CSA+ CH2 Vulnerability Management Part 1/2

During a recent vulnerability scan, Ed discovered that a web server running on his network has access to a database server that should be restricted. Both servers are running on his organization's VMware virtualization platform. Where should Ed look first to configure a security control to restrict this access? VMware Data center firewall Perimeter (Internet) firewall Intrusion prevention system

A. Because both of these hosts are located on the same virtualization platform, it is likely that the network traffic never leaves that environment and would not be controlled by an external network firewall or intrusion prevention system. Ed should first look at the internal configuration of the virtual network to determine whether he can apply the restriction there.

Which one of the following protocols is not likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)? IPsec SSLv2 PPTP SSLv3

A. IPsec is a secure protocol for the establishment of VPN links. Organizations should no longer use the obsolete Secure Sockets Layer (SSL) or Point-to-Point Tunneling Protocol (PPTP) for VPN connections or other secure connections.

Kristen is attempting to determine the next task that she should take on from a list of security priorities. Her boss told her that she should focus on activities that have the most "bang for the buck." Of the tasks shown here, which should she tackle first? Table shows columns for security issue, criticality (medium, high, medium, low), and time required to fix (6 hours, 3 weeks, 2 days, and 6 hours). Task 1 Task 2 Task 3 Task 4

A. Task 1 strikes the best balance between criticality and difficulty. It allows her to remediate a medium criticality issue with an investment of only six hours of time. Task 2 is higher criticality, but would take three weeks to resolve. Task 3 is the same criticality but would require two days to fix. Task 4 is lower criticality but would require the same amount of time to resolve as Task 1.

Katherine coordinates the remediation of security vulnerabilities in her organization and is attempting to work with a system engineer on the patching of a server to correct a moderate impact vulnerability. The engineer is refusing to patch the server because of the potential interruption to a critical business process that runs on the server. What would be the most reasonable course of action for Katherine to take? Schedule the patching to occur during a regular maintenance cycle. Exempt the server from patching because of the critical business impact. Demand that the server be patched immediately to correct the vulnerability. Inform the engineer that if he does not apply the patch within a week that Katherine will file a complaint with his manager.

A. The fact that the server runs a critical business process should increase the importance of the patch, rather than deferring it indefinitely. Katherine should work with the engineer to schedule the patch to occur during a regular maintenance window. It is reasonable to wait until that scheduled window because of the relatively low impact of the vulnerability.

Gina ran a vulnerability scan on three systems that her organization is planning to move to production and received the results shown here. How many of these issues should Gina require be resolved before moving to production? Window shows sections for vulnerabilities (5) (3 SSL/TLS server supports TLSv1.0), vulnerabilities (2) (3 SSL/TLS server supports TLSv1.0), and vulnerabilities (2). 0. 1. 3. All of these issues should be resolved.

A. The report notes that all of the vulnerabilities for these three servers are in Fixed status. This indicates that the vulnerabilities existed but have already been remediated and no additional work is required.

Which one of the following actions could Ryan take to remediate the underlying issue without disrupting business activity? Disable the IIS service. Apply a security patch. Modify the web application. Apply IPS rules.

B. Applying a security patch would correct the issue on this server. The fact that the header for this vulnerability includes a Microsoft security bulletin ID (MS17-016) indicates that Microsoft likely released a patch in 2017. Disabling the IIS service would disrupt business activity on the server. Modifying the web application would not likely address this issue as the report indicates that it is an issue with the underlying IIS server and not a specific web application. IPS rules may prevent an attacker from exploiting the vulnerability but they would not correct the underlying issue.

George recently ran a port scan on a network device used by his organization. Which one of the following open ports represents the most significant possible security vulnerability? 22 23 161 443

B. Port 23 is used by telnet, an insecure unencrypted communications protocol. George should ensure that telnet is disabled and blocked. Secure shell (ssh) runs on port 22 and serves as a secure alternative. Port 161 is used by the Simple Network Management Protocol (SNMP), and port 443 is used for secure web connections.

A SQL injection exploit typically gains access to a database by exploiting a vulnerability in a(n) ____________. Operating system Web application Database server Firewall

B. SQL injection vulnerabilities target the data stored in enterprise databases, but they do so by exploiting flaws in client-facing applications. These flaws are most commonly, but not exclusively, found in web applications.

Amanda scans a Windows server in her organization and finds that it has multiple critical vulnerabilities, detailed in the report shown here. What action can Amanda take that will have the most significant impact on these issues without creating a long-term outage? Window shows section for vulnerabilities and options for 5 Microsoft Cumulative Security Update for Windows (MS17-012), 5 (EOL/obsolete software: Microsoft VC plus plus 2005 detected, et cetera. Configure the host firewall to block inbound connections. Apply security patches. Disable the guest account on the server. Configure the server to only use secure ciphers.

B. The majority of the most serious issues in this scan report relate to missing security updates to Windows and applications installed on the server. Amanda should schedule a short outage to apply these updates. Blocking inbound connections at the host firewall would prevent the exploitation of these vulnerabilities, but it would also prevent users from accessing the server. Disabling the guest account and configuring the use of secure ciphers would correct several vulnerabilities, but they are not as severe as the vulnerabilities related to patches.

Javier discovered the vulnerability shown here in a system on his network. He is unsure what system component is affected. What type of service is causing this vulnerability? Window shows sections for 2 Microsoft SQL server compact 3.5 service pack 2 not installed, and options for first detected, last detected, vendor reference, et cetera. Backup service Database service File sharing Web service

B. The vulnerability report states that the issue is with SQL Server. SQL Server is a database platform provided by Microsoft.

Landon is preparing to run a vulnerability scan of a dedicated Apache server that his organization is planning to move into a DMZ. Which one of the following vulnerability scans is least likely to provide informative results? Web application vulnerability scan Database vulnerability scan Port scan Network vulnerability scan

B. There is no indication in the scenario that the server is running a database; in fact, the scenario indicates that the server is dedicated to running the Apache web service. Therefore, it is unlikely that a database vulnerability scan would yield any results. Landon should run the other three scans, and if they indicate the presence of a database server, he could follow up with a specialized database vulnerability scan.

Matthew is creating a new forum for system engineers from around his organization to discuss security configurations of their systems. What SCAP component can Matthew take advantage of to help administrators have a standard language for discussing configuration issues? CPE CVE CCE CVSS

C. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws.

During a vulnerability scan, Patrick discovered that the configuration management agent installed on all of his organization's Windows servers contains a serious vulnerability. The manufacturer is aware of this issue, and a patch is available. What process should Patrick follow to correct this issue? Immediately deploy the patch to all affected systems. Deploy the patch to a single production server for testing and then deploy to all servers if that test is successful. Deploy the patch in a test environment and then conduct a staged rollout in production. Disable all external access to systems until the patch is deployed.

C. Patrick should be extremely careful with this patch. If the patch causes services to fail, it has the potential to disable all of his organization's Windows servers. This is a serious risk and requires testing prior to patch deployment. Patrick's best course of action is to deploy the patch in a test environment and then roll it out into production on a staged basis if that test is successful. Options that involve deploying the patch to production systems prior to testing may cause those services to fail. Disabling all external access to systems is likely an overreaction that would have critical business impact.

Harry is developing a vulnerability scanning program for a large network of sensors used by his organization to monitor a transcontinental gas pipeline. What term is commonly used to describe this type of sensor network? WLAN VPN P2P SCADA

D. A Supervisory Control and Data Acquisition (SCADA) network is a form of industrial control system (ICS) that is used to maintain sensors and control systems over a large geographic area.

Alicia runs a vulnerability scan of a server being prepared for production and finds the vulnerability shown here. Which one of the following actions is least likely to reduce this risk? Window shows sections for 4 OpenSSH AES-GSM cipher remote code execution vulnerability, threat, impact, solution, compliance, exploitability, associated malware, and results. Block all connections on port 22. Upgrade OpenSSH. Disable AES-GCM in the server configuration. Install a network IPS in front of the server.

D. It is unlikely that a network IPS would resolve this issue because it would not be able to view the contents of an encrypted SSH session. Disabling port 22 would correct the issue although it may cause business disruption. Disabling AES-GCM is listed in the solution section as a feasible workaround, while upgrading OpenSSH is the ideal solution.

Pete recently conducted a broad vulnerability scan of all the servers and workstations in his environment. He scanned the following three networks: DMZ network that contains servers with public exposure Workstation network that contains workstations that are allowed outbound access only Internal server network that contains servers exposed only to internal systems He detected the following vulnerabilities: Vulnerability 1: A SQL injection vulnerability on a DMZ server that would grant access to a database server on the internal network (severity 5/5) Vulnerability 2: A buffer overflow vulnerability on a domain controller on the internal server network (severity 3/5) Vulnerability 3: A missing security patch on several hundred Windows workstations on the workstation network (severity 2/5) Vulnerability 4: A denial-of-service vulnerability on a DMZ server that would allow an attacker to disrupt a public-facing website (severity 2/5) Vulnerability 5: A denial of service vulnerability on an internal server that would allow an attacker to disrupt an internal website (severity 4/5) Note that the severity ratings assigned to these vulnerabilities are directly from the vulnerability scanner and were not assigned by Pete. Pete recently conferred with the organization's CISO, and the team is launching an initiative designed to combat the insider threat. They are particularly concerned about the theft of information by employees seeking to exceed their authorized access. Which one of the vulnerabilities in this report is of greatest concern given this priority? Vulnerability 2 Vulnerability 3 Vulnerability 4 Vulnerability 5

A. An insider would have the network access required to connect to a system on the internal server network and exploit this buffer overflow vulnerability. Buffer overflow vulnerabilities typically allow the execution of arbitrary code, which may allow an attacker to gain control of the server and access information above his or her authorization level. Vulnerability 3 may also allow the theft of information, but it has a lower severity level than vulnerability 2. Vulnerabilities 4 and 5 are denial-of-service vulnerabilities that would allow the disruption of service, not the theft of information.

If an attacker is able to exploit this vulnerability, what is the probable result that will have the highest impact on the organization? Administrative control of the server Complete control of the domain Access to configuration information Access to web application logs

A. As this is an escalation of privilege vulnerability, it is likely that an attacker could gain complete control of the system. There is no indication that control of this system would then lead to complete control of the domain. Administrative control of the server would grant access to configuration information and web application logs, but these issues are not as serious as an attacker gaining complete control of the server.

Natalie ran a vulnerability scan of a web application recently deployed by her organization, and the scan result reported a blind SQL injection. She reported the vulnerability to the developers who scoured the application and made a few modifications but did not see any evidence that this attack was possible. Natalie reran the scan and received the same result. The developers are now insisting that their code is secure. What is the most likely scenario? The result is a false positive. The code is deficient and requires correction. The vulnerability is in a different web application running on the same server. Natalie is misreading the scan report.

A. Blind SQL injection vulnerabilities are very difficult to detect and are a notorious source of false positive reports. Natalie should verify the results of the tests performed by the developers but should be very open to the possibility that this is a false positive report, as that is the most likely scenario.

Ken is reviewing the results of a vulnerability scan, shown here, from a web server in his organization. Access to this server is restricted at the firewall so that it may not be accessed on port 80 or 443. Which of the following vulnerabilities should Ken still address? Window shows section for vulnerabilities with options for 3 HTTP TRACE/TRACK methods enabled, 1 presence of load-balancing device detected, et cetera. OpenSSL version Cookie information disclosure TRACK/TRACE methods Ken does not need to address any of these vulnerabilities because they are not exposed to the outside world

A. From the information given in the scenario, you can conclude that all of the HTTP/HTTPS vulnerabilities are not exploitable by an attacker because of the firewall restrictions. However, OpenSSL is an encryption package used for other services, in addition to HTTPS. Therefore, it may still be exposed via SSH or other means. Ken should replace it with a current, supported version because running an end-of-life (EOL) version of this package exposes the organization to potentially unpatchable security vulnerabilities.

Margot discovered that a server in her organization has a SQL injection vulnerability. She would like to investigate whether attackers have attempted to exploit this vulnerability. Which one of the following data sources is least likely to provide helpful information? Netflow logs Web server logs Database logs IDS logs

A. Margot can expect to find relevant results in the web server logs because they would contain records of HTTP requests to the server. Database server logs would contain records of the queries made against the database. IDS logs may contain logs of SQL injection alerts. Netflow logs would not contain useful information because they only record traffic flows, not the details of the communications.

After scanning a web application for possible vulnerabilities, Barry received the result shown here. Which one of the following best describes the threat posed by this vulnerability? Window shows section for vulnerabilities and options for first detected, last detected, vendor reference, service modified, et cetera. An attacker can eavesdrop on authentication exchanges. An attacker can cause a denial-of-service attack on the web application. An attacker can disrupt the encryption mechanism used by this server. An attacker can edit the application code running on this server.

A. Plain-text authentication sends credentials "in the clear," meaning that they are transmitted in unencrypted form and are vulnerable to eavesdropping by an attacker with access to a network segment between the client and server.

Stella is analyzing the results of a vulnerability scan and comes across the vulnerability shown here on a server in her organization. The SharePoint service in question processes all of the organization's work orders and is a critical part of the routine business workflow. Window shows sections for threat, impact, solution, and exploitability, and options for first detected, category, vendor reference, CVSS base, et cetera. What priority should Stella place on remediating this vulnerability? Stella should make this vulnerability one of her highest priorities. Stella should remediate this vulnerability within the next several weeks. Stella should remediate this vulnerability within the next several months. Stella does not need to assign any priority to remediating this vulnerability.

A. Stella should remediate this vulnerability as quickly as possible because it is rated by the vendor as a Critical vulnerability. The description of the vulnerability indicates that an attacker could execute arbitrary code on the server and use this vulnerability to achieve escalation of privilege. Therefore, this should be one of Stella's highest priorities for remediation.

Wendy is the security administrator for a membership association that is planning to launch an online store. As part of this launch, she will become responsible for ensuring that the website and associated systems are compliant with all relevant standards. What regulatory regime specifically covers credit card information? PCI DSS FERPA HIPAA SOX

A. The Payment Card Industry Data Security Standard (PCI DSS) regulates credit and debit card information. The Family Educational Rights and Privacy Act (FERPA) applies to student educational records. The Health Insurance Portability and Accountability Act (HIPAA) regulates protected health information. The Sarbanes-Oxley (SOX) Act requires controls around the handling of financial records for public companies.

Without access to any additional information, which one of the following vulnerabilities would you consider the most severe if discovered on a production web server? CGI generic SQL injection Web application information disclosure Web server uses basic authentication without HTTPS Web server directory enumeration

A. The SQL injection attack could be quite serious as it may allow an attacker to retrieve and/or modify information stored in the backend database. The second highest priority should be resolving the use of unencrypted authentication, as it may allow the theft of user credentials. The remaining two vulnerabilities are less serious because they pose only a reconnaissance risk.

Pete recently conducted a broad vulnerability scan of all the servers and workstations in his environment. He scanned the following three networks: DMZ network that contains servers with public exposure Workstation network that contains workstations that are allowed outbound access only Internal server network that contains servers exposed only to internal systems He detected the following vulnerabilities: Vulnerability 1: A SQL injection vulnerability on a DMZ server that would grant access to a database server on the internal network (severity 5/5) Vulnerability 2: A buffer overflow vulnerability on a domain controller on the internal server network (severity 3/5) Vulnerability 3: A missing security patch on several hundred Windows workstations on the workstation network (severity 2/5) Vulnerability 4: A denial-of-service vulnerability on a DMZ server that would allow an attacker to disrupt a public-facing website (severity 2/5) Vulnerability 5: A denial of service vulnerability on an internal server that would allow an attacker to disrupt an internal website (severity 4/5) Note that the severity ratings assigned to these vulnerabilities are directly from the vulnerability scanner and were not assigned by Pete. Absent any other information, which one of the vulnerabilities in the report should Pete remediate first? Vulnerability 1 Vulnerability 2 Vulnerability 3 Vulnerability 4

A. The SQL injection vulnerability is clearly the highest priority for remediation. It has the highest severity (5/5) and also exists on a server that has public exposure because it resides on the DMZ network.

Ahmed is reviewing the vulnerability scan report from his organization's central storage service and finds the results shown here. Which action can Ahmed take that will be effective in remediating the highest-severity issue possible? Window shows section for vulnerabilities (22) with options for 3 NetBIOS shared folder list available, 2 NetBIOS name accessible, 2 hidden RPC services, et cetera. Upgrade to SNMPv3. Disable the use of RC4. Replace the use of SSL with TLS. Disable remote share enumeration.

A. The highest-severity vulnerability in this report is the use of an outdated version of SNMP. Ahmed can correct this issue by disabling the use of SNMPv1 and SNMPv2, which contain uncorrectable security issues and replacing them with SNMPv3. The other actions offered as choices in this question would remediate other vulnerabilities shown in the report, but they are all of lower severity than the SNMP issue.

Mary runs a vulnerability scan of her entire organization and shares the report with another analyst on her team. An excerpt from that report appears here. Her colleague points out that the report contains only vulnerabilities with severities of 3, 4, or 5. What is the most likely cause of this result? Window shows sections for vulnerabilities (7), vulnerabilities (7), vulnerabilities (1), vulnerabilities (4), and vulnerabilities (3). The scan sensitivity is set to exclude low-importance vulnerabilities. Mary did not configure the scan properly. Systems in the data center do not contain any level 1 or 2 vulnerabilities. The scan sensitivity is set to exclude high-impact vulnerabilities.

A. The most likely reason for this result is that the scan sensitivity is set to exclude low-impact vulnerabilities rated as 1 or 2. There is no reason to believe that Mary configured the scan improperly because this is a common practice to limit information overload and is likely intentional. It is extremely unlikely that systems in the data center contain no low-impact vulnerabilities when they have high-impact vulnerabilities. If Mary excluded high-impact vulnerabilities, the report would not contain any vulnerabilities rated 4 or 5.

Krista is reviewing a vulnerability scan report and comes across the vulnerability shown here. She comes from a Linux background and is not as familiar with Windows administration. She is not familiar with the runas command mentioned in this vulnerability. What is the closest Linux equivalent command? Window shows sections for 3 Microsoft Windows "RunAs" password length local information disclosure - zero day and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. sudo grep su ps

A. The runas command allows an administrator to execute a command using the privileges of another user. Linux offers the same functionality with the sudo command. The Linux su command is similar but allows an administrator to switch user identities, rather than simply execute a command using another user's identity. The ps command in Linux lists active processes, while the grep command is used to search for text matching a pattern.

Larry recently discovered a critical vulnerability in one of his organization's database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor-supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability. How should Larry respond to this situation? Mark the report as a false positive. Insist that the administrator apply the vendor patch. Mark the report as an exception. Require that the administrator submit a report describing the workaround after each vulnerability scan.

A. This is an example of a false positive report. The administrator demonstrated that the database is not subject to the vulnerability because of the workaround, and Larry went a step further and verified this himself. Therefore, he should mark the report as a false positive in the vulnerability scanner.

Mike runs a vulnerability scan against his company's virtualization environment and finds the vulnerability shown here in several of the virtual hosts. What action should Mike take? Window shows HTTP methods allowed (per directory) with section for description with text which reads by calling OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. No action is necessary because this is an informational report. Mike should disable HTTP on the affected devices. Mike should upgrade the version of OpenSSL on the affected devices. Mike should immediately upgrade the hypervisor.

A. This is an informational-level report that will be discovered on any server that supports the OPTIONS method. This is not a serious issue and is listed as an informational item, so Mike does not need to take any action to address it.

Miranda is reviewing the results of a vulnerability scan and identifies the issue shown here in one of her systems. She consults with developers who check the code and assure her that it is not vulnerable to SQL injection attacks. An independent auditor confirms this for Miranda. What is the most likely scenario? Window shows CGI generic SQL injection (blind, time based) with sections for description and solution. This is a false positive report. The developers are wrong, and the vulnerability exists. The scanner is malfunctioning. The database server is misconfigured.

A. This is most likely a false positive report. The vulnerability description says "note that this script is experimental and may be prone to false positives." It is less likely that the developers and independent auditors are all incorrect. The scanner is most likely functioning properly, and there is no indication that either it or the database server is misconfigured.

Kim is preparing to deploy a new vulnerability scanner and wants to ensure that she can get the most accurate view of configuration issues on laptops belonging to traveling salespeople. Which technology will work best in this situation? Agent-based scanning Server-based scanning Passive network monitoring Noncredentialed scanning

A. Using an agent-based scanning approach will provide Kim with the most reliable results for systems that are not always connected to the network. The agent can run the scans and then report results the next time the agent is connected to a network. The other technologies all require that the system be connected to the network during the scan.

Frank discovers a missing Windows security patch during a vulnerability scan of a server in his organization's data center. Upon further investigation, he discovers that the system is virtualized. Where should he apply the patch? To the virtualized system The patch is not necessary To the domain controller To the virtualization platform

A. Virtualized systems run full versions of operating systems. If Frank's scan revealed a missing operating system patch when he scanned a virtualized server, the patch should be applied directly to that guest operating system.

Doug is preparing an RFP for a vulnerability scanner for his organization. He needs to know the number of systems on his network to help determine the scanner requirements. Which one of the following would not be an easy way to obtain this information? ARP tables Asset management tool Discovery scan Results of scans recently run by a consultant

A. While ARP tables may provide the necessary information, this is a difficult way to enumerate hosts and is prone to error. Doug would have much greater success if he consulted the organization's asset management tool, ran a discovery scan, or looked at the results of other recent scans.

Gene is concerned about the theft of sensitive information stored in a database. Which one of the following vulnerabilities would pose the most direct threat to this information? SQL injection Cross-site scripting Buffer overflow Denial of service

A. While a buffer overflow attack could theoretically have an impact on information stored in the database, a SQL injection vulnerability poses a more direct threat by allowing an attacker to execute arbitrary SQL commands on the database server. Cross-site scripting attacks are primarily user-based threats that would not normally allow database access. A denial-of-service attack targets system availability, rather than information disclosure.

The presence of ____________ triggers specific vulnerability scanning requirements based upon law or regulation. Credit card information Protected health information Personally identifiable information Trade secret information

A. While all of these categories of information should trigger vulnerability scanning for assets involved in their storage, processing, or transmission, only credit card information has specific regulations covering these scans. The Payment Card Industry Data Security Standard (PCI DSS) contains detailed requirements for vulnerability scanning.

Renee is configuring a vulnerability scanner that will run scans of her network. Corporate policy requires the use of daily vulnerability scans. What would be the best time to configure the scans? During the day when operations reach their peak to stress test systems During the evening when operations are minimal to reduce the impact on systems During lunch hour when people have stepped away from their systems but there is still considerable load On the weekends when the scans may run unimpeded

B. According to corporate policy, Renee must run the scans on a daily basis, so the weekend is not a viable option. The scans should run when they have the least impact on operations, which, in this scenario, would be in the evening. The purpose of vulnerability scans is to identify known vulnerabilities in systems and not to perform load testing of servers.

Carla runs a vulnerability scan of a new appliance that engineers are planning to place on her organization's network and finds the results shown here. Of the actions listed, which would correct the highest criticality vulnerability? Window shows section for vulnerabilities and options for 2 hidden RPC services CVSS: - CVSS3 - Active, 2 netBIOS name accessible CVSS: - CVSS3 - Active, et cetera. Block the use of TLSv1.0. Replace the expired SSL certificate. Remove the load balancer. Correct the information leakage vulnerability.

B. As Carla reads this report, she should note that the bottom three vulnerabilities have a status of Fixed. This indicates that the information leakage vulnerability is already corrected and that the server no longer supports TLSv1.0. The alert about the load balancer is severity 1, and Carla should treat it as informational. This leaves a severity 2 vulnerability for the expired SSL certificate as the highest-severity issue of the choices presented.

Brian is considering the use of several different categories of vulnerability plug-ins. Of the types listed here, which is the most likely to result in false positive reports? Registry inspection Banner grabbing Service interrogation Fuzzing

B. Banner grabbing scans are notorious for resulting in false positive reports because the only validation they do is to check the version number of an operating system or application against a list of known vulnerabilities. This approach is unable to detect any remediation activities that may have taken place that do not alter the version number.

Beth is a software developer and she receives a report from her company's cybersecurity team that a vulnerability scan detected a SQL injection vulnerability in one of her applications. She examines her code and makes a modification in a test environment that she believes corrects the issue. What should she do next? Deploy the code to production immediately to resolve the vulnerability. Request a scan of the test environment to confirm that the issue is corrected. Mark the vulnerability as resolved and close the ticket. Hire a consultant to perform a penetration test to confirm that the vulnerability is resolved.

B. Beth should perform testing of her code before deploying it to production. Because this code was designed to correct an issue in a vulnerability scan, Beth should ask the security team to rerun the scan to confirm that the vulnerability scan was resolved as one component of her testing. A penetration test is overkill and not necessary in this situation. Beth should not deploy the code to production until it is tested. She should not mark the issue as resolved until it is verified to work in production.

Julie is developing a vulnerability scanning approach that will unify the diverse approaches used throughout her organization's different operating locations. She would like to ensure that everyone uses the same terminology when referring to different applications and operating systems. Which SCAP component can assist Julie with this task? CVE CPE CVSS OVAL

B. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions, including applications and operating systems. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws. Open Vulnerability and Assessment Language (OVAL) is a language for specifying low-level testing procedures used by checklists.

Michelle would like to share information about vulnerabilities with partner organizations who use different vulnerability scanning products. What component of SCAP can best assist her in ensuring that the different organizations are talking about the same vulnerabilities? CPE CVE CVSS OVAL

B. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions, including applications and operating systems. Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws. Open Vulnerability and Assessment Language (OVAL) is a language for specifying low-level testing procedures used by checklists.

Larry recently discovered a critical vulnerability in one of his organization's database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor-supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability. What is the most likely cause of this report? The vulnerability scanner requires an update. The vulnerability scanner depends upon version detection. The database administrator incorrectly applied the workaround. Larry misconfigured the scan.

B. False positive reports like the one described in this scenario are common when a vulnerability scanner depends upon banner grabbing and version detection. The primary solution to this issue is applying a patch that the scanner would detect by noting a new version number. However, the administrator performed the perfectly acceptable action of remediating the vulnerability in a different manner without applying the patch, but the scanner is unable to detect that remediation activity and is reporting a false positive result.

What priority should Glenda place on remediating this vulnerability? Glenda should make this vulnerability her highest priority. Glenda should remediate this vulnerability urgently but does not need to drop everything. Glenda should remediate this vulnerability within the next several months. Glenda does not need to assign any priority to remediating this vulnerability.

B. Glenda should remediate this vulnerability as quickly as possible because it occurs widely throughout her organization and has a significant severity (4 on a five-point scale). If an attacker exploits this vulnerability, he or she could take control of the affected system by executing arbitrary code on it.

Ted runs the cybersecurity vulnerability management program for his organization. He sends a database administrator a report of a missing database patch that corrects a high severity security issue. The DBA writes back to Ted that he has applied the patch. Ted reruns the scan, and it still reports the same vulnerability. What should Ted do next? Mark the vulnerability as a false positive. Ask the DBA to recheck the database. Mark the vulnerability as an exception. Escalate the issue to the DBA's manager.

B. In this case, Ted should ask the DBA to recheck the server to ensure that the patch was properly applied. It is not yet appropriate to mark the issue as a false positive report until Ted performs a brief investigation to confirm that the patch is applied properly. This is especially true because the vulnerability relates to a missing patch, which is not a common source of false positive reports. There was no acceptance of this vulnerability, so Ted should not mark it as an exception. Ted should not escalate this issue to management because the DBA is working with him in good faith.

Grace ran a vulnerability scan and detected an urgent vulnerability in a public-facing web server. This vulnerability is easily exploitable and could result in the complete compromise of the server. Grace wants to follow best practices regarding change control while also mitigating this threat as quickly as possible. What would be Grace's best course of action? Initiate a high-priority change through her organization's change management process and wait for the change to be approved. Implement a fix immediately and document the change after the fact. Schedule a change for the next quarterly patch cycle. Initiate a standard change through her organization's change management process.

B. In this situation, Grace is facing a true emergency. Her web server has a critical vulnerability that is exposed to the outside world and may be easily exploited. Grace should correct the issue immediately, informing all relevant stakeholders of the actions that she is taking. She can then follow up by documenting the change as an emergency action in her organization's change management process. All of the other approaches in this question introduce an unacceptable delay.

Quentin ran a vulnerability scan of a server in his organization and discovered the results shown here. Which one of the following actions is not required to resolve one of the vulnerabilities on this server? Window shows sections for vulnerabilities 3 SSL/TLS use of weak RC4 cipher, 3 SSL/TLS server supports TLSv1.0, 2 NetBIOS name accessible, et cetera. Reconfigure cipher support. Apply Window security patches. Obtain a new SSL certificate. Enhance account security policies.

B. Quentin should reconfigure cipher support to resolve the issues surrounding the weak cipher support of SSL/TLS and RDP. He should also obtain a new SSL certificate to resolve multiple issues with the current certificate. He should add account security requirements to resolve the naming of guest accounts and the expiration of administrator passwords. There is no indication that any Windows patches are missing on this system.

Carla is designing a vulnerability scanning workflow and has been tasked with selecting the person responsible for remediating vulnerabilities. Which one of the following people would normally be in the best position to remediate a server vulnerability? Cybersecurity analyst System administrator Network engineer IT manager

B. System engineers are normally in the best position to remediate vulnerabilities because they are responsible for maintaining the server configuration. Network engineers, security analysts, and managers may provide input, but they often lack either the privileges or knowledge to successfully remediate a server.

Molly is assessing the criticality of a vulnerability discovered on her organization's network. It has the CVSS information shown here. What is the greatest risk exposed by this server? Windows shows section for risk information and options for risk, CVSS base score, and CVSS vector. Confidentiality Integrity Availability There is no risk associated with this vulnerability.

B. The CVSS string indicates that there is no Confidentiality (C:N) or Availability (A:N) risk associated with this vulnerability. It does indicate that there is a partial Integrity risk (I:P).

Gina would like to leverage the Security Content Automation Protocol (SCAP) in her organization to bring a standard approach to their vulnerability management efforts. What SCAP component can Gina use to provide a common language for describing vulnerabilities? XCCDF CVE CPE CCE

B. The Common Vulnerabilities and Exposures (CVE) provides a standard language for describing security flaws. Common Platform Enumeration (CPE) provides a standard language for product names and versions. Common Configuration Enumeration (CCE) provides a standard language for system configurations. The Extensible Configuration Checklist Description Format (XCCDF) provides a language for specifying checklists and reporting results.

Rob's manager recently asked him for an overview of any critical security issues that exist on his network. He looks at the reporting console of his vulnerability scanner and sees the options shown here. Which of the following report types would be his best likely starting point? Window shows columns for title (executive report, high severity report), type, and vulnerability data (host based, scan based). Technical Report High Severity Report Qualys Patch Report Unknown Device Report

B. The High Severity Report is the most likely report of the choices given that will provide a summary of critical security issues. The Technical Report will likely contain too much detail for Rob's manager. The Patch Report will indicate systems and applications that are missing patches but omit other security issues. The Unknown Device Report will focus on systems detected during the scan that are not registered with the organization's asset management system.

Terry recently ran a vulnerability scan against his organization's credit card processing environment that found a number of vulnerabilities. Which vulnerabilities must he remediate in order to have a "clean" scan under PCI DSS standards? Critical vulnerabilities Critical and high vulnerabilities Critical, high, and moderate vulnerabilities Critical, high, moderate, and low vulnerabilities

B. The PCI DSS standard requires that merchants and service providers present a clean scan result that shows no critical or high vulnerabilities in order to maintain compliance.

Morgan recently restarted an old vulnerability scanner that had not been used in more than a year. She booted the scanner, logged in, and configured a scan to run. After reading the scan results, she found that the scanner was not detecting known vulnerabilities that were detected by other scanners. What is the most likely cause of this issue? The scanner is running on an outdated operating system. The scanner's maintenance subscription is expired. Morgan has invalid credentials on the scanner. The scanner does not have a current, valid IP address.

B. The most likely issue is that the maintenance subscription for the scanner expired while it was inactive and the scanner is not able to retrieve current signatures from the vendor's vulnerability feed. The operating system of the scanner should not affect the scan results. Morgan would not be able to access the scanner at all if she had invalid credentials or the scanner had an invalid IP address.

What is the best way that Stella can correct this vulnerability? Deploy an intrusion prevention system. Apply one or more application patches. Apply one or more operating system patches. Disable the service.

B. The vulnerability report indicates that SharePoint application patches are available to correct the vulnerability on a variety of versions of SharePoint. This should be Stella's first course of action as it will correct the underlying issue. Deploying an intrusion prevention system may also prevent attackers from exploiting the vulnerability but it will depend upon the positioning of the IPS and the attacker's location on the network and will not correct the underlying issue. There is no indication that an operating system patch will correct the issue. Disabling the service will prevent an attacker from exploiting the vulnerability but will also disable the business critical service.

Kaitlyn discovered the vulnerability shown here on a workstation in her organization. Which one of the following is not an acceptable method for remediating this vulnerability? Window shows sections for 3 WinRAR insecure executable loading remote code execution vulnerability and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. Upgrade WinRAR. Upgrade Windows. Remove WinRAR. Replace WinRAR with an alternate compression utility.

B. There is no reason to believe that upgrading the operating system will resolve this application vulnerability. All of the other solutions presented are acceptable ways to address this risk.

Ted is configuring vulnerability scanning for a file server on his company's internal network. The server is positioned on the network as shown here. What types of vulnerability scans should Ted perform to balance the efficiency of scanning effort with expected results? Diagram shows Internet connected to firewall, which is connected to data center network and DMZ, where data center network is connected to database server (192.168.0.22) and file server (192.168.0.16), and DMZ is connected to web server. Ted should not perform scans of servers on the internal network. Ted should only perform internal vulnerability scans. Ted should only perform external vulnerability scans. Ted should perform both internal and external vulnerability scans.

B. This server is located on an internal network and only has a private IP address. Therefore, the only scan that would provide any valid results is an internal scan. The external scanner would not be able to reach the file server through a valid IP address.

Harold runs a vulnerability scan of a server that he is planning to move into production and finds the vulnerability shown here. Window shows section for 3 SSL/TLS server supports TLSv1.0 and options for first detected, category, vendor reference, CVSS base, et cetera. What operating system is most likely running on the server in this vulnerability scan report? macOS Windows CentOS RHEL

B. This system is exposing a service on port 3389. This port is typically used for remote administrative access to Windows servers.

What operating system is most likely running on the server in this vulnerability scan report? macOS Windows CentOS RHEL

B. This system is running SharePoint. This application only runs on Microsoft Windows servers.

Ryan ran a vulnerability scan of one of his organization's production systems and received the report shown here. He would like to understand this vulnerability better and then remediate the issue. Window shows sections for 4 Microsoft IIS server XSS elevation of privilege vulnerability (MS17-016) and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. Ryan will not be able to correct the vulnerability for several days. In the meantime, he would like to configure his intrusion prevention system to watch for issues related to this vulnerability. Which one of the following protocols would an attacker use to exploit this vulnerability? SSH HTTPS FTP RDP

B. This vulnerability exists in Microsoft Internet Information Server (IIS), which is a web server. The fact that the vulnerability could result in cross-site scripting issues also points to a web server. Web servers use the HTTP and HTTPS protocols. Ryan could configure IPS rules to filter HTTP/HTTPS access to this server.

Eric is reviewing the results of a vulnerability scan and comes across the vulnerability report shown here. Which one of the following services is least likely to be affected by this vulnerability? Window shows sections for 2 X.509 certificate MD5 signature collision vulnerability and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. HTTPS HTTP SSH VPN

B. X.509 certificates are used to exchange public keys for encrypted communications. They are a fundamental part of the SSL and TLS protocols, and an issue in an X.509 certificate may definitely affect HTTPS, SSH, and VPN communications that depend upon public key cryptography. HTTP does not use encryption and would not be subject to this vulnerability.

Ken is responsible for the security of his organization's network. His company recently contracted with a vendor that will be using laptops that he does not control to connect to their systems. Ken is concerned because he believes that these laptops contain vulnerabilities. What can he do to best mitigate the risk to other devices on the network without having administrative access to the devices? Apply any necessary security patches. Increase the encryption level of the VPN. Implement a jumpbox system. Require two-factor authentication.

C. A jumpbox allows Ken to isolate the vendor systems where they cannot directly access any other networked systems. The other solutions listed may be good security practices, but they do not mitigate the risk that an insecure vendor system may impact the security of other systems on the network.

In what type of attack does the adversary leverage a position on a guest operating system to gain access to hardware resources assigned to other operating systems running in the same hardware environment? Buffer overflow Directory traversal VM escape Cross-site scripting

C. In a VM escape attack, the attacker exploits vulnerabilities in the hypervisor to gain access to resources assigned to other guest operating systems. Services running on the guest may be vulnerable to the other attacks listed here, but those attacks would only be able to access other resources assigned to either the same guest (in the case of buffer overflow or directory traversal) or the client (in the case of cross-site scripting).

Bill is creating a vulnerability management program for his company. He has limited scanning resources and would like to apply them to different systems based upon the sensitivity and criticality of the information that they handle. What criteria should Bill use to determine the vulnerability scanning frequency? Data remnance Data privacy Data classification Data privacy

C. Data classification is a set of labels applied to information based upon their degree of sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data retention requirements dictate the length of time that an organization should maintain copies of records. Data remnance is an issue where information thought to be deleted may still exist on systems. Data privacy may contribute to data classification but does not encompass the entire field of data sensitivity and criticality in the same manner as data classification. For example, a system may process proprietary business information that would be very highly classified and require frequent vulnerability scanning. Unless that system also processed personally identifiable information, it would not trigger scans under a system based solely upon data privacy.

Glenda ran a vulnerability scan of workstations in her organization. She noticed that many of the workstations reported the vulnerability shown here. She would like to not only correct this issue but also prevent the likelihood of similar issues occurring in the future. Window shows sections for 4 Google Chrome prior to 57.0.2987.133 multiple vulnerabilities, threat, impact, solution, and exploitability, and options for first detected, last detected, vendor reference, user modified, et cetera. What action should Glenda take to achieve her goals? Glenda should uninstall Chrome from all workstations and replace it with Internet Explorer. Glenda should manually upgrade Chrome on all workstations. Glenda should configure all workstations to automatically update Chrome. Glenda does not need to take any action.

C. Glenda can easily resolve this issue by configuring workstations to automatically upgrade Chrome. It is reasonable to automatically deploy Chrome updates to workstations because of the fairly low impact of a failure and the fact that users could switch to another browser in the event of a failure. Manually upgrading Chrome would also resolve the issue, but it would not prevent future issues. Replacing Chrome with Internet Explorer would resolve this issue but create others, as Internet Explorer is no longer supported by Microsoft. This is a serious issue, so Glenda should not ignore the report.

Morgan is interpreting the vulnerability scan from her organization's network, shown here. She would like to determine which vulnerability to remediate first. Morgan would like to focus on vulnerabilities that are most easily exploitable by someone outside her organization. Assuming the firewall is properly configured, which one of the following vulnerabilities should Morgan give the highest priority? Diagram shows Internet connected to firewall, which is connected to internal network and DMZ, where internal network is connected to workstation and file server and DMZ is connected to email server and web server. Severity 5 vulnerability in the workstation Severity 1 vulnerability in the file server Severity 5 vulnerability in the web server Severity 1 vulnerability in the mail server

C. If the firewall is properly configured, the workstation and file server are not accessible by an external attacker. Of the two remaining choices, the web server vulnerability (at severity 5) is more severe than the mail server vulnerability (at severity 1). Most organizations do not bother to remediate severity 1 vulnerabilities because they are usually informational in nature.

Tom recently read a media report about a ransomware outbreak that was spreading rapidly across the Internet by exploiting a zero-day vulnerability in Microsoft Windows. As part of a comprehensive response, he would like to include a control that would allow his organization to effectively recover from a ransomware infection. Which one of the following controls would best achieve Tom's objective? Security patching Host firewalls Backups Intrusion prevention systems

C. In this scenario, a host firewall may be an effective way to prevent infections from occurring in the first place, but it will not expedite the recovery of a system that is already infected. Intrusion prevention systems and security patches will generally not be effective against a zero-day attack and also would not serve as a recovery control. Backups would provide Tom with an effective way to recover information that was encrypted during a ransomware attack.

Donna is prioritizing vulnerability scans and would like to base the frequency of scanning on the information asset value. Which of the following criteria would be most appropriate for her to use in this analysis? Cost of hardware acquisition Cost of hardware replacement Types of information processed Depreciated hardware cost

C. Information asset value refers to the value that the organization places upon data stored, processed, or transmitted by an asset. In this case, the types of information processed (e.g., regulated data, intellectual property, personally identifiable information) helps to determine information asset value. The cost of server acquisition, cost of hardware replacement, and depreciated cost all refer to the financial value of the hardware, which is a different concept than information asset value.

Josh is responsible for the security of a network used to control systems within his organization's manufacturing plant. The network connects manufacturing equipment, sensors, and controllers. He runs a vulnerability scan on this network and discovers that several of the controllers are running very out-of-date firmware that introduces security issues. The manufacturer of the controllers is out of business. What action can Josh take to best remediate this vulnerability in an efficient manner? Develop a firmware update internally and apply it to the controllers. Post on an Internet message board seeking other organizations that have developed a patch. Ensure that the ICS is on an isolated network. Use an intrusion prevention system on the ICS network.

C. Josh should ensure that the ICS is on an isolated network, unreachable from any Internet-connected system. This greatly reduces the risk of exploitation. It would not be cost-effective to develop a patch himself, and Josh should not trust any software that he obtains from an Internet forum. An intrusion prevention system, while a good idea, is not as strong a control as network isolation.

Joe is conducting a network vulnerability scan against his data center and receives reports from system administrators that the scans are slowing down their systems. There are no network connectivity issues, only performance problems on individual hosts. He looks at the scan settings shown here. Which setting would be most likely to correct the problem? Window shows sections for general settings (enable safe checks, scan IP addresses in random order) and performance options (use Linux kernel congestion detection, network timeout). Scan IP addresses in a random order Network timeout (in seconds) Max simultaneous checks per host Max simultaneous hosts per scan

C. Of the choices presented, the maximum number of simultaneous checks per host is the only setting that would affect individual systems. Changing the number of simultaneous hosts per scan and the network timeout would have an effect on the broader network. Randomizing IP addresses would not have a performance impact.

After reviewing the results of a vulnerability scan, Beth discovered a flaw in her Oracle database server that may allow an attacker to attempt a direct connection to the server. She would like to review netflow logs to determine what systems have connected to the server recently. What TCP port should Beth expect to find used for this communication? 443 1433 1521 8080

C. Oracle database servers use port 1521 for database connections. Port 443 is used for HTTPS connections to a web server. Port 1433 is used by Microsoft SQL Server for database connections. Port 8080 is a nonstandard port for web services.

Hunter discovered that a server in his organization has a critical web application vulnerability and would like to review the logs. The server is running Apache on CentOS with a default configuration. What is the name of the file where Hunter would expect to find the logs? httpd_log apache_log access_log http_log

C. The Apache web server stores log files in a file named access_log. By default on CentOS, this file may be found at /var/log/httpd/access_log.

Breanne ran a vulnerability scan of a server in her organization and found the vulnerability shown here. What is the use of the service affected by this vulnerability? Window shows POP3 cleartext logins permitted with sections for description, solution (see also), and output (port, hosts). Web server Database server Email server Directory server

C. The Post Office Protocol v3 (POP3) is used for retrieving email from an email server.

During a recent vulnerability scan of workstations on her network, Andrea discovered the vulnerability shown here. Which one of the following actions is least likely to remediate this vulnerability? Window shows sections for 4 Sun Java RunTime environment GIF images buffer overflow vulnerability, threat, impact, and solution, and options for first detected, last detected, vendor reference, user modified, et cetera. Remove JRE from workstations. Upgrade JRE to the most recent version. Block inbound connections on port 80 using the host firewall. Use a web content filtering system to scan for malicious traffic.

C. The best options to correct this vulnerability are either removing the JRE if it is no longer necessary or upgrading it to a recent, secure version. This vulnerability is exploited by the user running a Java applet and does not require any inbound connections to the victim system, so a host firewall would not be an effective control. A web content filtering solution, while not the ideal solution, may be able to block malicious GIF files from exploiting this vulnerability.

Harold is preparing to correct the vulnerability. What service should he inspect to identify the issue? SSH HTTPS RDP SFTP

C. The issue identified in this scan report is with a service running on port 3389. Windows systems use port 3389 for the Remote Desktop Protocol (RDP). Therefore, Harold should turn to this service first.

Aaron is configuring a vulnerability scan for a Class C network and is trying to choose a port setting from the list shown here. He would like to choose a scan option that will efficiently scan his network but also complete in a reasonable period of time. Which setting would be most appropriate? Window shows options for none, full, standard scan (about 1900 ports), light scan (about 160 ports), and additional. None Full Standard Scan Light Scan

C. The standard scan of 1,900 common ports is a reasonably thorough scan that will conclude in a realistic period of time. If Aaron knows of specific ports used in his organization that are not included in the standard list, he could specify them using the Additional section of the port settings. A full scan of all 65,535 ports would require an extremely long period of time on a Class C network. Choosing the Light Scan setting would exclude a large number of commonly used ports, while the None setting would not scan any ports.

Ken recently received the vulnerability report shown here that affects a file server used by his organization. What is the primary nature of the risk introduced by this vulnerability? Window shows sections for 3 NetBIOS name conflict vulnerability, threat, impact, and solution, and options for first detected, last detected, vendor reference, user modified, et cetera. Confidentiality Integrity Availability Nonrepudiation

C. The vulnerability report's impact statement reads as follows: "If successfully exploited, this vulnerability could lead to intermittent connectivity problems, or the loss of all NetBIOS functionality." This is a description of an availability risk.

Beth discovers the vulnerability shown here on several Windows systems in her organization. There is a patch available, but it requires compatibility testing that will take several days to complete. What type of file should Beth be watchful for because it may directly exploit this vulnerability? Window shows section for 4 Microsoft Windows PNG processing information disclosure vulnerability (MS15-024), and options for first detected, last detected, vendor reference, user modified, et cetera. Private key files Word documents Image files Encrypted files

C. The vulnerability shown here affects PNG processing on systems running Windows. PNG is an acronym for Portable Networks Graphics and is a common image file format.

Brenda runs a vulnerability scan of the management interface for her organization's DNS service. She receives the vulnerability report shown here. What should be Brenda's next action? Window shows sections for 2 cookie does not contain "secure" attribute and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. Disable the use of cookies on this service. Request that the vendor rewrite the interface to avoid this vulnerability. Investigate the contents of the cookie. Shut down the DNS service.

C. This report simply states that a cookie used by the service is not encrypted. Before raising any alarms, Brenda should investigate the contents of the cookie to determine whether the compromise of its contents would introduce a security issue. This might be the case if the cookie contains session or authentication information. However, if the cookie does not contain any sensitive contents, Brenda may be able to simply leave the service as is.

Vic scanned a Windows server used in his organization and found the result shown here. The server is on an internal network with access limited to IT staff and is not part of a domain. How urgently should Vic remediate this vulnerability? Window shows section for administrator account's password does not expire and options for first detected, category, vendor reference, CVSS base, et cetera. Vic should drop everything and remediate this vulnerability immediately. While Vic does not need to drop everything, this vulnerability requires urgent attention and should be addressed quickly. This is a moderate vulnerability that can be scheduled for remediation at a convenient time. This vulnerability is informational in nature and may be left in place.

C. This vulnerability has a severity rating of 3/5 and is further mitigated by the fact that the server is on an internal network, accessible only to trusted staff. This rises above the level of an informational report and should be addressed, but it does not require urgent attention.

Aaron is scanning a server in his organization's data center and receives the vulnerability report shown here. The service is exposed only to internal hosts. Window shows sections for 2 NTP information disclosure vulnerability, threat, impact, solution, and exploitability, and options for first detected, last detected, vendor reference, user modified, et cetera. What is the normal function of the service with this vulnerability? File transfer Web hosting Time synchronization Network addressing

C. This vulnerability is with the Network Time Protocol (NTP), a service that runs on UDP port 123. NTP is responsible for providing synchronizing for the clocks of servers, workstations, and other devices in the organization.

Rob conducts a vulnerability scan and finds three different vulnerabilities, with the CVSS scores shown here. Which vulnerability should be his highest priority to fix, assuming all three fixes are of equal difficulty? Image shows sections for vulnerability 1, vulnerability 2, and vulnerability 3 (CVSS2 number AV:N/AC:H/Au:N/C:P/I:N/A:N. Vulnerability 1 Vulnerability 2 Vulnerability 3 Vulnerabilities 1 and 3 are equal in priority.

C. Vulnerability 3 has a CVSS score of 10.0 because it received the highest possible ratings on all portions of the CVSS vector. For example, it has ratings of "complete" for the confidentiality, integrity, and availability impact metrics, while the other two vulnerabilities have ratings of "partial" or "none" for those same metrics.

During a port scan of a server, Miguel discovered that the following ports are open on the internal network: TCP port 25 TCP port 80 TCP port 110 TCP port 443 TCP port 1433 TCP port 3389 The scan results provide evidence that a variety of services are running on this server. Which one of the following services is not indicated by the scan results? Web Database SSH RDP

C. Web servers commonly run on ports 80 (for HTTP) and 443 (for HTTPS). Database servers commonly run on ports 1433 (for Microsoft SQL Server), 1521 (for Oracle), or 3306 (for MySQL). Remote Desktop Protocol services commonly run on port 3389. There is no evidence that SSH, which uses port 22, is running on this server.

Kevin manages the vulnerability scans for his organization. The senior director that oversees Kevin's group provides a report to the CIO on a monthly basis on operational activity, and he includes the number of open critical vulnerabilities. Kevin would like to provide this information to his director in as simple a manner as possible each month. What should Kevin do? Provide the director with access to the scanning system. Check the system each month for the correct number and email it to the director. Configure a report that provides the information to automatically send to the director's email at the proper time each month. Ask an administrative assistant to check the system and provide the director with the information.

C. While all of these options are viable, the simplest solution is to design a report that provides the information and then configure the system to automatically send this report to the director each month.

Which one of the following is not an appropriate criteria to use when prioritizing the remediation of vulnerabilities? Network exposure of the affected system Difficulty of remediation Severity of the vulnerability All of these are appropriate.

D. A cybersecurity analyst should consider all of these factors when prioritizing remediation of vulnerabilities. The severity of the vulnerability is directly related to the risk involved. The likelihood of the vulnerability being exploited may be increased or reduced based upon the affected system's network exposure. The difficulty of remediation may impact the team's ability to correct the issue with a reasonable commitment of resources.

What priority should Aaron place on remediating this vulnerability? Aaron should make this vulnerability his highest priority. Aaron should remediate this vulnerability urgently but does not need to drop everything. Aaron should remediate this vulnerability within the next month. Aaron does not need to assign any priority to remediating this vulnerability.

D. Aaron should treat this vulnerability as a fairly low priority and may never get around to remediating it if there are more critical issues on his network. The vulnerability only has a severity rating of 2 (out of 5), and the vulnerability is further mitigated by the fact that the server is accessible only from the local network.

Andrew is frustrated at the high level of false positive reports produced by his vulnerability scans and is contemplating a series of actions designed to reduce the false positive rate. Which one of the following actions is least likely to have the desired effect? Moving to credentialed scanning Moving to agent-based scanning Integrating asset information into the scan Increasing the sensitivity of scans

D. Andrew can improve the quality and quantity of information available to the scanner by moving to credentialed scanning, moving to agent-based scanning, and integrating asset information into the scans. Any of these actions is likely to reduce the false positive rate. Increasing the sensitivity of scans would likely have the opposite effect, causing the scanner to report even more false positives.

Ben is preparing to conduct a vulnerability scan for a new client of his security consulting organization. Which one of the following steps should Ben perform first? Conduct penetration testing. Run a vulnerability evaluation scan. Run a discovery scan. Obtain permission for the scans.

D. Ben should obtain permission from the client to perform scans before engaging in any other activities. Failure to do so may violate the law and/or anger the client.

Javier ran a vulnerability scan of a network device used by his organization and discovered the vulnerability shown here. What type of attack would this vulnerability enable? Window shows sections for 2 UDP constant IP identification field fingerprinting vulnerability and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. Denial of service Information theft Information alteration Reconnaissance

D. Fingerprinting vulnerabilities disclose information about a system and are used in reconnaissance attacks. This vulnerability would allow an attacker to discover the operating system and version running on the target server.

Laura is working to upgrade her organization's vulnerability management program. She would like to add technology that is capable of retrieving the configurations of systems, even when they are highly secured. Many systems use local authentication, and she wants to avoid the burden of maintaining accounts on all of those systems. What technology should Laura consider to meet her requirement? Credentialed scanning Uncredentialed scanning Server-based scanning Agent-based scanning

D. Laura should consider deploying vulnerability scanning agents on the servers she wants to scan. These agents can retrieve configuration information and send it to the scanner for analysis. Credentialed scanning would also be able to retrieve this information, but it would require that Laura manage accounts on each scanned system. Server-based scanning would not be capable of retrieving configuration information from the host unless run in credentialed mode. Uncredentialed scans would not have the access required to retrieve detailed configuration information from scan targets.

Harold would like to secure the service affected by this vulnerability. Which one of the following protocols/versions would be an acceptable way to resolve the issue? SSL v2.0 SSL v3.0 TLS v1.0 None of the above

D. None of the protocols and versions listed in this question is an acceptable way to correct this vulnerability. All versions of SSL contain critical vulnerabilities and should no longer be used. TLSv1.0 also contains a vulnerability that would allow an attacker to downgrade the cryptography used by the server. Harold should upgrade the server to support at least TLSv1.2.

Pete recently conducted a broad vulnerability scan of all the servers and workstations in his environment. He scanned the following three networks: DMZ network that contains servers with public exposure Workstation network that contains workstations that are allowed outbound access only Internal server network that contains servers exposed only to internal systems He detected the following vulnerabilities: Vulnerability 1: A SQL injection vulnerability on a DMZ server that would grant access to a database server on the internal network (severity 5/5) Vulnerability 2: A buffer overflow vulnerability on a domain controller on the internal server network (severity 3/5) Vulnerability 3: A missing security patch on several hundred Windows workstations on the workstation network (severity 2/5) Vulnerability 4: A denial-of-service vulnerability on a DMZ server that would allow an attacker to disrupt a public-facing website (severity 2/5) Vulnerability 5: A denial of service vulnerability on an internal server that would allow an attacker to disrupt an internal website (severity 4/5) Note that the severity ratings assigned to these vulnerabilities are directly from the vulnerability scanner and were not assigned by Pete. Pete is working with the desktop support manager to remediate vulnerability 3. What would be the most efficient way to correct this issue? Personally visit each workstation to remediate the vulnerability. Remotely connect to each workstation to remediate the vulnerability. Perform registry updates using a remote configuration tool. Apply the patch using a GPO

D. Pete and the desktop support team should apply the patch using a GPO or other centralized configuration management tool. This is much more efficient than visiting each workstation individually, either in person or via remote connection. There is no indication in the scenario that a registry update would remediate this issue.

Juan recently scanned a system and found that it was running services on ports 139 and 445. What operating system is this system most likely running? Ubuntu macOS CentOS Windows

D. Ports 139 and 445 are associated with Windows systems that support file and printer sharing.

Rahul ran a vulnerability scan of a server that will be used for credit card processing in his environment and received a report containing the vulnerability shown here. What action must Rahul take? Window shows sections for 2 web server HTTP trace/track method support cross-site tracing vulnerability, threat, and impact, and options for first detected, last detected, vendor reference, user modified, et cetera. Remediate the vulnerability when possible. Remediate the vulnerability prior to moving the system into production and rerun the scan to obtain a clean result. Remediate the vulnerability within 90 days of moving the system to production. No action is required.

D. Rahul does not need to take any action on this vulnerability because it has a severity rating of 2 on a five-point scale. PCI DSS only requires the remediation of vulnerabilities with at least a "high" rating, and this vulnerability does not clear that threshold.

Rick discovers the vulnerability shown here in a server running in his data center. What characteristic of this vulnerability should concern him the most? Window shows sections for 4 Microsoft security update for Windows Kernel-Mode Drivers (MS17-018), threat, impact, solution, and exploitability, and options for first detected, last detected, vendor reference, user modified, et cetera. It is the subject of a recent security bulletin. It has a CVSS score of 7.2. There are multiple Bugtraq and CVE IDs. It affects kernel-mode drivers.

D. The fact that this vulnerability affects kernel-mode drivers is very serious, as it indicates that an attacker could compromise the core of the operating system in an escalation of privilege attack. The other statements made about this vulnerability are all correct, but they are not as serious as the kernel-mode issue.

This morning, Eric ran a vulnerability scan in an attempt to detect a vulnerability that was announced by a software manufacturer yesterday afternoon. The scanner did not detect the vulnerability although Eric knows that at least two of his servers should have the issue. Eric contacted the vulnerability scanning vendor who assured him that they released a signature for the vulnerability overnight. What should Eric do as a next step? Check the affected servers to verify a false positive. Check the affected servers to verify a false negative. Report a bug to the vendor. Update the vulnerability signatures.

D. The most likely issue is that Eric's scanner has not pulled the most recent signatures from the vendor's vulnerability feed. Eric should perform a manual update and rerun the scan before performing an investigation of the servers in question or filing a bug report.

Carla runs both internal and external vulnerability scans of a web server and detects a possible SQL injection vulnerability. The vulnerability only appears in the internal scan and does not appear in the external scan. When Carla checks the server logs, she sees the requests coming from the internal scan and sees some requests from the external scanner but no evidence that a SQL injection exploit was attempted by the external scanner. What is the most likely explanation for these results? A host firewall is blocking external network connections to the web server. A network firewall is blocking external network connections to the web server. A host IPS is blocking some requests to the web server. A network IPS is blocking some requests to the web server.

D. The most likely scenario is that a network IPS is blocking SQL injection attempts sent to this server, and the internal scanner is positioned on the network in such a way that it is not filtered by the network IPS. If a host IPS were blocking the requests, the vulnerability would likely not appear on internal scans either. If a firewall were blocking the requests, then no external scanner entries would appear in the log file.

Greg runs a vulnerability scan of a server in his organization and finds the results shown here. What is the most likely explanation for these results? Window shows HTTP server type and version with sections for description, output (port, hosts), plugin details (severity, ID, version, type), and risk information. The organization is running web services on nonstandard ports. The scanner is providing a false positive error report. The web server has mirrored ports available. The server has been compromised by an attacker.

D. This cipher uses the insecure Data Encryption Standard (DES) algorithm and should be replaced. The other ciphers listed all use the secure Advanced Encryption Standard (AES) in place of DES encryption.

Jim is reviewing a vulnerability scan of his organization's VPN appliance. He wants to remove support for any insecure ciphers from the device. Which one of the following ciphers should he remove? ECDHE-RSA-AES128-SHA256 AES256-SHA256 DHE-RSA-AES256-GCM-SHA384 EDH-RSA-DES-CBC3-SHA

D. This cipher uses the insecure Data Encryption Standard (DES) algorithm and should be replaced. The other ciphers listed all use the secure Advanced Encryption Standard (AES) in place of DES encryption.

Brent ran a vulnerability scan of several network infrastructure devices on his network and obtained the result shown here. What is the extent of the impact that an attacker could have by exploiting this vulnerability directly? Window shows sections for 3 readable SNMP information and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. Denial of service Theft of sensitive information Network eavesdropping Reconnaissance

D. This is a serious vulnerability because it exposes significant network configuration information to attackers and could be used to wage other attacks on this network. However, the direct impact of this vulnerability is limited to reconnaissance of network configuration information.

Carl runs a vulnerability scan of a mail server used by his organization and receives the vulnerability report shown here. What action should Carl take to correct this issue? Window shows sections for 4 OpenSSL oracle padding vulnerability (CVE-2016-2107) and threat, and options for first detected, last detected, vendor reference, user modified, et cetera. Carl does not need to take any action because this is an informational report. Carl should replace SSL with TLS on this server. Carl should disable weak ciphers. Carl should upgrade OpenSSL.

D. This is an example of the POODLE vulnerability that exploits weaknesses in the OpenSSL encryption library. While replacing SSL with TLS and disabling weak ciphers are good practices, they will not correct this issue. Carl should upgrade OpenSSL to a more current version that does not contain this vulnerability.

James is reviewing the vulnerability shown here, which was detected on several servers in his environment. What action should James take? Window shows TCP/IP timestamps supported with sections for description (see also) and plugin details (severity, ID, version, type, family, published, modified). Block TCP/IP access to these servers from external sources. Upgrade the operating system on these servers. Encrypt all access to these servers. No action is necessary.

D. This vulnerability is presented as an Info level vulnerability and, therefore, does not represent an actual threat to the system. James can safely ignore this issue.

After scanning his organization's email server, Frank discovered the vulnerability shown here. What is the most effective response that Frank can take in this situation? Window shows Microsoft exchange client access server information with sections for description, solution, see also, output, plugin details, risk information, vulnerability information, and reference information. Upgrade to the most recent version of Microsoft Exchange. Upgrade to the most recent version of Microsoft Windows. Implement the use of strong encryption. No action is required.

D. Unfortunately, Frank cannot take any action to remediate this vulnerability. He could consider restricting network access to the server, but this would likely have an undesirable effect on email access. The use of encryption would not correct this issue. The vulnerability report indicates that "There is no known fix at this time," meaning that upgrading Windows or Exchange would not correct the problem.

Seth found the vulnerability shown here in one of the systems on his network. What component requires a patch to correct this issue? Window shows sections for 5 VMware WSXi 5.5.0 patch release ESXi550-201703401-SG missing (KB2149576), threat, impact, solution, and exploitability, and options for first detected, category, vendor reference, CVSS base, et cetera. Operating system VPN concentrator Network router or switch Hypervisor

D. VMware is a virtualization platform that is widely used to run multiple guest operating systems on the same hardware platform. This vulnerability indicates a vulnerability in VMware itself, which is the hypervisor that moderates access to physical resources by those guest operating systems.

Which one of the following approaches provides the most current and accurate information about vulnerabilities present on a system because of the misconfiguration of operating system settings? On-demand vulnerability scanning Continuous vulnerability scanning Scheduled vulnerability scanning Agent-based monitoring

D. Vulnerability scans can only provide a snapshot in time of a system's security status from the perspective of the vulnerability scanner. Agent-based monitoring provides a detailed view of the system's configuration from an internal perspective and is likely to provide more accurate results, regardless of the frequency of vulnerability scanning.