection attacks; SQL injection categories
A proactive approach to security
Chantelle: The value of diversity in cybersecurity
PASTA: The Process for Attack Simulation and Threat Analysis
Traits of an effective threat model
Wrap-up; terms and definitions from course 5, week 4
Terms and definitions from Course 5
Course wrap-up

Books

[Completed] Profession...

Common vulnerabilities...

Common vulnerabilities and exposures

We've discussed before that security is a team effort.

Did you know the group extends well beyond a single security team?

Protecting information is a global effort!

When it comes to vulnerabilities, there are actually online public libraries.

Individuals and organizations use them to share and document common vulnerabilities and exposures.

We've been focusing a lot on vulnerabilities.

Exposures are similar, but they have a key difference.

While a vulnerability is a weakness of a system, an exposure is a mistake

that can be exploited by a threat.

For example, imagine you're asked to protect an important document.

Documents are vulnerable to being misplaced.

If you laid the document down near an open window, it could be exposed to being blown away.

One of the most popular libraries of vulnerabilities and exposures is the CVE list.

The common vulnerabilities and exposures list, or CVE list, is an openly accessible dictionary

of known vulnerabilities and exposures.

It is a popular resource.

Many organizations use a CVE list to find ways to improve their defenses.

The CVE list was originally created by MITRE corporation in 1999.

MITRE is a collection of non-profit research and development centers.

They're sponsored by the US government.

Their focus is on improving security technologies around the world.

The main purpose of the CVE list is to offer a standard way of identifying

and categorizing known vulnerabilities and exposures.

Most CVEs in the list are reported by independent researchers, technology vendors, and ethical hackers, but anyone can report one.

Before a CVE can make it onto the CVE list, it first goes through a strict review process by a CVE Numbering Authority, or CNA.

A CNA is an organization that volunteers to analyze and distribute information on eligible CVEs.

All of these groups have an established record of researching vulnerabilities and demonstrating security advisory capabilities.

When a vulnerability or exposure is reported to them, a rigorous testing process takes place.

The CVE list tests four criteria that a vulnerability must have before it's assigned an ID.

First, it must be independent of other issues.

In other words, the vulnerability should be able to be fixed without having to fix something else.

Second, it must be recognized as a potential security risk by whoever reports it.

Third, the vulnerability must be submitted with supporting evidence.

And finally, the reported vulnerability can only affect one codebase, or in other words, only one program's source code.

For instance, the desktop version of Chrome may be vulnerable, but the Android application may not be.

If the reported flaw passes all of these tests, it is assigned a CVE ID.

Vulnerabilities added to the CVE list are often reviewed by other online vulnerability databases.

These organizations put them through additional tests to reveal how significant the flaws are and to determine what kind of threat they pose.

One of the most popular is the NIST National Vulnerabilities Database.

The NIST National Vulnerabilities Database uses what's known as the common vulnerability scoring system, or CVSS, which is

a measurement system that scores the severity of a vulnerability.

Security teams use CVSS as a way of calculating the impact a vulnerability could have on a system.

They also use them to determine how quickly a vulnerability should be patched.

The NIST National Vulnerabilities Database provides a base score of CVEs on a scale of 0-10.

Base scores reflect the moment a vulnerability is evaluated, so they don't change over time.

In general, a CVSS that scores below a 4.0 is considered to be low risk and doesn't require immediate attention.

However, anything above a 9.0 is considered to be a critical risk to company assets that should be addressed right away.

Security teams commonly use the CVE list and CVSS scores as part of their vulnerability management strategy.

These references provide recommendations for prioritizing security fixes, like installing software updates before patches.

Libraries like the CVE list, help organizations answer questions. Is a vulnerability dangerous to our business?

If so, how soon should we address it?

These online libraries bring together diverse perspectives from across the world.

Contributing to this effort is one of my favorite parts of working in this field.

Keep gaining experience, and I hope you'll participate too!

No Comments

Back to top