04- Vulnerability Assessment Quiz

Question 1

On which is the National Vulnerability Database primarily built upon?

A. Vulnerabilities
B. NVD
C. Patch
D. CVE identifiers

Answer 1

Answer: D

The National Vulnerability Database is built primarily upon CVE identifiers.

Question 2

Which of the following is another top priority of SANS Top 20 critical controls?

A. Prioritizing security functions
B. Standardization and automation
C. Vulnerability management
D. Exploit

Answer 2

Answer: B

Standardization and automation is another top priority.

Question 3

National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data.
True
False

Answer 3

Answer: True
National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data.

Question 4

Which continuously updates advisories to reflect new data whenever it becomes available?

A. Secunia
B. NVD
C. CVE
D. CVSS

Answer 4

Answer: A

Secunia continuously updates advisories to reflect new data whenever it becomes available.

Question 5

Which is a dictionary of common names for publicly known information security vulnerabilities?

A. Vulnerability
B. Zero day
C. SANS Top 20 controls
D. Common Vulnerabilities and Exposures

Answer 5

Answer: D
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names, i.e. CVE Identifiers for publicly known information security vulnerabilities.

Question 6

Vulnerability analysis is also known as:
A.	Penetration testing
B.	Port scanning
C.	Vulnerability assessment
D.	none of these

Answer 6

Answer: C
Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes in a computer, network, or communications infrastructure.

Question 7

What are the gateways by which threats are manifested?
A.	Ports
B.	Computer Networks
C.	Patches
D.	Vulnerabilities

Answer 7

Answer: D

Vulnerabilities are the gateways by which threats are manifested.

Question 8

The professional pen tester will focus on automated methods to confirm whether the results in the vulnerability assessment report are positive or negative.
True
False

Answer 8

Answer: False
The professional pen tester will focus on manual methods to confirm whether the results in the vulnerability assessment report are positive or negative.

Question 9

Which of the following can you use as a foundation when building a vulnerability assessment report?

A. Tools
B. Nmap
C. SQL Injection
D. Salami

Answer 9

Answer: A

You can use tools as a foundation when building a vulnerability assessment report.

Question 10

What is common with most vulnerability assessment tools?

A. Command mode
B. GUI front end
C. ICMP traffic
D. Fragmented packets

Answer 10

Answer: B

Most vulnerability assessment tools have a GUI front end.

Question 11

What is CVSSv2?

A. Latest version of the CVE
B. Latest version of CVS
C. Latest version of SANS Top 20 controls
D. None of these

Answer 11

Answer: D

CVSSv2 is the latest version of the Common Vulnerability Scoring System(CVSS).

Question 12

Which of the following tools allows automation of patching from a single console for the entire network?

A. Nessus
B. LanGuard
C. IBM Security AppScan
D. None of these

Answer 12

Answer: B
LanGuard 2014 is now a perfect fit for mixed environments because it allows automation of patching from a single console for the entire network.

Question 13

Nessus Enterprise provides four user levels.

True
False

Answer 13

Answer: True
Nessus Enterprise provides four user levels that enable managed access to all resources based on user and/or group permissions

Question 14

How does MBSA determine security updates on Windows computers?

A. Windows agent
B. Windows security agent
C. Security agent
D. Missing patch agent

Answer 14

Answer: B
Security updates are determined by the current version of MBSA using the Windows update agent present on Windows computers.

Question 15

Which of the following servers works as a daemon at the back end when a client is used at the front end?
A.	Nessus
B.	IBM Security AppScan
C.	MBSA
D.	iScanOnline

Answer 15

Answer: A

In Nessus the server works as a daemon at the back end and a client is used at the front end.

Question 16

IBM Security AppScan automates vulnerability assessments and scans and tests for all common web application vulnerabilities, including SQL-injection, cross-site scripting, buffer overflow, flash/flex application, and Web 2.0 exposure scans.
True
False

Answer 16

Answer: True
IBM Security AppScan automates vulnerability assessments and scans and tests for all common web application vulnerabilities, including SQL-injection, cross-site scripting, buffer overflow, flash/flex application, and Web 2.0 exposure scans.

Question 17

Which of the following tools provides full coverage of the OWASP Top 10 for 2013?

A. Nessus
B. MBSA
C. GFI LanGuard
D. IBM Security AppScan

Answer 17

Answer: A and D
Nessus provides full coverage of the OWASP Top 10 for 2013. IBM Security AppScan provides full coverage of the OWASP Top 10 for 2013.

Question 18

GFI LanGuard does not offer agent-less vulnerability assessment for all smartphones and tablets that connect to your Microsoft Exchange servers.
True
False

Answer 18

Answer: False
GFI LanGuard offers agent-less vulnerability assessment for all smartphones and tablets that connect to your Microsoft Exchange servers.

Question 19

Who should be held accountable for successes and failures of remediation?

A. Vulnerability tester
B. Senior management
C. Chief Financial Officer
D. Vulnerability team

Answer 19

Answer: B

Senior management should be held accountable for successes and failures of remediation.

Question 20

Which of the following is not an automated patch management tool?

A. Everguard
B. PatchLink Update
C. HFNetChk
D. IBM Security AppScan

Answer 20

Answer: D

IBM Security AppScan is not an automated patch management tool.