CompTIA Security+ Chapter 5 (Chapple/Seidl)

What are 4 well-known vulnerability scanners on the market?

Nessus, Nexpose, Qualys, OpenVAS

What are three vulnerability scanning tools you will want to have in your "toolkit"?

Network vulnerability scanner, application scanner, web application scanner

During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity? a) Lateral movement b) Privilege escalation c) Footprinting d) OSINT

A

Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization's systems. What role is Kevin playing in this exercise? a) Red team b) Blue team c) Purple team d) White team

A

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred? a) False positive b) False negative c) True positive d) True negative

A

Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this type of activity? A. Confidentiality B. Integrity C. Alteration D. Availability

B

Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information? a) Port scanning b) Footprinting c) Vulnerability scanning d) Packet capture

B

Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into? a) Low b) Medium c) High d) Critical

B

Which element of the SCAP framework can be used to consistently describe vulnerabilities? a) CPE b) CVE c) CVSS d) CCE

B

Which one of the following tools is most likely to detect an XSS vulnerability? a) Static application test b) Web application vulnerability scanner c) Intrusion detection system d) Network vulnerability scanner

B

Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack? a) AV b) C c) PR d) AC

C

Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities? a) Threat hunting b) Penetration testing c) Bug bounty d) Vulnerability scanning

C

Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise? a) Vulnerability scanning b) Penetration testing c) Threat hunting d) War driving

C

Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test? a) Nmap b) Nessus c) Metasploit d) Nslookup

C

Which one of the following techniques would be considered passive reconnaissance? a) Port scans b) Vulnerability scans c) WHOIS lookups d) Footprinting

C

Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit? a) High b) Medium c) Low d) Severe

C

Bruce is conducting a penetration test for a client. The client provided him with details of their systems in advance. What type of test is Bruce conducting? a) Gray-box test b) Blue-box test c) White-box test d) Black-box test

C

Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information? a) Contract b) Statement of work c) Rules of engagement d) Lessons learned report

C

Ryan is planning to conduct a vulnerability scan of a business critical system using dangerous plug-ins. What would be the best approach for the critical scan? a) Run the scan against production systems to achieve the most realistic results possible. b) Run the scan during business hours. c) Run the scan in a test environment. d) Do not run the scan to avoid disrupting the business.

C

Scan perspectives

Conducting the scan(s) from a different location on the network, providing a different view into vulnerabilities.

Name the six SCAP standards.

CCE, CPE, CVE, CVSS, XCCDF, OVAL

What is CCE?

Common configuration enumeration; provides a standard nomenclature for discussing system configuration issues.

What is CPE?

Common platform enumeration; provides a standard nomenclature for describing product names and versions.

What is CVE?

Common vulnerabilities and exposures; provides a standardized approach for measuring and describing the severity of security-related software flaws.

What is CVSS?

Common vulnerability scoring system; provides a standardized approach for measuring and describing the severity of security-related software flaws.

Kyle is conducting a penetration test. After gaining access to an organization's database server, he installs a backdoor on the server to grant himself access in the future. What term best describes this action? a) Privilege escalation b) Lateral movement c) Maneuver d) Persistence

D

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanners? a) Domain administrator b) Local administrator c) Root d) Read-only

D

What purpose do plug-ins serve in a vulnerability scanner?

Each plug-in performs a check for a specific vulnerability; often grouped into families based on the OS.

How can administrators conduct "regular maintenance" of their vulnerability scanners?

Ensure that the scanning software and vulnerability feeds remain up-to-date (retrieve new plug-ins on a daily basis). This option is available to be performed automatically, but it's a good idea to manually verify this once in a while.

What is XCCDF?

Extensible configuration checklist description format; a language for specifying checklists and reporting checklist results.

What scan perspectives might an external scan provide? Or an internal scan?

External scan - run from the Internet, giving administrators a view of what an attacker located outside the organization would see as potential vulnerabilities. Internal scan - run from a scanner on the general corporate network, providing the view that a malicious insider might encounter.

What network controls might affect scan results?

Firewall settings, network segmentation, intrusion detection systems (IDSs), intrusion prevention systems (IPSs)

What benefit does disabling unnecessary plug-ins serve?

It improves the speed of the scan by bypassing unnecessary checks and also may reduce the number of false positive results detected by the scanner.

What is OVAL?

Open vulnerability assessment language; a language for specifying low-level testing procedures used by checklists.

Regulatory requirements for vulnerability scans are imposed by which two policies?

PCI DSS or FISMA (Federal Info. Sec. Management Act)

Intrusive plug-ins

Plug-ins that disrupt activity on a production system or damage content on those systems.

What do application scanning tools do?

They analyze custom-developed software to identify common security vulnerabilities.; commonly used as part of the software development process

What do network vulnerability scanners do?

They're capable of probing a wide range of network-connected devices for known vulnerabilities; they reach out to any systems connected to the network, attempt to determine the type of device and its configuration, and then launch targeted tests designed to direct the presence of any known vulnerabilities on those devices.

Configuration reviews

Reviews of vulnerability scanners to ensure that scan settings match current requirements.

This protocol provides a standardization that is important to the automation of interactions between security components.

SCAP

Which scan perspective offers the most accurate view of the real state of the server? How does it do this?

Scanners located inside the datacenter and agents located on the servers - this will show vulnerabilities that might be blocked by other security controls on the network.

What is SCAP?

Security Content Automation Protocol; an effort by the security community, led by NIST, to create a standardized approach for communicating security-related information.

Risk appetite

The organization's willingness to tolerate risk within the environment.

In order to minimize the difficulty of confirming a vulnerability, or the likelihood of detecting a false positive, modern vulnerability management solutions can supplement remote scans with trusted information about server configurations. What are two ways this information can be gathered?

a) administrators can provide the scanner with credentials that allow the scanner to connect to the target server and retrieve configuration information (credentialed scan). b) Agent-based scanning approach (in contrast of a server-based approach): administrators install small software agents on each target server. These agents conduct scans of the server configuration, providing an "inside-out" vulnerability scan, and then report information back to the vulnerability management platform for analysis and reporting.

What factors influence how often an organization decides to conduct vulnerability scans against its systems? Name five.

risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations