Network Security Chapter #5
Which technique would be considered passive reconnaissance? (Port scans, Vulnerability scans, WHOIS lookups, or Footprinting)
WHOIS lookups use external registries and are an example of open-source intelligence (OSINT), which is a passive reconnaissance technique. Port scans, vulnerability scans, and footprinting require active engagement with the target and are therefore active reconnaissance.
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred? (False-positive, False-negative, True-positive, or True-negative)
False-positive: a false-positive error occurs when a vulnerability scan reports a vulnerability that does not exist.
Grace would like to determine the operating system that she is targeting in a penetration test. Which technique would most directly provide her this information? (Port scanning, Footprinting, Vulnerability scanning, or Packet capture)
Footprinting: all of these techniques may provide information about the operating system, but footprinting is specifically designed to elicit this information.
Which CVSS attack value on the complexity metric would indicate that the specific attack is the simplest to exploit? (Severe, High, Medium, or Low)
Low, indicating that exploiting the vulnerability does not require any specialized conditions.
Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk would this vulnerability fall into? (Low, Medium, High, or Critical)
Medium: vulnerabilities with CVSS scores between 4.0 and 6.9 are considered medium risk.
Which security assessment tool is least likely to be used during the reconnaissance phase of a penetration test? (Nmap, Nessus, Metasploit, or Nslookup)
Metasploit is an exploitation framework used to execute an attack. It would be better used during the Attacking and Exploiting phase of a penetration test.
Which security assessment technique assumes that an organization has already been compromised and searches for evidence of that compromise?
Threat hunting; the other techniques test for vulnerabilities but do not assume a compromised system.
Which tool is most likely to detect an XSS vulnerability? (Static application test, Web application vulnerability scanner, Intrusion detection system, or Network vulnerability scanner)
All but the intrusion detection system could detect XSS (cross-site scripting); an IDS detects attacks in progress, not vulnerabilities. The web application vulnerability scanner is the best choice because it is specifically designed to test web applications.
Kyle is conducting a penetration test. After gaining access to an organization's database server, he installs a backdoor on the server to grant himself access in the future. What term describes this action? (Privilege escalation, Lateral movement, Maneuver, or Persistence)
Backdoors are persistence tools, designed to make sure that the attacker's access persists after the original vulnerability is remediated, providing access to the system in the future even if the means used to gain access are no longer effective.
Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities? (Threat hunting, Penetration testing, Bug bounty, or Vulnerability scanning)
Bug Bounty programs are designed to allow external security experts to test systems and uncover previously unknown vulnerabilities.
Which element of the SCAP framework can be used to consistently describe vulnerabilities? (CPE, CVE, CVSS, or CCE)
CVE (Common Vulnerabilities and Exposures) provides a standard nomenclature for describing security-related software flaws. CCE (Common Configuration Enumeration) provides standard naming for system configuration issues. CPE (Common Platform Enumeration) provides a standard for product names and versions. CVSS (Common Vulnerability Scoring System) provides a standard for measuring and describing the severity of security-related software flaws.
Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization's systems. What role is Kevin playing? (Red team, Blue team, Purple team, or White team)
Offensive hacking is used by red teams as they attempt to gain access to systems on the targeted network. Blue team: manages the organization's defenses. White team: neutral moderators. Purple team: knowledge sharing between red and blue teams after the exercise.
Which CVSS metric would contain information about the type of account access that an attacker must have to execute an attack? (AV, C, PR, or AC)
PR: the privileges required (PR) metric indicates the type of system access that an attacker must have to execute the attack.
During a vulnerability scan, Brian discovered that a system on his network contained this vulnerability: "A remote attacker could gain the ability to execute code by sending crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Customers should refer to Microsoft Advisory MS17-010." What security control should be deployed to address this issue? (Patch management, File integrity, Intrusion detection, or Threat hunting)
Patch management: this issue would be corrected by a strong patch management program that identifies and remediates the missing patch.
Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What documents should she consult to find this information? (Contract, Statement of work, Rules of engagement, or Lessons learned report)
Rules of engagement provide the technical details around the parameters of the test. This kind of detail would not be provided in a contract or statement of work, and the lessons learned report is produced only after the test.
Ryan is planning to conduct a vulnerability scan of a business critical system using dangerous plug-ins. What would be the best approach for the critical scan? (Against Production systems, During business hours, test environment, or do not run the scan avoiding any disruptions)
Test environment: Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself could disrupt business activities.
Bruce is conducting a penetration test for a client. The client provided him with details of their system in advance. What type of test is Bruce conducting? (Gray-box, Blue-box, White-box, or Black-box)
White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Black-box tests are intended to replicate what an attacker would encounter; testers are not provided with access to or information about the environment. Gray-box tests are a blend of white-box and black-box testing. Blue-box tests are not a type of penetration test.
During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term describes this activity? (Lateral movement, privilege escalation, footprinting, or OSINT)
Moving from one compromised system to another system on the same network is lateral movement. Footprinting and OSINT are reconnaissance techniques, while privilege escalation is increasing the level of access held on an already compromised system.
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanners? (Domain Admin, Local Admin, Root, or Read-only)
Read-only access, following the principle of least privilege and limiting the access granted to the scanner.
Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this type of activity? (Confidentiality, Integrity, Alteration, or Availability)
Integrity: he should recommend integrity controls, which would prevent unauthorized modifications.