CHAPTER 2 Managing Risk: Threats, Vulnerabilities, and Exploits AKEY STEP WHEN MANAGING RISKS is to first understand and manage the source. This includes threats and vulnerabilities, and especially threat/vulnerability pairs. Once you understand these elements, it’s much easier to identify mitigation techniques. Exploits are a special type of threat/vulnerability pair that often includes buffer overflow attacks.Fortunately, the U.S. federal government has initiated several steps to help protect information technology (IT) resources. The National Institute of Standards and Technology has done a lot of research on risk management. The results of this research are freely available in the form of Special Publications. Additionally, the Department of Homeland Security oversees several other initiatives related to IT security.Chapter 2 TopicsThis chapter covers the following topics and concepts:•What threats are and how they can be managed•What vulnerabilities are and how they can be managed•What exploits are and how they can be managed•Which risk management initiatives the U.S. federal government sponsorsChapter 2 GoalsWhen you complete this chapter, you will be able to:•Describe the uncontrollable nature of threats•List unintentional and intentional threats•Identify best practices for managing threats•Identify threat/vulnerability pairs•Define mitigation•List and describe methods used to mitigate vulnerabilities•Identify best practices for managing vulnerabilities•Define exploit•Describe the perpetrator’s role in vulnerabilities and exploits•Identify mitigation techniques•Identify best practices for managing exploits•Identify the purpose of different U.S. federal government risk management initiativesUnderstanding and Managing ThreatsAthreatis any activity that represents a possible danger. This includes any circumstances or events with the potential to adversely impact confidentiality, integrity, or availability of a business’s assets.Threats are a part of the equation that creates risk:Risk = Vulnerability × ThreatAny attempt to manage risk requires a thorough knowledge of threats. This section includes the following topics:•The uncontrollable nature of threats•Unintentional threats•Intentional threats•Best practices for managing threats within your IT infrastructureThe Uncontrollable Nature of ThreatsIt’s important to realize a few basic facts about threats. These include:•Threats can’t be eliminated.•Threats are always present.•You can take action to reduce the potential for a threat to occur.•You can take action to reduce the impact of a threat.•You cannot affect the threat itself.Consider the threat of a car thief. Car thieves steal cars, and you can’t prevent that. However, you can take steps to either enhance or reduce the threat against your car. To increase the chances of a thief stealing your car, you can park it in a busy parking lot. Leave the keys in and the car running. Leave a $20 bill on the dashboard. Leave a few expensive items on the front seat. It’s just a matter of time before your car is stolen.However, you can take different steps to reduce the potential threat and impact. Remove the keys and lock the doors. Install a car alarm. Hide valuables in the trunk. A car thief might still visit that parking lot, but it is less likely that your car will be stolen.Sometimes a car thief looks for a specific model, year, and color of car. If your car is a match, the thief will likely steal it no matter what you do. However, you can reduce the impact of the loss. If you have insurance, it will reimburse you if your car is never recovered.Threats to IT are similar. Lightning strikes hit buildings. Malware authors constantly write new programs. Script kiddies run malware programs just to see what they can do. Professional attackers spend 100 percent of their work time trying to break into government and corporate networks. You can’t stop them.However, there are many things you can do to reduce the potential harm that these threats can do to your network. You can take steps to reduce the impact of these threats.Unintentional ThreatsUnintentional threatsare threats that don’t have a perpetrator. They don’t occur because someone is specifically trying to attack. Natural events and disasters, human errors, and simple accidents are all considered unintentional.There are four primary categories of unintentional threats. They are:•Environmental—Threats affecting the environment. This includes weather events such as floods, tornadoes, and hurricanes. Earthquakes and volcanoes are environmental threats too. Illnesses or an epidemic can cause a loss to the labor force and reduce the availability of systems.•Human—Errors caused by people. A simple keystroke error can cause incorrect or invalid data to be entered. A user may forget to enter key data. A technician could fail to follow a backup procedure resulting in an incomplete backup. An administrator may write incomplete or incorrect backup procedures. Undiscovered software bugs can also cause serious problems.•Accidents—Anything from a minor mishap to a major catastrophe. A backhoe digging a new trench for new cables can accidentally cut power or data cables. An employee might accidentally start a fire in a break room.•Failures—Equipment problems. A hard drive can crash. A server can fail. A router can stop routing traffic. The air conditioner might stop blowing cool air, causing multiple systems to overheat and fail. Any of these failures can result in the loss of availability of data or services.TIPYou can use a hot, warm, or cold site to provide an alternate location for IT functions.Although these threats are unintentional, you can address them with a risk management plan. Here are some common methods:•Managing environmental threats—You can purchase insurance to reduce the impact of many environmental threats. A business may decide to move to reduce the threat. For example, a business in the area of the Mount St. Helens volcano can relocate to avoid eruptions. Companies in a hurricane zone can transfer operations elsewhere.•Reducing human errors—Automation and input validation are common methods used to reduce errors. Any process that can be automated will consistently run the same way. Input validation checks data to ensure it is valid before it is used. For example, if a program expects a first name, the input validator checks whether the data looks like a valid name. Rules for a valid first name may be no more than 20 characters, no numbers, and only specific special characters. Input validation can’t check to ensure that data is accurate, but it can ensure that data is valid.•Preventing accidents—Contact the 1-800-MISS-DIG company in Michigan, or similar companies or agencies in other states, to identify underground cables before digging. You can stress safety to prevent common accidents.•Avoiding failures—Use fault-tolerant and redundant systems to protect against the immediate impact of failures. A RAID system can help ensure data availability, and failover clusters ensure users can access servers at all times.Intentional ThreatsIntentional threatsare acts that are hostile to the organization. One or more perpetrators are involved in carrying out the threat. Perpetrators are generally motivated by one of the following:•Greed—Many attackers want to make money through the attacks. Attackers steal data and use it to perform acts of fraud. They steal customer data from databases and commit identity theft. Criminals steal proprietary data from competitors. Social engineers try to trick users into giving up passwords for financial sites.•Anger—When anger is the motivator, the attacker often wants the victim to pay a price. Anger can result in attempts to destroy assets or disrupt operations. These threats often result in a loss of availability.•Desire to damage—Some attackers just want to cause damage. The result is the same as if an attacker is motivated by anger. It can result in a loss of availability.Although the preceding list helps you understand what motivates attackers, the items don’t identify who the attackers are. Some people still have the image of a bored teenager launching random threats from his or her room. However, attackers are much more sophisticated today.Some of the more common attackers today are:•Criminals—Opportunities to make money from online attacks have resulted in a growth in criminal activity. Furthermore, criminal activity is far more organized today. This activity includes fraud and theft. For example,roguewaretricks users into installing bogus antivirus software. Then they must pay to get it removed. Criminals have extorted millions of dollars using rogueware. More recently, this has morphed intoransomware. Criminals restrict access to the system and display messages to the user demanding ransoms to get access to his or her computer and/or files.•Advanced persistent threats (APTs)—Attackers focus on a specific target. APTs have high levels of expertise and almost unlimited resources. Nation states or terrorist groups often sponsor them. They attack both government and private targets. Operation Aurora is an example of an APT attack. Investigations indicate the APT attack originated from China. It attacked several private companies such as Google. A McAfee white paper titled “Revealed: Operation Shady RAT” discusses 71 different APT attacks. Twenty-one of these were government targets. Fifty were private companies.•Vandals—Some attackers are intent on doing damage. They damage just for the sake of damaging something. Their targets are often targets of opportunity.•Saboteurs—A saboteur commits sabotage. This could be sabotage against a competing company or against another country. The primary goal is to cause a loss of availability.•Disgruntled employees—Dissatisfied employees often present significant threats to a company. There are countless reasons why an employee may be dissatisfied; for example, an employee who did not receive a pay raise might be disgruntled. Employees with a lot of access can cause a lot of damage.•Activists—Occasionally, activists present a threat to a company. Activists often operate with a mindset of “the end justifies the means.” In other words, if your company does something the activist doesn’t approve of, the activist considers it acceptable to attack.•Other nations—International espionage is a constant threat. For example, McAfee’s “Operation Shady RAT” white paper details espionage activities widely believed to come from China. Attackers use remote access tools (RATs) to collect information. They have infiltrated several governments and private companies. Many countries include cyberwarfare as a part of their offensive and defensive strategies.•Hackers—Hackers attempt to breach systems. Depending on the goal of the hacker, the motivation may range from innocent curiosity to malicious intent.TIPThere is a technical difference between a hacker and a cracker.Hackershave historically been known as “white-hat hackers” or “ethical hackers”—the good guys. They hack into systems to learn how it can be done, but not for personal gain.Crackershave been known as “black-hat hackers” or “malicious hackers”—the bad guys. They hack into systems to damage, steal, or commit fraud. Many black-hat hackers present themselves as white-hat hackers claiming that their actions are innocent. However, most mainstream media put all hackers in the same black-hat category. The general perception is that all hackers are bad guys.Best Practices for Managing Threats Within Your IT InfrastructureThere are many steps you can take to manage threats within your IT infrastructure. The following list represents steps that IT security professionals consider best practices:•Create a security policy—Senior management identifies and supports the role of security and creates asecurity policy.This policy provides a high-level overview of the goals of security but not details of how to implement security techniques. Managers use this policy to identify resources and create plans to implement the policy. Security policies are an important first step in reducing the impact from threats. Once the security policy is approved, it needs to be implemented and enforced.•Purchase insurance—Purchase insurance to reduce the impact of threats. Companies commonly purchase insurance for fire, theft, and losses due to environmental events.•Use access controls—Require users to authenticate. Grant users access only to what they need. This includes the following two principles:•Principle of least privilege—Grant users only the rights and permissions they need to perform their job and no more. This prevents users from accidentally or intentionally causing problems.•Principle of need to know—Grant users access only to the data they need to perform their job and no more. For example, a person may have a security clearance for Secret data. However, that person doesn’t automatically receive access to all Secret data. Instead, the person is granted access only to what he or she needs for the job. This helps prevent unauthorized access.•Use automation—Automate processes as much as possible to reduce human errors.•Include input validation—Test data to determine if it is valid before any applications use it.•Provide training—Use training to increase safety awareness and reduce accidents. You can also use training to increase security awareness to reduce security incidents.•Use antivirus software—Make sure you install antivirus software on all systems. Schedule virus definition updates to occur automatically.•Protect the boundary—Protect the boundary between the intranet and the Internet with a firewall, at a minimum. You can also use intrusion detection systems for an added layer of protection.TIPA security policy may include several individual policies. For example, it could include a password policy, an acceptable use policy, and a firewall policy.NOTEPrivileges includerightsandpermissions. Rights refer to actions users can perform on objects. For example, a user might have the right to change the system time. Permissions refer to object access. For example, a user might have permission to read and modify a file. Theprinciple of least privilegeincludes both rights and permissions. Theprinciple of need to knowfocuses on data permissions.CSI Computer Crime and Security Survey 2010/2011The Computer Security Institute (CSI) completes regular surveys that identify many of the trends related to IT security. The 2010/2011 report includes responses from 5,412 security practitioners.Some of the notable findings in this report were:•Malware infections are the most commonly seen attack. Over 67 percent of respondents reported malware infections. This is an increase of 3 percent from the previous year. The lowest was 50 percent in 2007.•About 29 percent reported zombies within their network. A zombie is a computer joined to a botnet. This is an increase of 5 percent from the previous year.•Most respondents attribute losses to outsiders. Almost 60 percent indicated they did not believe any of their losses were due to malicious insiders.•Only about 25 percent reported insider abuse of network access or e-mail usage. This is a significant reduction from a high of 59 percent in 2007.•Of respondents reporting incidents, 45.6 percent reported they were the subject of at least one targeted attack. The trend is more attacks from advanced persistent threats (APTs).•Losses due to financial fraud declined from almost 19 percent to about 8 percent during the period.•Respondents indicated that regulatory compliance efforts had a positive effect on their security programs.•Almost half of the organizations reported they were using cloud computing, but only 10 percent indicated they were using cloud-specific security tools.Understanding and Managing VulnerabilitiesAvulnerabilitycan be a weakness in an asset or the environment. You can also consider a weakness as a flaw in any system or any business process.A vulnerability leads to a risk, but by itself it does not become a loss. The loss occurs when a threat exploits the vulnerability. This is also referred to as a threat/vulnerability pair.Figure 2-1shows the flow of a threat to a loss. You can use mitigation techniques to reduce the vulnerability, the loss, or both.FIGURE 2-1The flow of threat/vulnerability pairs.This section presents the following topics:•Threat/vulnerability pairs•Vulnerabilities can be mitigated•Mitigation techniques•Best practices for managing vulnerabilities within your IT infrastructureThreat/Vulnerability PairsAthreat/vulnerability pairoccurs when a threat exploits a vulnerability. The vulnerabilities provide a path for the threat that results in a harmful event or a loss. It’s important to know that both the threat and the vulnerability must come together to result in a loss.Vulnerabilities depend on your organization. For example, if you’re hosting public-facing servers, the servers have several potential weaknesses. However, if you don’t have any public-facing servers, there aren’t any vulnerabilities for the organization in this area. Thus, the risk is zero.Table 2-1shows some examples of threat/vulnerability pairs and the potential losses. This table only scratches the surface. The list of vulnerabilities for any single network can be quite extensive.TABLE 2-1Examples of threat/vulnerability pairs and potential losses. THREAT VULNERABILITY HARMFUL EVENT OR LOSS Fire Lack of fire detection and suppression equipment Can be total loss of business Hurricane, earthquake, tornado Location Can be total loss of business Malware Lack of antivirus software Outdated definitions Infection (impact of loss determined by payload of malware) Equipment failure Data not backed up Loss of data availability (impact of loss determined by value of data) Stolen data Access controls not properly implemented Loss of confidentiality of data Denial of service (DoS) or distributed denial of service (DDoS) attack Public-facing servers not protected with firewalls and intrusion detection systems Loss of service availability Users Lack of access controls Loss of confidentiality Social engineer Lack of security awareness Loss depends on the goals and success of attacker Vulnerabilities Can Be MitigatedYou can mitigate or reduce vulnerabilities, which reduces potential risk. The risk reduction comes from one of the following:•Reducing the rate of occurrence•Reducing the impact of the lossIt’s rare that a vulnerability is completely eliminated. Instead, it’s more common that the risk is reduced to an acceptable level. The remaining risk is referred to as theresidual risk.Table 2-2matches the threat/vulnerabilities pairs fromTable 2-1with possible mitigation steps.TABLE 2-2Common threat/vulnerability pairs and possible mitigation steps. THREAT VULNERABILITY MITIGATION Fire Lack of fire detection and suppression equipment Install fire detection and suppression equipment Purchase insurance Hurricane, earthquake, tornado Location Purchase insurance Designate alternate sites Malware Lack of antivirus software Outdated definitions Install antivirus software Update definitions at least weekly Equipment failure Data not backed up Back up data regularly Keep copies of backup off-site Stolen data Access controls not properly implemented Implement both authentication and access controls Use principle of “need to know” DoS or DDoS attack Public-facing servers not protected with firewalls and intrusion detection systems Implement firewalls Implement intrusion detection systems Users Lack of access controls Implement both authentication and access controls Social engineer Lack of security awareness Provide training Raise awareness through posters, occasional e-mails, and mini-presentations Mitigation TechniquesYou can use a wide variety of mitigation techniques in any enterprise. As you explore the techniques in this section, keep the following elements in mind:•The value of the technique•The initial cost of the technique•Ongoing costsFor example, antivirus software has an initial cost. This initial cost includes a subscription for updates for a period of time, such as a year. When the subscription expires, it must be renewed.When estimating the value and cost of any of these techniques, you can consider the value of the resource and the impact of the loss. For example, training in basic social engineering tactics may cost $10,000 a year. However, if users don’t receive the training, the company may lose $100,000. This indicates the value of the training is $90,000.However, there are other variables to consider when estimating the value of a mitigation technique. A company may have lost $100,000 last year. If people are trained, the company estimates it will only lose $5,000 this year. This would give a value of $85,000 to the training. This is calculated as:Last Year’s Loss – Training Cost – This Year’s Loss, or$100,000 – $10,000 – $5,000 = $85,000.The following list identifies many common mitigation techniques you can use in any enterprise:•Policies and procedures—Written policies and procedures provide standards. These standards make it clear what should be implemented and how. Many organizations start by creating a security policy as mentioned earlier. You should review policies and procedures on a regular basis.•Documentation—Documentation is useful in a wide number of areas. Up-to-date documentation of networks makes problems easier to troubleshoot. Once problems occur, you can repair them more quickly. This results in improved availability times. As the network and systems change, you need to be sure to update documentation.•Training—Training helps employees understand that security is everyone’s responsibility. Some training is geared to all users; other training must be targeted to specific users. For example, you should train all end users about social engineers. Train administrators on current threats and vulnerabilities. Train management on risk management strategies. Training is an ongoing event—as things change, you should offer updated training classes.•Separation of duties—Theseparation of dutiesprinciple ensures that any single person does not control all the functions of a critical process. It’s designed to prevent fraud, theft, and errors. For example, accounting separates accounts receivable from accounts payable. One division accepts and approves bills. The other division pays the approved bills. Separation of duties also helps prevent conflicts of interest.•Configuration management—When system configuration is standardized, systems are easier to troubleshoot and maintain. One method ofconfiguration managementis to use baselines. For example, you configure a system and then create a system image. You can deploy the image to 100 other systems, so every system is identical. Maintenance of each of these systems is the same. When technicians learn one system, they learn them all. Without a baseline, the systems may be configured 100 different ways. Technicians need to learn how each system is configured before they can provide effective support. Images are updated as the configuration changes.Configuration management also ensures that systems are not improperly modified. Most organizations have change management processes in place. This ensures that only authorized changes are made. Compliance auditing is done to ensure that unauthorized changes don’t occur.•Version control—When multiple people work on the same document or the same application, data can be lost or corrupted.Version controlsystems are commonly used with the development of applications. They track all changes and can reduce wasted time and effort, especially if changes need to be reversed. The process requires programmers to check out modules or files before modifying them. After the file is modified, it can be checked in and someone else can modify the file. Some version control software allows multiple changes to be merged into a single file.•Patch management—Over time, you may discover bugs in software. Software bugs are vulnerabilities that can be exploited. When the bugs are discovered, they are patched by vendors; however, attackers also find out about the bugs. Systems that aren’t patched are vulnerable to attack. A comprehensivepatch managementpolicy governs how patches are understood, tested, and rolled out to systems and clients. It should include compliance audits to verify that clients are current. Patch management can also include the ability to quarantine unpatched clients. Patch management is an almost continuous process.•Intrusion detection system—Anintrusion detection system (IDS)is designed to detect threats. It cannot prevent a threat. A passive IDS will log the event and may provide an alert. An active IDS may modify the environment to block the attack after it is detected. Many IDS systems use definitions the way antivirus software uses signatures. A network-based intrusion detection system (NIDS) provides overall network protection. A host-based intrusion detection system (HIDS) can protect individual systems.NOTESymantec’s Ghost is a common tool used to deploy multiple clients. Ghost allows you to capture images and store them on a DVD or on a Ghost casting server. You can then deploy the image to any client from the DVD. You can also cast the image to multiple clients simultaneously from the server.NOTEMicrosoft releases patches on the second Tuesday of every month. This has become known asPatch Tuesday.When the patches aren’t deployed, attackers can exploit the bugs.•Incident response—When a company is prepared and able to respond to an incident, it has a better chance to reduce the impact. An important step when responding to an incident is containment, which ensures the incident doesn’t spread to other systems. An incident response team tries to identify what happened. They look for the vulnerabilities that allowed the incident. They then seek ways to reduce the vulnerability in the future. On the other hand, some companies would like to quickly put the incident behind them. They try to fix the immediate issue without addressing the underlying problem. When you address underlying problems, you reduce the chance of recurring incidents for the same issue.•Continuous monitoring—Security work is never finished.Continuous monitoringis necessary. You implement controls and then check and audit to ensure they are still in place. You deploy patches. Later, through compliance audits, you verify that all systems are patched. Through access controls you lock down systems and data. Later, you check to ensure they haven’t been modified. You record a wide range of activity in logs and then monitor these logs for trends and suspicious events. Luckily, there are many tools that you can use to audit and monitor systems within a network.•Technical controls—Controls that use technology to reduce vulnerabilities. IT professionals implement the controls and computers enforce them. For example, after an IT professional installs antivirus software, the software prevents infections. Some other examples oftechnical controlsinclude intrusion detection systems, access controls, and firewalls. As you discover new vulnerabilities, you can implement new technical controls.•Physical controls—Physical controlsprevent unauthorized personnel from having physical access to areas or systems. For example, you should locate servers in server rooms and keep the server room doors locked. Place network devices in wiring closets and keep the wiring closet doors locked. Physical security can also include guards, cameras, and other monitoring equipment. For mobile equipment, such as laptops, you can use cable or hardware locks.Best Practices for Managing Vulnerabilities Within Your IT InfrastructureVulnerabilities are the portion of the threat/vulnerability pair that you can control. Therefore, it’s very important to take steps to manage vulnerabilities. Here are some of the best practices you can use to do this:•Identify vulnerabilities—Several tools are available that you can use to identify vulnerabilities. For example, audits and system logs help identify weaknesses. Use all the available tools, and examine all seven domains of the typical IT infrastructure.•Match the threat/vulnerability pairs—The vulnerabilities you want to address first are the ones that have matching threats. Some vulnerabilities may not have a matching threat. If so, the weakness may not need to be addressed. For example, you may have an isolated network used for testing that does not have any access to the Internet. Weaknesses that can be exploited only from Internet threats can’t reach this network and may be ignored.•Use as many of the mitigation techniques as feasible—Several mitigation techniques were listed in this section. It’s certainly possible to use all of these techniques. Depending on your IT infrastructure, you may use more. With multiple techniques in place, you create multiple layers of security.•Perform vulnerability assessments—Vulnerability assessments can help you identify weaknesses. You can perform them internally or hire external experts to perform them.Understanding and Managing ExploitsLosses occur when threats exploit vulnerabilities. If you want to reduce losses due to risks, you’ll need to have a good understanding of what exploits are and how to manage them. This section covers the following topics:•What an exploit is•How perpetrators initiate an exploit•Where perpetrators find information about vulnerabilities and exploits•Mitigation techniques•Best practices for managing exploits within your IT infrastructureWhat Is an Exploit?Anexploitis the act of taking advantage of a vulnerability. It does so by executing a command or program against an IT system to take advantage of a weakness. The result is a compromise to the system, an application, or data. You can also think of an exploit as an attack executed by code.In this context, an exploit primarily attacks a public-facing server. In other words, it attacks servers that are available on the Internet. Common Internet servers are:•Web servers•Simple Mail Transfer Protocol (SMTP) e-mail servers•File Transfer Protocol (FTP) serversFigure 2-2shows how these public-facing servers are often configured in a network. They are placed within two firewalls configured as ademilitarized zone (DMZ). A DMZ is also known as abuffer area, or aperimeter zone. The firewall connected to the Internet allows access to these public-facing servers. The firewall connected to the internal network restricts traffic from the Internet.Since the servers in the DMZ are public facing, they are accessible to anyone with a public Internet Protocol (IP) address. This includes attackers or black-hat hackers.While internal servers are susceptible to attacks from employees, it isn’t common for an employee to use an exploit to attack an internal server. Employees can attack and cause damage. However, it’s much easier for an employee to steal data or perform acts of sabotage. An insider usually won’t take the time to write a program to attack an internal system. Insiders have the advantage of at least some basic employee privileges and internal knowledge. It’s also common that the internal network is trusted, so the company gives less attention to exploits on the internal network.FIGURE 2-2Public-facing servers in a DMZ bounded by two firewalls.Abuffer overflowis a common type of exploit. A buffer overflow can occur when an attacker sends more data or different data than a system or application expects. The vulnerability exists when the system or application is not prepared to reject it. This can cause the system to act unreliably. Additionally, if the exploit’s creator is especially skilled, the exploit runs extra instructions, gaining the attacker additional privileges on a system.Normally, the system will validate data and reject data that isn’t expected. Occasionally, a bug allows invalid data to be used.For example, imagine a simple calculation: X / Y = Z. The program expects the value of X and Y to be provided. It will then divide the two to calculate the value of Z. However, if zero is given as the value of Y, Z cannot be calculated. You can’t divide anything by zero. If the program didn’t check to ensure that Y was a valid number, the program could fail when a user enters zero. If the error isn’t handled gracefully, an attacker may be able to exploit the failure.NOTEWhile a divide-by-zero error is simple to explain, it’s unlikely this will cause a problem today. Most applications will detect the problem and never try to divide by zero. However, there are many more advanced errors that aren’t predicted.Buffer overflow errors allow attackers to insert additional data. This additional data can be malware that will remain in the system’s memory until it’s rebooted. It could insert a worm that spreads through the network. It could be code that seeks and destroys data on the system. It could cause the server to shut down and no longer be able to reboot.When a vendor finds buffer overflow vulnerabilities, it patches the code to prevent the error in the future. You should download this patch and apply it to plug the hole.The Nimda VirusThe Nimda virus is an example of an older virus that took advantage of a buffer overflow problem in Microsoft’s Internet Information Services (IIS). This virus helps explain many of the lessons learned with IT risk management.First, IIS was installed by default when Windows 2000 Server was installed. Since IIS was installed by default, it often wasn’t managed. An unmanaged service is easier to attack.When the buffer overflow was discovered, Microsoft released a patch. This patch corrected the problem as long as it was applied. However, patch management was in its infancy at that time. Many companies didn’t have effective patch management programs and didn’t apply patches consistently. Many system administrators concluded incorrectly that because they weren’t using IIS, their systems weren’t vulnerable. However, because IIS was installed by default, their systems were, in fact, vulnerable.Nimda was released on the Internet and had a multipronged approach. The buffer overflow allowed it to exploit an IIS system. It had a worm component that allowed it to seek and infect other systems on the internal network. It also looked for other IIS servers on the Internet susceptible to the same buffer overflow. It slowed network activity to a crawl and destroyed data.Two of the basic security practices that were reinforced by Nimda are:•Reduce the attack surface of servers—Unneeded services and protocols should not be installed. If they were installed, they should be removed. If IIS wasn’t installed on a server, it couldn’t have been attacked by Nimda.•Keep systems up to date—If IIS servers had been updated with the released patch, they wouldn’t have been susceptible to the attack.Other exploits include:•SQL injection attacks—SQL injection attackstake advantage of dynamic SQL. Many Web sites require users to enter data in a text box or Web address. If the user-supplied data is used directly in a SQL statement, a SQL injection attack can occur. Instead of giving the data that’s expected, a SQL injection attack gives a different string of SQL code. This different code can compromise the database. SQL injection attacks are easy to avoid by using parameters and stored procedures that first review the code. However, all database developers aren’t aware of the risks.NOTEStructured Query Language (SQL) is the language used to query and modify databases. It has specific rules that you must follow. Dynamic SQL is a SQL statement that accepts input from a user directly. For example, the statement may beSELECT FROM Users Where LName = ‘txt.Name’.In this example, the value oftxt.Nameis retrieved from the text box namedtxt.Nameand used when the program is run. Permitting input directly from a user without any input filtering is not recommended.•Denial of service (DoS) attacks—Denial of service (DoS) attacksare designed to prevent a system from providing a service. For example, aSYN flood attackis very common. Normally TCP uses a three-way handshake to start a connection. A host sends a packet with the SYN flag set. The server responds with the SYN and ACK flags set. The host then responds with the ACK flag set to complete the handshake. In the SYN flood attack, the host never responds with the third packet. It’s as if the host stuck out his hand to shake, the server put his hand out, and then the host pulled his hand away. The server is left hanging. When this is repeatedly done in a short time period, it consumes the server’s resources and can cause it to crash.•Distributed denial of service (DDoS) attacks—Distributed denial of service (DDoS) attacksare initiated from multiple clients at the same time. For example, many criminals and attackers run botnets from a command and control center. A botnet controls multiple hosts asclonesorzombies. These clones can be given a command at any time to attack, and they all attack at the same time. The attack could be as simple as constantly pinging the same server. If thousands of clients are pinging a server at the same time, it can’t respond to other requests as easily.How Do Perpetrators Initiate an Exploit?Most exploits are launched by programs developed by attackers. The attackers create and run the programs against vulnerable computers.You’ve probably heard aboutscript kiddies.These are attackers with very little knowledge, sometimes just young teenagers. However, they can download scripts and small programs and launch attacks. They don’t have to be very intelligent about computers or even about the potential harm they can do. Some programs are so simple, the script kiddie can just enter an IP address and click Go to launch an attack.However, the attackers most companies are worried about are much more sophisticated. They have programming skills. They know how to target specific servers. They know methods to infiltrate networks. They erase evidence to cover their tracks. They are professional attackers.Imagine a country hostile to the United States with extensive computer expertise. They could create their own internal secret department with separate divisions. Each division could be assigned specific jobs or tasks. Each of the divisions could work together to launch exploits as soon as they become known. This department could have the following divisions:•Public server discovery—Every system on the Internet has a public IP address. This division could use ping scanners to identify any systems that are operational with public IP addresses. IP addresses are assigned geographically, so servers can also be mapped to geographical locations.•Server fingerprinting—This division could use several methods to learn as much about the discovered server as possible. They can use a ping to identify if the systems are running UNIX or Microsoft operating systems. They can use port scans to identify what ports are open. Based on what ports are open, they can identify the running protocols. For example, port 80 is the well-known port for Hypertext Transfer Protocol (HTTP), so if port 80 is open, HTTP is probably running. If HTTP is running, it is probably a Web server. The department can use other techniques to determine if it’s an Apache Web server or an IIS Web server.•Vulnerability discovery—Investigators and hackers in this division could constantly be on the lookout for any new weaknesses. They could just try new things to see what can be done. They could lurk on newsgroups to hear about new bugs that aren’t widely known. They could subscribe to professional journals or read blogs by IT security experts. When they discover a vulnerability, they would pass it on to programmers or attackers to exploit.•Programmers—Once vulnerabilities are discovered, programmers can write code or applications to exploit them. It could be just a few lines of code that are embedded into a Web page and downloaded when a user visits the Web site. It could be a virus that is released to exploit the weakness. It could be an application that is installed on zombie computers waiting for the botnet command to attack.•Attackers—Attackers initiate the exploit. For example, attackers may discover a new vulnerability for Apache servers. The attackers may want to target servers in Washington D.C. They could get a list of servers in D.C. running Apache from other divisions. They can then launch an attack on those servers. This group might regularly launch legacy attacks that current patches block. Most systems will be patched, but if group members find an unpatched system, they can exploit it. Say they launch an attack on 10,000 computers. Even if they have only a 1 percent success rate, they’ve exploited 100 computers.NOTEAttackers often use diversion when launching attacks. Instead of launching the attack from their own computer, they will often take control of one or more other computers on the Internet. They then direct the attack from that remote-controlled computer.This secret department in a hostile country is presented as fictitious. However, cyberattacks from one country against another are not fiction. The news reports cyberattacks regularly. Operation Aurora and Operation Shady RAT (mentioned previously in this chapter) are two recent examples. If you wanted to commit cyberwarfare against a hostile country, how would you do so? It’s very possible you would design a similar department with similar divisions.Even if it is a single perpetrator launching an attack, the steps listed above would be separated. The attacker would take time through reconnaissance to learn as much about a target as possible. The attacker may develop a program to automate the attack. The actual attack is usually quick.It’s important to realize that attackers very often spend 100 percent of their work time on attacks. Since many attacks often return significant amounts of money, they aren’t shy about working more than 40 hours a week. They take time to discover targets. They take time to identify weaknesses. They take time to plan the attacks. When the opportunity presents itself, they swoop in and attack just as quickly as an owl will attack a field mouse.Where Do Perpetrators Find Information About Vulnerabilities and Exploits?There are a surprising number of sources for perpetrators to learn about vulnerabilities and exploits. A primary source is from security professionals sharing information with each other.Of course, when security professionals write about or discuss an exploit, the danger is that they are educating the enemy. This leads some people to say that the weaknesses shouldn’t be discussed at all. However, when nothing is said, systems are attacked without IT professionals having a clue about the vulnerabilities.The general mindset that currently prevails is that the vulnerabilities should be discussed with a focus on mitigation. In other words, don’t publicly share the details on how to exploit a vulnerability. However, freely share the details on how to prevent the vulnerability.Even sharing details about how to prevent a vulnerability provides the attackers with information. They can use this to learn the weakness and exploit it. However, the alternative is worse. If information on how to reduce the weakness isn’t shared, more systems will be wide open.The following list identifies some sources that attackers can use to gain information:•Blogs—Many security professionals regularly blog about their findings. When they suspect vulnerabilities, they often discuss them. Many full-time security professionals are cautious about what they post. They realize they have a mixed audience and try to avoid giving too many details.•Forums—IT and security professionals often share ideas on different forums. Sometimes users have problems they don’t understand, so they post their problems on the forum. Some of these problems expose vulnerabilities that can be exploited.•Security newsletters—Many security newsletters are regularly released to anyone on the e-mail list. Anyone can sign up. While companies use newsletters to advertise and promote their products, they also provide valuable content. This includes content about threats and vulnerabilities. Even the newsletters published by the U.S. government can be used by attackers. Some of these newsletters are discussed later in this chapter, including how to subscribe.•2600: Hacker quarterly—You can subscribe to this or pick up the printed version in some bookstores. They frequently include code and details that can be used to exploit vulnerabilities.•Common Vulnerabilities and Exposures (CVE) list—The CVE is discussed in more detail later in this chapter. When someone discovers a vulnerability, it can be submitted to the MITRE Corporation for inclusion in this list. The entry about the vulnerability will include information on resources for more details.•Reverse engineering—Patch Tuesday was mentioned earlier as the day that Microsoft releases patches. It is the second Tuesday of every month. The day after is known asExploit Wednesdayby some. Attackers often reverse engineer the patches to discover the vulnerability. Once the weakness is understood, exploits are written to attack the weakness.A good philosophy to adopt is this: If a known vulnerability exists, a bad guy knows about it. Remember, it only takes one bad guy who knows about the vulnerability to attack an unprotected system. You must protect all of the systems to stay protected.NOTEMany corporate clients of Microsoft have advance notice that patches will be released. This allows the companies to perform advance testing of the patches. When the patches are formally released, the companies are ready to apply them immediately.Mitigation TechniquesMitigation techniques are the individual steps you need to take to protect any system that is vulnerable. Together these steps are often referred to ashardening a server.Hardening a server makes it more secure from the default installation.Some of the specific mitigation techniques you can take to protect public-facing servers are:•Remove or change defaults—If an operating system or application has any defaults, ensure they are removed or changed as soon as the system is installed. As an example, change default passwords to secure passwords. It’s also common to change the name of privileged accounts such as the Administrator account. This thwarts attempts to guess the password.•Reduce the attack surface—Theattack surfacerefers to how much can be attacked on a server. For example, if 10 services are running on a server, but you only need seven, you reduce the attack surface by disabling the three unneeded services. The overall attack surface is reduced by removing all unneeded services and protocols. If a service isn’t needed, it should be disabled. If the protocol isn’t needed, it should be removed. Every service and protocol that is running adds more risk to the system. When you remove unneeded ones, you reduce the risk without impacting the quality of the service.•Keep systems up to date—Use a patch management system to ensure that systems are patched. Patches should be applied as quickly as possible after they are released. Every hour that passes gives the attackers more time to reverse engineer the patch and begin their attacks. Compliance audits ensure that patches are consistently applied to all systems.•Enable firewalls—Firewalls filter traffic coming into a network. DMZs use firewalls to create network buffer areas. You can also enable host-based firewalls on each server as an added layer of protection.•Enable intrusion detection systems (IDSs)—An active IDS can detect attacks and take steps to stop them.•Enable intrusion prevention systems (IPSs)—Anintrusion prevention system (IPS)is placed in-line with traffic. It can detect and block malicious traffic. This prevents attacks from reaching the internal network.•Install antivirus software—Antivirus software should be installed on all systems, including servers, before they are connected to the network. Many servers require different versions of antivirus software. For example, a Microsoft Exchange mail server needs a specialized version of antivirus software so the mail stores can be examined.Best Practices for Managing Exploits Within Your IT InfrastructureThere are several best practices you can use to reduce your risks from exploits. Many of these are directly related to basic risk management practices:•Harden servers—Methods were mentioned in the previous section. They include basic steps such as reducing the attack surface and keeping systems up to date.•Use configuration management—Ensure systems are configured with consistent security settings. Use security baselines to ensure systems are configured the same way. A security baseline can come from an image created with a tool like Symantec’s Ghost. You can also achieve it by applying settings to all systems with technology like Microsoft’s Group Policy. Perform compliance audits to ensure that systems stay configured the same way.•Perform risk assessments—Performing risk assessments allows you to learn about the relevant threats and vulnerabilities. You can then identify and evaluate countermeasures.•Perform vulnerability assessments—Vulnerability assessments were mentioned earlier in this chapter. You can also use them as a best practice to manage exploits.U.S. Federal Government Risk Management InitiativesThe U.S. federal government has taken many steps to help companies manage IT risks. The initiatives covered in this section are:•The National Institute of Standards and Technology (NIST)•The Department of Homeland Security (DHS)•The National Cybersecurity and Communications Integration Center (NCCIC)•The United States Computer Emergency Readiness Team (US-CERT)•The MITRE Corporation and the CVE listFigure 2-3shows the relationships among many of these organizations. There are two primary paths: One is under the U.S. Department of Commerce. The other is under the Department of Homeland Security.NIST is directly under the Department of Commerce. The Information Technology Laboratory (ITL), part of NIST, publishes special publications. The Department of Homeland Security includes the Office of Cybersecurity and Communications.FIGURE 2-3Relationships among organizations involved in U.S. federal government risk management initiatives.Within this office is the National Cybersecurity and Communications Integration Center. The Office of Cybersecurity and Communications provides funding for the civilian company the MITRE Corporation. MITRE maintains the Common Vulnerabilities and Exposures list. The US-CERT is located within the NCCIC.National Institute of Standards and TechnologyTheNational Institute of Standards and Technology (NIST)is a division of the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness. It does this by advancing measurement science, standards, and technology.NIST includes the Information Technology Laboratory (ITL). ITL develops standards and guidelines. The goal is improved security and privacy of information on computer systems.NOTEITL and ITIL are two different programs. The Information Technology Infrastructure Library (ITIL) was developed by the United Kingdom (UK). It is managed by the UK Office of Government Commerce (OGC). ITIL is a collection of books that provides guidance and best practices for the successful operation of IT. The ITL managed by NIST is a U.S. program.The Special Publication 800 (SP 800) series includes several reports that document ITL’s work. It includes research, guidance, and outreach efforts in computer security. It is intended to be a collaborative effort combining the work of industry, government, and academic organizations. Many of the publications in the SP 800 series are available on the Internet. NIST has revised many of these documents and the number doesn’t reflect the relative date of the current version.The following list includes some of these:•SP 800-153, “Guidelines for Securing Wireless Local Area Networks (WLANs)”•SP 800-124, “Guidelines for Managing the Security of Mobile Devices in the Enterprise”•SP 800-123, “Guide to General Server Security”•SP 800-122, “Guidelines for Protecting the Confidentiality of Personally Identifiable Information (PII)”•SP 800-121, “Guide to Bluetooth Security”•SP 800-119, “Guidelines for Secure Deployment of IPv6”•SP 800-115, “Technical Guide to Information Security Testing and Assessment”•SP 800-100, “Information Security Handbook: A Guide for Managers”•SP 800-94, “Guide to Intrusion Detection and Prevention Systems”•SP 800-83, “Guide to Malware Incident Prevention and Handling for Desktops and Laptops”•SP 800-61, “Computer Security Incident Handling Guide”•SP 800-55, “Performance Measurement Guide for Information Security”•SP 800-51, “Guide to Using Vulnerability Naming Schemes”•SP 800-50, “Building an Information Technology Security Awareness and Training Program”•SP 800-40, “Creating a Patch and Vulnerability Management Program”•SP 800-30, “Guide for Conducting Risk Assessments”•SP 800-12, “An Introduction to Computer Security: The NIST Handbook”NOTEYou can access the full list of Special Publications including links to all of them from the NIST Web site at of Homeland SecurityTheDepartment of Homeland Security (DHS)is responsible for protecting the United States from threats and emergencies. Its primary goal is to keep America safe, and it focuses on protecting the United States from terrorist attacks. DHS is also responsible for responding to natural disasters, such as hurricanes and earthquakes.Congress passed the Homeland Security Act of 2002 in November 2002. This act established the DHS. The Homeland Security Act of 2002 and the DHS were created in response to the terrorist bombings of September 11, 2001.The DHS includes many agencies. Some of them are:•United States Secret Service•United States Coast Guard•U.S. Immigration and Customs Enforcement•U.S. Customs and Border Protection•Federal Emergency Management AgencyNational Cybersecurity and Communications Integration CenterTheNational Cybersecurity and Communications Integration Center (NCCIC)operates within the DHS. It works together with private, public, and international parties to secure cyberspace and America’s cyberassets.Previously, cybersecurity was scattered in different departments. Today, the NCCIC serves as the central point of contact. The NCCIC oversees several programs:•National Cyber Awareness System—This is an e-mail alert system that allows you to subscribe to different types of e-mails.•United States Computer Emergency Readiness Team (US-CERT) Operations—This division is tasked with analyzing and reducing cyberthreats and vulnerabilities. As issues become known, US-CERT disseminates information and can coordinate incident response activities. See the following section for more information about US-CERT.•Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)—This group works to reduce risks to critical infrastructure sectors. This includes roads, water, communications, energy, and more.NOTECybergenerally refers to any computer assets, but usually refers to assets on the Internet. The global network of computers on the Internet is commonly referred to ascyberspace.Cyberwarfare, or cyberwar, refers to the attacks and counterattacks carried out against other countries or other companies.US Computer Emergency Readiness TeamTheUnited States Computer Emergency Readiness Team (US-CERT)is a part of the NCCIC. US-CERT’s primary mission is to provide response support and defense against cyberattacks. Its focus is on providing support for the federal civil executive branch of government, or any sites with a .gov domain name. However, US-CERT also collaborates and shares information with several other entities, including:•State and local governments•International partners•Other federal agencies•Other public and private sectorsInformation gathered by US-CERT is shared with the public through the National Cyber Awareness System. These include their Web site, mailing lists, and Really Simple Syndication (RSS) channels.You can sign up to receive e-mails and alerts from US-CERT from this link: You can sign up for any or all of the following feeds:NOTEOne of the great benefits of the National Cyber Awareness System is that the e-mails don’t include advertisements. Also, because they are from the U.S. government, the information is not slanted to sell or promote specific products.•Alerts—These alerts include timely information about current security issues, vulnerabilities, and exploits. Alerts are released as needed. They are written for system administrators and experienced users. You can view past alerts at•Bulletins—These bulletins provide summaries of security issues and vulnerabilities from the previous week. They are published weekly and are written for system administrators and experienced users. You can view past bulletins at•Current Activity—These provide information about high-impact types of security activity. Depending on current threats, these e-mails can be sent several times a day or several times a week. You can view past updates at•Tips—These tips are targeted to home, corporate, and new users. They are published every two weeks and provide tips on many security topics. You can view past security tips at MITRE Corporation and the CVE ListThe MITRE Corporation manages four Federally Funded Research and Development Centers (FFRDCs). These FFRDCs conduct research for several major departments of the U.S. government.The MITRE Corporation maintains the CVE list. MITRE is the editor of the list and is responsible for assigning numbers. The U.S. Department of Homeland Security sponsors the CVE.Common Vulnerabilities and Exposures (CVE) ListThe CVE is an extensive list of known vulnerabilities and exposures. As new discoveries are made, they are submitted as candidates for the list. The primary benefit of the list is standardized naming and descriptions.Before the CVE, one company may have addressed a problem as Exploit234a. The same problem could have been addressed by another company as X42A. Both companies may have published papers regarding the same problem, but it was difficult to determine if one problem was different from the other.NOTEMITRE is an acronym, but the initials are not relevant. Many of the original employees came from the Massachusetts Institute of Technology (MIT). These employees work on research and engineering (RE). However, MITRE is not a part of MIT.The CVE provides one name for any single vulnerability or exposure. The format is CVE-yyyy-nnnn, whereyyyyis the year the vulnerability was added to the list andnnnnis a unique number for the year. Effective January 1, 2014, the number can include up to six digits. Previously, only four digits were allowed, limiting this to 9,999 CVE-IDs. With six digits, MITRE can assign up to 99,999 CVE-IDs. CVEs include a brief description. They also include one or more references users can access for more information. The following example shows a CVE from 2013:•Name—CVE-2013-1247•Description—Cross-site scripting (XSS) vulnerability in the wireless configuration module in Cisco Prime Infrastructure allows remote attackers to inject arbitrary Web script or Hypertext Markup Language (HTML) via an SSID that is not properly handled during display of the Extensible Markup Language (XML) windowing table, also known as Bug ID CSCuf04356.•References—URL: uses the CVE names and descriptions in the National Vulnerability Database (NVD). The NVD listings include the same information from the CVE but add in impact and severity scores. This page ( includes links to search for the CVE on MITRE’s CVE list or on NIST’s NVD list.Standard for Information Security Vulnerability NamesThe CVE is considered the standard for information security vulnerability names. MITRE launched the CVE in 1999, and it was quickly embraced. Some of the relevant milestones are:•Year 2000—Over 40 products were declared compatible with CVE. CVE is used by 29 organizations.•Year 2001—Over 300 products and services were declared compatible. CVE is used by more than 150 companies.•Year 2002—NIST recommends the use of CVE by U.S. agencies. NIST SP 800-51, “Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme,” is released. SP 800-51 was updated and renamed in 2011. The current name is “Guide to Using Vulnerability Naming Schemes.”•Year 2003—The CVE Compatibility process is started. This allows products and services to achieve official compatibility status.•Year 2004—The U.S. Defense Information Systems Agency (DISA) requires use of products that use CVE identifiers.•Year 2007—NVD implemented several upgrades to the CVE-based database. These increased usability and improved the scoring system. Many other entities have since adopted the NVD. This has increased the use of the CVE as a standard.The FBI/SANS Top 20 List of the Most Critical Internet Security Vulnerabilities also references the CVE list.CHAPTER SUMMARYThreats are always present and can’t be eliminated. You reduce the potential for a threat to do harm, or you reduce the impact of a threat, but not the threat itself. However, you can take many steps to reduce vulnerabilities. The most important vulnerabilities are those that are likely to match up as a threat/vulnerability pair. Once you identify likely threat/vulnerability pairs, you can implement mitigation techniques.The U.S. federal government has many resources that organizations can use to manage risk. The National Institute of Standards and Technology (NIST) has published several Special Publications. The SP 800 series includes many publications targeted for IT security. The Department of Homeland Security also has many divisions focused on IT security. Their resources are freely available to IT and security professionals.KEY CONCEPTS AND TERMSAttack surfaceBuffer overflowConfiguration managementContinuous monitoringDemilitarized zone (DMZ)Denial of service (DoS) attacksDepartment of Homeland Security (DHS)Distributed denial of service (DDoS) attacksExploitExploit WednesdayHardening a serverIntentional threatsIntrusion detection system (IDS)Intrusion prevention system (IPS)National Cybersecurity and Communications Integration Center (NCCIC)National Institute of Standards and Technology (NIST)Patch managementPatch TuesdayPhysical controlsPrinciple of least privilegePrinciple of need to knowScript kiddiesSecurity policySeparation of dutiesSQL injection attacksSYN flood attackTechnical controlsThreat/vulnerability pairUnintentional threatsUnited States Computer Emergency Readiness Team (US-CERT)Version controlCHAPTER 2 ASSESSMENT1.What is a security policy?A.A rigid set of rules that must be followed explicitly to be effectiveB.A technical control used to enforce securityC.A physical control used to enforce securityD.A document created by senior management that identifies the role of security in the organization2.You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use?A.Principle of least privilegeB.Principle of need to knowC.Principle of limited rightsD.Separation of duties3.You want to ensure that users are granted only the permissions needed to access data required to perform their jobs. What should you use?A.Principle of least privilegeB.Principle of need to knowC.Principle of limited rightsD.Principle of limited permissions4.Which of the following security principles divides job responsibilities to reduce fraud?A.Need to knowB.Least privilegeC.Separation of dutiesD.Mandatory vacations5.What can you use to ensure that unauthorized changes are not made to systems?A.Input validationB.Patch managementC.Version controlD.Configuration management6.What are two types of intrusion detection systems?A.Intentional and unintentionalB.Natural and man-madeC.Host-based and network-basedD.Technical and physical7.A technical control prevents unauthorized personnel from having physical access to a secure area or secure system.A.TrueB.False8.What allows an attacker to gain additional privileges on a system by sending unexpected code to the system?A.Buffer overflowB.MAC floodC.Input validationD.Spiders9.What is hardening a server?A.Securing it from the default configurationB.Ensuring it cannot be powered downC.Locking it in a room that is hard to accessD.Enabling necessary protocols and services10.Which of the following steps could be taken to harden a server?A.Removing unnecessary services and protocolsB.Keeping the server up to dateC.Changing defaultsD.Enabling local firewallsE.All of the above11.Which government agency includes the Information Technology Laboratory and publishes SP 800-30?A.NISTB.DHSC.NCCICD.US-CERT12.ITL and ITIL are different names for the same thing.A.TrueB.False13.Which U.S. government agency regularly publishes alerts and bulletins related to security threats?A.NISTB.FBIC.US-CERTD.The MITRE Corporation14.The CVE list is maintained by ________.15.What is the standard used to create Information Security Vulnerability names?A.CVEB.MITREC.DISAD.CSICopy Add Highlight Add Note