2.1 Vulnerability Management

Question 1

what should you consult to identify all systems that need to have a vulnerability scan?

Answer 1

the company’s asset inventory

Question 2

what is a flaw, loophole, or weakness in the system, software, or hardware?

Answer 2

vulnerabiltiy

Question 3

which scan has less of an impact on the network: agent-based or server-based?

Answer 3

agent-based vulnerability scans because they run on the device and only send the report to the centralized server

Question 4

what are the two main factors that CompTIA list as factors for prioritizing vulnerability remediation?

Answer 4

criticality and difficulty of implementation

Question 5

how often should vulnerability scans be carried out based on PCI-DSS standards?

Answer 5

every three months and whenever systems are updated

Question 6

which SCAP component provides standardized names for security-related software flaws?

Answer 6

common vulnerabilities and exposures (CVE)2

Question 7

what does the acronym CCE denote?

Answer 7

common configuration enumeration

Question 8

which systems provides CCE and CVE identifiers for vulnerability scans?

Answer 8

security content automation protocol (SCAP)

Question 9

which term is used for an agreement that is signed by two partnering companies?

Answer 9

business partners agreement (BPA)

Question 10

what does the acronym CVE denote?

Answer 10

common vulnerabilities and exposures

Question 11

which term is used for an agreement between two or more parties where the parties cannot create a legally enforceable agreement?

Answer 11

memorandum of understanding (MoU)

Question 12

what does the acronym SCAP denote?

Answer 12

security content automation protocol

Question 13

which step of the vulnerability management process involves assessing the documented requirements and workflow to determine when scans should occur?

Answer 13

establish scanning frequency

Question 14

why should you document workflow prior to setting up a vulnerability scan?

Answer 14

to help provide business constraints for the scan

Question 15

which step of the vulnerability management process involves documenting the regulatory environment and corporate policy, classifying data, and obtaining an asset inventory?

Answer 15

identify requirements

Question 16

in which situation will you accept a risk?

Answer 16

when the cost of the safeguard exceeds the amount of the potential loss

Question 17

why should you deploy remediation in a sandbox environment?

Answer 17

to test the effects of the remediation to ensure that the devices will be able to function properly after deployment

Question 18

what is the process for the vulnerability management process?

Answer 18

1. identify requirements
2. establish scanning frequency
3. configure the tools to perform the scans according to specifications
4. execute the scan
5. generate scan reports
6. provide remediation for discovered vulnerabilities

Question 19

what does the acronym CVSS denote?

Answer 19

common vulnerability scoring system

Question 20

what is a service level agreement (SLA)?

Answer 20

a contract between a network service provider and a customer that specifies the services the network service provider will furnish

Question 21

which range of CVSS scores indicates low priority?

Answer 21

0.1 to 3.9

Question 22

what is meant by the term vulnerability feed?

Answer 22

the updates to the vulnerability scanner that ensures that the scanner is able to recognize newly discovered vulnerabilities

Question 23

which range of CVSS scores indicates high priority?

Answer 23

7.0 to 8.9

Question 24

what happens with an agent-based vulnerability scan?

Answer 24

agents are installed on the devices to run the scan and send the report to a centralized server

Question 25

which range of CVSS scores indicates medium priority?

Answer 25

4.0 to 6.9

Question 26

what is the recommended action when the cost of the safeguard exceeds the amount of the potential loss for a given risk?

Answer 26

to accept the risk

Question 27

which permissions should you assign the account used for the vulnerability scans?

Answer 27

read only

Question 28

which SCAP component provides standard names for product names and versions?

Answer 28

common platform enumeration (CPE)

Question 29

which step of the vulnerability management process includes scanning criteria, such as sensitivity levels, vulnerability feed, and scope?

Answer 29

configure the tools to perform the scans according to specifications

Question 30

which range of CVSS scores indicates critical priority?

Answer 30

9.0 to 10.0

Question 31

what is meant by the scope of a vulnerability scan?

Answer 31

the range of hosts or subnets included in the scan

Question 32

what is the purpose of a discovery vulnerability scan?

Answer 32

to create an inventory of assets based on host or service discovery

Question 33

which SCAP component provides a standardized metric that measures and describes the severity of security-related software flaws?

Answer 33

common vulnerability scoring system (CVSS)

Question 34

what is the term Nessus uses for vulnerability feeds?

Answer 34

plug-ins

Question 35

which type of vulnerability scan includes the appropriate permissions for the different data types?

Answer 35

credentialed scan

Question 36

what does a CVSS score of 0 indicate?

Answer 36

no issues

Question 37

what are the FIVE inhibitors to remediation after a vulnerability scan?

Answer 37

MOUs
SLAs
Organizational Governance
Business process interruption
Degrading functionality

Question 38

what does the acronym CPE denote?

Answer 38

common platform enumeration (CPE)