Chap 4 - Vulnerability Scanning Flashcards

1
Q

SQLMap

A

SQLmap is an open-source penetration testing tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications.

SQLmap is used to identify and exploit SQL injection flaws, which involve injecting malicious SQL commands into a web application to gain unauthorized access to, or manipulate, sensitive database information.

2
Q

OpenVAS

A

OpenVAS, or Open Vulnerability Assessment System, is an open-source vulnerability scanning and management tool designed to help organizations identify and manage security weaknesses in their systems and networks.

3
Q

Gary is conducting a black‐box penetration test against an organization and is being provided with the results of vulnerability scans that the organization already ran for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test?

  • Stealth internal scan
  • Full internal scan
  • Stealth external scan
  • Full external scan
A

Full external scan

A full scan is likely to provide more useful and actionable results because it includes more tests. There is no requirement in the scenario that Gary avoid detection, so a stealth scan is not necessary. However, this is a black‐box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network.

4
Q

What tool can white‐box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans?

  • Asset inventory
  • Web application assessment
  • Router
  • DLP
A

Asset inventory

An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans. It is appropriate to share this information with penetration testers during a white‐box penetration test.

5
Q

Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?

  • Daily
  • Weekly
  • Monthly
  • Quarterly
A

Quarterly

PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.

6
Q

Which one of the following is not an example of a vulnerability scanning tool?

  • Qualys
  • Snort
  • Nessus
  • OpenVAS
A

Snort

QualysGuard, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.

7
Q

Snort

A

Snort is an open-source network intrusion detection and prevention system (IDS/IPS) that plays a crucial role in enhancing network security by monitoring, analyzing, and responding to network traffic. Here are the key aspects of Snort:

Snort can be configured to operate in three primary modes:
* Sniffer Mode: Snort reads and displays network packets on the console, similar to tools like tcpdump or Wireshark.
* Packet Logger Mode: It logs network packets to a disk file, which is useful for network traffic debugging and analysis.
* Network Intrusion Detection and Prevention System (NIDS/NIPS) Mode: This is the most critical mode, where Snort monitors network traffic, compares it against a user-defined rule set, and takes action when suspicious activity is detected.

Snort uses several detection techniques:
* Signature-Based Detection: It compares network packets against a database of preconfigured signatures linked to known threats. These signatures include information about IP addresses, ports, protocols, and content patterns.
* Anomaly-Based Detection: Snort identifies unusual network traffic patterns that deviate from normal, expected traffic.
* Protocol-Based Inspection: It analyzes network protocols to detect deviations from standard protocol behavior.

8
Q

Qualys

A

Qualys is a comprehensive, cloud-based cybersecurity and vulnerability management platform designed to help organizations identify, prioritize, and remediate security vulnerabilities across their IT infrastructure.

Features/Use Cases:
* Vulnerability Management
* Asset Inventory
* Patch Management
* Compliance Monitoring
* Web Application Scanning
* Network Security
* Container Security
* Cloud Security Posture Management (CSPM)
* File Integrity Monitoring (FIM) and SIEM Integration
* Continuous Monitoring

9
Q

Which one of the following technologies, when used within an organization, is the least likely to interfere with vulnerability scanning results achieved by external penetration testers?

  • Encryption
  • Firewall
  • Containerization
  • Intrusion prevention system
A

Encryption

Encryption technology is unlikely to have any effect on the results of vulnerability scans because it does not change the services exposed by a system. Firewalls and intrusion prevention systems may block inbound scanning traffic before it reaches target systems. Containerized and virtualized environments may prevent external scanners from seeing services exposed within the containerized or virtualized environment.

10
Q

Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?

  • Domain administrator
  • Local administrator
  • Root
  • Read‐only
A

Read‐only

Credentialed scans only require read‐only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

11
Q

Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?

  • CVSS
  • CVE
  • CPE
  • OVAL
A

CPE

Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

12
Q

CPE

A

Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

13
Q

CVSS

A

The Common Vulnerability Scoring System (CVSS) is an industry-standard framework used to assess the severity of security vulnerabilities.

It provides a quantitative method to rate vulnerabilities based on factors like exploitability and potential impact, helping cybersecurity professionals prioritize their response actions.

14
Q

OVAL

A

The Open Vulnerability and Assessment Language (OVAL) is a standardized language used for specifying low-level testing procedures in security checklists. It enables consistent and automated testing to detect vulnerabilities and misconfigurations in systems.

15
Q

Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black‐box test. When would it be appropriate to conduct an internal scan of the network?

  • During the planning stage of the test
  • As soon as the contract is signed
  • After receiving permission from an administrator
  • After compromising an internal host
A

After compromising an internal host

Because this is a black‐box scan, Ken should not (and most likely cannot) conduct an internal scan until he first compromises an internal host. Once he gains this foothold on the network, he can use that compromised system as the launching point for internal scans.

16
Q

Which type of organization is the most likely to be impacted by a law requiring them to conduct vulnerability scans?

  • Bank
  • Hospital
  • Government agency
  • Doctor’s office
A

Government agency

The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors’ offices, does not include a vulnerability scanning requirement, nor does the Gramm–Leach–Bliley Act, which covers financial institutions.

17
Q

Which one of the following categories of systems is most likely to be disrupted during a vulnerability scan?

  • External web server
  • Internal web server
  • IoT device
  • Firewall
A

IoT device

Internet of Things (IoT) devices are examples of nontraditional systems that may be fragile and highly susceptible to failure during vulnerability scans. Web servers and firewalls are typically designed for exposure to wider networks and are less likely to fail during a scan.

18
Q

What term describes an organization’s willingness to tolerate risk in their computing environment?

  • Risk landscape
  • Risk appetite
  • Risk level
  • Risk adaptation
A

Risk appetite

The organization’s risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk‐averse, it may choose to conduct scans more frequently to minimize the amount of time between when a vulnerability comes into existence and when it is detected by a scan.

19
Q

Which one of the following factors is least likely to impact vulnerability scanning schedules?

  • Regulatory requirements
  • Technical constraints
  • Business constraints
  • Staff availability
A

Staff availability

Scan schedules are most often determined by the organization’s risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations. Most scans are automated and do not require staff availability.

20
Q

Adam is conducting a penetration test of an organization and is reviewing the source code of an application for vulnerabilities. What type of code testing is Adam conducting?

  • Mutation testing
  • Static code analysis
  • Dynamic code analysis
  • Fuzzing
A

Static code analysis

Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.

21
Q

Which one of the following activities is not part of the vulnerability management life cycle?

A. Detection
B. Remediation
C. Reporting
D. Testing

A

Reporting

Although reporting and communication are an important part of vulnerability management, they are not included in the life cycle. The three life‐cycle phases are detection, remediation, and testing.

22
Q

Vulnerability Management Lifecycle

A

Three phases:

  1. Detection
  2. Remediation
  3. Testing

23
Q

What approach to vulnerability scanning incorporates information from agents running on the target servers?

A. Continuous monitoring
B. Ongoing scanning
C. On‐demand scanning
D. Alerting

A

Continuous monitoring

Continuous monitoring incorporates data from agent‐based approaches to vulnerability detection and reports security‐related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.

24
Q

Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?

A. Low impact
B. Moderate impact
C. High impact
D. Severe impact

A

Moderate impact

Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

25
Q

Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?

  • CVSS
  • CVE
  • CPE
  • XCCDF

A

CVSS

The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Jessica could use this scoring system to prioritize issues raised by different source systems.

26
Q

SCAP

A

SCAP, or Security Content Automation Protocol, is a framework defined by the National Institute of Standards and Technology (NIST) for standardizing the format and exchange of information related to system security.

It provides a structured way to manage vulnerabilities, automate security checks, and assess compliance with security policies.

27
Q

XCCDF

A

Extensible Configuration Checklist Description Format

XCCDF is a standard that is part of the SCAP framework. It provides a structured, XML-based format for describing security checklists, benchmarks, or configuration baselines. These descriptions are used to assess and measure the security state of systems against defined security policies or standards.

Features:
* Standardization
* Automation
* Interoperability

28
Q

Sarah is conducting a penetration test and discovers a critical vulnerability in an application. What should she do next?

A. Report the vulnerability to the client’s IT manager.
B. Consult the SOW.
C. Report the vulnerability to the developer.
D. Exploit the vulnerability.

A

Consult the SOW.

Penetration testers should always consult the statement of work (SOW) for guidance on how to handle situations where they discover critical vulnerabilities. The SOW may require reporting these issues to management immediately, or it may allow the continuation of the test exploiting the vulnerability.