Chapter 5: Implementing Vulnerability Management Processes Flashcards
A company needs a vulnerability scan performed on its internal network. After the company
consults with an external cybersecurity analyst, the analyst immediately begins drafting a
contract to outline conditions to be met for the scan. These conditions include limiting
who is allowed to view the results, specifying what servers and data must not be accessed
under any circumstances, and satisfying the company’s need for two types of scans to be
done quarterly. Which of the following is the most likely reason behind these conditions?
A. Regulatory requirements
B. Security policy
C. Analyst’s recommendation
D. Past experience deems the contract prudent
A is correct. Regulatory requirements are by far the most likely driver of the contract.
The conditions stated are examples of regulatory requirements.
B, C, and D are incorrect. B is incorrect because although security policy is also a
likely reason behind the contract, the sample requirements are similar to HIPAA and
PCI DSS requirements. C is incorrect because the analyst would offer the suggestion
but not likely draft a contract with those specific conditions. D is incorrect because
experience would not be the most likely cause.
Regulatory requirements can specify the need for vulnerability scanning when a company
is in the financial or health industry. However, what best specifies vulnerability scanning
as a requirement without regulatory requirement?
A. CISO mandate
B. Local and/or national legislation
C. Corporate policy
D. NIST 800-53
C is correct. Corporate policy is the most likely internal source of such requirements.
A, B, and D are incorrect. A is incorrect because a CISO could require the scanning
but would do so via policy. B is incorrect because legislation suggests regulatory
requirements. D is incorrect because NIST 800-53 suggests but does not mandate
vulnerability scanning.
What is a technique that allows a company to vary resources spent toward protecting data
according to a set value?
A. Data encryption
B. Data classification
C. Data criticality
D. Data storage location
B is correct. Data classification provides a method of allocating resources in varying
amounts based on the criticality or sensitivity of the data.
A, C, and D are incorrect. A is incorrect because encryption does protect data but not
according to its value. C is incorrect because criticality is an attribute that can classify
the data, not a means to protect it. D is incorrect because storage location is not a
practical primary means of protecting data according to its value.
With regard to asset inventory, how would a cybersecurity analyst classify assets such as
financial systems, intellectual property, and a customer-facing ordering system?
A. Noncritical
B. Sensitive
C. Credentialed
D. Critical
D is correct. Those asset examples should be deemed critical, versus noncritical.
A, B, and C are incorrect. A is incorrect because those assets are certainly critical
assets. B is incorrect because while the assets might have sensitive data, the assets
themselves are critical. C is incorrect because credentialed is not a type of asset.
When a company is developing a vulnerability management plan, its assets must be
inventoried. Which of the following asset types would be included? (Choose all that apply.)
A. Noncritical
B. Critical
C. Critical only
D. On-site and assets of partners and suppliers
A and B are correct. Critical and noncritical assets both should be inventoried when
developing a vulnerability management plan.
C and D are incorrect. C is incorrect because a company can inventory all its
assets, whether on-site, mobile, or company assets currently at remote locations.
D is incorrect because partner and supplier assets are not within a company’s scope
to be tracked.
The frequency with which a company performs vulnerability scanning is dependent upon
which of the following criteria? (Choose all that apply.)
A. Scanning policy
B. Vulnerability management planning
C. Risk appetite
D. Regulatory requirements
E. Limitations of time, tools, and personnel
A, B, C, D, and E are correct. All of those criteria are important factors in determining
vulnerability scanning frequency.
The cybersecurity analyst must consider several factors when determining vulnerability
scanning frequency. Criteria such as network bandwidth, systems’ CPU capacity, and
number of qualified personnel are examples of which of the following?
A. Soft restrictions
B. Regulatory requirements
C. Technical constraints
D. Budgetary limitations
C is correct. These are examples of technical constraints.
A, B, and D are incorrect. A is incorrect because “soft restrictions” is not a commonly
used term, and it suggests something other than hardware anyway. B is incorrect
because regulatory requirements would not include these sample criteria to determine
frequency. D is incorrect because although a budgetary limitation might impact these
technical aspects, it would not positively help to determine scanning frequency.
Apart from policies and regulatory requirements, what creates the largest impact on
establishing an effective vulnerability scanning process?
A. Regular routine and workflow of personnel
B. Management style of the IT director or head of security
C. Mandates from the chief of information security
D. Personal whims of the CEO
A is correct. The regular routine of personnel has a huge enabling impact on
vulnerability scanning and management.
B, C, and D are incorrect. The management style of and mandates from supervisory
staff and executives are effectively the same as policy.
When a company is configuring tools to perform vulnerability scans, which of the following
would be the earliest step?
A. Choosing the tool plug-ins
B. Generating reports
C. Establishing permissions and scanning credentials
D. Establishing scanning criteria
D is correct. Establishing scanning criteria would come before the other options.
A, B, and C are incorrect. A is incorrect because choosing the correct plug-ins would
come after determining what plug-ins are needed—after establishing the scanning
criteria. B is incorrect because reports aren’t generated before scanning. C is incorrect
because credentials and permissions would follow deciding which systems to scan and
other criteria.
A cybersecurity analyst is performing a vulnerability scan of a few systems, including a
server processing protected health information (PHI). The scan of all servers completed
successfully, with no interruption of service. To demonstrate proof of weaknesses found
during the vulnerability scan, the analyst manages to exfiltrate documents from each server.
Which of the following specifications of vulnerability scanning did the analyst likely breach?
A. Using credentials when a noncredentialed scan would suffice.
B. No vulnerability feed was evidenced.
C. Permissions set incorrectly.
D. Considering the sensitivity of the data on the scanned systems.
E. Using agents when a server-based scan would suffice.
D is correct. The sensitivity of the data, particularly the PHI, means no exfiltration
can happen.
A, B, C, and E are incorrect. A is incorrect because there is no mention of credentials.
B is incorrect because, while the vulnerability scan specification might have detailed
the requirement for a vulnerability feed, there is no evidence this was ignored or
violated. C is incorrect because permissions didn’t seem to impact the success of the
scan. E is incorrect because the scan completed successfully, regardless of whether
agents were used.
Which of the following reasons are valid arguments for using server-based vulnerability
scanning instead of agent-based scanning? (Choose all that apply.)
A. Erratic connectivity to remote and mobile devices
B. Limited bandwidth
C. Limited personnel availability for maintenance
D. Occasional rogue device connecting to the network
C and D are correct. Less availability of security staff to maintain the scanning agents
would be a vote in favor of server-based scanning. Also, a server-based architecture
would scan the entire network space and thus be able to detect rogue devices without
an agent being installed.
A and B are incorrect. A is incorrect because erratic connectivity equates to erratic
accessibility of the server-based scan; therefore, agent-based scanning is best for
devices not consistently connected to the company network. B is incorrect because
agent-based scanning sends only results; therefore, it requires less bandwidth,
meaning any limitation on network capacity favors agent-based scanning.
When it comes time to execute a vulnerability scan, what are optional tools you might use
to launch it? (Choose all that apply.)
A. Nessus
B. Burp Suite
C. OpenVAS
D. Vega
E. FTK
F. Nikto
It’s time to deliver a vulnerability report to the stakeholders. What are your options for
distribution? (Choose all that apply.)
A. Automated delivery via the report generation component of the vulnerability scanner
B. Delivered entirely via e-mail to all administrators
C. Delivered manually, through face-to-face meetings
D. E-mailing only the portions immediately relevant to the individual
A and C are correct. There are two ways to distribute scan results: automated and
manual distribution. Some vulnerability tools possess the means to automatically
distribute reporting. Still, for the sake of confidentiality, delivering via a face-to-face
meeting is preferred, if practical.
B and D are incorrect. A vulnerability report contains sensitive information, including
the organization’s security weaknesses. No part of a vulnerability report should be
delivered via e-mail due to the open nature of such communications.
What remediation step requires careful discussion concerning the scan results, with
the goal of satisfying both the concerns of technical staff and the organization’s
business objectives?
A. Validation of the results
B. Prioritization of the results
C. Distribution of the results
D. Categorization of the results
B is correct. Prioritization is the goal—that is, to discuss the results and decide on the
next steps in remediation. Far too often results can be overwhelming if the focus is to
“fix everything now.”
A, C, and D are incorrect. A is incorrect because, although validation is a correct
step, it’s generally a task done by an internal technical team, not shared among
management. C is incorrect because distribution was already carefully decided upon
and can be found in the statement of work. D is incorrect because categorization is
not such a delicate discussion.
After you complete your scan, creating heaps of output, you need to prepare a report.
What are your options?
A. As vulnerability tools rarely generate reports, there’s no need for a report.
B. It’s common to pipe vulnerability tool output to a report generation tool.
C. Nearly all vulnerability scanners generate standardized reports via XML.
D. Every vulnerability tool generates some kind of report, but not using a
standardized format.
D is correct. Essentially every vulnerability scanner has a way of reporting on the
results. Whereas some send output to the screen, others can package results in a PDF,
CSV, XML, or other format.
A, B, and C are incorrect. A is incorrect because a report is necessary, regardless
whether the scanning tool itself generates it. B is incorrect because it’s not common
to direct results to a separate reporting tool. C is incorrect because XML is not a
standardized format for results.
Figure 5-1 shows the top portion of the results screen in Nessus when a scan has
completed. The wide bar across the top separates quantities of results in varying colors.
What is Nessus distinguishing by using colors?
A. Scope
B. Chronological order of the scan execution
C. Association to the vulnerability feeds used
D. Criticality of the findings
D is correct. The colors separating the results are used to distinguish between the
criticality or severity levels of the results.
A, B, and C are incorrect. A is incorrect because the colors have nothing to do
with scope. B is incorrect because the order in which the scan was done has little
to no impact on the end results or how they are presented. C is incorrect because
vulnerability feeds are irrelevant to the presentation of the results.
The chief information security officer is among many at a meeting about the vulnerability
scan results. Everyone has the same table, shown in Figure 5-2. The discussion is focused
on how to order the findings to remediate. The cybersecurity analyst focuses on criticality,
wanting to fix the findings in the order shown: A, B, C, then D. The CISO instead wants
the remediation order to be C, B, A, then D. What aspect caused the CISO to change the
order of remediation?
A. Criticality
B. Cost
C. Effort to fix
D. Alphabetical
C is correct. Based on the order the CISO prefers (C, B, A, D), it seems difficulty
of implementation is the guiding factor. A good strategy is to follow up on the
“low-hanging fruit,” or perform fairly simple remediation first.
A, B, and D are incorrect. A is incorrect because criticality would be A, B, C, D
order. B is incorrect because cost would be B, D, A, C order. D is incorrect because
remediating by alphabetical order, in addition to being a bit silly, would be A, B, C, D.
Patching is an important preventative control in ensuring a system’s security. Patches
generally improve the stability of a system and, in the case of security patches, remediate
a vulnerability. However, on the rare occasion a patch gets released that opens up a
different vulnerability, perhaps more severe than the weakness the patch originally aimed
to strengthen. What is the suggested method for mitigating the risk of an errant patch?
A. Communicate directly with the patch vendor.
B. Wait for others to install the patch, in case of bad news.
C. Have a safe environment as a sandbox for testing patched systems.
D. Don’t install patches.
C is correct. Patching is necessary, but there are rare times when patching goes
bad. Always have a sandbox or testing stage for monitoring the effect of patches
on systems.
A, B, and D are incorrect. A is incorrect because the vendor will naturally say the
patch is fine. B is incorrect because waiting for others isn’t a viable strategy, especially
for critical patches. D is incorrect because not patching isn’t going to work in the
long run.
After the results of a vulnerability scan were prioritized into remediation steps, a
company’s cybersecurity team began working on implementing those steps. All systems
that were affected by the remediation team continued operating as expected, except for
one. One server’s application stopped functioning, no longer able to reach other systems.
The system owner could not figure out why or how the system just stopped working.
What overall process seems most at fault here?
A. Communication/change control
B. Patching/remediation
C. Business continuity
D. Systems administration
A is correct. Communication and practicing proper change control are very likely the
cause for the unexpected application disconnect. Whether a previously open network
port was closed or a service deemed unnecessary was shut down is in the past.
Change control, if done correctly, should have alerted the systems owner to changes
impacting the application.
B, C, and D are incorrect. B is incorrect because patching and remediation are too
granular. Yes, remediation was the direct cause, but not the shortfall that allowed
remediation to become a problem. C is incorrect because business continuity deals
with resuming operations after a significant outage. D is incorrect because system
administration wasn’t at fault but rather likely what helped resolve the problem.
A cybersecurity analyst is hired by a company to conduct a vulnerability scan on its
servers. In the process of scanning a particular server, the analyst comes across evidence
that suggests the system has a great many open vulnerabilities. What should the analyst
do to properly respond to this?
A. Speak to the CISO in confidence about the server.
B. Speak to the internal information security team.
C. Consult the MOU or ROE.
D. Write up a formal SLA specific to that server.
C is correct. The memorandum of understanding (MOU), or scope of the
vulnerability scan, would include details on how to respond to finding evidence.
The rules of engagement (ROE) should also specify detailed expectations on
interacting with systems. The MOU and ROE contain the answers to questions
such as “What do we do now?”
A, B, and D are incorrect. A is incorrect, unless the MOU and ROE specifically
named the CISO as the point of contact for such findings. B is incorrect for the
same reason—the MOU and ROE would need to name that team as the contact
in order for this to be the correct answer. D is incorrect because an SLA has no
relevance here.
What term is used to describe a contract made between units within an organization
(for example, between IT and HR) to outline the service expectations, including roles
and responsibilities?
A. MOU
B. SLA
C. IOU
D. ROE
B is correct. A service level agreement (SLA) is a contract between units within an
organization, or even between an organization and third party, to specify the service’s
availability, response, and other expectations.
All-In-One_PE / CompTIA CySA+® Cybersecurity Analyst Certification Practice Exams / Jeff Parker / 701-4 / Chapter 5
A, C, and D are incorrect. A is incorrect because a memorandum of understanding
(MOU) is an agreement that’s more about expectations for an event or partnership,
such as a vulnerability scan. C is incorrect because an IOU, or “I owe you,” does
not apply here. D is incorrect because the ROE (rules of engagement) is a formal
set of rules that, in the case of a vulnerability scan, specify what will happen, who is
involved, and what to do when a vulnerability is discovered.
For years, vulnerability scanning tools output their findings with no standardization,
resulting in an array of reporting styles, inconsistent levels of detail, and no guarantee
a particular element was included. This was tolerated until the demand for policy
compliance pushed vendors and NIST to form a solution to this problem. What was
the result?
A. FISMA
B. NIST 800-53
C. SCAP
D. ARF
E. CVE
C is correct. SCAP, or Security Content Automation Protocol, is a product of NIST
and industry leaders that provides some standardization around how vulnerability
reporting is presented and managed.
A, B, D, and E are incorrect. A is incorrect because FISMA is the Federal
Information Security Management Act—just one of the sets of requirements that
SCAP helps to present. B is incorrect because NIST 800-53 is the Security and
Privacy Controls special publication from NIST. D is incorrect because ARF, or
asset reporting format, is only one of many components contained in SCAP. Finally,
E is incorrect because CVE is the Common Vulnerabilities and Exposures system for
standardizing how vulnerabilities are catalogued.
When you’re configuring vulnerability scanners, what most influences the types of data
you will gather? (Choose all that apply.)
A. The tool’s capabilities
B. Regulatory requirements
C. Scope
D. SCAP
A, B, and C are correct. A is correct because a vulnerability scanner’s capabilities
by definition influence what the tool can do and gather. B is correct because the
regulatory requirements of the company to be scanned would influence what data
you seek to collect, in order to determine compliance. C is correct because what the
company deems “in scope” will impact what types of data are gathered.
D is incorrect. SCAP would impact how the results are presented, but not directly
change the types of data you intend to find.
A company is starting the process of remediating issues discovered in a vulnerability scan.
One of the more severe vulnerabilities was found on a server that happens to contain highly
sensitive data and is business critical. The vulnerability would permit exfiltration of the
sensitive data across the network. A possible remediation would be implementing DLP.
However, being such an important system, its remediation was halted by the chief information
officer. In the context of degrading functionality, what might be a good course of action?
A. Do not implement DLP, but do place a sniffer upstream to monitor for exfiltration.
Inform the CIO.
B. Cease and desist remediation.
C. Resume remediation after the CIO goes home for the day.
D. Discuss with the CEO.
E. Check to confirm that the CIO is not on the ROE and then proceed with the
original remediation.
A is correct. Just because the CIO demands that remediation stop, this does not
erase the responsibility to mitigate the risk. If the original steps are called off due to
impacting the server’s operation, then compensating controls such as implementing
data loss prevention (DLP) and/or an intrusion detection system (IDS) would lessen
the exposure.
B, C, D, and E are incorrect. B is incorrect because simply doing nothing is not an
option. C is incorrect because it’s likely the CIO would be displeased when returning
the next morning. D is incorrect because this might displease the CIO even more
than option C. Finally, E is incorrect because dismissing the CIO’s concerns is just as
unwise a career move as the other incorrect answers.