Ch.5 Security Assessment and Testing Flashcards

1
Q

Explain the CVSS Severity Rating Scale scores for each

Low, Medium, High, Critical

A

0.1 – 3.9 Low
4.0 – 6.9 Medium
7.0 – 8.9 High
9.0 – 10.0 Critical

(CVSS v3.x and v4.0 also define a fifth rating, None, for a base score of exactly 0.0.)

2
Q

What are the 4 categories of Penetration Testing?

A

Physical - Tests physical security (e.g., tailgating, picking locks, bypassing badge systems)
Offensive - Simulates a real-world attacker trying to break in and gain access
Defensive - Tests and evaluates the organization’s detection and response capabilities
Integrated - Combines offensive and defensive teams (Red Team vs Blue Team), sometimes includes Purple Team coordination

3
Q

Explain the 3 Pen Test Classification Types

A

Known Environment - Full knowledge of the system (aka White Box testing)

Unknown Environment - No knowledge of the system (aka Black Box testing)

Partially Known - Limited knowledge of the system (aka Gray Box testing)

3
Q

Explain the difference between Passive and Active Reconnaissance

A

Passive Reconnaissance - Collecting info without directly touching or alerting the target. Often done via public records, WHOIS lookups, social media, etc.

Active Reconnaissance - Actively probing or scanning the target system, which may trigger alerts (e.g., port scanning, ping sweeps, banner grabbing).

4
Q

What is the difference between an external audit and an independent third party audit?

A

The only difference is who requests the audit. External audits are typically requested by the organization itself or its governing body (e.g., the board of directors). Independent third-party audits are requested by regulators, customers, or other outside entities. In both cases the audit is performed by someone outside the organization.

5
Q

Name 4 Vulnerability Identification Methods

A

Vulnerability scan (internal or external)
Penetration testing
Responsible disclosure or bug bounty programs
System/process audits

6
Q

After a Vulnerability analysis is completed, what is used to prioritize and classify the vulnerability?

A

CVSS and CVE. CVSS (Common Vulnerability Scoring System) rates the severity of the flaw so findings can be prioritized; CVE (Common Vulnerabilities and Exposures) supplies the standard identifier used to classify and reference each vulnerability.

7
Q

Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise?

A. Vulnerability scanning

B. Penetration testing

C. Threat hunting

D. War driving

A

Correct Answer: C. Threat hunting

A. Vulnerability scanning → Identifies weaknesses, not evidence of compromise.

B. Penetration testing → Simulates attacks but doesn’t assume compromise already happened.

✅ C. Threat hunting → Actively looks for evidence of existing compromise.

D. War driving → Searches for wireless networks, not threats inside systems.

8
Q

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?

A. Domain administrator

B. Local administrator

C. Root

D. Read-only

A

D. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

9
Q

Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?

A. Run the scan against production systems to achieve the most realistic results possible.

B. Run the scan during business hours.

C. Run the scan in a test environment.

D. Do not run the scan to avoid disrupting the business.

A

Correct Answer: C. Run the scan in a test environment

A. Run against production → Risky; may disrupt services.

B. During business hours → Increases risk of impacting users.

✅ C. Test environment → Safest place to test dangerous plugins first.

D. Do not run the scan → Avoiding the scan defeats the purpose of vulnerability management.

10
Q

Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?

A. High

B. Medium

C. Low

D. Severe

A

Correct Answer: C. Low

A. High → Means more complex, harder to exploit.

B. Medium → Not a valid AC value in CVSS v3.x or v4.0, which use only Low and High (the older CVSS v2 did define AC as Low/Medium/High).

✅ C. Low → Means easiest to exploit in CVSS terms.

D. Severe → Not a CVSS attack complexity value.

11
Q

Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred?

A. False positive

B. False negative

C. True positive

D. True negative

A

Correct Answer: A. False positive

✅ A. False positive → Vulnerability was reported but doesn’t actually exist.

B. False negative → Missed something that is actually there.

C. True positive → Correctly identified a real vulnerability.

D. True negative → Correctly showed no vulnerability.

11
Q

Brian ran a penetration test against a school’s grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school’s cybersecurity team to prevent students from engaging in this type of activity?

A. Confidentiality

B. Integrity

C. Alteration

D. Availability

A

Correct Answer: B. Integrity

A. Confidentiality → Protects data from unauthorized access, not changes.

✅ B. Integrity → Prevents unauthorized modification of data (e.g., grades).

C. Alteration → Not a valid Security+ control type.

D. Availability → Keeps data/services accessible, not protected from changes.
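The grading-system scenario above describes an integrity failure caused by SQL injection. The following Python is an added example, not part of the original flashcards, that builds a constructed in-memory SQLite grading table and shows the vulnerable string-built UPDATE beside the parameterized version that prevents the grade change. The table layout, student IDs and injection payload are all constructed for illustration.

```python
import sqlite3

# Constructed sample schema and rows for a school grading system (not from the flashcards).
SCHEMA = """
CREATE TABLE enrollments (
    student_id TEXT NOT NULL,
    course     TEXT NOT NULL,
    grade      TEXT NOT NULL,
    feedback   TEXT NOT NULL DEFAULT ''
);
INSERT INTO enrollments (student_id, course, grade) VALUES
    ('s1001', 'CS101', 'C'),
    ('s1002', 'CS101', 'B');
"""

# Payload a student could submit in a "course feedback" form: the single quote closes the
# feedback literal, and ", grade = 'A" becomes part of the SET clause.
PAYLOAD = "great class', grade = 'A"


def fresh_db():
    """Create a new in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def save_feedback_vulnerable(conn, student_id, course, feedback):
    """Deliberately vulnerable: user input is concatenated into the SQL text, so any quote in
    `feedback` ends the string literal and the remainder is parsed as SQL."""
    sql = (f"UPDATE enrollments SET feedback = '{feedback}' "
           f"WHERE student_id = '{student_id}' AND course = '{course}'")
    conn.execute(sql)
    conn.commit()


def save_feedback_safe(conn, student_id, course, feedback):
    """Hardened: a parameterized query. The values travel separately from the statement text,
    so the input is stored as data and cannot change which columns the UPDATE sets."""
    conn.execute(
        "UPDATE enrollments SET feedback = ? WHERE student_id = ? AND course = ?",
        (feedback, student_id, course),
    )
    conn.commit()


def get_row(conn, student_id, course):
    """Return (grade, feedback) for one enrollment."""
    return conn.execute(
        "SELECT grade, feedback FROM enrollments WHERE student_id = ? AND course = ?",
        (student_id, course),
    ).fetchone()


def demo():
    """Run the same payload through both code paths and report the resulting grade/feedback."""
    results = {}

    conn = fresh_db()
    save_feedback_vulnerable(conn, "s1001", "CS101", PAYLOAD)
    results["vulnerable_grade"], results["vulnerable_feedback"] = get_row(conn, "s1001", "CS101")
    results["vulnerable_other_grade"] = get_row(conn, "s1002", "CS101")[0]

    conn = fresh_db()
    save_feedback_safe(conn, "s1001", "CS101", PAYLOAD)
    results["safe_grade"], results["safe_feedback"] = get_row(conn, "s1001", "CS101")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In the vulnerable path the student's grade becomes 'A' (the other student's row is untouched because the WHERE clause still applies); in the safe path the grade stays 'C' and the whole payload, quote and all, is stored as feedback text. Parameterized queries are the preventive integrity control here; in practice you would also give the student-facing application a database account that has no UPDATE right on the grade column at all.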

12
Q

Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test?

A. Nmap

B. Nessus

C. Metasploit

D. Nslookup

A

Correct Answer: C. Metasploit

A. Nmap → Used in reconnaissance for port scanning.

B. Nessus → Vulnerability scanner, can be part of recon.

✅ C. Metasploit → Used for exploitation, not reconnaissance.

D. Nslookup → DNS query tool used during reconnaissance (usually treated as passive, since it retrieves published DNS records rather than probing the target host).

13
Q

Which one of the following tools is most likely to detect an XSS vulnerability?

A. Static application test

B. Web application vulnerability scanner

C. Intrusion detection system

D. Network vulnerability scanner

A

B. Intrusion detection systems do not detect vulnerabilities; they detect attacks. The remaining three tools could all possibly discover a cross-site scripting (XSS) vulnerability, but a web application vulnerability scanner is the most likely to detect it because it is specifically designed to test web applications.

14
Q

Zian is a cybersecurity leader who is coordinating the activities of a security audit. The audit is being done to validate the organization’s financial statements to investors and involves a review of cybersecurity controls. What term best describes this audit?

A. External audit

B. Penetration test

C. Internal audit

D. Informal audit

A

A. Audits performed to validate an organization’s financial statements are very formal audits that are performed by independent third-party auditors. This makes them external audits. Internal audits may be more or less formal than external audits but they are generally done only to provide assurance to internal parties and not to investors. Penetration tests may be done as part of an audit but they are not audits themselves.

14
Q

During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity?

A. Lateral movement

B. Privilege escalation

C. Footprinting

D. OSINT

A

A. Moving from one compromised system to other systems on the same network is known as lateral movement. Privilege escalation attacks increase the level of access that an attacker has to an already compromised system. Footprinting and OSINT are reconnaissance techniques.

15
Q

Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities?

A. Threat hunting

B. Penetration testing

C. Bug bounty

D. Vulnerability scanning

A

Correct Answer: C. Bug bounty

A. Threat hunting → Done internally to find existing threats.

B. Pen testing → Contracted simulated attacks, not open participation.

✅ C. Bug bounty → Invites external researchers, pays for valid vuln findings.

D. Vulnerability scanning → Automated and internal.

16
Q

Kyle is conducting a penetration test. After gaining access to an organization’s database server, he installs a backdoor on the server to grant himself access in the future. What term best describes this action?

A. Privilege escalation

B. Lateral movement

C. Maneuver

D. Persistence

A

Correct Answer: D. Persistence

A. Privilege escalation → Gaining higher access.

B. Lateral movement → Moving to other systems.

C. Maneuver → Not a defined Security+ term.

✅ D. Persistence → Installing a backdoor to maintain long-term access.

17
Q

Which one of the following techniques would be considered passive reconnaissance?

A. Port scans

B. Vulnerability scans

C. WHOIS lookups

D. Footprinting

A

Correct Answer: C. WHOIS lookups

A. Port scans → Active — sends packets.

B. Vulnerability scans → Active — probes for weaknesses.

✅ C. WHOIS lookups → Passive — gathers public domain info.

D. Footprinting → General term, may include active methods.

18
Q

Which element of the SCAP framework can be used to consistently describe vulnerabilities?

A. CPE

B. CVE

C. CVSS

D. CCE

A

B. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues.

19
Q

Bruce is conducting a penetration test for a client. The client provided him with full details of their systems in advance. What type of test is Bruce conducting?

A. Partially known environment test

B. Detailed environment test

C. Known environment test

D. Unknown environment test

A

C. Known environment tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Unknown environment tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. Partially known environment tests are a blend of unknown environment and known environment testing. Detailed environment tests are not a type of penetration test.

20
Q

Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information?

A. Contract

B. Statement of work

C. Rules of engagement

D. Lessons learned report

A

C. The rules of engagement provide technical details on the parameters of the test. This level of detail would not normally be found in a contract or statement of work (SOW). The lessons learned report is not produced until after the test.

21
Q

Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information?

A. Port scanning

B. Footprinting

C. Vulnerability scanning

D. Packet capture

A

B. All of these techniques might provide Grace with information about the operating system running on a device. However, footprinting is a technique specifically designed to elicit this information.

22
Q

Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into?

A. Low

B. Medium

C. High

D. Critical

A

Correct Answer: B. Medium

CVSS Severity Scale:

0.1–3.9 = Low

✅ 4.0–6.9 = Medium

7.0–8.9 = High

9.0–10.0 = Critical

23
Q

Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?

A. AV

B. C

C. PR

D. AC

A

Correct Answer: C. PR

A. AV (Attack Vector) → How the attacker reaches the system.

B. C (Confidentiality) → Measures data exposure.

✅ C. PR (Privileges Required) → Describes what level of access is needed.

D. AC (Attack Complexity) → Describes how hard the attack is to perform.

24
Q

An organization wants to streamline vulnerability management across thousands of assets while ensuring all findings are reported in a standardized format that can be shared with external auditors. Which of the following BEST describes the protocol that supports this requirement?

A. CVSS
B. SCAP
C. CPE
D. SIEM

A

Correct Answer: B. SCAP

SCAP (Security Content Automation Protocol) is a suite of standards maintained by NIST used to automate the vulnerability management, measurement, and policy compliance evaluation processes. SCAP helps organizations standardize how vulnerabilities are described, shared, and reported, which is critical when you’re working with large environments or reporting to third parties.

A. CVSS → A scoring system used within SCAP to rate severity but not a protocol itself.

C. CPE → Identifies software and hardware platforms in a standardized way, but doesn’t automate anything.

D. SIEM → Aggregates and analyzes logs; not a standard or automation protocol for vulnerability data.

🔐 Security+ Tip: If the question emphasizes standardization, automation, or reporting vulnerability data across systems — SCAP is the right answer.
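The SCAP cards above say that CVE gives each flaw a standard name and CPE gives products and versions a standard name. The following Python is an added example, not part of the original flashcards or of any SCAP tool, that validates CVE identifier syntax, parses CPE 2.3 formatted strings, and applies a simplified version of the CPE name-matching rules to find which inventory assets an advisory applies to. The vendor, product names and CVE numbers in the sample data are fictitious and constructed for illustration, and the matcher deliberately omits the in-value wildcard handling of the full NISTIR 7696 algorithm.

```python
import re

# CVE identifier syntax: "CVE-" + four-digit year + a sequence number of four or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# The eleven attributes of a CPE 2.3 formatted string, in order, after the "cpe:2.3" prefix.
CPE_ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition", "language",
                  "sw_edition", "target_sw", "target_hw", "other")


def is_cve_id(candidate):
    """True if the string has CVE identifier form (this does not check that the ID is assigned)."""
    return bool(CVE_ID.match(candidate))


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into an attribute dict.
    A literal colon inside a value is escaped as '\\:', so split only on unescaped colons."""
    fields = re.split(r"(?<!\\):", cpe)
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 2 + len(CPE_ATTRIBUTES):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_ATTRIBUTES, fields[2:]))


def attribute_matches(source, target):
    """Simplified CPE matching for one attribute: '*' (ANY) in the advisory accepts any asset
    value, '-' (NA) accepts only NA, and anything else must match exactly (case-insensitive)."""
    if source == "*":
        return True
    if source == "-":
        return target == "-"
    return source.lower() == target.lower()


def cpe_matches(advisory_cpe, asset_cpe):
    """True if every attribute of the advisory's CPE accepts the asset's CPE."""
    source, target = parse_cpe(advisory_cpe), parse_cpe(asset_cpe)
    return all(attribute_matches(source[a], target[a]) for a in CPE_ATTRIBUTES)


def affected_assets(advisories, assets):
    """Return (cve_id, asset_cpe) pairs for every advisory whose CPE matches an inventory asset."""
    hits = []
    for advisory in advisories:
        if not is_cve_id(advisory["cve"]):
            raise ValueError(f"malformed CVE identifier: {advisory['cve']!r}")
        for asset in assets:
            if cpe_matches(advisory["cpe"], asset):
                hits.append((advisory["cve"], asset))
    return hits


# Constructed sample data: fictitious vendor, products and CVE numbers chosen for illustration.
ADVISORIES = [
    {"cve": "CVE-2030-0001", "cpe": "cpe:2.3:a:examplecorp:gradebook:3.2.0:*:*:*:*:*:*:*"},  # one version
    {"cve": "CVE-2030-0002", "cpe": "cpe:2.3:o:examplecorp:edgeos:*:*:*:*:*:*:*:*"},         # every version
]
ASSETS = [
    "cpe:2.3:a:examplecorp:gradebook:3.2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:gradebook:3.2.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:edgeos:7.1:*:*:*:*:*:*:*",
]


if __name__ == "__main__":
    for cve, asset in affected_assets(ADVISORIES, ASSETS):
        print(f"{cve} affects {asset}")
```

The first advisory names one exact version, so only the 3.2.0 install matches and the patched 3.2.1 install does not; the second uses ANY for the version attribute, so every EdgeOS asset matches. That distinction, a standard product name with a standard way to say "any version", is exactly what CPE adds on top of a free-text product string.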

25
Q

A company is conducting an audit to evaluate the effectiveness of its cybersecurity policies and controls. The audit is initiated by senior management and conducted by a team that reports to the organization’s risk and compliance division.

Which of the following BEST describes this audit?

A. Independent third-party audit
B. Internal audit
C. Compliance attestation
D. External audit

A

Correct Answer: B. Internal audit

This audit is conducted by employees of the same organization (the risk and compliance division), and it was requested by senior management. This defines it as an internal audit. Internal audits evaluate internal controls, risks, and compliance with organizational policy — and they’re typically proactive, not regulatory.

A. Independent third-party audit → Would involve an external firm hired by a customer or regulator.

C. Compliance attestation → A third party confirming that a system meets compliance (e.g., SOC 2, PCI).

D. External audit → Performed by outside firms, usually for compliance or investor purposes — not the case here.

🔐 Security+ Tip: Pay attention to who initiates the audit and who performs it — that determines whether it’s internal, external, or third-party.

26
Q

A cloud provider undergoes a formal security assessment by an independent third-party auditor. The auditor verifies that the provider’s controls meet regulatory compliance requirements and signs a document confirming this.

Which of the following BEST describes this outcome?

A. Self-assessment
B. Attestation
C. Certification
D. Internal audit

A

Correct Answer: B. Attestation

An attestation is when an independent third party (such as an auditor) reviews your controls and formally confirms that they meet a specific framework or compliance requirement. The key element is the formal validation and signed documentation.

A. Self-assessment → Performed by the organization itself, not third-party verified.

C. Certification → Usually implies a formal approval process (e.g., ISO 27001), often with broader scope than an attestation.

D. Internal audit → Conducted by internal personnel, not an external third party.

🔐 Security+ Tip: If a third party confirms compliance through review and documentation, it’s an attestation — even if it’s not a full certification.