CSA+ CH2 Vulnerability Management, Part 2/2
Emily discovered the vulnerability shown here on a server running in her organization. What is the most likely underlying cause for this vulnerability? [Figure: scan result listing a level 4 Microsoft Windows OLE remote code execution vulnerability (MS16-044), with first detected, last detected, vendor reference, and user modified fields.] A. Failure to perform input validation B. Failure to use strong passwords C. Failure to encrypt communications D. Failure to install antimalware software
A. In a remote code execution attack, the attacker manages to upload arbitrary code to a server and run it. These attacks often result from the failure of an application or operating system component to perform input validation.
Don completed a vulnerability scan of his organization's virtualization platform from an external host and discovered the vulnerability shown here. How should Don react? [Figure: vulnerability list including Mozilla Firefox multiple vulnerabilities (MFSA2017-05, MFSA2017-06) and a level 5 Mozilla Firefox integer overflow vulnerability (MFSA2017-08).] A. This is a critical issue that requires immediate adjustment of firewall rules. B. This issue has a very low severity and does not require remediation. C. This issue should be corrected as time permits. D. This is a critical issue, and Don should shut down the platform until it is corrected.
A. Although the vulnerability scan report does indicate that this is a low-severity vulnerability, Don must take this information in context. The management interface of a virtualization platform should never be exposed to external hosts, and it also should not use unencrypted credentials. In that context, this is a critical vulnerability that could allow an attacker to take control of a large portion of the computing environment. Don should work with security and network engineers to block this activity at the firewall as soon as possible. Shutting down the virtualization platform is not a good alternative because it would be extremely disruptive, and the firewall adjustment is equally effective from a security point of view.
Helen performs a vulnerability scan of one of the internal LANs within her organization and finds a report of a web application vulnerability on a device. Upon investigation, she discovers that the device in question is a printer. What is the most likely scenario in this case? A. The printer is running a web server. B. The report is a false positive result. C. The printer recently changed IP addresses. D. Helen inadvertently scanned the wrong network.
A. Any one of the answer choices provided is a possible reason that Helen received this result. However, the most probable scenario is that the printer is actually running a web server and this is a true positive result. Printers commonly provide administrative web interfaces, and those interfaces may be the source of vulnerabilities.
Shannon reviewed the vulnerability scan report for a web server and found that it has multiple SQL injection and cross-site scripting vulnerabilities. What would be the least difficult way for Shannon to address these issues? A. Install a web application firewall. B. Recode the web application to include input validation. C. Apply security patches to the server operating system. D. Apply security patches to the web server service.
A. Applying patches to the server will not correct SQL injection or cross-site scripting flaws, as these reside within the web applications themselves. Shannon could correct the root cause by recoding the web applications to use input validation, but this is the more difficult path. A web application firewall would provide immediate protection with lower effort.
Which one of the following types of data is subject to regulations in the United States that specify the minimum frequency of vulnerability scanning? A. Driver's license numbers B. Insurance records C. Credit card data D. Medical records
C. Credit card information is subject to the Payment Card Industry Data Security Standard (PCI DSS), which contains specific provisions that dictate the frequency of vulnerability scanning. While the other data types mentioned in the question are regulated, none of those regulations contains specific provisions that identify a required vulnerability scanning frequency.
Sunitha discovered the vulnerability shown here in an application developed by her organization. What application security technique is most likely to resolve this issue? [Figure: scan result listing a level 4 Sun Java Runtime Environment GIF images buffer overflow vulnerability, with first detected, last detected, vendor reference, and user modified fields.] A. Bounds checking B. Network segmentation C. Parameter handling D. Tag removal
A. Buffer overflow vulnerabilities occur when an application attempts to put more data in a memory location than was allocated for that use, resulting in unauthorized writes to other areas of memory. Bounds checking verifies that user-supplied input does not exceed the maximum allowable length before storing it in memory.
Thomas learned this morning of a critical security flaw that affects a major service used by his organization and requires immediate patching. This flaw was the subject of news reports and is being actively exploited. Thomas has a patch, has informed stakeholders of the issue, and has received permission to apply the patch during business hours. How should he handle the change management process? A. Thomas should apply the patch and then follow up with an emergency change request after work is complete. B. Thomas should initiate a standard change request but apply the patch before waiting for approval. C. Thomas should work through the standard change approval process and wait until it is complete to apply the patch. D. Thomas should file an emergency change request and wait until it is approved to apply the patch.
A. Change management processes should always include an emergency change procedure. This procedure should allow applying emergency security patches without working through the standard change process. Thomas has already secured stakeholder approval on an informal basis, so he should proceed with the patch and then file a change request after the work is complete. Taking the time to file the change request before completing the work would expose the organization to a critical security flaw during the time required to complete the paperwork.
Richard is designing a remediation procedure for vulnerabilities discovered in his organization. He would like to make sure that any vendor patches are adequately tested prior to deploying them in production. What type of environment could Richard include in his procedure that would best address this issue? A. Sandbox B. Honeypot C. Honeynet D. Production
A. Deploying changes in a sandbox environment provides a safe place for testing changes that will not affect production systems. Honeypots and honeynets are not testing environments but, rather, are decoy services used to attract attackers. Vendor patches should not normally be tested in production because of the potential impact on business operations.
Sara's organization has a well-managed test environment. What is the most likely issue that Sara will face when attempting to evaluate the impact of a vulnerability remediation by first deploying it in the test environment? A. Test systems are not available for all production systems. B. Production systems require a different type of patch than test systems. C. Significant configuration differences exist between test and production systems. D. Test systems are running different operating systems than production systems.
A. In a well-managed test environment, the test systems should be configured in a near-identical manner to production systems. They should be running the same operating systems and require the same patches. However, in almost every organization, there are systems running in production that do not have mirror deployments in test environments because of cost, legacy system issues, and other reasons.
Beth is configuring a vulnerability scanning tool. She recently learned about a privilege escalation vulnerability that requires that the user already have local access to the system. She would like to ensure that her scanners are able to detect this vulnerability as well as future similar vulnerabilities. What action can she take that would best improve the scanner's ability to detect this type of issue? A. Enable credentialed scanning. B. Run a manual vulnerability feed update. C. Increase scanning frequency. D. Change the organization's risk appetite.
A. Enabling credentialed scanning would increase the likelihood of detecting vulnerabilities that require local access to a server. Credentialed scans can read deep configuration settings that might not be available with an uncredentialed scan of a properly secured system. Updating the vulnerability feed manually may add a signature for this particular vulnerability but would not help with future vulnerabilities. Instead, Beth should configure automatic feed updates. Increasing the scanning frequency may increase the speed of detection but would not impact the scanner's ability to detect the vulnerability. The organization's risk appetite affects what vulnerabilities they choose to accept but would not change the ability of the scanner to detect a vulnerability.
Dennis is developing a checklist that will be used by different security teams within his broad organization. What SCAP component can he use to help write the checklist and report results in a standardized fashion? A. XCCDF B. CCE C. CPE D. CVE
A. Extensible Configuration Checklist Description Format (XCCDF) is a language for specifying checklists and reporting checklist results. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws.
Vincent is a security manager for a U.S. federal government agency subject to FISMA. Which one of the following is not a requirement that he must follow for his vulnerability scans to maintain FISMA compliance? A. Run complete scans on at least a monthly basis. B. Use tools that facilitate interoperability and automation. C. Remediate legitimate vulnerabilities. D. Share information from the vulnerability scanning process.
A. FISMA does specify many requirements for agencies that conduct vulnerability scans, but it does not contain any specific requirements regarding the frequency of the scans. It merely states that agencies must conduct scans of information systems and hosted applications when new vulnerabilities potentially affecting the system/application are identified and reported.
Sally discovered during a vulnerability scan that a system that she manages has a high-priority vulnerability that requires a patch. The system is behind a firewall and there is no imminent threat, but Sally wants to get the situation resolved as quickly as possible. What would be her best course of action? A. Initiate a high-priority change through her organization's change management process. B. Implement a fix immediately and then document the change after the fact. C. Implement a fix immediately and then inform her supervisor of her action and the rationale. D. Schedule a change for the next quarterly patch cycle.
A. In this situation, Sally recognizes that there is no imminent threat, so it is not necessary to follow an emergency change process that would allow her to implement the change before conducting any change management. That said, the change should be made without waiting up to three months for a scheduled patch cycle. Therefore, Sally's best option is to initiate a high-priority change through her organization's change management process.
Laura discovered an operating system vulnerability on a system on her network. After tracing the IP address, she discovered that the vulnerability is on a search appliance installed on her network. She consulted with the responsible engineer, who informed her that he has no access to the underlying operating system. What is the best course of action for Laura? A. Contact the vendor to obtain a patch. B. Try to gain access to the underlying operating system and install the patch. C. Mark the vulnerability as a false positive. D. Wait 30 days and rerun the scan to see whether the vendor corrected the vulnerability.
A. Laura should contact the vendor to determine whether a patch is available for the appliance. She should not attempt to modify the appliance herself, as this may cause operational issues. Laura has no evidence to indicate that this is a false positive report, and there is no reason to wait 30 days to see whether the problem resolves itself.
After running a vulnerability scan, Janet discovered that several machines on her network are running Internet Explorer 8 and reported the vulnerability shown here. Which one of the following would not be a suitable replacement browser for these systems? [Figure: scan result listing a level 5 EOL/obsolete software finding, Microsoft Internet Explorer 8 detected, with threat and impact sections and first detected, last detected, vendor reference, and user modified fields.] A. Internet Explorer 10 B. Google Chrome C. Mozilla Firefox D. Microsoft Edge
A. Microsoft has discontinued support for Internet Explorer versions other than IE 11 and is planning to discontinue Internet Explorer after version 11 because it is being replaced by Microsoft Edge. Google Chrome and Mozilla Firefox are also suitable replacement browsers.
Bruce is concerned about the security of an industrial control system that his organization uses to monitor and manage systems in their factories. He would like to reduce the risk of an attacker penetrating this system. Which one of the following security controls would best mitigate the vulnerabilities in this type of system? A. Network segmentation B. Input validation C. Memory protection D. Redundancy
A. Network segmentation is one of the strongest controls that may be used to protect industrial control systems and SCADA systems by isolating them from other systems on the network. Input validation and memory protection may provide some security, but the mitigating effect is not as strong as isolating these sensitive systems from other devices and preventing an attacker from connecting to them in the first place. Redundancy may increase uptime from accidental failures but would not protect the systems from attack.
Norman is working with his manager to implement a vulnerability management program for his company. His manager tells him that he should focus on remediating critical and high-severity risks and that the organization does not want to spend time worrying about risks rated medium or lower. What type of criteria is Norman's manager using to make this decision? A. Risk appetite B. False positive C. False negative D. Data classification
A. Norman's manager is deciding to use the organization's risk appetite (or risk tolerance) to make this decision. He is stating that the organization will tolerate medium-severity risks but will not accept critical or high-severity risks. This is not a case of a false positive or false negative error, as they are not discussing a specific vulnerability. The decision is not based upon data classification because the criticality or sensitivity of information was not discussed.
Chandra's organization recently upgraded the firewall protecting the network where they process credit card information. This network is subject to the provisions of PCI DSS. When is Chandra required to schedule the next vulnerability scan of this network? A. Immediately B. Within one month C. Before the start of next month D. Before the end of the quarter following the upgrade
A. PCI DSS requires that networks be scanned quarterly or after any "significant change in the network." A firewall upgrade definitely qualifies as a significant network change, and Chandra should schedule a vulnerability scan immediately to maintain PCI DSS compliance.
After reviewing the results of a vulnerability scan, Bruce discovered that many of the servers in his organization are susceptible to a brute-force SSH attack. He would like to determine what external hosts attempted SSH connections to his servers and is reviewing firewall logs. What TCP port would relevant traffic most likely use? A. 22 B. 636 C. 1433 D. 1521
A. Secure shell (SSH) traffic flows over TCP port 22. Port 636 is used by the Lightweight Directory Access Protocol (LDAP). Port 1433 is used by Microsoft SQL Server. Port 1521 is used by Oracle databases.
Which one of the following protocols might be used within a virtualization platform for monitoring and management of the network? A. SNMP B. SMTP C. BGP D. EIGRP
A. The Simple Network Management Protocol (SNMP) uses traps and polling requests to monitor and manage both physical and virtual networks. The Simple Mail Transfer Protocol (SMTP) is an email transfer protocol. The Border Gateway Protocol (BGP) and Enhanced Interior Gateway Routing Protocol (EIGRP) are used to make routing decisions.
Refer to the bare-metal virtualization environment shown here: [Diagram: boxes labeled A (four of them), B, and C.] What component is identified by B in the image? A. Hypervisor B. Host operating system C. Guest operating system D. Physical hardware
A. The label B designates the hypervisor in this environment. In a bare-metal virtualization environment, the hypervisor sits beneath the guest operating systems and controls access to memory, disk, CPU, and other system resources.
Holly ran a scan of a server in her data center, and the most serious result was the vulnerability shown here. What action is most commonly taken to remediate this vulnerability? [Figure: scan result listing a level 3 phpinfo information disclosure vulnerability, with threat and impact sections and first detected, last detected, vendor reference, and user modified fields.] A. Remove the file from the server. B. Edit the file to limit information disclosure. C. Password protect the file. D. Limit file access to a specific IP range.
A. The phpinfo file is a testing file often used by web developers during the initial configuration of a server. While any of the solutions provided here may remediate this vulnerability, the most common course of action is to simply remove this file before the server is moved into production or made publicly accessible.
Frank recently ran a vulnerability scan and identified a POS terminal that contains an unpatchable vulnerability because of running an unsupported operating system. Frank consults with his manager and is told that the POS is being used with full knowledge of management and, as a compensating control, it has been placed on an isolated network with no access to other systems. Frank's manager tells him that the merchant bank is aware of the issue. How should Frank handle this situation? A. Document the vulnerability as an approved exception. B. Explain to his manager that PCI DSS does not permit the use of unsupported operating systems. C. Decommission the POS system immediately to avoid personal liability. D. Upgrade the operating system immediately.
A. The scenario describes an acceptable use of a compensating control that has been reviewed with the merchant bank. Frank should document this as an exception and move on with his scans. Other actions would go against his manager's wishes and are not required by the situation.
Meredith recently ran a vulnerability scan on her organization's accounting network segment and found the vulnerability shown here on several workstations. What would be the most effective way for Meredith to resolve this vulnerability? [Figure: scan result listing a level 5 Adobe Flash Player remote code execution vulnerability (APSB17-07), with threat and impact sections and first detected, last detected, vendor reference, and user modified fields.] A. Remove Flash Player from the workstations. B. Apply the security patches described in the Adobe bulletin. C. Configure the network firewall to block unsolicited inbound access to these workstations. D. Install an intrusion detection system on the network.
A. The security and web development communities both consider Adobe Flash an outdated and insecure technology. The best solution would be for Meredith to remove this software from systems in her organization. Applying the security patches would be a temporary solution, but it is likely that new vulnerabilities will arise soon requiring more patches. Blocking inbound access to the workstations would not be effective because Flash vulnerabilities are typically exploited after a client requests a malicious file. An intrusion detection system may alert administrators to malicious activity but does not perform blocking.
Rex recently ran a vulnerability scan of his organization's network and received the results shown here. He would like to remediate the server with the highest number of the most serious vulnerabilities first. Which one of the following servers should be on his highest priority list? [Figure: scan dashboard with totals for all vulnerabilities and for level 5, level 4, and level 3, an operating system section, and a "most vulnerable hosts" table with columns for host (by IP and OS), last scan date, total vulns, level 5, level 4, and level 3.] A. 10.0.102.58 B. 10.0.16.58 C. 10.0.46.116 D. 10.0.69.232
A. The server with IP address 10.0.102.58 is the only server on the list that contains a level 5 vulnerability. Level 5 vulnerabilities have the highest severity and should be prioritized. The server at 10.0.16.58 has the most overall vulnerabilities but does not have any level 5 vulnerabilities. The servers at 10.0.46.116 and 10.0.69.232 have only level 3 vulnerabilities, which are less severe than level 5 vulnerabilities.
Paul ran a vulnerability scan of his vulnerability scanner and received the result shown here. What is the simplest fix to this issue? [Figure: scan result for Tenable Nessus 6.0.x less than 6.6 multiple vulnerabilities, whose description lists a cross-site scripting (XSS) vulnerability and a denial of service vulnerability, among others.] A. Upgrade Nessus. B. Remove guest accounts. C. Implement TLS encryption. D. Renew the server certificate.
A. The vulnerability description indicates that this is a vulnerability that exists in versions of Nessus earlier than 6.6. Upgrading to a more recent version of Nessus would correct the issue.
Ron is responsible for distributing vulnerability scan reports to system engineers who will remediate the vulnerabilities. What would be the most effective and secure way for Ron to distribute the reports? A. Ron should configure the reports to generate automatically and provide immediate, automated notification to administrators of the results. B. Ron should run the reports manually and send automated notifications after he reviews them for security purposes. C. Ron should run the reports on an automated basis and then manually notify administrators of the results after he reviews them. D. Ron should run the reports manually and then manually notify administrators of the results after he reviews them.
A. There is no reasonable justification for Ron reviewing the reports prior to providing them to the administrators responsible for the systems. In the interests of transparency and efficiency, he should configure the scans to run automatically and send automated notifications to administrators as soon as they are generated. This allows immediate remediation. There is nothing preventing Ron from performing a review of the scan results, but he should not filter them before providing them to the responsible engineers.
Kassie discovered the vulnerability shown here on one of the servers running in her organization. What action should she take? [Figure: scan result for Microsoft Windows Server 2003 unsupported installation detection, with a description section.] A. Decommission this server. B. Run Windows Update to apply security patches. C. Require strong encryption for access to this server. D. No action is required.
A. This is a critical vulnerability that should be addressed immediately. In this case, Kassie should decommission the server and replace it with a server running a current operating system. Microsoft no longer supports Windows Server 2003 and will not issue patches for vulnerabilities identified after July 2015.
What level of availability risk does this vulnerability pose to the organization? A. There is no availability impact. B. The performance of the system is degraded. C. One or more services on the system may be stopped. D. The system is completely shut down.
A. This vulnerability does not allow the attacker to affect the availability of the system. This is confirmed by the CVSS string "A:N" indicating that the Availability metric is None.
What level of integrity risk does this vulnerability pose to the organization? A. There is no integrity impact. B. Modification of some information is possible, but the attacker does not have control over what information is modified. C. Modification of most information is possible, but the attacker does not have control over what information is modified. D. All information on the system may be modified.
A. This vulnerability does not allow the attacker to modify any information on the system. This is confirmed by the CVSS string "I:N" indicating that the Integrity metric is None.
Tom is planning a series of vulnerability scans and wants to ensure that the organization is meeting its customer commitments with respect to the scans' performance impact. What two documents should Tom consult to find these obligations? A. SLAs and MOUs B. SLAs and DRPs C. DRPs and BIAs D. BIAs and MOUs
A. Tom should consult service level agreements (SLAs) and memorandums of understanding (MOUs). These documents should contain all commitments made to customers related to performance. Disaster recovery plans (DRPs) and business impact assessments (BIAs) should not contain this type of information.
Tonya is configuring a new vulnerability scanner for use in her organization's data center. Which one of the following values is considered a best practice for the scanner's update frequency? A. Daily B. Weekly C. Monthly D. Quarterly
A. Vulnerability scanners should be updated as often as possible to allow the scanner to retrieve new vulnerability signatures as soon as they are released. Tonya should choose daily updates.
Wanda recently discovered the vulnerability shown here on a Windows server in her organization. She is unable to apply the patch to the server for six weeks because of operational issues. What workaround would be most effective in limiting the likelihood that this vulnerability would be exploited? [Figure: scan result listing level 4 Microsoft Windows graphics component multiple vulnerabilities (MS17-013), with threat and impact sections and first detected, last detected, vendor reference, and user modified fields.] A. Restrict interactive logins to the system. B. Remove Microsoft Office from the server. C. Remove Internet Explorer from the server. D. Apply the security patch.
A. Wanda should restrict interactive logins to the server. The vulnerability report states that "The most severe of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document." If Wanda restricts interactive login, it greatly reduces the likelihood of this type of activity. Removing Internet Explorer or Microsoft Office might lower some of the risk, but it would not be as effective as completely restricting logins. Applying the security patch is not an option because of the operational concerns cited in the question.
Becky is scheduling vulnerability scans for her organization's data center. Which one of the following is a best practice that Becky should follow when scheduling scans? A. Schedule scans so that they are spread evenly throughout the day. B. Schedule scans so that they run during periods of low activity. C. Schedule scans so that they all begin at the same time. D. Schedule scans so that they run during periods of peak activity to simulate performance under load.
B. If possible, Becky should schedule the scans during periods of low activity to reduce the impact they have on business operations. The other approaches all have a higher risk of causing a disruption.
Morgan recently completed the security analysis of a web browser deployed on systems in her organization and discovered that it is susceptible to a zero-day integer overflow attack. Who is in the best position to remediate this vulnerability in a manner that allows continued use of the browser? A. Morgan B. The browser developer C. The network administrator D. The domain administrator
B. Morgan or the domain administrator could remove the software from the system, but this would not allow continued use of the browser. The network administrator could theoretically block all external web browsing, but this is not a practical solution. The browser developer is the only one in a good situation to correct an overflow error because it is a flaw in the code of the web browser.
Ann would like to improve her organization's ability to detect and remediate security vulnerabilities by adopting a continuous monitoring approach. Which one of the following is not a characteristic of a continuous monitoring program? A. Analyzing and reporting findings B. Conducting forensic investigations when a vulnerability is exploited C. Mitigating the risk associated with findings D. Transferring the risk associated with a finding to a third party
B. Analyzing and reporting findings to management is one of the core tasks of a continuous monitoring program. Another core task is responding to findings by mitigating, accepting, transferring, or avoiding risks. Continuous monitoring programs are not tasked with performing forensic investigations, as this is an incident response process.
Frank discovered during a vulnerability scan that an administrative interface to one of his storage systems was inadvertently exposed to the Internet. He is reviewing firewall logs and would like to determine whether any access attempts came from external sources. Which one of the following IP addresses reflects an external source? A. 10.15.1.100 B. 12.8.1.100 C. 172.16.1.100 D. 192.168.1.100
B. Any addresses in the 10.x.x.x, 172.16.x.x, and 192.168.x.x ranges are private IP addresses that are not routable over the Internet. Therefore, of the addresses listed, only 12.8.1.100 could originate outside the local network.
What strategy can be used to immediately report configuration changes to a vulnerability scanner? A. Scheduled scans B. Continuous monitoring C. Automated remediation D. Automatic updates
B. Continuous monitoring uses agents installed on monitored systems to immediately report configuration changes to the vulnerability scanner. Scheduled scans would not detect a change until the next time they run. Automated remediation would correct security issues rather than report configuration changes. Automatic updates would ensure that scans use the most current vulnerability information.
Craig completed the vulnerability scan of a server in his organization and discovered the results shown here. Which one of the following is not a critical remediation action dictated by these results? [Figure: list of 71 vulnerabilities, including level 5 Google Chrome prior to 57.0.2987.98 multiple vulnerabilities and level 5 Oracle Java SE critical patch update - October 2016, among others.] A. Remove obsolete software. B. Reconfigure the host firewall. C. Apply operating system patches. D. Apply application patches.
B. Craig should remove the four pieces of obsolete software identified by the vulnerability scan (Java 6.1, Internet Explorer 8, Microsoft .NET Framework 4, and Microsoft Visual C++ 2005). He should also apply the Windows MS17-012 security update and patch Chrome, Java, and other vulnerable applications on this system. All of these issues raise critical vulnerabilities in the scan report. There is no indication that host firewall changes are required.
Chris is preparing to conduct vulnerability scans against a set of workstations in his organization. He is particularly concerned about system configuration settings. Which one of the following scan types will give him the best results? Unauthenticated scan Credentialed scan External scan Internal scan
B. Credentialed scans are able to log on to the target system and directly retrieve configuration information, providing the most accurate results of the scans listed. Unauthenticated scans must rely upon external indications of configuration settings, which are not as accurate. The network location of the scanner (external vs. internal) will not have a direct impact on the scanner's ability to read configuration information.
Lori is studying vulnerability scanning as she prepares for the CySA+ exam. Which of the following is not one of the principles she should observe when preparing for the exam to avoid causing issues for her organization? Run only nondangerous scans on production systems to avoid disrupting a production service. Run scans in a quiet manner without alerting other IT staff to the scans or their results to minimize the impact of false information. Limit the bandwidth consumed by scans to avoid overwhelming an active network link. Run scans outside of periods of critical activity to avoid disrupting the business.
B. Lori should absolutely not try to run scans without the knowledge of other IT staff. She should inform her team of her plans and obtain permission for any scans that she runs. She should limit scans of production systems to safe plug-ins while she is learning. She should also limit the bandwidth consumed by her scans and the time of her scans to avoid impacts on production environments.
Andrea recently discovered the vulnerability shown here on the workstation belonging to a system administrator in her organization. What is the major likely threat that should concern Andrea? Window shows sections for 3 PuTTY local information disclosure vulnerability and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. An attacker could exploit this vulnerability to take control of the administrator's workstation. An attacker could exploit this vulnerability to gain access to servers managed by the administrator. An attacker could exploit this vulnerability to prevent the administrator from using the workstation. An attacker could exploit this vulnerability to decrypt sensitive information stored on the administrator's workstation.
B. PuTTY is a commonly used remote login application used by administrators to connect to servers and other networked devices. If an attacker gains access to the SSH private keys used by PuTTY, the attacker could use those keys to gain access to the systems managed by that administrator. This vulnerability does not necessarily give the attacker any privileged access to the administrator's workstation, and the SSH key is not normally used to encrypt stored information.
William is preparing a legal agreement for his organization to purchase services from a vendor. He would like to document the requirements for system availability, including the vendor's allowable downtime for patching. What type of agreement should William use to incorporate this requirement? MOU SLA BPA BIA
B. Service level agreements (SLAs) specify the technical parameters of a vendor relationship and should include coverage of service availability as well as remedies for failure to meet the agreed-upon targets. Memorandums of understanding (MOUs) are less formal documents that outline the relationship between two organizations. Business partnership agreements (BPAs) typically cover business, rather than technical, issues and would not normally include availability commitments. Business impact assessments (BIAs) are risk assessments and are not legal agreements.
Ted recently ran a vulnerability scan of his network and was overwhelmed with results. He would like to focus on the most important vulnerabilities. How should Ted reconfigure his vulnerability scanner? Increase the scan sensitivity. Decrease the scan sensitivity. Increase the scan frequency. Decrease the scan frequency.
B. Ted can reduce the number of results returned by the scan by decreasing the scan sensitivity. This will increase the threshold for reporting, only returning the most important results. Increasing the scan sensitivity would have the opposite effect, increasing the number of reported vulnerabilities. Changing the scan frequency would not alter the number of vulnerabilities reported.
Renee is assessing the exposure of her organization to the denial-of-service vulnerability in the scan report shown here. She is specifically interested in determining whether an external attacker would be able to exploit the denial-of-service vulnerability. Which one of the following sources of information would provide her with the best information to complete this assessment? Window shows sections for 3 MediaWiki information disclosure, Denial of Service and multiple cross-site scripting vulnerabilities and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. Server logs Firewall rules IDS configuration DLP configuration
B. The firewall rules would provide Renee with information about whether the service is accessible from external networks. Server logs would contain information on actual access but would not definitively state whether the server is unreachable from external addresses. Intrusion detection systems may detect an attack in progress but are not capable of blocking traffic and would not be relevant to Renee's analysis. Data loss prevention systems protect against confidentiality breaches and would not be helpful against an availability attack.
Nick is configuring vulnerability scans for his network using a third-party vulnerability scanning service. He is attempting to scan a web server that he knows exposes a CIFS file share and contains several significant vulnerabilities. However, the scan results only show ports 80 and 443 as open. What is the most likely cause of these scan results? The CIFS file share is running on port 443. A firewall configuration is preventing the scan from succeeding. The scanner configuration is preventing the scan from succeeding. The CIFS file share is running on port 80.
B. The most likely issue here is that there is a network firewall between the server and the third-party scanning service. This firewall is blocking inbound connections to the web server and preventing the external scan from succeeding. CIFS generally runs on port 445, not port 80 or 443. Those ports are commonly associated with web services. The scanner is not likely misconfigured because it is successfully detecting other ports on the server. Nick should either alter the firewall rules to allow the scan to succeed or, preferably, place a scanner on a network in closer proximity to the web server.
Tom runs a vulnerability scan of the file server shown here. Diagram shows Internet connected to firewall, which is connected to internal network and DMZ, where internal network is connected to workstation and file server and DMZ is connected to email server and web server. He receives the vulnerability report shown next. Assuming that the firewall is configured properly, what action should Tom take immediately? Window shows section for vulnerabilities with options for 3 Windows Remote Desktop Protocol weak encryption method allowed, 3 administrator account's password does not expire, et cetera. Block RDP access to this server from all hosts. Review and secure server accounts. Upgrade encryption on the server. No action is required.
B. The scan report shows two issues related to server accounts: a weak password policy for the Administrator account and an active Guest account. Tom should remediate these issues to protect against the insider threat. The server also has an issue with weak encryption, but this is a lower priority given that the machine is located on an internal network.
Elliott runs a vulnerability scan of one of the servers belonging to his organization and finds the results shown here. Which one of these statements is not correct? Window shows section for 1 remote management service accepting unencrypted credentials detected, and options for first detected, last detected, vendor reference, user modified, et cetera. This server requires one or more Linux patches. This server requires one or more Oracle database patches. This server requires one or more Firefox patches. This server requires one or more MySQL patches.
B. The server described in this report requires multiple Red Hat Linux and Firefox patches to correct serious security issues. One of those Red Hat updates also affects the MySQL database service. While there are Oracle patches listed on this report, they relate to Oracle Java, not an Oracle database.
After running a vulnerability scan of systems in his organization's development shop, Mike discovers the issue shown here on several systems. What is the best solution to this vulnerability? Window shows section for 5 EOL/obsolete software: Microsoft .NET Framework 4 - 4.5.1 detected, and options for first detected, last detected, vendor reference, user modified, et cetera. Apply the required security patches to this framework. Remove this framework from the affected systems. Upgrade the operating system of the affected systems. No action is necessary.
B. The vulnerability description indicates that this software has reached its end-of-life (EOL) and, therefore, is no longer supported by Microsoft. Mike's best solution is to remove this version of the framework from the affected systems. No patches will be available for future vulnerabilities. There is no indication from this result that the systems require operating system upgrades. Mike should definitely take action because of the critical severity (5 on a five-point scale) of this vulnerability.
Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization's network. An external scan of the server found the vulnerability shown here. Window shows SSL certificate signed using weak hashing algorithm with section for description. How can Josh correct this vulnerability? Reconfigure the VPN server to only use secure hash functions. Request a new certificate. Change the domain name of the server. Implement an intrusion prevention system.
B. This error is a vulnerability in the certificate itself and may be corrected only by requesting a new certificate from the certificate authority (CA) that uses a secure hash algorithm in the certificate signature.
What level of confidentiality risk does this vulnerability pose to the organization? There is no confidentiality impact. Access to some information is possible, but the attacker does not have control over what information is compromised. Access to most information is possible, but the attacker does not have control over what information is compromised. All information on the system may be compromised.
B. This vulnerability discloses the type of database server supporting the web application but no other information. The CVSS vector contains the string "C:P," which indicates that the Confidentiality metric is Partial, meaning that access to some information is possible, but the attacker does not have control over what information is compromised.
Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization's network. An external scan of the server found the vulnerability shown here. Window shows SSL certificate signed using weak hashing algorithm with section for description. What is the most likely result of failing to correct this vulnerability? All users will be able to access the site. All users will be able to access the site, but some may see an error message. Some users will be unable to access the site. All users will be unable to access the site.
B. This vulnerability should not prevent users from accessing the site, but it will cause their browsers to display a warning that the site is not secure.
Dave is running a vulnerability scan of a client's network for the first time. The client has never run such a scan and expects to find many results. What security control is likely to remediate the largest portion of the vulnerabilities discovered in Dave's scan? Input validation Patching Intrusion prevention systems Encryption
B. While all of the solutions listed may remediate some of the vulnerabilities discovered by Dave's scan, the vast majority of issues in an unmaintained network result from missing security updates. Applying patches will likely resolve quite a few vulnerabilities, if not the majority of them.
Eric is a security consultant and is trying to sell his services to a new client. He would like to run a vulnerability scan of their network prior to their initial meeting to show the client the need for added security. What is the most significant problem with this approach? Eric does not know the client's infrastructure design. Eric does not have permission to perform the scan. Eric does not know what operating systems and applications are in use. Eric does not know the IP range of the client's systems.
B. While all of these concerns are valid, the most significant problem is that Eric does not have permission from the potential client to perform the scan and may wind up angering the client (at best) or violating the law (at worst).
Ben was recently assigned by his manager to begin the remediation work on the most vulnerable server in his organization. A portion of the scan report appears below. What remediation action should Ben take first? Window shows section for vulnerabilities with options for Mozilla Firefox multiple vulnerabilities (MFSA2017-05,MFSA2017-06), 5 Mozilla Firefox integer overflow vulnerability (MFSA2017-08), et cetera. Install patches for Adobe Flash. Install patches for Firefox. Run Windows Update. Remove obsolete software.
C. Ben is facing a difficult challenge and should likely perform all of the actions described in this question. However, the best starting point would be to run Windows Update to install operating system patches. Many of the critical vulnerabilities relate to missing Windows patches. The other actions may also resolve critical issues, but they all involve software that a user must run on the server before it can be exploited. This makes them slightly lower priorities than the Windows flaws that may be remotely exploitable with no user action.
Which one of the following mobile device strategies is most likely to result in the introduction of vulnerable devices to a network? COPE TLS BYOD MDM
C. Bring your own device (BYOD) strategies allow users to operate personally owned devices on corporate networks. These devices are more likely to contain vulnerabilities than those managed under a mobile device management (MDM) system or a corporate-owned, personally enabled (COPE) strategy. Transport Layer Security (TLS) is a network encryption protocol, not a mobile device strategy.
Which one of the following vulnerabilities is the most difficult to confirm with an external vulnerability scan? Cross-site scripting Cross-site request forgery Blind SQL injection Unpatched web server
C. Cross-site scripting and cross-site request forgery vulnerabilities are normally easy to detect with vulnerability scans because the scanner can obtain visual confirmation of a successful attack. Unpatched web servers are often identified by using publicly accessible banner information. While scanners can often detect many types of SQL injection vulnerabilities, it is often difficult to confirm blind SQL injection vulnerabilities because they do not return results to the attacker but rely upon the silent (blind) execution of code.
Don is evaluating the success of his vulnerability management program and would like to include some metrics. Which one of the following would be the least useful metric? Time to resolve critical vulnerabilities Number of open critical vulnerabilities over time Total number of vulnerabilities reported Number of systems containing critical vulnerabilities
C. Don should likely focus his efforts on high-priority vulnerabilities, as vulnerability scanners will report results for almost any system scanned. The time to resolve critical vulnerabilities, the number of open critical vulnerabilities over time, and the number of systems containing critical vulnerabilities are all useful metrics. The total number of reported vulnerabilities is less useful because it does not include any severity information.
Gene runs a vulnerability scan of his organization's data center and produces a summary report to share with his management team. The report includes the chart shown here. When Gene's manager reads the report, she points out that the report is burying important details because it is highlighting too many unimportant issues. What should Gene do to resolve this issue? Bar graph shows the number of vulnerabilities at each severity level from 5 to 1: 2 at severity 5, 1 at severity 4, 24 at severity 3, 85 at severity 2, and 3 at severity 1. Tell his manager that all vulnerabilities are important and should appear on the report. Create a revised version of the chart using Excel. Modify the sensitivity level of the scan. Stop sharing reports with the management team.
C. Gene's best option is to alter the sensitivity level of the scan so that it excludes low-importance vulnerabilities. The fact that his manager is telling him that many of the details are unimportant is his cue that the report contains superfluous information. While he could edit the chart manually, he should instead alter the scan settings so that he does not need to make those manual edits each time he runs the report.
Sharon is designing a new vulnerability scanning system for her organization. She must scan a network that contains hundreds of unmanaged hosts. Which of the following techniques would be most effective at detecting system configuration issues in her environment? Agent-based scanning Credentialed scanning Server-based scanning Passive network monitoring
C. It would be difficult for Sharon to use agent-based or credentialed scanning in an unmanaged environment because she would have to obtain account credentials for each scanned system. Of the remaining two technologies, server-based scanning is more effective at detecting configuration issues than passive network monitoring.
Jacquelyn recently read about a new vulnerability in Apache web servers that allows attackers to execute arbitrary code from a remote location. She verified that her servers have this vulnerability, but this morning's vulnerability scan report shows that the servers are secure. She contacted the vendor and determined that they have released a signature for this vulnerability and it is working properly at other clients. What action can Jacquelyn take that will most likely address the problem efficiently? Add the web servers to the scan. Reboot the vulnerability scanner. Update the vulnerability feed. Wait until tomorrow's scan.
C. Jacquelyn should update the vulnerability feed to obtain the most recent signatures from the vendor. She does not need to add the web servers to the scan because they are already appearing in the scan report. Rebooting the scanner would not necessarily update the feed. If she waits until tomorrow, the scanner may be configured to automatically update the feed, but this is not guaranteed and is not as efficient as simply updating the feed now.
Jeff's team is preparing to deploy a new database service, and he runs a vulnerability scan of the test environment. This scan results in the four vulnerability reports shown here. Jeff is primarily concerned with correcting issues that may lead to a confidentiality breach. Which vulnerability should Jeff remediate first? Window shows sections for vulnerabilities (2) (1 Non-Zero Padding Bytes Observed in Ethernet Packets) and vulnerabilities (3) (2 Hidden RPC Services). Rational ClearCase Portscan Denial of Service vulnerability Non-Zero Padding Bytes Observed in Ethernet Packets Oracle Database TNS Listener Poison Attack vulnerability Hidden RPC Services
C. Jeff should begin by looking at the highest-severity vulnerabilities and then identify whether they are confidentiality risks. The highest-severity vulnerability on this report is the Rational ClearCase Portscan Denial of Service vulnerability. However, a denial-of-service vulnerability affects availability, rather than confidentiality. The next highest-severity report is the Oracle Database TNS Listener Poison Attack vulnerability. A poisoning vulnerability may cause hosts to connect to an illegitimate server and could result in the disclosure of sensitive information. Therefore, Jeff should address this issue first.
Jim is responsible for managing his organization's vulnerability scanning program. He is experiencing issues with scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which one of the following solutions is least likely to resolve Jim's issue? Add a new scanner. Reduce the scope of the scans. Reduce the sensitivity of the scans. Reduce the frequency of the scans.
C. Jim could resolve this issue by adding additional scanners to balance the load, reducing the frequency of scans or reducing the scope (number of systems) of the scan. Changing the sensitivity level would not likely have a significant impact on the scan time.
Raul is replacing his organization's existing vulnerability scanner with a new product that will fulfill that functionality moving forward. As Raul begins to build out the policy, he notices some conflicts in the scanning settings between different documents. Which one of the following document sources should Raul give the highest priority when resolving these conflicts? NIST guidance documents Vendor best practices Corporate policy Configuration settings from the prior system
C. Of the documents listed, only corporate policy is binding upon Raul, and he should ensure that his new system's configuration complies with those requirements. The other sources may provide valuable information to inform Raul's work, but compliance with them is not mandatory.
Sarah is designing a vulnerability management system for her organization. Her highest priority is conserving network bandwidth. She does not have the ability to alter the configuration or applications installed on target systems. What solution would work best in Sarah's environment to provide vulnerability reports? Agent-based scanning Server-based scanning Passive network monitoring Port scanning
C. Passive network monitoring meets Sarah's requirements to minimize network bandwidth consumption while not requiring the installation of an agent. Sarah cannot use agent-based scanning because it requires application installation. She should not use server-based scanning because it consumes bandwidth. Port scanning does not provide vulnerability reports.
Julian recently detected the vulnerability shown here on several servers in his environment. Because of the critical nature of the vulnerability, he would like to block all access to the affected service until it is resolved using a firewall rule. He verifies that the following TCP ports are open on the host firewall. Which one of the following does Julian not need to block to restrict access to this service? Window shows sections for 5 Microsoft SMB server remote code execution vulnerability (MS17-010), threat, impact, and solution, and options for first detected, last detected, vendor reference, user modified, et cetera. 137 139 389 445
C. Port 389 is used by the Lightweight Directory Access Protocol (LDAP) and is not part of the SMB communication. SMB may be accessed directly over TCP port 445 or indirectly by using NetBIOS over TCP/IP on TCP ports 137 and 139.
Rhonda is planning to patch a production system to correct a vulnerability detected during a scan. What process should she follow to correct the vulnerability but minimize the risk of a system failure? Rhonda should deploy the patch immediately on the production system. Rhonda should wait 60 days to deploy the patch to determine whether bugs are reported. Rhonda should deploy the patch in a sandbox environment to test it prior to applying it in production. Rhonda should contact the vendor to determine a safe timeframe for deploying the patch in production.
C. Rhonda should deploy the patch in a sandbox environment and then thoroughly test it prior to releasing it in production. This reduces the risk that the patch will not work well in her environment. Simply asking the vendor or waiting 60 days may identify some issues, but it does not sufficiently reduce the risk because the patch will not have been tested in her company's environment.
Based upon the information presented in the vulnerability report, how difficult would it be for an attacker to exploit this vulnerability? Exploiting this vulnerability requires specialized conditions that would be difficult to find. Exploiting this vulnerability requires somewhat specialized conditions. Exploiting this vulnerability does not require any specialized conditions. Exploiting this vulnerability is not possible without an administrator account.
C. The CVSS vector for this vulnerability contains the string "AC:L." This indicates that the access complexity is Low, meaning that an attacker can exploit the vulnerability without any specialized conditions occurring.
Based upon the information presented in the vulnerability report, what authentication hurdles would an attacker need to clear to exploit this vulnerability? Attackers would need to authenticate two or more times. Attackers would need to authenticate once. Attackers would not need to authenticate. Attackers cannot exploit this vulnerability regardless of the number of authentications.
C. The CVSS vector for this vulnerability contains the string "Au:N." This indicates that the authentication metric for this vector is None, meaning that an attacker would not need to authenticate to exploit this vulnerability.
Brian is configuring a vulnerability scan of all servers in his organization's data center. He is configuring the scan to only detect the highest-severity vulnerabilities. He would like to empower system administrators to correct issues on their servers but also have some insight into the status of those remediations. Which approach would best serve Brian's interests? Give the administrators access to view the scans in the vulnerability scanning system. Send email alerts to administrators when the scans detect a new vulnerability on their servers. Configure the vulnerability scanner to open a trouble ticket when it detects a new vulnerability on a server. Configure the scanner to send reports to Brian, who can notify administrators and track them in a spreadsheet.
C. The best path for Brian to follow would be to leverage the organization's existing trouble ticket system. Administrators likely already use this system on a regular basis, and it can handle reporting and escalation of issues. Brian might want to give administrators access to the scanner and/or have emailed reports sent automatically as well, but those will not provide the tracking that he desires.
Laura received a vendor security bulletin that describes a zero-day vulnerability in her organization's main database server. This server is on a private network but is used by publicly accessible web applications. The vulnerability allows the decryption of administrative connections to the server. What reasonable action can Laura take to address this issue as quickly as possible? Apply a vendor patch that resolves the issue. Disable all administrative access to the database server. Require VPN access for remote connections to the database server. Verify that the web applications use strong encryption.
C. The issue raised by this vulnerability is the possibility of eavesdropping on administrative connections to the database server. Requiring the use of a VPN would add strong encryption to this connection and negate the effect of the vulnerability. A patch is not an option because this is a zero-day vulnerability, meaning that a patch is not yet available. Disabling administrative access to the database server would be unnecessarily disruptive to the business. The web server's encryption level is irrelevant to the issue as it would affect connections to the web server, not the database server.
Refer to the bare-metal virtualization environment shown here: Diagram shows boxes labeled with four A's, B, and C. What component is identified by A in the image? Hypervisor Host operating system Guest operating system Physical hardware
C. The label A designates the guest operating systems in this environment. Each virtualization platform may run multiple guest operating systems, all of which share the physical resources.
Vanessa ran a vulnerability scan of a server and received the results shown here. Her boss instructed her to prioritize remediation based upon criticality. Which issue should she address first? Table shows columns for severity, plugin name, plugin family, and count. Remove the POP server. Remove the FTP server. Upgrade the web server. Remove insecure cryptographic protocols.
C. The only high-criticality issue on this report (and all but one of the medium-criticality issues) relates to an outdated version of the Apache web server. Vanessa should upgrade this server before taking any other remediation action.
Karen ran a vulnerability scan of a web server used on her organization's internal network. She received the report shown here. What circumstances would lead Karen to dismiss this vulnerability as a false positive? Window shows sections for 2 SSL certificate - signature verification failed vulnerability, threat, impact, solution, and exploitability, and options for first detected, last detected, vendor reference, user modified, et cetera. The server is running SSLv2. The server is running SSLv3. The server is for internal use only. The server does not contain sensitive information.
C. This error indicates that the vulnerability scanner was unable to verify the signature on the digital certificate used by the web server. If the organization is using a self-signed digital certificate for this internal application, this would be an expected result.
Terry runs a vulnerability scan of the network devices in his organization and sees the vulnerability report shown here for one of those devices. What action should he take? Window shows section for 2 SSL certificate - subject common name does not match server FQDN and options for first detected, last detected, vendor reference, user modified, et cetera. No action is necessary because this is an informational report. Upgrade the version of the certificate. Replace the certificate. Verify that the correct ciphers are being used.
C. This error occurs when the server name on a certificate does not match the name of the server in question. It is possible that this certificate was created for another device or that the device name is slightly different from that on the certificate. Terry should resolve this error by replacing the certificate with one containing the correct server name.
Trevor is working with an application team on the remediation of a critical SQL injection vulnerability in a public-facing service. The team is concerned that deploying the fix will require several hours of downtime and that will block customer transactions from completing. What is the most reasonable course of action for Trevor to suggest? Wait until the next scheduled maintenance window. Demand that the vulnerability be remediated immediately. Schedule an emergency maintenance for an off-peak time later in the day. Convene a working group to assess the situation.
C. This is a critical vulnerability in a public-facing service and should be patched urgently. However, it is reasonable to schedule an emergency maintenance for the evening and inform customers of the outage several hours in advance. In the meantime, Trevor should immediately begin monitoring affected systems for signs of compromise and work with the team to schedule the maintenance for as soon as possible.
Pete ran a vulnerability scan of several network appliances in his organization and received the scan result shown here. What is the simplest tool that an attacker could use to cause a denial-of-service attack on these appliances, provided that they are running ClearCase? Window shows sections for 3 rational ClearCase portscan denial of service vulnerability, threat, impact, and solution, and options for first detected, last detected, vendor reference, user modified, et cetera. Metasploit Nessus nmap Wireshark
C. This vulnerability allows an attacker to crash a server after running two consecutive port scans. The simplest way to trigger this vulnerability is by using a port scanning tool, such as nmap. While Nessus or Metasploit may be able to trigger this vulnerability, it would be easier to do so with a command-line port scanner. Wireshark is a protocol analyzer and could not trigger this vulnerability.
Glenda routinely runs vulnerability scans of servers in her organization. She is having difficulty with one system administrator who refuses to correct vulnerabilities on a server used as a jumpbox by other IT staff. The server has had dozens of vulnerabilities for weeks and would require downtime to repair. One morning, her scan reports that all of the vulnerabilities suddenly disappeared overnight, while other systems in the same scan are reporting issues. She checks the service status dashboard, and the service appears to be running properly with no outages reported in the past week. What is the most likely cause of this result? The system administrator corrected the vulnerabilities. The server is down. The system administrator blocked the scanner. The scan did not run.
C. While any of these reasons are possible, the most likely cause of this result is that the system administrator blocked the scanner with a host firewall rule. It is unlikely that the administrator completed the lengthy, time-consuming work overnight and without causing a service disruption. If the server were down, other IT staff would have reported the issue. If the scan did not run, Glenda would not see any entries in the scanner's logs.
James is configuring vulnerability scans of a dedicated network that his organization uses for processing credit card transactions. What types of scans are least important for James to include in his scanning program? Scans from a dedicated scanner on the card processing network Scans from an external scanner on his organization's network Scans from an external scanner operated by an approved scanning vendor All three types of scans are equally important.
D. All three of these scan types provide James with important information and/or are needed to meet regulatory requirements. The external scan from James' own network provides information on services accessible outside of the payment card network. The internal scan may detect vulnerabilities accessible to an insider or someone who has breached the network perimeter. The approved scanning vendor (ASV) scans are required to meet PCI DSS obligations. Typically, ASV scans are run infrequently and do not provide the same level of detailed reporting as scans run from the organization's own external scanner, so James should include both in his program.
After running a vulnerability scan against his organization's VPN server, Chris discovered the vulnerability shown here. What type of cryptographic situation does a birthday attack leverage? Window shows section for vulnerability with options for first detected, last detected, QID, category, CVE ID, vendor reference, et cetera. Unsecured key Meet-in-the-middle Man-in-the-middle Collision
D. Birthday attacks occur when an attacker is able to discover multiple inputs that generate the same output. This is an event known as a collision.
Meredith is configuring a vulnerability scan and would like to configure the scanner to perform credentialed scans. Of the menu options shown here, which will allow her to directly configure this capability? Manage Discovery Scans Configure Scan Settings Configure Search Lists Set Up Host Authentication
D. Credentialed scans are also known as authenticated scans and rely upon having credentials to log on to target hosts and read their configuration settings. Meredith should choose this option.
Garrett is configuring vulnerability scanning for a new web server that his organization is deploying on its DMZ network. The server hosts the company's public website. What type of scanning should Garrett configure for best results? Garrett should not perform scanning of DMZ systems. Garrett should perform external scanning only. Garrett should perform internal scanning only. Garrett should perform both internal and external scanning.
D. For best results, Garrett should combine both internal and external vulnerability scans. The external scan provides an "attacker's eye view" of the web server, while the internal scan may uncover vulnerabilities that would only be exploitable by an insider or an attacker who has gained access to another system on the network.
Joe discovered a critical vulnerability in his organization's database server and received permission from his supervisor to implement an emergency change after the close of business. He has eight hours before the planned change window. In addition to planning the technical aspects of the change, what else should Joe do to prepare for the change? Ensure that all stakeholders are informed of the planned outage. Document the change in his organization's change management system. Identify any potential risks associated with the change. All of the above
D. Joe has time to conduct some communication and change management before making the change. Even though this change is urgent, Joe should take advantage of that time to communicate with stakeholders, conduct a risk assessment, and initiate change management processes. These tasks will likely be abbreviated forms of what Joe would do if he had time to plan a change normally, but he should make every effort to complete them.
Mary is trying to determine what systems in her organization should be subject to vulnerability scanning. She would like to base this decision upon the criticality of the system to business operations. Where should Mary turn to best find this information? The CEO System names IP addresses Asset inventory
D. Mary should consult the organization's asset inventory. If properly constructed and maintained, this inventory should contain information about asset criticality. The CEO may know some of this information, but it is unlikely that he or she would have all of the necessary information or the time to review it. System names and IP addresses may contain some hints to asset criticality but would not be as good a source as an asset inventory that clearly identifies criticality.
Matt is working to integrate his organization's network with that of a recently acquired company. He is concerned that the acquired company's network contains systems with vulnerabilities that may be exploited and wants to protect his network against compromised hosts on the new network. Which one of the following controls would be least effective at reducing the risk from network interconnection? Network segmentation VLAN separation Firewall Proxy server
D. Matt should separate the two networks using a network segmentation technique, such as placing the new company on a separate VLAN or firewalling the two networks. A proxy server would not be effective because there is no indication that either network intends to offer services to the other.
Terry is conducting a vulnerability scan when he receives a report that the scan is slowing down the network for other users. He looks at the performance configuration settings shown here. Which setting would be most likely to correct the issue? Window shows sections for general settings (enable safe checks, scan IP addresses in random order) and performance options (use Linux kernel congestion detection, network timeout). Enable safe checks. Stop scanning hosts that become unresponsive during the scan. Scan IP addresses in random order. Max simultaneous hosts per scan.
D. Of the answers presented, the maximum number of simultaneous hosts per scan is most likely to have an impact on the total bandwidth consumed by the scan. Enabling safe checks and stopping the scanning of unresponsive hosts is likely to resolve issues where a single host is negatively affected by the scan. Randomizing IP addresses would only change the order of scanning systems.
Sherry runs a vulnerability scan and receives the high-level results shown here. Her priority is to remediate the most important vulnerabilities first. Which system should be her highest priority? Window shows rows for system A, system B, system C, and system D, and markings for critical, high, medium, and informational. A B C D
D. System D is the only system that contains a critical vulnerability, as seen in the scan results. Therefore, Sherry should begin with this system as it has the highest-priority vulnerability.
Based upon the information presented in the vulnerability report, what type of access must an attacker have to exploit this vulnerability? The attacker must have physical access to the system. The attacker must have logical access to the system. The attacker must have access to the local network that the system is connected to. The attacker can exploit this vulnerability remotely.
D. The CVSS vector for this vulnerability contains the string "AV:N." This indicates that the access vector is Network, meaning that an attacker can exploit the vulnerability remotely over the network.
Gil is configuring a scheduled vulnerability scan for his organization using the QualysGuard scanner. If he selects the Relaunch On Finish scheduling option shown here, what will be the result? Window shows dialog box of edit scheduled vulnerability scan with tabs for task title, target hosts, scheduling (selected), notifications, and schedule status, and section for scheduling. The scan will run once each time the schedule occurs. The scan will run twice each time the schedule occurs. The scan will run twice the next time the schedule occurs and once on each subsequent schedule interval. The scan will run continuously until stopped.
D. The Relaunch On Finish schedule option will run continuous vulnerability scanning of the target servers. Each time the scan completes, it will start over again. Gil should be extremely careful when choosing this option because it may cause undesirable resource consumption for both the scanner and the target servers.
Donna is working with a system engineer who wants to remediate vulnerabilities in a server that he manages. Of the report templates shown here, which would be most useful to the engineer? Window shows table with columns for title (executive report, high severity report), type, and vulnerability data (host based, scan based). Qualys Top 20 Report PCI Technical Report Executive Report Technical Report
D. The Technical Report will contain detailed information on a specific host and is designed for an engineer seeking to remediate the system. The PCI Technical Report would focus on credit card compliance issues, and there is no indication that this server is used for credit card processing. The Qualys Top 20 Report and Executive Report would contain summary information more appropriate for a management audience and covering an entire network, rather than providing detailed information on a single system.
Nitesh would like to identify any systems on his network that are not registered with his asset management system. He looks at the reporting console of his vulnerability scanner and sees the options shown here. Which of the following report types would be his best likely starting point? Window shows columns for title (executive report, high severity report, technical report), type, and vulnerability data (host based, scan based). Technical Report High Severity Report Qualys Patch Report Unknown Device Report
D. The Unknown Device Report will focus on systems detected during the scan that are not registered with the organization's asset management system. The High Severity Report will provide a summary of critical security issues across all systems. The Technical Report will likely contain too much detail and may not call out unknown systems. The Patch Report will indicate systems and applications that are missing patches but not necessarily identify unknown devices.
Given the CVSS information shown here, where would an attacker need to be positioned on the network to exploit this vulnerability? Window shows section of risk information with options for risk factor, CVSS base score, and CVSS vector. The attacker must have a local administrator account on the vulnerable system. The attacker must have a local account on the vulnerable system but does not necessarily require administrative access. The attacker must have access to the local network. The attacker may exploit this vulnerability remotely without an account on the system.
D. The attack vector (AV:N) indicates that the attacker may exploit this vulnerability remotely over the network without requiring any local user account on the targeted server.
While conducting a vulnerability scan of her organization's data center, Renee discovers that the management interface for the organization's virtualization platform is exposed to the scanner. In typical operating circumstances, what is the proper exposure for this interface? Internet Internal networks No exposure Management network
D. The best practice for securing virtualization platforms is to expose the management interface only to a dedicated management network, accessible only to authorized engineers. This greatly reduces the likelihood of an attack against the virtualization platform.
Refer to the bare-metal virtualization environment shown here: Diagram shows boxes labeled with four A's, B, and C. What component is identified by C in the image? Hypervisor Host operating system Guest operating system Physical hardware
D. The label C designates the physical hardware in this environment. In a bare-metal virtualization environment, the physical hardware sits beneath the hypervisor, which moderates access by guest operating systems. There is no host operating system in a bare-metal virtualization approach.
During a recent vulnerability scan, Mark discovered a flaw in an internal web application that allows cross-site scripting attacks. He spoke with the manager of the team responsible for that application and was informed that this was a known vulnerability, and that the manager had worked with other leaders and determined that the risk is acceptable and does not require remediation. What should Mark do? Object to the manager's approach and insist upon remediation. Mark the vulnerability as a false positive. Schedule the vulnerability for remediation in six months. Mark the vulnerability as an exception.
D. The manager has thought about the risk and, in consultation with others, determined that it is acceptable. Therefore, Mark should not press the matter and demand remediation, either now or in six months. He should mark this vulnerability as an approved exception in the scanner to avoid future alerts. It would not be appropriate to mark this as a false positive because the vulnerability detection was accurate.
Victor is configuring a new vulnerability scanner. He set the scanner to run scans of his entire data center each evening. When he went to check the scan reports at the end of the week, he found that they were all incomplete. The scan reports noted the error "Scan terminated due to start of preempting job." Victor has no funds remaining to invest in the vulnerability scanning system. He does want to cover the entire data center. What should he do to ensure that scans complete? Reduce the number of systems scanned. Increase the number of scanners. Upgrade the scanner hardware. Reduce the scanning frequency.
D. The problem Victor is experiencing is that the full scan does not complete in the course of a single day and is being cancelled when the next full scan tries to run. He can fix this problem by reducing the scanning frequency. For example, he could set the scan to run once a week so that it completes. Reducing the number of systems scanned would not meet his requirement to scan the entire data center. He cannot increase the number of scanners or upgrade the hardware because he has no funds to invest in the system.
Dan is the vulnerability manager for his organization and is responsible for tracking vulnerability remediation. There is a critical vulnerability in a network device that Dan has handed off to the device's administrator, but it has not been resolved after repeated reminders to the engineer. What should Dan do next? Threaten the engineer with disciplinary action. Correct the vulnerability himself. Mark the vulnerability as an exception. Escalate the issue to the network administrator's manager.
D. The scenario does not indicate that Dan has any operational or managerial control over the device or the administrator, so his next step should be to escalate the issue to an appropriate manager for resolution. Dan should not threaten the engineer because there is no indication that he has the authority to do so. Dan cannot correct the vulnerability himself because he should not have administrative access to network devices as a vulnerability manager. He should not mark the vulnerability as an exception because there is no indication that it was accepted through a formal exception process.
James received the vulnerability report shown here for a server in his organization. What risks does this vulnerability present? Window shows section for 4 unauthenticated access to FTP server allowed, and options for first detected, last detected, vendor reference, user modified, et cetera. Unauthorized access to files stored on the server Theft of credentials Eavesdropping on communications All of the above
D. The use of FTP is not considered a good security practice. Unless tunneled through a secure protocol, FTP is unencrypted, allowing an attacker to eavesdrop on communications and steal credentials that may be transmitted over FTP links. Additionally, this vulnerability indicates that an attacker can gain access to the server without even providing valid credentials.
How many vulnerabilities listed in the report shown here are significant enough to warrant immediate remediation in a typical operating environment? Window shows section for vulnerabilities (22) and options for 3 NetBIOS shared folder list available, 2 NetBIOS name accessible, 1 presence of load-balancing device detected, et cetera. 22 14 5 0
D. The vulnerability scan of this server has fairly clean results. All of the vulnerabilities listed are severity 3 or lower. In most organizations, immediate remediation is required only for severity 4 or 5 vulnerabilities.
Terry is reviewing a vulnerability scan of a Windows server and came across the vulnerability shown here. What is the risk presented by this vulnerability? Window shows sections for 1 detected compatibility 8.3 filename feature, threat, impact, and solution, and options for first detected, last detected, vendor reference, user modified, et cetera. An attacker may be able to execute a buffer overflow and execute arbitrary code on the server. An attacker may be able to conduct a denial-of-service attack against this server. An attacker may be able to determine the operating system version on this server. There is no direct vulnerability, but this information points to other possible vulnerabilities on the server.
D. This scan result does not directly indicate a vulnerability. However, it does indicate that the server is configured for compatibility with 16-bit applications, and those applications may have vulnerabilities. It is an informational result that does not directly require action on Terry's part.
Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization's network. An external scan of the server found the vulnerability shown here. Window shows SSL certificate signed using weak hashing algorithm with section for description. Which one of the following hash algorithms would not trigger this vulnerability? MD4 MD5 SHA-1 SHA-256
D. To be used in a secure manner, certificates must take advantage of a hash function that is not prone to collisions. The MD2, MD4, MD5, and SHA-1 algorithms all have demonstrated weaknesses and would trigger a vulnerability. The SHA-256 algorithm is still considered secure.
Veronica recently conducted a PCI DSS vulnerability scan of a web server and noted a critical PHP vulnerability that required an upgrade to correct. She applied the update. How soon must Veronica repeat the scan? Within 30 days At the next scheduled quarterly scan At the next scheduled annual scan Immediately
D. Veronica is required to rerun the vulnerability scan until she receives a clean result that may be submitted for PCI DSS compliance purposes.
Tom's company is planning to begin a bring your own device (BYOD) policy for mobile devices. Which one of the following technologies allows the secure use of sensitive information on personally owned devices, including providing administrators with the ability to wipe corporate information from the device without affecting personal data? Remote wipe Strong passwords Biometric authentication Containerization
D. While all of the technologies listed here contribute to the security of mobile devices, only containerization allows the isolation and protection of sensitive information separate from other uses of the device. Containerization technology creates a secure vault for corporate information that may be remotely wiped without affecting other uses of the device. It also protects the contents of the container from other applications and services running on the device.
Given no other information, which one of the following vulnerabilities would you consider the greatest threat to information confidentiality? HTTP TRACE/TRACK methods enabled SSL Server with SSLv3 enabled vulnerability phpinfo information disclosure vulnerability Web application SQL injection vulnerability
D. While all of these vulnerabilities do pose a confidentiality risk, the SQL injection vulnerability poses the greatest threat because it may allow an attacker to retrieve the contents of a backend database. The HTTP TRACK/TRACE methods and PHP information disclosure vulnerabilities may provide reconnaissance information but would not directly disclose sensitive information. SSLv3 is no longer considered secure but is much more difficult to exploit for information theft than a SQL injection issue.