Vulnerability Management Ch 2- 4 – 6|41 Questions with Verified Answers
What is included in vulnerabilities? - CORRECT ANSWER NVD, CWE, and third party
What is included under CMDB CIs? - CORRECT ANSWER Third-party integrations, discovery, service mapping into the CMDB, and people/processes
What is included in vulnerable items? - CORRECT ANSWER Vulnerabilities and CMDB CIs
What does the main XML feed do? - CORRECT ANSWER Provides the CVE data organized by the first four digits of a CVE identifier
What happens when the CVE records are downloaded from the NVD? - CORRECT ANSWER They are compared to the software in a customer's network, as identified by its software asset discovery model
CVE-ID - CORRECT ANSWER When a CVE-ID matches vulnerable software or CIs on a network, a vulnerable item is created
Vulnerability groups - CORRECT ANSWER Used to help analysts prioritize vulnerable items and analyze them in bulk
Different ways of assigning vulnerable items to a group - CORRECT ANSWER 1. By hand
2. Use a condition filter
3. Use a filter group
Instance sizing guidelines - CORRECT ANSWER 1. Identify the target SNow instance that will host the application and obtain the instance size information.
2. Get an estimated count of open vulnerabilities in the environment.
3. Request an instance size in accordance with the guidelines below:
- Fewer than 1 million vulnerabilities = instance size XL
- 1 to 2.5 million vulnerabilities = instance size XXL
- 2.5 million or more vulnerabilities = instance size Ultra
4. Follow the steps for VR plugin installation outlined in the SNow documentation.
What makes up vulnerable items? - CORRECT ANSWER Vulnerabilities (NVD, CWE, and third party) and CMDB CIs (service mapping, discovery, third-party integrations, and people/processes)
What is Qualys? - CORRECT ANSWER A popular vulnerability scanner that is used by many organizations
When the Qualys scanner detects vulnerabilities, where do they go? - CORRECT ANSWER Vulnerability Response, where you can track, prioritize, and resolve them
Where is the QID stored? - CORRECT ANSWER sn_vul_third_party_entry
Qualys lookup logic - CORRECT ANSWER 1. Qualys host name
2. Qualys host ID
3. FQDN
4. DNS name
5. IP address
What needs to happen for a host to be treated as a new CI? - CORRECT ANSWER The found CI has an existing Qualys ID or Qualys Host ID set that does not match what is coming from Qualys
Asset tagging - CORRECT ANSWER Set the Qualys host parameter asset_tags to a value of 1 to have asset tag information from Qualys included in the XML payload
Asset tag loading - CORRECT ANSWER Use the example "after Qualys transform" script to load asset tag information into the related tables
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
A. Daily
B. Weekly
C. Monthly
D. Quarterly
- CORRECT ANSWER D. Quarterly. PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.
Which one of the following is not an example of a vulnerability scanning tool?
A. Qualys
B. Snort
C. Nessus
D. OpenVAS
- CORRECT ANSWER B. Snort. Qualys, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
A. Domain administrator
B. Local administrator
C. Root
D. Read-only
- CORRECT ANSWER D. Read-only. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
A. CVSS
B. CVE
C. CPE
D. OVAL
- CORRECT ANSWER C. CPE. Common Platform Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.
Which type of organization is the most likely to face a statutory requirement to conduct vulnerability scans?
A. Bank
B. Hospital
C. Government agency
D. Doctor's office
- CORRECT ANSWER C. Government agency. The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors' offices, does not include a vulnerability scanning requirement, nor does GLBA, which covers financial institutions. Banks may be required to conduct scans under PCI DSS, but this is a contractual obligation and not a statutory requirement.
What minimum level of impact must a system have under FISMA before the organization is required to determine what information about the system is discoverable by adversaries?
A. Low
B. Moderate
C. High
D. Severe
- CORRECT ANSWER C. High. Control enhancement number 4 requires that an organization determine what information about the system is discoverable by adversaries. This enhancement only applies to FISMA high systems.
Which one of the following activities is not part of the vulnerability management life cycle?
A. Detection
B. Remediation
C. Reporting
D. Testing
- CORRECT ANSWER C. Reporting. Although reporting and communication are an important part of vulnerability management, they are not included in the life cycle. The three life-cycle phases are detection, remediation, and testing.
What approach to vulnerability scanning incorporates information from agents running on the target servers?
A. Continuous monitoring
B. Ongoing scanning
C. On-demand scanning
D. Alerting
- CORRECT ANSWER A. Continuous monitoring. Continuous monitoring incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?
A. Low impact
B. Moderate impact
C. High impact
D. Severe impact
- CORRECT ANSWER B. Moderate impact. Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
A. CVSS
B. CVE
C. CPE
D. XCCDF
- CORRECT ANSWER A. CVSS. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Jessica could use this scoring system to prioritize issues raised by different source systems.
Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What technology is likely in use on this network that resulted in this vulnerability?
A. TLS
B. NAT
C. SSH
D. VPN
- CORRECT ANSWER B. NAT. Although the network can support any of these protocols, internal IP disclosure vulnerabilities occur when a network uses Network Address Translation (NAT) to map public and private IP addresses but a server inadvertently discloses its private IP address to remote systems.
Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?
A. AV
B. C
C. PR
D. AC
- CORRECT ANSWER C. PR. The privileges required (PR) metric indicates the type of account access the attacker must have.
Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?
A. High
B. Medium
C. Low
D. Severe
- CORRECT ANSWER C. Low. An attack complexity of "low" indicates that exploiting the vulnerability does not require any specialized conditions.
What is the most recent version of CVSS that is currently available?
A. 1.0
B. 2.0
C. 2.5
D. 3.1
- CORRECT ANSWER D. 3.1. Version 3.1 of CVSS is currently available but is not as widely used as the more common CVSS version 2.0.
In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?
A. VM escape
B. Management interface brute force
C. LDAP injection
D. DNS amplification
- CORRECT ANSWER A. VM escape. VM escape vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different virtual machine.
Which one of the following terms is not typically used to describe the connection of physical devices to a network?
A. IoT
B. IDS
C. ICS
D. SCADA
- CORRECT ANSWER B. IDS. Intrusion detection systems (IDSs) are a security control used to detect network or host attacks. The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICSs) are all associated with connecting physical-world objects to a network.
Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
A. SQL injection
B. Malware injection
C. LDAP injection
D. Cross-site scripting
- CORRECT ANSWER D. Cross-site scripting. In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.
Amanda would like to run a security configuration scan of her Microsoft Azure cloud environment. Which one of the following tools would be most appropriate for her needs?
A. Inspector
B. ScoutSuite
C. Prowler
D. Pacu
- CORRECT ANSWER B. ScoutSuite. ScoutSuite is the only cloud assessment tool listed here that performs security scans of Azure environments. Inspector and Prowler are AWS-specific tools. Pacu is an exploitation framework used in penetration testing.
Under the shared responsibility model, which component always remains the responsibility of the customer, regardless of the cloud service model used?
A. Application
B. Hardware
C. Datacenter
D. Data
- CORRECT ANSWER D. Data. In the shared responsibility model, the customer always retains either full or partial responsibility for data security. Responsibility for hardware and physical datacenters is the cloud provider's responsibility under all models. Responsibility for applications is the customer's responsibility under IaaS, the provider's responsibility under SaaS, and a shared responsibility under PaaS.
Which one of the following services is not an example of FaaS computing?
A. Lambda
B. DeepLens
C. Google Cloud Functions
D. Azure Functions
- CORRECT ANSWER B. DeepLens. AWS Lambda, Google Cloud Functions, and Microsoft Azure Functions are all examples of function as a service (FaaS) computing. AWS DeepLens is an AI-enabled camera.
Which cloud computing deployment model requires the use of a unifying technology platform to tie together components from different providers?
A. Public cloud
B. Private cloud
C. Community cloud
D. Hybrid cloud
- CORRECT ANSWER D. Hybrid cloud. Hybrid cloud environments blend elements of public, private, and/or community cloud solutions. A hybrid cloud requires the use of technology that unifies the different cloud offerings into a single, coherent platform.
Which one of the following is not an example of infrastructure as code?
A. Defining infrastructure in JSON
B. Writing code to interact with a cloud provider's API
C. Using a cloud provider's web interface to provision resources
D. Defining infrastructure in YAML
- CORRECT ANSWER C. Using a cloud provider's web interface to provision resources. Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC.
Which one of the following statements about inline CASB is incorrect?
A. Inline CASB solutions often use software agents on endpoints.
B. Inline CASB solutions intercept requests from users to cloud providers.
C. Inline CASB solutions can monitor activity but cannot actively enforce policy.
D. Inline CASB solutions may require network reconfiguration.
- CORRECT ANSWER C. Inline CASB solutions can monitor activity but cannot actively enforce policy. Inline CASB solutions require either network reconfiguration or the use of a software agent. They intercept requests from users to cloud providers and, by doing so, are able to both monitor activity and enforce policy.
Gina gained access to a client's AWS account during a penetration test. She would like to determine what level of access she has to the account. Which one of the following tools would best meet her need?
A. ScoutSuite
B. Inspector
C. Prowler
D. Pacu
- CORRECT ANSWER D. Pacu. Pacu is an AWS-specific exploitation framework. It is particularly well suited to identifying the permissions available to an account during a penetration test. ScoutSuite, Inspector, and Prowler are all assessment tools that would not directly provide the information that Gina seeks.