CYSA+ Chapter 3 Review Questions


What tool can administrators use to help identify the systems present on a network prior to conducting vulnerability scans? A. Asset Inventory B. Web Application Assessment C. Router D. DLP

A: Asset Inventory. An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans.

Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task? A. CVSS B. CVE C. CPE D. XCCDF

A: CVSS. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Jessica could use this scoring system to prioritize issues raised by different source systems.

What approach to vulnerability scanning incorporates information from agents running on the target servers? A. Continuous Monitoring B. Ongoing Scanning C. On-Demand Scanning D. Alerting

A: Continuous Monitoring. Continuous monitoring incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.

Bethany is the vulnerability management specialist for a large retail organization. She completed her last PCI DSS compliance scan in March. In April, the organization upgraded their point-of-sale system, and Bethany is preparing to conduct new scans. When must she complete the new scan? A. Immediately B. June C. December D. No Scans Are Required

A: Immediately. PCI DSS requires that organizations conduct vulnerability scans quarterly, which would put Bethany's next regularly scheduled scan in June. However, the standard also requires scanning after any significant change in the payment card environment. This would include an upgrade to the point-of-sale system, so Bethany must complete a new compliance scan immediately.

Sarah would like to run an external vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans? A. Any Employee of the Organization B. An Approved Scanning Vendor C. A PCI DSS Service Provider D. Any Qualified Individual

B: An Approved Scanning Vendor. While any qualified individual may conduct internal compliance scans, PCI DSS requires the use of a scanning vendor approved by the PCI SSC for external compliance scans.

Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized? A. Low Impact B. Moderate Impact C. High Impact D. Severe Impact

B: Moderate Impact. Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

What term describes an organization's willingness to tolerate risk in their computing environment? A. Risk Landscape B. Risk Appetite C. Risk Level D. Risk Adaptation

B: Risk Appetite. The organization's risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.

Which one of the following is not an example of a vulnerability scanning tool? A. QualysGuard B. Snort C. Nessus D. OpenVAS

B: Snort. QualysGuard, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.

Barry placed all of his organization's credit card processing systems on an isolated network dedicated to card processing. He has implemented appropriate segmentation controls to limit the scope of PCI DSS to those systems through the use of VLANs and firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance purposes, what systems must he scan? A. Customer Systems B. Systems on the Isolated Network C. Systems on the General Enterprise Network D. Both B and C

B: Systems on the Isolated Network. If Barry is able to limit the scope of his PCI DSS compliance efforts to the isolated network, then that is the only network that must be scanned for PCI DSS compliance purposes.

Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance? A. CVSS B. CVE C. CPE D. OVAL

C: CPE. Common Platform Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies? A. HIPAA B. GLBA C. FISMA D. FERPA

C: FISMA. The Federal Information Security Management Act (FISMA) requires that federal agencies implement vulnerability management programs for federal information systems.

Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans? A. Bank B. Hospital C. Government Agency D. Doctor's Office

C: Government Agency. The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors' offices, does not include a vulnerability scanning requirement, nor does GLBA, which covers financial institutions.

What minimum level of impact must a system have under FISMA before the organization is required to determine what information about the system is discoverable by adversaries? A. Low B. Moderate C. High D. Severe

C: High. Control enhancement 4 of the NIST SP 800-53 vulnerability scanning control (RA-5) requires that an organization determine what information about the system is discoverable by adversaries. This enhancement is only in the baseline for FISMA high-impact systems.

Which of the following activities is not part of the vulnerability management life cycle? A. Detection B. Remediation C. Reporting D. Testing

C: Reporting. While reporting and communication are an important part of vulnerability management, they are not included in the life cycle. The three life-cycle phases are detection, remediation, and testing.

Ryan is planning to conduct a vulnerability scan of a business critical system using dangerous plug-ins. What would be the best approach for the initial scan? A. Run the Scan Against Production Systems to Achieve the Most Realistic Results Possible B. Run the Scan During Business Hours C. Run the Scan in a Test Environment D. Do not Run the Scan to Avoid Disrupting the Business

C: Run the Scan in a Test Environment. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.

Bill would like to run an internal vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans? A. Any Employee of the Organization B. An Approved Scanning Vendor C. A PCI DSS Service Provider D. Any Qualified Individual

D: Any Qualified Individual. Internal scans completed for PCI DSS compliance purposes may be conducted by any qualified individual.

Gary is the system administrator for a federal agency and is responsible for a variety of information systems. Which systems must be covered by vulnerability scanning programs? A. Only High-Impact Systems B. Only Systems Containing Classified Information C. High- or Moderate-Impact Systems D. High-, Moderate-, or Low-Impact Systems

D: High-, Moderate-, or Low-Impact Systems. The Federal Information Security Management Act (FISMA) requires vulnerability management programs for all federal information systems, regardless of their assigned impact rating.

Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans? A. Daily B. Weekly C. Monthly D. Quarterly

D: Quarterly. PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.

Renee is configuring her vulnerability management solution to perform credentialed scans of her network. What type of account should she provide to the scanner? A. Domain Administrator B. Local Administrator C. Root D. Read-Only

D: Read-Only. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

Which one of the following factors is least likely to impact vulnerability scanning schedules? A. Regulatory Requirements B. Technical Constraints C. Business Constraints D. Staff Availability

D: Staff Availability. Scan schedules are most often determined by the organization's risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations. Most scans are automated and do not require staff availability.
