Chapter 5: Vulnerability Assessments
A large company has recently discovered a vulnerability in its system. After analyzing the data, the company must prioritize the vulnerabilities based on exploitability and weaponization. Which of the following would be important for the company to consider when analyzing the data to achieve their requirements? (Select two.)
- The level of sophistication of threat actors targeting the vulnerability - The availability of patches for the vulnerability
A cybersecurity analyst uses the Common Vulnerability Scoring System (CVSS) to evaluate the severity of a vulnerability in a company's software. When using the CVSS to evaluate the severity of a software vulnerability, what specific factors should the analyst consider, and why is CVSS an important tool for IT teams to use? (Select two.)
- Type of vulnerability, affected system, and potential impact; to prioritize remediation efforts - Likelihood of exploitation, potential impact, and patch availability; to provide an objective measure of risk
When performing an authorized security audit of a website, you are given only the website address and asked to find other hosts on that network that might be vulnerable to attack. Which of the following tools might be used to lead you to the following Nmap output? (Select two.)
- whois.org - nslookup
While reviewing security on your intrusion detection box, which runs Linux, you note the following in your .bash_history file. You are the only person with access to this machine, yet someone has performed some enumeration on this Linux box. Which file or command contains a list of users?
/etc/passwd
As a network administrator, you have just received a final copy of a vulnerability report and are ready to start writing an action plan to address the security vulnerabilities in the report. Which of the following should the action plan begin with?
A clear statement of the desired outcome
When a host initiates a connection to a server via the TCP Protocol, a three-way handshake is used. What is the host's final reply?
ACK
A managed security service provider (MSSP) is deploying a sensor on a new client's network. The service level objectives (SLOs) discussed between the two parties would need to perform vulnerability scans that perform enumerating services and banner grabbing. These services directly interact with the devices/software to identify vulnerabilities. Which method of vulnerability scanning would BEST meet the goals arranged in the SLOs?
Active
Which of the following BEST describes the Qualys Vulnerability Management assessment tool?
It is a cloud-based service that keeps all your data in a private virtual database.
A network security engineer provided a report to the operations manager with a large amount of public information that is accessible solely from the company's website. For example, the report shows email addresses and other company phone numbers on a graph that would otherwise be known internally. What tool did the network security engineer most likely use to gather this information with little effort?
Maltego
An information security project manager has an important stakeholder meeting for the security operations center's (SOC's) future projections. Most executives will require visualizers of critical systems across the network and how they correlate to simulated attacks, which the SOC has built controls around. Which tool can help stakeholders understand how the mapped network prevents mock attacks?
Maltego
A security engineer is looking to improve the security posture of their organization. One of the issues the security engineer finds is that they need to know what devices are on the network. What kind of scan can help the engineer get visibility into what is on the network?
Map scan
A company is considering entering into a collaboration with a potential partner. The potential partner is a large, well-respected company with a strong track record in cybersecurity. The company has a concern about the potential partner's ability to comprehend and meet all its needs per its standard operating procedures. What is best to ensure mutual comprehension and communication methods short of legal recourse?
Memorandum of understanding (MoU)
A security analyst validates a vulnerability by exploiting it. Which tool can best accomplish this task?
Metasploit Framework (MSF)
A security administrator has identified a new Zero-day vulnerability in the company's operating system. The administrator is responsible for addressing the vulnerability in the most efficient way possible. What action should the administrator take to address the vulnerability?
Mitigate the vulnerability using compensating controls.
You would like to extend the functionality of the Nmap tool to let you perform tasks such as basic vulnerability detection performance and Windows user account discovery. Which of the following would allow you to extend that functionality?
NSE Scripts
John is a security analyst and needs the following information about a current exploit: - Fix information - Impact rating - Severity score What would be the BEST resource for John to use to gather this information?
National Vulnerability Database
As a security analyst, you are looking for a vulnerability scanning tool for internal company use that is an industry-standard tool. Which of the following tools BEST fits this requirement?
Nessus
Kjell wants a network scanning tool that gives remediation solutions to found vulnerabilities. He also wants to be able to create customized scan jobs that run during off hours and can scan multiple network technologies. Which application is BEST for him?
Nessus
John, a security analyst, needs a network mapping tool that will diagram network configurations. Which of the following tools BEST meets John's requirements?
NetAuditor
Which tool scans web servers and version-specific vulnerabilities?
Nikto
As a security analyst for a large financial institution, you want to discover information available through the open ports in your network that could provide hackers with details that could result in guessing software and software versions available in the network. Which of the following would you MOST likely use to discover that information?
Nmap fingerprinting
As a security analyst, you need a web application scanner that is extensible and that evaluates each web application individually. Which tool would BEST meet your needs?
OWASP ZAP
A security administrator wants to scan the company's network for vulnerabilities. Which of these scanners is an open-source software developed from the Nessus codebase?
OpenVAS
The businesses security operations center (SOC) is currently re-evaluating the yearly budget. They want to use different alternatives, including reduced overhead spending and less intensive resources on the company's current systems. The SOC's final decision is to use a different scanning method that monitors and inspects the network traffic more thoroughly. What method of scanning best matches what the SOC has decided?
Passive
The security operations center (SOC) manager has ordered an analyst to fingerprint some of a new client's systems. Which of the following aligns most with performing fingerprinting as the SOC manager requested?
Perform a scan looking to focus attention on individual devices to understand their purpose better.
The Security Operations (SecOps) completed a rollout of a next-generation antivirus solution to better protect the company from known viruses and provide heuristic scanning for unknown viruses. After the implementation, the team received a flood of tickets complaining about computer sluggishness. What did the SecOps team fail to consider with the new antivirus and its effects on potential settings?
Performance
As a security analyst, you need a web-based scanner for your enterprise-level employer. It's imperative that the data be encrypted while in motion and at rest and that only the scanner workers reside on-premises. Which application would BEST suit your needs?
Qualys
A company has hired a security analyst to perform a comprehensive information gathering and reconnaissance phase of a penetration testing engagement. The analyst needs to use a tool that can automate gathering information about a target and performing reconnaissance on the target network. Which of the following tools is best suited for this task?
Recon-ng
During which vulnerability life cycle management phases do you implement the controls and protections from your plan of action?
Remediation
A security consultant identified a vulnerability in a web application that allows an attacker to execute arbitrary commands on the target system, potentially gaining full control over it. Which of the following web vulnerabilities best describes this scenario?
Remote Code Execution (RCE)
Which type of KPI (Key Performance Indicator) indicates the percentage of cybersecurity resources an organization assigns to different areas (such as prevention and detection)?
Resource Allocation
A financial institution is considering partnering with a new vendor to provide online payment services to its customers. The vendor has a reputation for delivering reliable and secure services; however, the financial institution wants to ensure that they make an informed decision. What metric could the institution use to assess the security risk associated with this partnership?
Risk score
TCP is a connection-oriented protocol that uses a three-way handshake to establish a connection to a system port. Computer 1 sends a SYN packet to Computer 2. Which packet does Computer 2 send back?
SYN/ACK
You are looking for a vulnerability assessment tool that detects vulnerabilities on mobile devices and gives you a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions. Which of the following vulnerability assessment tools should you use?
SecurityMetrics Mobile
A new IT professional is responsible for performing vulnerability scans on a web application. The professional wants to understand the differences between static and dynamic analysis methods before deciding which scan to use. Which of the following is a key difference between these two options?
Static analysis involves manually inspecting source code or reviewing configuration files, while dynamic analysis involves using vulnerability scanning software to identify vulnerabilities.
A network administrator is using Nmap to scan a target host for open ports. Which Nmap scan type is known for being a fast and stealthy technique?
TCP SYN
An attacker may poison the DNS by making changes to an organization's DNS table. Why might an attacker take this action?
The attacker can redirect users to a malicious website.
A recently patched Windows machine on your network no longer responds to ping, but you have confirmed it is otherwise functioning normally and servicing incoming connections to other machines on the network. No other changes were made to the machine or its connection to the network. When you use hping3, you get the following output. Which of the following BEST explains that behavior?
The machine's firewall is blocking ICMP.
Which of the following BEST describes scan information?
The name of the scanning tool, its version, and the network ports that have been scanned
An Information Systems Security Officer (ISSO) received a report about secure shell (SSH) access to a network device and quickly reported it up the chain of command. SSH is normally prohibited since a central networking management application manages the network devices. However, the next day, the operations manager addressed the case as a false-positive and confirmed the network team's tasks with an official end date. Why did the operations manager conclude that the security event was false-positive?
The network team has a temporary exemption.
SNMP uses agents that communicate with network devices using which of the following?
The public community that provides read-only access to device configuration.
What should organizations prioritize when selecting tools for vulnerability reporting?
The reporting needs of the organization
Which of the following statements is true concerning the use of top 10 style lists?
They allow for a quick and easy overview of important activities and trends.
An employee downloads a file attachment from a supposed coworker. The file, in reality, was a virus that required it to execute first to initiate the attack. Which exploitability metrics would score high when on a vulnerability assessment of the employee's workstation?
User interaction
A company's login page needs testing after their cyber security engineer implemented hardening techniques. As a result, its penetration testing team assigned the website specialist to perform some tests to ensure the changes were stable. What precisely is the specialist attempting when using fuzzing tools to perform the tests?
Using tools to identify problems and issues with the webpage by purposely inputting or injecting malformed data.
An unauthorized hacker has discovered a publicly known vulnerability in a retail store's cloud-based supply chain management software. The exposure has a CVSS score of 9.3 and a high impact to confidentiality. Fortunately, there is no appropriate proof of concept or publicly available exploit for this vulnerability. What is the biggest hurdle to the hacker gaining access to the retail store's supply chain management software?
Weaponization
An attacker needs the following information about his target: domain ownership, domain names, IP addresses, and server types. Which tool is BEST matched for this operation?
Whois
Iggy, a penetration tester, is conducting an unknown penetration test. She wants to do reconnaissance by gathering information about ownership, IP addresses, domain name, locations, and server types. Which of the following tools would be MOST helpful?
Whois
Creating a baseline is vital to managing vulnerabilities. What is the FIRST step in creating this baseline?
Conduct a pre-assessment.
You have just installed Nessus for auditing a network segment. Which of the following Nessus scans would be BEST suited for an initial query of hosts on a network segment?
Basic Network Scan
Which web application scanner looks for common vulnerabilities, like cross-site scripting and SQL injections, and also scans for the OWASP Top 10?
Burp Suite
This government resource is a community-developed list of common software security weaknesses. They strive to create commonality in the descriptions of weaknesses of software security. Which of the following government resource is described?
CWE
Which resource can BEST be described as a site that combines diverse ideas and perspectives from professionals, academics, and government sources?
Common Weakness Enumeration
An analyst reviews an alert detecting a rogue backend server deployed behind the company's load balancer. After the analyst attempts to identify the possible threat, the DMZ firewall blocks the action. What process was the analyst using to identify where the connection of the device was on the network?
Discovery scan
Xavier is doing reconnaissance using a tool that pulls information from social media postings that were made using location services. He is gathering information about a company and its employees by going through their social media content. What tool is MOST likely being used?
Echosec
A company is planning to conduct a vulnerability scan on its systems. Before starting the scan, what should the security administrator consider regarding data sensitivity levels?
Ensure that sensitive data is appropriately scanned and protected.
A large retail company is conducting a tabletop exercise in its incident response plan. The cybersecurity team must prioritize vulnerabilities based on their scoring. How would the cybersecurity team's understanding of vulnerability scoring concepts benefit the company during the tabletop exercise?
Ensuring effective prioritization of vulnerabilities for remediation
While investigating a potential security breach on a Windows machine, you list the commands that have recently been executed from the command line and find the following: arp -a, set username, set computername, net localgroup administrators, and tasklist. There are other commands as well. You then check the running processes and see the output below in Task Manager. It is clear that someone has compromised the Windows machine. What would you call the phase of the attack that you have found?
Enumeration
What information will be returned from the following Google search?
Excel documents with the word "password" in the title, but not from .gov and .gov.uk websites.
A video production company has a server farm with high-end graphics cards that allows the company to generate computer-generated imagery. Although the servers do not currently store any data, the company wants to ensure the security of its equipment. What is a compelling reason why the company should be proactive in preventing server vulnerabilities?
Exploitability
