7.3 Vulnerability Scoring Systems
There are two non-government sites that provide lists of valuable information for ethical hackers. Which of the following best describes the Full Disclosure site? -A community-developed list of common software security weaknesses. -A mailing list that often shows the newest vulnerabilities before other sources. -A list searchable by mechanisms of attack or domains of attack. -A list of standardized identifiers for known software vulnerabilities and exposures.
A mailing list that often shows the newest vulnerabilities before other sources.
Which of the following are the three metrics used to determine a CVSS score? -Base, temporal, and environmental -Base, change, and environmental -Risk, temporal, and severity -Risk, change, and severity
Base, temporal, and environmental
Which of the following government resources is a dictionary of known patterns of cyberattacks used by hackers? CWE CVE CAPEC CISA
CAPEC
The list of cybersecurity resources below are provided by which of the following government sites? -Information exchange -Training and exercises -Risk and vulnerability assessments -Data synthesis and analysis -Operational planning and coordination -Watch operations -Incident response and recovery -CWE -CISA -CVE -CAPEC
CISA
As an ethical hacker, you are looking for a way to organize and prioritize vulnerabilities that were discovered in your work. Which of the following scoring systems could you use? CVE CAPEC CISA CVSS
CVSS
This government resource is a community-developed list of common software security weaknesses. They strive to create commonality in the descriptions of weaknesses of software security. Which of the following government resources is described? CVE CISA CWE NVD
CWE
Jessica, an employee, has come to you with a new software package she would like to use. Before you purchase and install the software, you would like to know if there are any known security-related flaws or if it is commonly misconfigured in a way that would make it vulnerable to attack. You only know the name and version of the software package. Which of the following government resources would you consider using to find an answer to your question? CVSS CVE NVD CWE
NVD
