Chapter 10 - Vulnerability and Risk Assessment

Question 1

Which type of vulnerability assessments software can check for weak passwords
on the network?
A. Wireshark
B. Antivirus software
C. Performance Monitor
D. A password cracker

Answer 1

D. A password cracker can check for weak passwords on the network. Antivirus software can scan for viruses on a computer. Performance Monitor enables you to create baselines to check the performance of a computer. Wireshark is a protocol analyzer.

Question 2

You are contracted to conduct a forensics analysis of the computer.  What should you do first?
A. Back up the system.
B. Analyze the files.
C. Scan for viruses.
D. Make changes to the operating system.

Answer 2

A. Back up the system before you do anything else. This way, you have a backup copy in case anything goes wrong when you analyze or make changes to the system.

Question 3

Which of the following has schemas written in XML?
A. OVAL
B. 3DES
C. WPA
D. PAP

Answer 3

A. OVAL (Open Vulnerability and Assessment Language) uses XML as a framework for the language. It is a community standard dealing with the standardization of information transfer. 3DES is an encryption algorithm. WPA is a wireless encryption standard, and the deprecated PAP is the Password Authentication Protocol, used for identifying users to a server.

Question 4

Russ is using only documentation to test the security of a system. What type of testing methodology is this known as?
A. Active security analysis
B. Passive security analysis
C. Hybrid security analysis
D. Hands-on security analysis

Answer 4

B. Passive security analysis or passive security testing would be one that possibly does not include a hands-on test. It is less tangible and often includes the use of documentation only. To better protect a system or network, a person should also use active security analysis.

Question 5

Of the following which is the best way for a person to find out what security holes exist on the network?
A. Run a port scan.
B. Use a network sniffer.
C. Perform a vulnerability assessment.
D. Use an IDS solution.

Answer 5

C. The best way to find all the security holes that exist on a network is to perform a vulnerability assessment. This may include utilizing a port scanner and using a network sniffer and perhaps using some sort of IDS.

Question 6

After using NMAP to do a port scan of your server, you find that several ports are open. Which of the following should you do next?
A. Leave the ports open and monitor them for malicious attacks.
B. Run the port scan again.
C. Close all ports.
D. Examine the services and/or processes that use those ports.

Answer 6

D. If you find ports open that you don’t expect, be sure to examine the services and or processes that use those ports. You may have to close some or all those ports. When you finish with your examination, and after you have taken action, run the port scan again to verify that those ports are closed.

Question 7

Which of the following is a vulnerability assessment tool?
A. John the Ripper
B. AirSnort
C. Nessus
D. Cain & Abel

Answer 7

C. Nessus is a vulnerability assessment tool. AirSnort is used to crack wireless encryption codes. John the Ripper and Cain & Abel are password cracking programs.

Question 8

You are a consultant for an IT company. Your boss asks you to determine the topology of the network. What is the best device to use in this circumstance?
A. Network mapper
B. Protocol analyzer
C. Port scanner
D. A vulnerability scanner

Answer 8

A. A network mapper is the best tool to use to determine the topology of the network and to find out what devices and computers reside on that network. An example of this would be LAN Surveyor.

Question 9

Which of the following can enable you to find all the open ports on an entire network?
A. Protocol analyzer
B. Network scanner
C. Firewall
D. Performance monitor

Answer 9

B. A network scanner is a port scanner used to find open ports on multiple computers on the network. A protocol analyzer is used to delve into packets. A firewall protects a network, and a performance monitor is used to create baselines for and monitor a computer.

Question 10

What can hackers accomplish using malicious port scanning?
A. “Fingerprint” of the operating system
B. Topology of the network
C. All the computer names on the network
D. All the usernames and passwords

Answer 10

A. Port scanning can be used in a malicious way to find out all the openings to a computer’s operating system; this is known as the “fingerprint” of the operating system. Port scanning cannot find out the topology of the network,
computer names, usernames, or passwords.

Question 11

Many companies send passwords via clear text. Which of the following can view these passwords?
A. Rainbow Table
B. Port scanner
C. John the Ripper
D. Protocol analyzer

Answer 11

D. A protocol analyzer can delve into the packets sent across the network and determine whether those packets contain clear-text passwords. Rainbow Tables and John the Ripper deal with cracking passwords that were previously encrypted; they aren’t necessary if the password were sent via clear text. Port scanners scan computers for any open ports.

Question 12

Which of the following persons is ultimately in charge of deciding how much residual risk there will be?
A. Chief security officer
B. Security administrator
C. Senior management
D. Disaster Recovery Plan coordinator

Answer 12

C. Residual risk is the risk left over after a security and disaster recovery plan have been implemented. There is always risk, because a company cannot possibly foresee every future event, nor can it secure against every single threat. Senior management as a collective whole is ultimately responsible for deciding how much residual risk there will be in a company’s network. No one person should be in charge of this, but it should be decided on as a group. If the group decides that residual risk is too high, the group might decide to get insurance in addition to its security plan. The security administrator is in charge of finding and removing risks to the network and systems and should mitigate risks if possible. The disaster recovery plan (DRP) coordinator usually assesses risks and documents them, along with creating strategies to defend against any disastrous problems that might occur from that risk, but that person does not decide on the amount of acceptable residual risk to a company.

Question 13

To show risk from a monetary standpoint, which of the following should risk assessments be based upon?
A. Survey of loss, potential threats, and asset value
B. Quantitative measurement of risk, impact, and asset value
C. Complete measurement of all threats
D. Qualitative measurement of risk and impact

Answer 13

B. When dealing with dollars, risk assessments should be based upon a quantitative measurement of risk, impact, and asset value.

Question 14

The main objective of risk management in an organization is to reduce risk to a level \_\_\_\_\_\_\_\_\_\_\_\_\_. (Fill in the blank.)
A. The organization will mitigate
B. Where the ARO equals the SLE
C. The organization will accept
D. Where the ALE is lower than the SLE

Answer 14

C. The main objective of risk management is to reduce risk to a level that the organization or company will accept. Mitigation is the act of reducing threats in general.

Question 15

Why would a security administrator use a vulnerability scanner? (Select the best answer.)
A. To identify remote access policies
B. To analyze protocols
C. To map the network
D. To find open ports on a server

Answer 15

D. The best answer for why a security administrator would use a vulnerability scanner is to find open ports on a particular computer. Although a vulnerability scanner can do more than scan for open ports, it is the best answer listed.

Question 16

An example of a program that does comparative analysis is what?
A. Protocol analyzer
B. Password cracker
C. Port scanner
D. Event Viewer

Answer 16

B. A password cracker is considered to be a program that does comparative analysis. It systematically guesses the password and compares all previous guesses before making new ones until it cracks the password.

Question 17

Why do hackers often target nonessential services? (Select the two best answers.)
A. Often they are not configured correctly.
B. They are not monitored as often.
C. They are not used.
D. They are not monitored by an IDS.

Answer 17

A and B. Nonessential services are often not configured and secured by the network administrator; this goes hand-in-hand with the fact that they are not
monitored as often as essential services. It is imperative that network administrators scan for nonessential services and close any corresponding ports. Even though services may be nonessential, that doesn’t necessarily mean that they are not used. An IDS, if installed properly, should monitor everything on a given system.

Question 18

Which of the following tools uses ICMP as its main underlying protocol?
A. Ping scanner
B. Port scanner
C. Image scanner
D. Barcode scanner

Answer 18

A. A ping scanner uses the Internet Control Message Protocol (ICMP) to conduct its scans. Ping uses ICMP as its underlying protocol and IP and ARP. Image scanners are found in printers and as standalone items that scan images, photos, and text into a computer. Barcode scanners are used to scan barcodes, for example, at the supermarket.

Question 19

Which command would display the following output?
Active Connections
Proto                     TCP
Local Address       laptop-musicxpc:1395
Foreign Address   8.15.228.165:http
State                     ESTABLISHED
A. Ping
B. Ipconfig
C. Nbtstat
D. Netstat

Answer 19

D. Netstat shows sessions including the local computer and remote computer. It shows these connections by computer name (or IP) and port name (or number).

Question 20

Which of the following is used when performing a quantitative risk analysis?
A. Asset value
B. Surveys
C. Focus groups
D. Best practices

Answer 20

A. Asset value is assigned when performing quantitative risk analysis. Surveys, focus groups, and best practices might help with qualitative risk analysis but do not offer concrete data that a quantitative risk analysis requires. Money is the key ingredient here when it comes to quantitative risk analysis.

Question 21

You have been tasked with running a penetration test on a server.  You have been given limited knowledge about the inner workings of the server.  What kind of test will you be performing?
A. White box
B. Gray box
C. Black box
D. Passive vulnerability scan

Answer 21

B. When you are given limited information of a system or network, it is known as gray box testing. White box testing is when you are given in-depth or complete information about the system. Black box testing is when you know very little (or nothing) about the system to be tested. Penetration tests are active and are meant to test for a single threat and exploit it. Passive vulnerability
scans are different tests altogether and test for as many threats as they can find, without exploiting one of them.

Question 22

Which of the following is a technical control?
A. Disaster recovery plan
B. Baseline configuration development
C. Least privilege implementation
D. Categorization of system security

Answer 22

C. The least privilege concept is executed as a technical control. A process that is severely limited in its functionality and a user who has very limited rights are some of the things that must be initiated technically. A disaster recovery plan and baseline configuration development would be operational controls. The categorization of system security would be a management control.

Question 23

Which of the following is a detective security control?
A. Bollards
B. Firewall
C. Tape backup
D. CCTV

Answer 23

D. Close-circuit television is an example of a detective security control. It can detect who is entering a building and when it happened. Bollards (vertical posts) and firewalls are preventive controls, while tape backup is a corrective control.

Question 24

Which of the following is a management control?
A. Least privilege implementation
B. Baseline configuration development
C. Vulnerability scanning
D. Session locks

Answer 24

C. Vulnerability scanning, as it is part of vulnerability management would be a management control. least privilege implementation and session locks would be examples of technical controls. Baseline configuration development would be an example of an operational control.

Question 25

Which of the following would you make use of when performing a qualitative risk analysis?
A. Judgment
B. Asset value
C. Threat frequency
D. SLE

Answer 25

A. When performing a qualitative risk analysis a person often uses his own judgment. Asset value, threat frequency, and SLE (single loss expectancy) are all components of a quantitative risk analysis.

Question 26

What is the best action to take when you conduct a corporate vulnerability assessment?
A. Document your scan results for the change control board
B. Examine vulnerability data with a network sniffer
C. Update systems
D. Organize data based on severity and asset value

Answer 26

D. When conducting vulnerability assessments you should organize the collected data by vulnerability and exploit severity as well as the asset value of the possibly affected equipment/systems. Documenting your scan results for a change control board may come later depending on some decision making by the corporation. You should have already used a network sniffer to find vulnerabilities and possible exploits. Updating the systems will most likely happen at some point, but for the time being, it should be a recommendation within your vulnerability assessment. Management will decide how and if that will occur.

Question 27

You are implementing a new enterprise database server. After you evaluate the product with various vulnerability scans you determine that the product is not a threat in of itself but it has the potential to introduce new vulnerabilities to your network.  Which assessment should you now take into consideration while you continue to evaluate the database server?
A. Risk assessment
B. Code assessment
C. Vulnerability assessment
D. Threat assessment

Answer 27

A. If a new solution poses the potential for new vulnerabilities to your network, you should run an in-depth risk assessment of the new product. In this case, we are not yet doing any coding, so a code assessment is not necessary, but should be implemented as part of a secure code review in the case that we make any programming changes to the database server. You have already run a vulnerability assessment when you did the vulnerability scans. You found that the solution is not a threat but could pose other threats. The risk assessment defines what kind of issues your organization could face due to the threats and vulnerabilities.

Question 28

Why should penetration testing only be done during controlled conditions?
A. Because vulnerability scanners can cause network flooding
B. Because penetration testing actively tests security controls and can cause system instability
C. Because white box penetration testing cannot find zero-day attacks
D. Because penetration testing passively tests security controls and can cause system instability

Answer 28

B. Penetration testing is an active test that seeks to exploit one vulnerability. It can indeed cause system instability, so it should be run only during controlled conditions and with express consent of the system owner. Vulnerability scanners are usually passive and should not cause network flooding. Zero-day attacks are based on vulnerabilities that are unknown to the system designer. In a white box testing environment, zero-day vulnerabilities may become uncovered (at which point they are not quite zero-day anymore), but the fact remains that penetration testing can cause system instability.