04- Vulnerability Assessment Quiz Flashcards

1
Q

On which is the National Vulnerability Database primarily built upon?

A. Vulnerabilities
B. NVD
C. Patch
D. CVE identifiers

A

Answer: D

The National Vulnerability Database is built primarily upon CVE identifiers.

2
Q

Which of the following is another top priority of SANS Top 20 critical controls?

A. Prioritizing security functions
B. Standardization and automation
C. Vulnerability management
D. Exploit

A

Answer: B

Standardization and automation is another top priority.

3
Q

National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data.
True
False

A

Answer: True
National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data.

4
Q

Which continuously updates advisories to reflect new data whenever it becomes available?

A. Secunia
B. NVD
C. CVE
D. CVSS

A

Answer: A

Secunia continuously updates advisories to reflect new data whenever it becomes available.

5
Q

Which is a dictionary of common names for publicly known information security vulnerabilities?

A. Vulnerability
B. Zero day
C. SANS Top 20 controls
D. Common Vulnerabilities and Exposures

A

Answer: D
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names, i.e. CVE Identifiers, for publicly known information security vulnerabilities.

6
Q

Vulnerability analysis is also known as:

A. Penetration testing
B. Port scanning
C. Vulnerability assessment
D. none of these

A

Answer: C
Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes in a computer, network, or communications infrastructure.

7
Q

What are the gateways by which threats are manifested?

A. Ports
B. Computer Networks
C. Patches
D. Vulnerabilities

A

Answer: D

Vulnerabilities are the gateways by which threats are manifested.

8
Q

The professional pen tester will focus on automated methods to confirm whether the results in the vulnerability assessment report are positive or negative.
True
False

A

Answer: False
The professional pen tester will focus on manual methods to confirm whether the results in the vulnerability assessment report are positive or negative.

9
Q

Which of the following can you use as a foundation when building a vulnerability assessment report?

A. Tools
B. Nmap
C. SQL Injection
D. Salami

A

Answer: A

You can use tools as a foundation when building a vulnerability assessment report.

10
Q

What is common with most vulnerability assessment tools?

A. Command mode
B. GUI front end
C. ICMP traffic
D. Fragmented packets

A

Answer: B

Most vulnerability assessment tools have a GUI front end.

11
Q

What is CVSSv2?

A. Latest version of the CVE
B. Latest version of CVS
C. Latest version of SANS Top 20 controls
D. None of these

A

Answer: D

CVSSv2 is the latest version of the Common Vulnerability Scoring System (CVSS).

12
Q

Which of the following tools allows automation of patching from a single console for the entire network?

A. Nessus
B. LanGuard
C. IBM Security AppScan
D. None of these

A

Answer: B
LanGuard 2014 is now a perfect fit for mixed environments because it allows automation of patching from a single console for the entire network.

13
Q

Nessus Enterprise provides four user levels.

True
False

A

Answer: True
Nessus Enterprise provides four user levels that enable managed access to all resources based on user and/or group permissions.

14
Q

How does MBSA determine security updates on Windows computers?

A. Windows agent
B. Windows security agent
C. Security agent
D. Missing patch agent

A

Answer: B
Security updates are determined by the current version of MBSA using the Windows update agent present on Windows computers.

15
Q

Which of the following servers works as a daemon at the back end when a client is used at the front end?

A. Nessus
B. IBM Security AppScan
C. MBSA
D. iScanOnline

A

Answer: A

In Nessus the server works as a daemon at the back end and a client is used at the front end.

16
Q

IBM Security AppScan automates vulnerability assessments and scans and tests for all common web application vulnerabilities, including SQL-injection, cross-site scripting, buffer overflow, flash/flex application, and Web 2.0 exposure scans.
True
False

A

Answer: True
IBM Security AppScan automates vulnerability assessments and scans and tests for all common web application vulnerabilities, including SQL-injection, cross-site scripting, buffer overflow, flash/flex application, and Web 2.0 exposure scans.

17
Q

Which of the following tools provides full coverage of the OWASP Top 10 for 2013?

A. Nessus
B. MBSA
C. GFI LanGuard
D. IBM Security AppScan

A

Answer: A and D
Nessus provides full coverage of the OWASP Top 10 for 2013. IBM Security AppScan provides full coverage of the OWASP Top 10 for 2013.

18
Q

GFI LanGuard does not offer agent-less vulnerability assessment for all smartphones and tablets that connect to your Microsoft Exchange servers.
True
False

A

Answer: False
GFI LanGuard offers agent-less vulnerability assessment for all smartphones and tablets that connect to your Microsoft Exchange servers.

19
Q

Who should be held accountable for successes and failures of remediation?

A. Vulnerability tester
B. Senior management
C. Chief Financial Officer
D. Vulnerability team

A

Answer: B

Senior management should be held accountable for successes and failures of remediation.

20
Q

Which of the following is not an automated patch management tool?

A. Everguard
B. PatchLink Update
C. HFNetChk
D. IBM Security AppScan

A

Answer: D

IBM Security AppScan is not an automated patch management tool.