ch 7 quiz questions
How many numbering authorities comprise the CVE?
94
Which answer BEST describes the purpose of CVE?
A list of standardized identifiers for known software vulnerabilities and exposures.
Vulnerability scanning has its limitations. Which answer BEST describes the concept of point in time?
A scan can only obtain data for the period of time that it runs
Which BEST defines the term base in CVSS?
A vulnerability's unique characteristics.
Charles, a security analyst, needs to check his network for vulnerabilities. He wants a scan that interacts with network nodes and repairs security issues found. Which kind of scanning BEST describes Charles' requirements?
Active scanning
Which of the following BEST describes Retina CS for Mobile?
Analyzes and reports findings from a centralized data warehouse.
A company is considering the purchase of a new application. During the evaluation period, a security analyst wants to make sure that all areas of the app are secure, especially input controls. Which assessment BEST meets these requirements?
Application-level assessment
John's company just purchased a new application for which they do not have the source code. Which of the following BEST describes the type of assessment John should use on this application?
Application-level assessment
The third step in vulnerability management is to see what an organization looks like from an outsider's and insider's point of view. Which step in life cycle management does this apply to?
Baseline creation
You have just installed Nessus for auditing a network segment. Which of the following Nessus scans would be BEST suited for an initial query of hosts on a network segment?
Basic Network Scan
Which web application scanner looks for common vulnerabilities, like cross-site scripting and SQL injections, and also scans for the OWASP Top 10?
Burp Suite
Which of the following is a dictionary of known patterns of cyberattacks used by hackers?
CAPEC
Which vulnerability scoring system uses metrics called base, temporal, and environmental?
CVSS Calculator
Which resource can BEST be described as a site that combines diverse ideas and perspectives from professionals, academics, and government sources?
Common weakness enumeration
Creating a baseline is vital to managing vulnerabilities. What is the FIRST step in creating this baseline?
Conduct a pre-assessment
Which of the following would an external assessment check?
DNS zones
As a security analyst working for an accounting firm, you need to evaluate the current environment. Which of the following is the FIRST thing you should do?
Define the effectiveness of the current security policies and procedures.
Which government agency sponsors five valuable resources for security analysts?
Dept. of Homeland Security
Mary, a security analyst, is tasked with vulnerability research as part of her company's vulnerability assessment. She discovered that their website is vulnerable to cross-site scripting. Which vulnerability type BEST describes what Mary has found?
Design flaw
Which site MOST often shows the newest vulnerabilities before other sources?
Full Disclosure
Misconfigurations occur throughout a network. What is the primary cause of misconfigurations?
Human errors
Which of the following BEST describes the Qualys Vulnerability Management assessment tool?
It is a cloud-based service that keeps all your data in a private virtual database.
Which of the following is the BEST reason to choose a serviced-based assessment solution?
It provides a protection level that a professional provides through knowledge.
What is the FIRST step in vulnerability scanning penetration?
Locate the live nodes in the network. You can do this using a variety of techniques, but you must know where each live host is.
Which of the following is the last phase of the vulnerability management life cycle?
Monitoring
John is a security analyst, and he needs the following information about a current exploit: Fix information Impact rating Severity score What is his BEST resource?
National Vulnerability Database
Kjell wants a network scanning tool that gives remediation solutions to found vulnerabilities. He also wants to be able to create customized scan jobs that run during off hours and can scan multiple network technologies. Which application is BEST for him?
Nessus
A mailing list that often has the newest vulnerabilities listed before they show up on government-sponsored resources is operated by whom?
Nmap
Troy, a security analyst, needs a web application scanner that is extensible and that evaluates each web application individually. Which tool is BEST for his needs?
OWASP ZAP
Which web application scanner uses an on-path (man-in-the-middle) proxy design?
OWASP ZAP
A security analyst needs an infrastructure vulnerability scanner that's flexible enough for low- and high-level protocols, is updated daily with new vulnerabilities, and allows for performance tuning. The company is on a tight budget, so it needs to be open source. Which tool is the BEST option?
OpenVAS
Allen's company has raised concerns about network information that can be observed without a hacker being discovered. Which of the following BEST describes the type of assessment that could be used to operate in this manner?
Passive
A company decides to purchase and administer tools on their own. Which type of assessment solution are they using?
Product-based assessment
John's company needs a product to fix found network vulnerabilities. This product needs to run inside their firewall without help from an outside professional. Which of the following BEST describes this type of assessment solution?
Product-based assessment
A security analyst is concerned about flaws in the operating system being used within their company. What should their FIRST step be to remedy this?
Regular system patches
During which of the vulnerability life cycle management phases do you implement the controls and protections from your plan of action?
Remediation
You are looking for a vulnerability assessment tool that detects vulnerabilities on mobile devices and gives you a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions. Which of the following vulnerability assessment tools should you use?
SecurityMetrics Mobile
Which of the following BEST describes scan information?
The name of the scanning tool, its version, and the network ports that have been scanned.
The following command and output were performed against a new web server prior to deploying it to production. Which type of security process identifies security weaknesses in an organization's infrastructure that might result in the output below?
Vulnerability assessment
Which vulnerability life cycle step is BEST described as the phase in which a security analyst determines whether all the previous phases are effectively employed?
verification