5 Security Assessment and Testing

Question 2

What are common sources of vulnerabilities in computing environments?

Answer 2

Improper or weak patch management, weak configuration settings

Weak configuration settings include open permissions, unsecured root accounts, errors, weak encryption settings, insecure protocol use, default settings, and open ports and services.

Question 3

What is a false positive in vulnerability scanning?

Answer 3

A report that detects a vulnerability that does not exist.

Question 4

What is a false negative in vulnerability scanning?

Answer 4

A report that does not detect a vulnerability that actually exists.

Question 5

What is the primary goal of threat hunting?

Answer 5

To discover existing compromises within an organization.

Question 6

What tools do threat hunters use?

Answer 6

Advisories, bulletins, and threat intelligence feeds.

Question 7

What is the purpose of vulnerability scans?

Answer 7

To probe systems, applications, and devices for known security issues.

Question 8

What standards are used to describe and rate vulnerabilities?

Answer 8

Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS).

Question 9

What is penetration testing?

Answer 9

A simulated cyber attack conducted by security professionals.

Question 10

What are the three types of environments in penetration testing?

Answer 10

Known environment, unknown environment, partially known environment.

Question 11

What is the first step in penetration testing?

Answer 11

Reconnaissance efforts.

Question 12

What is the purpose of bug bounty programs?

Answer 12

To incentivize external security professionals to report vulnerabilities.

Question 13

What is the purpose of a security audit?

Answer 13

To formally examine an organization’s security controls.

Question 14

Who can perform security audits?

Answer 14

Internal audit teams or independent third-party auditors.

Question 15

What are the stages of the vulnerability life cycle?

Answer 15

Vulnerability identification, analysis, response and remediation, validation of remediation, reporting.

Question 16

What is involved in the analysis stage of the vulnerability life cycle?

Answer 16

Confirming the vulnerability, prioritizing it using CVSS and CVE, considering organization-specific factors.

Question 17

What are some responses to identified vulnerabilities?

Answer 17

• Applying patches
• Isolating affected systems
• Implementing compensating controls
• Transferring risk through insurance
• Formally accepting the risk.

Question 18

What is the purpose of validation in the vulnerability life cycle?

Answer 18

To ensure the vulnerability is no longer present.

Question 19

What does reporting in the vulnerability life cycle inform stakeholders about?

Answer 19

Findings, actions, trends, and recommendations for improvement.