Chapter 5: Implementing Vulnerability Management Processes Flashcards

1
Q

A company needs a vulnerability scan performed on its internal network. After the company
consults with an external cybersecurity analyst, the analyst immediately begins drafting a
contract to outline conditions to be met for the scan. These conditions include limiting
who is allowed to view the results, specifying what servers and data must not be accessed
under any circumstances, and satisfying the company’s need for two types of scans to be
done quarterly. Which of the following is the most likely reason behind these conditions?

A. Regulatory requirements

B. Security policy

C. Analyst’s recommendation

D. Past experience deems the contract prudent

A

A is correct. Regulatory requirements are by far the most likely driver of the contract.
The conditions stated are examples of regulatory requirements.

B, C, and D are incorrect. B is incorrect because although security policy is also a
likely reason behind the contract, the sample requirements are similar to HIPAA and
PCI DSS requirements. C is incorrect because the analyst would offer the suggestion
but not likely draft a contract with those specific conditions. D is incorrect because
experience would not be the most likely cause.

2
Q

Regulatory requirements can specify the need for vulnerability scanning when a company
is in the financial or health industry. However, what best specifies vulnerability scanning
as a requirement without regulatory requirement?

A. CISO mandate

B. Local and/or national legislation

C. Corporate policy

D. NIST 800-53

A

C is correct. Corporate policy is the most likely internal source of such requirements.

A, B, and D are incorrect. A is incorrect because a CISO could require the scanning
but would do so via policy. B is incorrect because legislation suggests regulatory
requirements. D is incorrect because NIST 800-53 suggests but does not mandate
vulnerability scanning.

3
Q

What is a technique that allows a company to vary resources spent toward protecting data
according to a set value?

A. Data encryption

B. Data classification

C. Data criticality

D. Data storage location

A

B is correct. Data classification provides a method of allocating resources in varying
amounts based on the criticality or sensitivity of the data.

A, C, and D are incorrect. A is incorrect because encryption does protect data but not
according to its value. C is incorrect because criticality is an attribute that can classify
the data, not a means to protect it. D is incorrect because storage location is not a
practical primary means of protecting data according to its value.

4
Q

With regard to asset inventory, how would a cybersecurity analyst classify assets such as
financial systems, intellectual property, and a customer-facing ordering system?

A. Noncritical

B. Sensitive

C. Credentialed

D. Critical

A

D is correct. Those asset examples should be deemed critical, versus noncritical.

A, B, and C are incorrect. A is incorrect because those assets are certainly critical
assets. B is incorrect because while the assets might hold sensitive data, the assets
themselves are critical. C is incorrect because credentialed is not a type of asset; it
describes a scan that authenticates to its targets.

5
Q

When a company is developing a vulnerability management plan, its assets must be
inventoried. Which of the following asset types would be included? (Choose all that apply.)

A. Noncritical

B. Critical

C. Critical only

D. On-site and assets of partners and suppliers

A

A and B are correct. Both critical and noncritical assets should be inventoried when
developing a vulnerability management plan.

C and D are incorrect. C is incorrect because limiting the inventory to critical assets
leaves noncritical, but still exploitable, systems untracked; a company should inventory
all of its assets, whether on-site, mobile, or currently at remote locations. D is
incorrect because partner and supplier assets are not within a company’s scope to track.

6
Q

The frequency with which a company performs vulnerability scanning is dependent upon
which of the following criteria? (Choose all that apply.)

A. Scanning policy

B. Vulnerability management planning

C. Risk appetite

D. Regulatory requirements

E. Limitations of time, tools, and personnel

A

A, B, C, D, and E are correct. All of those criteria are important factors in determining
vulnerability scanning frequency.

7
Q

The cybersecurity analyst must consider several factors when determining vulnerability
scanning frequency. Criteria such as network bandwidth, systems’ CPU capacity, and
number of qualified personnel are examples of which of the following?

A. Soft restrictions

B. Regulatory requirements

C. Technical constraints

D. Budgetary limitations

A

C is correct. These are examples of technical constraints.

A, B, and D are incorrect. A is incorrect because “soft restrictions” is not a commonly
used term, and it suggests something other than hardware anyway. B is incorrect
because regulatory requirements would not include these sample criteria to determine
frequency. D is incorrect because although a budgetary limitation might affect these
technical aspects, it does not by itself determine scanning frequency.

8
Q

Apart from policies and regulatory requirements, what creates the largest impact on
establishing an effective vulnerability scanning process?
A. Regular routine and workflow of personnel
B. Management style of the IT director or head of security
C. Mandates from the chief of information security
D. Personal whims of the CEO

A

A is correct. The regular routine of personnel has a huge enabling impact on
vulnerability scanning and management.
B, C, and D are incorrect. The management style of and mandates from supervisory
staff and executives are effectively the same as policy.

9
Q

When a company is configuring tools to perform vulnerability scans, which of the following
would be the earliest step?

A. Choosing the tool plug-ins

B. Generating reports

C. Establishing permissions and scanning credentials

D. Establishing scanning criteria

A

D is correct. Establishing scanning criteria would come before the other options.
A, B, and C are incorrect. A is incorrect because choosing the correct plug-ins would
come after determining what plug-ins are needed—after establishing the scanning
criteria. B is incorrect because reports aren’t generated before scanning. C is incorrect
because credentials and permissions would follow deciding which systems to scan and
other criteria.

10
Q

A cybersecurity analyst is performing a vulnerability scan of a few systems, including a
server processing protected health information (PHI). The scan of all servers completed
successfully, with no interruption of service. To demonstrate proof of weaknesses found
during the vulnerability scan, the analyst manages to exfiltrate documents from each server.
Which of the following specifications of vulnerability scanning did the analyst likely breach?
A. Using credentials when a noncredentialed scan would suffice.
B. No vulnerability feed was evidenced.
C. Permissions set incorrectly.
D. Considering the sensitivity of the data on the scanned systems.
E. Using agents when a server-based scan would suffice.

A

D is correct. The sensitivity of the data, particularly the PHI, means no exfiltration
can happen.
A, B, C, and E are incorrect. A is incorrect because there is no mention of credentials.
B is incorrect because, while the vulnerability scan specification might have detailed
the requirement for a vulnerability feed, there is no evidence this was ignored or
violated. C is incorrect because permissions didn’t seem to impact the success of the
scan. E is incorrect because the scan completed successfully, regardless of whether
agents were used.

11
Q

Which of the following reasons are valid arguments for using server-based vulnerability
scanning instead of agent-based scanning? (Choose all that apply.)
A. Erratic connectivity to remote and mobile devices
B. Limited bandwidth
C. Limited personnel availability for maintenance
D. Occasional rogue device connecting to the network

A

C and D are correct. Less availability of security staff to maintain the scanning agents
would be a vote in favor of server-based scanning. Also, a server-based architecture
would scan the entire network space and thus be able to detect rogue devices without
an agent being installed.
A and B are incorrect. A is incorrect because erratic connectivity equates to erratic
accessibility of the server-based scan; therefore, agent-based scanning is best for
devices not consistently connected to the company network. B is incorrect because
agent-based scanning sends only results; therefore, it requires less bandwidth,
meaning any limitation on network capacity favors agent-based scanning.

12
Q
When it comes time to execute a vulnerability scan, what are optional tools you might
use to launch it? (Choose all that apply.)
A. Nessus
B. Burp Suite
C. OpenVAS
D. Vega
E. FTK
F. Nikto
A

A, B, C, D, and F are correct. Nessus and OpenVAS are general-purpose network
vulnerability scanners; Burp Suite, Vega, and Nikto are web application vulnerability
scanners. Any of them can be used to launch a scan, depending on the scope.
E is incorrect because FTK (Forensic Toolkit) is a digital forensics and evidence
analysis suite, not a vulnerability scanner.

13
Q

It’s time to deliver a vulnerability report to the stakeholders. What are your options for
distribution? (Choose all that apply.)
A. Automated delivery via the report generation component of the vulnerability scanner
B. Delivered entirely via e-mail to all administrators
C. Delivered manually, through face-to-face meetings
D. E-mailing only the portions immediately relevant to the individual

A

A and C are correct. There are two ways to distribute scan results: automated and
manual distribution. Some vulnerability tools possess the means to automatically
distribute reporting. Still, for the sake of confidentiality, delivering via a face-to-face
meeting is preferred, if practical.

B and D are incorrect. A vulnerability report contains sensitive information, including
the organization’s security weaknesses. No part of a vulnerability report should be
delivered via e-mail due to the open nature of such communications.

14
Q

What remediation step requires careful discussion concerning the scan results, with
the goal of satisfying both the concerns of technical staff and the organization’s
business objectives?
A. Validation of the results
B. Prioritization of the results
C. Distribution of the results
D. Categorization of the results

A

B is correct. Prioritization is the goal—that is, to discuss the results and decide on the
next steps in remediation. Far too often results can be overwhelming if the focus is to
“fix everything now.”
A, C, and D are incorrect. A is incorrect because, although validation is a correct
step, it’s generally a task done by an internal technical team, not shared among
management. C is incorrect because distribution was already carefully decided upon
and can be found in the statement of work. D is incorrect because categorization is
not such a delicate discussion.

15
Q

After you complete your scan, creating heaps of output, you need to prepare a report.
What are your options?
A. As vulnerability tools rarely generate reports, there’s no need for a report.
B. It’s common to pipe vulnerability tool output to a report generation tool.
C. Nearly all vulnerability scanners generate standardized reports via XML.
D. Every vulnerability tool generates some kind of report, but not using a
standardized format.

A

D is correct. Essentially every vulnerability scanner has a way of reporting on the
results. Whereas some send output to the screen, others can package results in a PDF,
CSV, XML, or other format.
A, B, and C are incorrect. A is incorrect because a report is necessary, regardless
whether the scanning tool itself generates it. B is incorrect because it’s not common
to direct results to a separate reporting tool. C is incorrect because XML is not a
standardized format for results.

16
Q

Figure 5-1 shows the top portion of the results screen in Nessus when a scan has
completed. The wide bar across the top separates quantities of results in varying colors.
What is Nessus distinguishing by using colors?
A. Scope
B. Chronological order of the scan execution
C. Association to the vulnerability feeds used
D. Criticality of the findings

A

D is correct. The colors separating the results are used to distinguish between the
criticality or severity levels of the results.
A, B, and C are incorrect. A is incorrect because the colors have nothing to do
with scope. B is incorrect because the order in which the scan was done has little
to no impact on the end results or how they are presented. C is incorrect because
vulnerability feeds are irrelevant to the presentation of the results.

17
Q

The chief information security officer is among many at a meeting about the vulnerability
scan results. Everyone has the same table, shown in Figure 5-2. The discussion is focused
on how to order the findings to remediate. The cybersecurity analyst focuses on criticality,
wanting to fix the findings in the order shown: A, B, C, then D. The CISO instead wants
the remediation order to be C, B, A, then D. What aspect caused the CISO to change the
order of remediation?
A. Criticality
B. Cost
C. Effort to fix
D. Alphabetical

A

C is correct. Based on the order the CISO prefers (C, B, A, D), it seems difficulty
of implementation is the guiding factor. A good strategy is to follow up on the
“low-hanging fruit,” or perform fairly simple remediation first.
A, B, and D are incorrect. A is incorrect because criticality would be A, B, C, D
order. B is incorrect because cost would be B, D, A, C order. D is incorrect because
remediating by alphabetical order, in addition to being a bit silly, would be A, B, C, D.
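Questions 15 through 17 describe three things a scanner hands you: a report in some export format, the per-severity counts behind the Nessus colour bar, and a list that two people want to remediate in different orders (by criticality versus by effort). The following Python is an added example, not code from the book or from the Nessus vendor. It parses a constructed document in the shape of a Nessus v2 (.nessus) XML export, tallies findings per severity band, orders them both ways, and renders a CSV report. The hosts, plugin IDs, finding names and effort values are invented for illustration.

```python
"""Parse a constructed Nessus-style (.nessus v2) XML export, tally findings per
severity band, order them for remediation, and write a CSV report."""
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a Nessus v2 export; not real scan output.
# Nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="4"
                  pluginID="100001" pluginName="SMBv1 service enabled (sample)">
        <cvss3_base_score>9.8</cvss3_base_score>
        <solution>Disable SMBv1 and apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="2"
                  pluginID="100002" pluginName="SSH weak MAC algorithms (sample)">
        <cvss3_base_score>5.3</cvss3_base_score>
        <solution>Restrict MACs in sshd_config.</solution>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" svc_name="general" severity="0"
                  pluginID="100003" pluginName="OS identification (sample)">
        <solution>n/a</solution>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="443" protocol="tcp" svc_name="www" severity="3"
                  pluginID="100004" pluginName="TLS 1.0 enabled (sample)">
        <cvss3_base_score>7.5</cvss3_base_score>
        <solution>Disable TLS 1.0 and 1.1.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}
FIELDS = ["host", "port", "plugin_id", "name", "severity", "cvss", "solution"]


def parse_nessus(xml_text):
    """Return one dict per ReportItem found under each ReportHost."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss3_base_score")  # absent on info-level items
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "cvss": float(score) if score else 0.0,
                "solution": item.findtext("solution", ""),
            })
    return findings


def severity_tally(findings):
    """Counts per severity band: what the coloured bar at the top of a Nessus
    results screen summarizes."""
    return Counter(SEVERITY_NAMES[f["severity"]] for f in findings)


def prioritize(findings, effort=None):
    """Remediation order, informational findings excluded.

    Default (the analyst's view in Q17): severity first, then CVSS score, then host.
    With an 'effort' map (plugin_id -> 1 easy .. 5 hard, a constructed estimate),
    cheap fixes come first (the CISO's 'low-hanging fruit' view in Q17)."""
    if effort is None:
        key = lambda f: (-f["severity"], -f["cvss"], f["host"])
    else:
        key = lambda f: (effort.get(f["plugin_id"], 3), -f["severity"], -f["cvss"], f["host"])
    return sorted((f for f in findings if f["severity"] > 0), key=key)


def to_csv(findings):
    """Render findings as CSV, one of the formats scanners commonly export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for f in findings:
        writer.writerow(f)
    return buf.getvalue()


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print("per-band counts:", dict(severity_tally(found)))
    print("by criticality:", [f["plugin_id"] for f in prioritize(found)])
    print("by effort:", [f["plugin_id"] for f in prioritize(
        found, effort={"100001": 5, "100004": 2, "100002": 1})])
    print(to_csv(found))
```

Informational findings (severity 0) are kept in the tally and the CSV but dropped from the remediation queue, which is the usual split between "what the scanner saw" and "what someone has to fix". Swapping the sort key is all it takes to move between the two orderings debated in Q17, so the disagreement can be settled with the same data rather than two separate reports.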

18
Q

Patching is an important preventative control in ensuring a system’s security. Patches
generally improve the stability of a system and, in the case of security patches, remediate
a vulnerability. However, on rare occasions a patch is released that opens up a different
vulnerability, perhaps more severe than the weakness the patch was meant to fix. What is
the suggested method for mitigating the risk of an errant patch?
A. Communicate directly with the patch vendor.
B. Wait for others to install the patch, in case of bad news.

C. Have a safe environment as a sandbox for testing patched systems.
D. Don’t install patches.

A

C is correct. Patching is necessary, but there are rare times when patching goes
bad. Always have a sandbox or testing stage for monitoring the effect of patches
on systems.
A, B, and D are incorrect. A is incorrect because the vendor will naturally say the
patch is fine. B is incorrect because waiting for others isn’t a viable strategy, especially
for critical patches. D is incorrect because not patching isn’t going to work in the
long run.

19
Q

After the results of a vulnerability scan were prioritized into remediation steps, a
company’s cybersecurity team began working on implementing those steps. All systems
that were affected by the remediation team continued operating as expected, except for
one. One server’s application stopped functioning, no longer able to reach other systems.
The system owner could not figure out why or how the system just stopped working.
What overall process seems most at fault here?
A. Communication/change control
B. Patching/remediation
C. Business continuity
D. Systems administration

A

A is correct. A breakdown in communication and change control is the most likely
cause of the unexpected application failure. Whatever the remediation did, whether it
closed a previously open network port or shut down a service deemed unnecessary, change
control done correctly would have alerted the system owner to changes impacting the
application before they were made.
B, C, and D are incorrect. B is incorrect because patching and remediation are too
granular. Yes, remediation was the direct cause, but not the shortfall that allowed
remediation to become a problem. C is incorrect because business continuity deals
with resuming operations after a significant outage. D is incorrect because system
administration wasn’t at fault but rather likely what helped resolve the problem.

20
Q

A cybersecurity analyst is hired by a company to conduct a vulnerability scan on its
servers. In the process of scanning a particular server, the analyst comes across evidence
that suggests the system has a great many open vulnerabilities. What should the analyst
do to properly respond to this?
A. Speak to the CISO in confidence about the server.
B. Speak to the internal information security team.
C. Consult the MOU or ROE.
D. Write up a formal SLA specific to that server.

A

C is correct. The memorandum of understanding (MOU), or scope of the
vulnerability scan, would include details on how to respond to finding evidence.
The rules of engagement (ROE) should also specify detailed expectations on
interacting with systems. The MOU and ROE contain the answers to questions
such as “What do we do now?”
A, B, and D are incorrect. A is incorrect, unless the MOU and ROE specifically
named the CISO as the point of contact for such findings. B is incorrect for the
same reason—the MOU and ROE would need to name that team as the contact
in order for this to be the correct answer. D is incorrect because an SLA has no
relevance here.

21
Q

What term is used to describe a contract made between units within an organization
(for example, between IT and HR) to outline the service expectations, including roles
and responsibilities?
A. MOU
B. SLA
C. IOU
D. ROE

A

B is correct. A service level agreement (SLA) is a contract between units within an
organization, or even between an organization and third party, to specify the service’s
availability, response, and other expectations.

05-ch05.indd 92 08/08/18 3:08 PM
All-In-One_PE / CompTIA CySA+® Cybersecurity Analyst Certification Practice Exams / Jeff Parker / 701-4 / Chapter 5
A, C, and D are incorrect. A is incorrect because a memorandum of understanding
(MOU) is an agreement that’s more about expectations for an event or partnership,
such as a vulnerability scan. C is incorrect because an IOU, or “I owe you,” does
not apply here. D is incorrect because the ROE (rules of engagement) is a formal
set of rules that, in the case of a vulnerability scan, specify what will happen, who is
involved, and what to do when a vulnerability is discovered.

22
Q

For years, vulnerability scanning tools output their findings with no standardization,
resulting in an array of reporting styles, inconsistent levels of detail, and no guarantee
a particular element was included. This was tolerated until the demand for policy
compliance pushed vendors and NIST to form a solution to this problem. What was
the result?
A. FISMA
B. NIST 800-53
C. SCAP
D. ARF
E. CVE

A

C is correct. SCAP, or Security Content Automation Protocol, is a product of NIST
and industry leaders that provides some standardization around how vulnerability
reporting is presented and managed.
A, B, D, and E are incorrect. A is incorrect because FISMA is the Federal
Information Security Management Act—just one of the sets of requirements that
SCAP helps to present. B is incorrect because NIST 800-53 is the Security and
Privacy Controls special publication from NIST. D is incorrect because ARF, the
Asset Reporting Format, is only one of many components contained in SCAP. Finally,
E is incorrect because CVE, Common Vulnerabilities and Exposures, is the system for
standardizing how vulnerabilities are catalogued.

23
Q

When you’re configuring vulnerability scanners, what most influences the types of data
you will gather? (Choose all that apply.)
A. The tool’s capabilities
B. Regulatory requirements
C. Scope
D. SCAP

A

A, B, and C are correct. A is correct because a vulnerability scanner’s capabilities
by definition influence what the tool can do and gather. B is correct because the
regulatory requirements of the company to be scanned would influence what data
you seek to collect, in order to determine compliance. C is correct because what the
company deems “in scope” will impact what types of data are gathered.
D is incorrect. SCAP would impact how the results are presented, but not directly
change the types of data you intend to find.

24
Q

A company is starting the process of remediating issues discovered in a vulnerability scan.
One of the more severe vulnerabilities was found on a server that happens to contain highly
sensitive data and is business critical. The vulnerability would permit exfiltration of the
sensitive data across the network. A possible remediation would be implementing DLP.
However, being such an important system, its remediation was halted by the chief information
officer. In the context of degrading functionality, what might be a good course of action?
A. Do not implement DLP, but do place a sniffer upstream to monitor for exfiltration.
Inform the CIO.
B. Cease and desist remediation.
C. Resume remediation after the CIO goes home for the day.
D. Discuss with the CEO.
E. Check to confirm that the CIO is not on the ROE and then proceed with the
original remediation.

A

A is correct. Just because the CIO demands that remediation stop, this does not
erase the responsibility to mitigate the risk. If the original steps are called off due to
impacting the server’s operation, then compensating controls such as implementing
data loss prevention (DLP) and/or an intrusion detection system (IDS) would lessen
the exposure.
B, C, D, and E are incorrect. B is incorrect because simply doing nothing is not an
option. C is incorrect because it’s likely the CIO would be displeased when returning
the next morning. D is incorrect because this might displease the CIO even more
than option C. Finally, E is incorrect because dismissing the CIO’s concerns is just as
unwise a career move as the other incorrect answers.

25
Q

The terms “ongoing scanning” and “continuous monitoring” refer to what in the context
of vulnerability scanning?
A. Simultaneous scanning and monitoring during a scheduled vulnerability scan
B. Scanning occurring regularly, such as daily
C. Agent-based scanning, instead of server-based, to provide continual availability
D. Full-time staff available to perform vulnerability scanning as needed

A

B is correct. Ongoing scanning and continuous monitoring refer to having scanning
being a part of the company’s routine operation. Daily is suggested as an optimal
frequency, if it can be noninvasive to the environment, because it’s very responsive to
newly discovered vulnerabilities.
A, C, and D are incorrect. A is incorrect because ongoing and continuous does
not suggest “simultaneous.” C is incorrect because whether the scan is performed
by agent-based or server-based components is not relevant. D is incorrect because
although having adequate staff does factor into managing ongoing scanning, it is not
the defining characteristic.

26
Q
What vulnerability scanner provides its own scripting language with which to
customize plug-ins?
A. Klaatu
B. Barada
C. Necturn
D. Nikto
E. Nessus
A

E is correct. Okay then, that’s it—Nessus has NASL, the Nessus Attack Scripting
Language. Nessus plug-ins are written in NASL. This allows you to configure
Nessus to perform the scan exactly as your specifications require.
A, B, C, and D are incorrect. A, B, and C are incorrect because these are not
vulnerability scanners. D is incorrect because Nikto, a command-line web vulnerability
scanner, does not utilize a scripting language.

27
Q
Which of the following would be an inhibitor to remediation?
A. Organizational governance
B. NASL
C. SCAP
D. CSF
A

A is correct. Organizational governance can sometimes impede remediation
efforts, based on senior management wanting to ensure operations suffer no
unexpected outages.
B, C, and D are incorrect because neither NASL (Nessus Attack Scripting Language),
SCAP (Security Content Automation Protocol), nor the CSF (NIST Cybersecurity
Framework) inhibits remediation.

28
Q
Which of the following is a well-known framework for quantifying severity or the criticality
of vulnerabilities?
A. OpenVAS
B. CVE
C. CVSS
D. CSV
A

C is correct. The CVSS, or Common Vulnerability Scoring System, is a framework
for standardizing ratings for vulnerabilities, including severity.
A, B, and D are incorrect. A is incorrect because OpenVAS is a vulnerability scanner.
B is incorrect because CVE is a vulnerability and exposure database. D is incorrect
because CSV is a file format, common with spreadsheet software.

29
Q

Which of the following is more common when performing a noncredentialed vulnerability
scan than when performing a credentialed vulnerability scan?
A. Higher level of detail
B. Higher number of false positives
C. Higher number of true negatives
D. Higher number of verifiable results

A

B is correct. A noncredentialed scan produces more false positives, uses more network
bandwidth, and yields fewer verifiable results, because it cannot log in to confirm what
it infers from the network.
A, C, and D are incorrect. A is incorrect because credentialed scans provide more
relevant and deeper detail, whereas noncredentialed scans tend to produce more
general, unverified findings. C is incorrect because credentialed scans will provide
the greater percentage of true negatives due to the ability to log in for validation.
D is incorrect because the credentialed scan is able to verify the results by virtue of
having authenticated.

30
Q

When configuring a vulnerability scanning tool, you may utilize at least one additional
vulnerability feed beyond the product’s own source. Selecting a feed that matches your needs
is important. Which of the following will most influence your selection of vulnerability feed?
A. Scanning frequency
B. Company policy
C. Regulatory requirements
D. Senior management risk appetite

A

A is correct. The scanning frequency most affects your vulnerability feed needs.
Vulnerability feeds differ in a number of ways, such as providing only analyzed
vulnerabilities versus vulnerabilities as they are discovered, or vulnerabilities every
few hours versus within minutes.
B, C, and D are incorrect. B is incorrect because company policy shouldn’t dictate
such a specific technical detail as vulnerability feed requirements. C is incorrect
because regulatory requirements will affect the need for periodic scanning but won’t
have a specialized feed requirement. D is incorrect because the risk appetite affects
the scanning frequency and scope, but has little impact on feed choice.

31
Q

A B2B health information exchange provider has hired a new cybersecurity team to
perform a vulnerability scan. A junior analyst eager to make a good impression raises the
point that PCI DSS standard requirement 11.2 directly affects vulnerability scanning.
What specific aspect of this scan will the analyst’s reference affect?
A. Scope
B. Frequency

C. Sensitivity
D. DAR encryption
E. None of the above

A

E is correct. Being a health information exchange, operating between businesses, it’s
very unlikely to be operating as a credit card merchant on any level. Therefore, there’s
no issue with maintaining PCI DSS compliance. (Sorry for the trick question.)
A, B, C, and D are incorrect. A, C, and D are incorrect because PCI DSS 11.2
has no effect on scope, sensitivity, or data-at-rest encryption. B is incorrect but it
would be relevant only if the company required PCI DSS compliance, in which
case scanning frequency is required to be quarterly per PCI DSS requirement 11,
section 2.

32
Q
At the earliest stages of a vulnerability scan, which of the following would be the first step?
A. Draft the ROE.
B. Identify the requirements.
C. Sign the MOU.
D. Configure the scanning tool.
A

B is correct. The first step is to identify requirements. From there, a memorandum of
understanding can be signed. Upon further detailing the engagement expectations,
the rules of engagement can be established. Then it’s tool-configuration time.
A, C, and D are incorrect. A is incorrect because drafting the ROE would follow the
step of identifying the requirements. C is incorrect because signing the MOU follows
knowing what to put in the MOU (identifying the requirements). D is incorrect
because configuring the tool comes after all the paperwork is final.

33
Q

A hospital is interested in having an external ASV perform a vulnerability scan, from the
perspective of an attacker. Which scanning criterion most satisfies the hospital’s needs?
A. Agent-based, instead of server-based
B. Minimum of two vulnerability feeds
C. Extreme care for scope to avoid accessing PHI
D. Noncredentialed scan, instead of credentialed

A

D is correct. Choosing to run a noncredentialed scan causes the vulnerability scan to
report with results that most closely resemble what an attacker would see.
A, B, and C are incorrect. A is incorrect because an agent-based scan is certainly not
what an attacker would see. B is incorrect because the number of feeds is not relevant
to the question. C is incorrect because although not accessing PHI (protected health
information) is very important, it’s not as relevant to the question.

34
Q

What is the most important reason why vulnerability tools require feeds and updates?
A. If the tool is unaware of a vulnerability, it cannot detect the vulnerability.
B. Without updates, the tool reports more false negatives.
C. Vulnerability tools come with a vendor-provided feed. No extra feed is required.
D. If a tool receives no updates, regulatory compliance scans may be outdated.

A

A is correct. Similar to other signature-based products like antivirus and intrusion
detection systems, a vulnerability scanning tool is only capable of scanning for what
it’s aware of.
B, C, and D are incorrect. B is incorrect because it only restates a consequence of A:
a tool that lacks updates misses vulnerabilities it does not know about, which is a false
negative, but the root reason for needing feeds is the tool’s lack of awareness. C is
incorrect because although the vulnerability scanning tool does come with a vendor source,
it should still be configured with one or two additional feeds. D is incorrect because
regulatory compliance is not the primary concern when updates are lacking.

35
Q

A security team was hired to conduct a large-scale vulnerability scan at multiple sites. The
team begins at the smallest facility. In the process of launching the vulnerability scanner,
an analyst soon gets word that users are starting to complain the network seems slow or
unreliable. What might likely be the cause of the problem?
A. Sensitivity level
B. Risk appetite
C. Permissions
D. Technical constraints

A

D is correct. A scan sized for a large, multi-site engagement but launched against a
small facility can saturate that site's links and overload its hosts; the scan's scope,
concurrency, and timing have to be tuned to what the network can absorb. That is a
technical constraint.
A, B, and C are incorrect. Sensitivity levels, risk appetite, and permissions are all
very unlikely to be related to the network issues.

36
Q

What is a benefit of utilizing a cloud-based web application security scanner, versus
scanning at the site?
A. Less network perimeter traffic.
B. More control on the hardware.
C. Less operations and maintenance.
D. Frequency can be half as often when launched from the cloud.

A

C is correct. With a cloud-based scanner the provider owns the scanning infrastructure,
so patching, updating, and maintaining the scanner fall to the provider rather than to
the customer.
A, B, and D are incorrect. A is incorrect because every probe from a cloud-based scanner
must cross the network perimeter, so you would expect more perimeter traffic, not less.
B is incorrect because you would have more control over the infrastructure if the
scanning were done on-site. D is incorrect because the required scanning frequency does
not change based on where the scan originates.

37
Q
Prioritizing vulnerabilities is made standard and fair given the Common Vulnerability
Scoring System (CVSS). The CVSS ranks vulnerabilities on a 10-point scale using an
equation based on several metrics. Which of the following is not a group of metrics used
in scoring vulnerabilities?
A. Attack Complexity/Attack Vector/Privileges Required/User Interaction
B. Confidentiality Impact/Integrity Impact/Availability Impact
C. Exploit Code Maturity/Remediation Level/Report Confidence
D. Exploit Age/Attack Speed/Ease of Exploitation
A

D is correct. Exploit age, attack speed, and ease of exploitation are not named CVSS
metrics.
A, B, and C are incorrect. All three are real CVSS metric groups: A lists the Base
exploitability metrics, B lists the Base impact metrics, and C lists the Temporal
metrics, which adjust the Base score for the maturity of exploit code, the availability
of a fix, and confidence in the report.

38
Q

In the process of working with a vulnerability scanning tool, which of the following
shows the correct order of steps?
A. Requirements identification, scan execution, report distribution, report generation
B. Requirements identification, scan execution, report generation, report distribution
C. Requirements identification, scan execution, report distribution, report generation
D. Requirements identification, report generation, scan execution, report distribution

A

B is correct. The correct order is requirements identification, scan execution, report
generation, report distribution.
A, C, and D are incorrect. A report cannot be distributed before it has been generated
(A and C), and a report cannot be generated before the scan has been executed (D).

39
Q

At the retailer S-Mart, a security analyst named Ash is familiar with dealing with local
nefarious characters trying to exploit the point-of-sale (POS) machines. The POS
machines are required for the retailer to operate. Further, data in the POS systems
includes financial transaction information. Ash is now developing a data classification
system and asset inventory. How should Ash classify S-Mart’s POS machines and the data
held inside them?
A. Information: private, Asset: critical
B. Information: private, Asset: noncritical
C. Information: public, Asset: critical
D. Information: proprietary, Asset: noncritical

A

A is correct. The data should be classified as private, meaning its disclosure could
cause privacy issues for the customers whose transactions it records. The POS system is
required for the business to operate, so it is a critical asset.
B, C, and D are incorrect. B and D are incorrect because the POS machines are critical,
not noncritical. C is incorrect because financial transaction data is not public. D is
also incorrect because customer transaction data is private information, not the
company's proprietary information.

40
Q

What remediation step requires careful discussion concerning the scan results, with
the goal of satisfying both the concerns of technical staff and the organization’s
business objectives?
A. Validation of the results
B. Prioritization of the results
C. Distribution of the results
D. Categorization of the results

A

B is correct. Prioritization is the goal—that is, to discuss the results and decide on the
next steps in remediation. Far too often results can be overwhelming if the focus is to
“fix everything now.”
A, C, and D are incorrect. A is incorrect because, although validation is a correct
step, it’s generally a task done by an internal technical team, not shared among
management. C is incorrect because distribution was already carefully decided upon
and can be found in the statement of work. D is incorrect because categorization is
not such a delicate discussion.