Chapter 8 Practice Questions


Which of the following statements are true regarding risk assessments? (Choose two.)
A. A quantitative risk assessment uses hard numbers.
B. A qualitative risk assessment uses hard numbers.
C. A qualitative risk assessment uses a subjective ranking.
D. A quantitative risk assessment uses a subjective ranking.

A. A quantitative risk assessment uses hard numbers. C. A qualitative risk assessment uses a subjective ranking.
A quantitative risk assessment uses hard numbers (such as costs) and a qualitative risk assessment uses a subjective ranking based on judgments. A qualitative risk assessment does not use hard numbers and a quantitative risk assessment does not use subjective rankings.

A tester is fuzzing an application. What is another name for this?
A. Black box testing
B. White box testing
C. Gray box testing
D. Black hat testing

A. Black box testing
Fuzzing sends random data to an application and is sometimes referred to as black box testing. White box and gray box testing have some knowledge of the application and can test the application with specific data rather than random data. Black hat refers to a malicious attacker, not a tester, though a black hat attacker can use a fuzzer.

A security administrator wants to scan the network for a wide range of potential security and configuration issues. What tool provides this service?
A. Fuzzer
B. Protocol analyzer
C. Port scanner
D. Vulnerability scanner

A. Fuzzer
A vulnerability scanner is a management control that can identify a wide range of security and configuration issues. A fuzzer is an active tool that sends random data to a system and can potentially result in an outage. A protocol analyzer can capture and analyze IP packets, and a port scanner can identify open ports. However, the question is asking for a tool that can scan the network for a wide range of issues, and vulnerability scanners can do more than either a protocol analyzer or a port scanner.

Which of the following tools can perform a port scan? (Choose all that apply.)
A. Nmap
B. Netcat
C. Wireshark
D. Netstat

A. Nmap B. Netcat
Nmap and Netcat are two tools that can perform port scans and vulnerability scans. Wireshark is a protocol analyzer and can view headers and clear-text contents in IP packets. Netstat is a command-line tool that identifies open connections.

What can you use to examine IP headers in a data packet?
A. Protocol analyzer
B. Port scanner
C. Vulnerability scanner
D. Penetration tester

A. Protocol analyzer
You can use a protocol analyzer (sniffer) to view headers and clear-text contents in IP packets. A port scanner can detect open ports. A vulnerability scanner will passively identify vulnerabilities and a penetration test will actively try to exploit vulnerabilities, and even though some may examine IP headers, not all of them do.

An organization is hiring a security firm to perform vulnerability testing. What should it define before the testing?
A. Rules of engagement
B. Information given to the black box testers
C. Vulnerabilities
D. Existing security controls

A. Rules of engagement
A rules-of-engagement document identifies the boundaries of a test and the expectations of the testers, and it provides consent for the testers to perform the test. Black box testers are not given any knowledge prior to the test. The test will help identify vulnerabilities, so these aren't defined before the test. It's not required to tell the testers what security controls are in place.

What is included in a risk assessment? (Choose three.)
A. Threats
B. Vulnerabilities
C. Asset values
D. Recommendations to eliminate risk

A. Threats B. Vulnerabilities C. Asset values
A risk assessment identifies assets, asset values, threats, and vulnerabilities. It prioritizes the results and makes recommendations on what controls to implement. Risk cannot be eliminated.

A security professional is performing a penetration test on a system. Of the following choices, what identifies the best description of what this will accomplish?
A. Passively detect vulnerabilities
B. Actively assess security controls
C. Identify lack of security controls
D. Identify common misconfiguration

B. Actively assess security controls
A penetration test will actively assess or test security controls. A vulnerability scan is passive: it detects vulnerabilities, identifies a lack of security controls, and identifies common misconfigurations, but it stops there. Further, the three incorrect answers are specifically listed under vulnerability scanning in the objectives. While a penetration test starts with a passive vulnerability scan, it goes a step further to actively test the controls.

A security professional is performing a qualitative risk analysis. Of the following choices, what will most likely be used in the assessment?
A. Cost
B. Judgment
C. ALE
D. Hard numbers

B. Judgment
A qualitative risk assessment uses judgment to categorize risks based on probability and impact. A quantitative risk assessment uses hard numbers such as costs and asset values. A quantitative risk assessment uses annual loss expectancy (ALE).

An administrator suspects that a web application is sending database credentials across the network in clear text. What can the administrator use to verify this?
A. SQL injection
B. Protocol analyzer
C. A network-based DLP
D. Password cracker

B. Protocol analyzer
A protocol analyzer can capture packets and view the contents, including credentials sent across the network in clear text. SQL injection is an attack against a database through an application that isn't using input validation. A network-based Data Loss Prevention (DLP) system can examine and analyze e-mail and detect if confidential company data is included. A password cracker cracks passwords that are protected, not passwords that are sent in clear text.

An administrator suspects that a computer is sending out large amounts of sensitive data to an external system. What tool can the administrator use to verify this?
A. Rainbow table
B. Protocol analyzer
C. Password cracker
D. Port scanner

B. Protocol analyzer
A protocol analyzer can capture packets and view the contents, including data sent across the network. A rainbow table is a lookup table used by password crackers, and a password cracker cracks passwords. A port scanner identifies open ports on a system.

Of the following choices, what is an example of a system audit?
A. Separation of duties
B. User rights and permissions review
C. Whaling
D. Smurf review

B. User rights and permissions review
Reviewing user rights and permissions is an example of a system audit. Separation of duties prevents any one person or entity from completing all the functions of a critical or sensitive process, and helps to prevent fraud, theft, and errors. Whaling is a form of phishing that targets high-level executives. Smurf is a type of attack that can be detected with a NIDS.

A security administrator used a tool to discover security issues but did not exploit them. What best describes this action?
A. Penetration test
B. Vulnerability scan
C. Protocol analysis
D. Port scan

B. Vulnerability scan
A vulnerability scan attempts to discover vulnerabilities but does not exploit them. A penetration test actively tests security controls by trying to exploit vulnerabilities. A protocol analyzer can capture and analyze IP packets but isn't as useful as a vulnerability scanner for discovering security issues. A port scanner will identify open ports but won't identify security issues.

Testers have access to product documentation and source code for an application that they are using in a vulnerability test. What type of test is this?
A. Black box
B. White box
C. Black hat
D. White hat

B. White box
In white box testing, testers have access to all of the system details. In a black box test, testers have zero knowledge of system details. Black hat identifies a malicious attacker, while white hat identifies a security professional working within the bounds of the law.

A security administrator is performing a vulnerability assessment. Which of the following actions would be included?
A. Implement a password policy
B. Delete unused accounts
C. Organize data based on severity and asset value
D. Remove system rights for users that don't need them

C. Organize data based on severity and asset value
The vulnerability assessment is prioritized based on the severity of the vulnerabilities and their ability to affect high-value assets. A vulnerability assessment checks for the existence of security controls such as a password policy and can include a user rights and access review to identify unused accounts, or accounts with unneeded permissions. However, a vulnerability assessment identifies these issues but does not make changes.

Sally used WinZip to create an archive of several sensitive documents on an upcoming merger, and she password-protected the archive file. Of the following choices, what is the best way to test the security of the archive file?
A. Rainbow table
B. Vulnerability scanner
C. Password cracker
D. Sniffer

C. Password cracker
A password cracker can attempt to crack the password of a password-protected file and is the best choice here. Some password crackers use a rainbow table, but a rainbow table can't be used by itself. A vulnerability scanner can scan for vulnerabilities, but it won't necessarily be able to check a password used to protect an archive file. You can use a sniffer (protocol analyzer) to view headers and clear-text contents in IP packets.

What can you use to examine text transmitted over a network by an application?
A. Honeypot
B. Honeynet
C. Protocol analyzer
D. Vulnerability scanner

C. Protocol analyzer
You can use a protocol analyzer (sniffer) to view headers and clear-text contents in IP packets. A honeypot is a system used to divert an attacker from a live network, and a honeynet is a group of honeypots. A vulnerability scanner will passively identify vulnerabilities but doesn't always include the ability to examine transmitted text.

An administrator needs to test the security of a network without affecting normal operations. What can the administrator use?
A. Internal penetration test
B. External penetration test
C. Vulnerability scanner
D. Protocol analyzer

C. Vulnerability scanner
A vulnerability scanner will test the security of the network without affecting users. A penetration test (external or internal) is active and can affect users. A protocol analyzer can capture and analyze IP packets but won't test the security of a network.

An organization has released an application. Of the following choices, what is the most thorough way to discover vulnerabilities with the application?
A. Fuzzing
B. OVAL comparison
C. Rainbow table
D. Code review

D. Code review
A code review is a line-by-line examination of the code to discover vulnerabilities and is the most thorough of the choices. Fuzzing sends random data to an application to identify vulnerabilities, but it will generally only find simple problems and isn't as thorough as a code review. The Open Vulnerability and Assessment Language (OVAL) is an international standard used to rate the exposure of vulnerabilities, but it doesn't discover them. A rainbow table is a lookup table used to crack weak passwords.

An organization wants to test how well employees can respond to a compromised system. Of the following choices, what identifies the best choice to test the response?
A. Vulnerability scan
B. White hat test
C. Black hat test
D. Penetration test

D. Penetration test
A penetration test will exploit vulnerabilities and will test employees' ability to respond to a compromised system. A vulnerability scan will identify vulnerabilities but not exploit them, so employees won't need to respond. White hat refers to a security professional working within the law, and black hat refers to a malicious attacker, but these aren't tests. Black box testing, white box testing, and gray box testing (not included in the answers) are forms of penetration testing.

You want to check a log to determine when a user logged on and off of a system. What log would you check?
A. System
B. Application
C. Firewall
D. Security

D. Security
The Security log records auditable events such as user logons and logoffs. The System log records system events such as when a service stops and starts. The Application log records events from individual applications. A firewall log can record what traffic is passed and what traffic is blocked.

An organization recently completed a risk assessment. Who should be granted access to the report?
A. All employees
B. Security professionals only
C. Executive management only
D. Security professionals and executive management

D. Security professionals and executive management
Executive management needs access to the report to approve controls, and security professionals need access to the report to implement the controls. The report has sensitive data and should not be released to all employees.

After a recent security incident, a security administrator discovered someone used an enabled account of an ex-employee to access data in the Sales Department. What should be done to prevent this in the future?
A. Modify the security policy to disable all accounts in the Sales Department
B. Vulnerability scans
C. Port scans
D. User access review

D. User access review
A user rights and access review will detect inactive accounts and accounts with more permissions than they require. Normally, a security policy will direct that accounts are disabled or deleted when an employee leaves, but it isn't appropriate to disable all accounts for a department. Neither vulnerability scans nor port scans can detect whether an account belongs to a current or previous employee.

You are trying to determine what systems on your network are most susceptible to an attack. What tool would you use?
A. Port scanner
B. SQL injection
C. Header manipulation
D. Vulnerability scanner

D. Vulnerability scanner
A vulnerability scanner can scan systems for vulnerabilities and determine which ones are most susceptible to an attack. A port scanner scans a system for open ports and helps identify what services are running. SQL injection is a narrow attack on databases, and it would not check all systems. Attackers can manipulate headers in TCP packets for specific attacks, but this isn't as useful as a vulnerability scanner.

An organization has purchased fire insurance to manage the risk of a potential fire. What method are they using?
A. Risk acceptance
B. Risk avoidance
C. Risk deterrence
D. Risk mitigation
E. Risk transference

E. Risk transference
Purchasing insurance is a common method of risk transference. Organizations often accept a risk when the cost of the control exceeds the cost of the risk. An organization can avoid a risk by not providing a service or not participating in a risky activity. Risk deterrence attempts to discourage attacks with preventative controls such as a security guard. Risk mitigation reduces risks through internal controls.
