Chap 4 - Vulnerability Scanning Flashcards
SQLMap
SQLmap is an open-source penetration testing tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications.
SQLmap is used to identify and exploit SQL injection flaws, which involve injecting malicious SQL commands into a web application to gain unauthorized access to, or manipulate, sensitive database information
OpenVAS
OpenVAS, or Open Vulnerability Assessment System, is an open-source vulnerability scanning and management tool designed to help organizations identify and manage security weaknesses in their systems and networks
Gary is conducting a black‐box penetration test against an organization and is being provided with the results of vulnerability scans that the organization already ran for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test?
- Stealth internal scan
- Full internal scan
- Stealth external scan
- Full external scan
Full external scan
A full scan is likely to provide more useful and actionable results because it includes more tests. There is no requirement in the scenario that Gary avoid detection, so a stealth scan is not necessary. However, this is a black‐box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network.
What tool can white‐box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans?
- Asset inventory
- Web application assessment
- Router
- DLP
Asset inventory
An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans. It is appropriate to share this information with penetration testers during a white‐box penetration test.
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
- Daily
- Weekly
- Monthly
- Quarterly
Quarterly
PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.
Which one of the following is not an example of a vulnerability scanning tool?
- Qualys
- Snort
- Nessus
- OpenVAS
Snort
QualysGuard, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.
Snort
Snort is an open-source network intrusion detection and prevention system (IDS/IPS) that plays a crucial role in enhancing network security by monitoring, analyzing, and responding to network traffic. Here are the key aspects of Snort:
Snort can be configured to operate in three primary modes:
* Sniffer Mode: Snort reads and displays network packets on the console, similar to tools like TCPdump or Wireshark
* Packet Logger Mode: It logs network packets to a disk file, which is useful for network traffic debugging and analysis
* Network Intrusion Detection and Prevention System (NIDS/NIPS) Mode: This is the most critical mode, where Snort monitors network traffic, compares it against a user-defined rule set, and takes action when suspicious activity is detected
Snort uses several detection techniques:
* Signature-Based Detection: It compares network packets against a database of preconfigured signatures linked to known threats. These signatures include information about IP addresses, ports, protocols, and content patterns
* Anomaly-Based Detection: Snort identifies unusual network traffic patterns that deviate from normal, expected traffic
* Protocol-Based Inspection: It analyzes network protocols to detect deviations from standard protocol behavior
Qualys
Qualys is a comprehensive, cloud-based cybersecurity and vulnerability management platform designed to help organizations identify, prioritize, and remediate security vulnerabilities across their IT infrastructure.
Features/Use Cases:
* Vulnerability Management
* Asset Inventory
* Patch Management
* Compliance Monitoring
* Web Application Scanning
* Network Security
* Container Security
* Cloud Security Posture Management (CSPM)
* File Integrity Monitoring (FIM) and SIEM Integration
* Continuous Monitoring
Which one of the following technologies, when used within an organization, is the least likely to interfere with vulnerability scanning results achieved by external penetration testers?
- Encryption
- Firewall
- Containerization
- Intrusion prevention system
Encryption
Encryption technology is unlikely to have any effect on the results of vulnerability scans because it does not change the services exposed by a system. Firewalls and intrusion prevention systems may block inbound scanning traffic before it reaches target systems. Containerized and virtualized environments may prevent external scanners from seeing services exposed within the containerized or virtualized environment.
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
- Domain administrator
- Local administrator
- Root
- Read‐only
Read‐only
Credentialed scans only require read‐only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
- CVSS
- CVE
- CPE
- OVAL
CPE
Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.
CPE
Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.
CVSS
The Common Vulnerability Scoring System (CVSS) is an industry-standard framework used to assess the severity of security vulnerabilities.
It provides a quantitative method to rate vulnerabilities based on factors like exploitability and potential impact, helping cybersecurity professionals prioritize their response actions
OVAL
The Open Vulnerability and Assessment Language (OVAL) is a standardized language used for specifying low-level testing procedures in security checklists. It enables consistent and automated testing to detect vulnerabilities and misconfigurations in systems
Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black‐box test. When would it be appropriate to conduct an internal scan of the network?
- During the planning stage of the test
- As soon as the contract is signed
- After receiving permission from an administrator
- After compromising an internal host
After compromising an internal host
Because this is a black‐box scan, Ken should not (and most likely cannot) conduct an internal scan until he first compromises an internal host. Once he gains this foothold on the network, he can use that compromised system as the launching point for internal scans.
Which type of organization is the most likely to be impacted by a law requiring them to conduct vulnerability scans?
- Bank
- Hospital
- Government agency
- Doctor’s office
Government agency
The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors’ offices, does not include a vulnerability scanning requirement, nor does the Gramm–Leach–Bliley Act, which covers financial institutions.
Which one of the following categories of systems is most likely to be disrupted during a vulnerability scan?
- External web server
- Internal web server
- IoT device
- Firewall
IoT device
Internet of Things (IoT) devices are examples of nontraditional systems that may be fragile and highly susceptible to failure during vulnerability scans. Web servers and firewalls are typically designed for exposure to wider networks and are less likely to fail during a scan.
What term describes an organization’s willingness to tolerate risk in their computing environment?
- Risk landscape
- Risk appetite
- Risk level
- Risk adaptation
Risk appetite
The organization’s risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk‐averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.
Which one of the following factors is least likely to impact vulnerability scanning schedules?
- Regulatory requirements
- Technical constraints
- Business constraints
- Staff availability
Staff availability
Scan schedules are most often determined by the organization’s risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations. Most scans are automated and do not require staff availability.
Adam is conducting a penetration test of an organization and is reviewing the source code of an application for vulnerabilities. What type of code testing is Adam conducting?
- Mutation testing
- Static code analysis
- Dynamic code analysis
- Fuzzing
Static code analysis
Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.
Which one of the following activities is not part of the vulnerability management life cycle?
A. Detection
B. Remediation
C. Reporting
D. Testing
Reporting
Although reporting and communication are an important part of vulnerability management, they are not included in the life cycle. The three life‐cycle phases are detection, remediation, and testing.
Vulnerability Management Lifecycle
Three phases:
- Detection
- Remediation
- Testing
What approach to vulnerability scanning incorporates information from agents running on the target servers?
A. Continuous monitoring
B. Ongoing scanning
C. On‐demand scanning
D. Alerting
Continuous monitoring
Continuous monitoring incorporates data from agent‐based approaches to vulnerability detection and reports security‐related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.
Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?
A. Low impact
B. Moderate impact
C. High impact
D. Severe impact
Moderate impact
Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
CVSS
CVE
CPE
XCCDF
CVSS
The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Jessica could use this scoring system to prioritize issues raised by different source systems.
SCAP
SCAP, or Security Content Automation Protocol, is a framework defined by the National Institute of Standards and Technology (NIST) for
standardizing format/exchange of system security information.
It provides a structured way to manage vulnerabilities, automate security checks, and assess compliance with security policies.
XCCDF
Extensible Configuration Checklist Description Format
a standard that is part of the SCAP framework. It provides a structured, XML-based format for
* describing security checklists
* benchmarks
* configuration baselines.
These descriptions are used to assess and measure the security state of systems against defined security policies or standards.
features:
- Standardization
- Automation
- Interoperability
Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next?
A. Report the vulnerability to the client’s IT manager.
B. Consult the SOW.
C. Report the vulnerability to the developer.
D. Exploit the vulnerability.
Consult the SOW.
Penetration testers should always consult the statement of work (SOW) for guidance on how to handle situations where they discover critical vulnerabilities. The SOW may require reporting these issues to management immediately, or it may allow the continuation of the test exploiting the vulnerability.
