Practice Tests - Chapter 2: Domain 2.0: Vulnerability Management Flashcards

1
Q

1- During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization’s network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option?

  • Perform a DNS brute‐force attack.
  • Use an Nmap ping sweep.
  • Perform a DNS zone transfer.
  • Use an Nmap stealth scan.
A

Perform a DNS brute‐force attack.

Although it may seem strange, a DNS brute‐force attack that queries a list of IP addresses, common subdomains, or other lists of targets will often bypass intrusion detection and prevention systems that do not pay particular attention to DNS queries. Cynthia may even be able to find a DNS server that is not protected by the organization’s IPS! Nmap scans are commonly used during reconnaissance, and Cynthia can expect them to be detected since they are harder to conceal. Cynthia shouldn’t expect to be able to perform a DNS zone transfer, and if she can, a well‐configured IPS should immediately flag the event.

2
Q

Database vendor default ports

A
  • MySQL: 3306
  • Oracle: 1521
  • Postgres: 5423
  • MS SQL: 1433/1434
3
Q

3- During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be?

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-26 19:25 EDT
Nmap scan report for deptsrv (192.168.2.22)
Host is up (0.0058s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
7680/tcp open unknown
49677/tcp open unknown
MAC Address: AD:5F:7B:48:7D (Intel Corporation)

Nmap done: 1 IP address (1 host up) scanned in 121.29 seconds

  • Determine the reason for the ports being open.
  • Investigate the potentially compromised workstation.
  • Run a vulnerability scan to identify vulnerable services.
  • Reenable the workstation’s local host firewall
A

Determine the reason for the ports being open.

Cynthia’s first action should be to determine whether there is a legitimate reason for the workstation to have the listed ports open.

4
Q

4- Which one of the following threats is the most pervasive in modern computing environments?

  • Zero‐day attacks
  • Advanced persistent threats
  • Malware
  • Insider threats
A

Malware

All of the threats described here are serious threats that exist in modern enterprises. However, the most pervasive threat is standard malware, which threatens essentially every computing environment on an almost constant basis.

5
Q

6- What is the default Nmap scan type when Nmap is not provided with a scan type flag?

  • A TCP FIN scan
  • A TCP connect scan
  • A TCP SYN scan
  • A UDP scan
A

A TCP SYN scan

By default, Nmap uses a TCP SYN scan. If the user does not have proper socket privileges (such as root on a Linux system), it will use a TCP connect scan.

6
Q

7- Lakshman wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically most reduce his organization’s footprint?

  • Limit information available via the organizational website without authentication.
  • Use a secure domain registration.
  • Limit technology references in job postings.
  • Purge all document metadata before posting.
A

Limit information available via the organizational website without authentication.

Limiting the information available about an organization by requiring authentication will strongly limit the ability of potential attackers to gather information. Secure domain registration may conceal the registration contact’s information but does not provide any real additional protection. Limiting technologies listed in a job posting can help limit what attackers may find out, but most organizations would prefer to better match candidates. Finally, purging all metadata can help protect information about internal systems and devices but is difficult to enforce, and document metadata is not a primary source of information about most organizations.

7
Q

8- Cassandra’s Nmap scan of an open wireless network (192.168.10/24) shows the following host at IP address 192.168.1.1. Which of the following is most likely to be the type of system at that IP address based on the scan results shown?

PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 2016.74 (protocol 2.0)
53/tcp open domain dnsmasq 2.76
80/tcp open http Acme milli_httpd 2.0 (ASUS RT-AC-series router)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
515/tcp open tcpwrapped
1723/tcp open pptp Linux (Firmware: 1)
8200/tcp open upnp MiniDLNA 1.1.5 (OS: 378.xx; DLNADOC 1.50; UPnP 1.0)
8443/tcp open ssl/http Acme milli_httpd 2.0 (ASUS RT-AC-series router)
9100/tcp open jetdirect?
9998/tcp open tcpwrapped
Device type: bridge|general purpose

  • A virtual machine
  • A wireless router
  • A broadband router
  • A print server
A

A wireless router

Since Cassandra is scanning a wireless network and the system is using an IP address that is commonly used for commodity wireless routers, her best guess should be that this is a wireless router that can be accessed via SSH and that is providing a web management interface and print services. The OS fingerprinting that Nmap provides is not always reliable, and the VirtualBox match is a false positive in this case. The actual host scanned is an Asus router running open source firmware and additional software.

8
Q

9- Several organizations recently experienced security incidents when their AWS secret keys were published in public GitHub repositories. What is the most significant threat that could arise from this improper key management?

  • Total loss of confidentiality
  • Total loss of integrity
  • Total loss of availability
  • Total loss of confidentiality, integrity, and availability
A

Total loss of confidentiality, integrity, and availability

Depending on the level of access associated with the key, this error could give anyone discovering the key total control of an organization’s AWS account, resulting in a complete loss of confidentiality, integrity, and availability.

9
Q

11- Andrea wants to conduct a passive footprinting exercise against a target company. Which of the following techniques is not suited to a passive footprinting process?

  • WHOIS lookups
  • Banner grabbing
  • BGP looking glass usage
  • Registrar checks
A

Banner grabbing

Banner grabbing is an active process and requires a connection to a remote host to grab the banner. The other methods are all passive and use third‐party information that does not require a direct lookup against a remote host.

10
Q

BGP looking glass

A

A BGP (Border Gateway Protocol) looking glass is a public server that allows you to view an organization’s external network connectivity setup.

11
Q

12- Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network. What type of Nmap scan should Alex conduct to leverage this host if he cannot install Nmap on system A?

  • A reflection scan
  • A proxy scan
  • A randomized host scan
  • A ping‐through scan
A

A proxy scan

Nmap supports the use of both HTTP and SOCKS4 proxies, allowing Alex to configure the remote host as an HTTP proxy and bounce his scans through it. This can allow Nmap users to leverage their scanning tools without installing them on a protected host or network.

12
Q

14- Alex has been asked to assess the likelihood of reconnaissance activities against her organization (a small, regional business). Her first assignment is to determine the likelihood of port scans against systems in her organization’s screened subnet (otherwise known as a DMZ). How should she rate the likelihood of this occurring?

  • Low.
  • Medium.
  • High.
  • There is not enough information for Alex to provide a rating.
A

High.

Alex knows that systems that are exposed to the Internet like screened subnet (DMZ) systems are constantly being scanned. She should rate the likelihood of the scan occurring as high. In fact, there is a good chance that a scan will be occurring while she is typing up her report!

13
Q

15- Lucy recently detected a cross‐site scripting (XSS) vulnerability in her organization’s web server. The organization operates a support forum where users can enter HTML tags and the resulting code is displayed to other site visitors. What type of cross‐site scripting vulnerability did Lucy discover?

  • Persistent
  • Reflected
  • DOM‐based
  • Blind
A

Persistent

This type of XSS vulnerability, where the attack is stored on a server for later users, is a persistent vulnerability. The scenario does not tell us that the code is immediately displayed to the user submitting it, so there is no indication of a reflected attack. The attack is stored on the server, rather than in the browser, so it is not a DOM‐based attack. Blind XSS attacks do not exist.

14
Q

Persistent XSS

A

Persistent XSS attacks, also known as stored XSS attacks, occur when an attacker is able to store the attack code on a server, where it remains until a user requests the affected content.

15
Q

Reflected XSS

A

Reflected XSS occurs when an attacker tricks a user into sending the attack to the server as part of a query string or other content, and the server then sends the attack back to the user, causing the code to execute.

16
Q

DOM-based XSS

A

A type of web security vulnerability where malicious code is executed in a user’s browser through manipulation of the Document Object Model (DOM).

17
Q

17- The company that Dan works for has recently migrated to an SaaS provider for its enterprise resource planning (ERP) software. In its traditional on‐site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment?

  • Use a different scanning tool.
  • Rely on vendor testing and audits.
  • Engage a third‐party tester.
  • Use a VPN to scan inside the vendor’s security perimeter.
A

Rely on vendor testing and audits.

Most SaaS providers do not want their customers conducting port scans of their service, and many are glad to provide security assertions and attestations including audits, testing information, or contractual language that addresses potential security issues. Using a different scanning tool, engaging a third‐party tester, or even using a VPN are not typically valid answers in a scenario like this.

18
Q

18- Which one of the following languages is least susceptible to an injection attack?

  • HTML
  • SQL
  • STIX
  • XML
A

STIX

STIX is a language used to define security threat information and is not a common target of injection attacks. SQL injection and XML injection attacks commonly take place against applications using those languages. Cross‐site scripting (XSS) attacks are a common example of an injection attack against HTML documents.

19
Q

19- Which one of the following types of malware would be most useful in a privilege escalation attack?

  • Rootkit
  • Worm
  • Virus
  • RAT
A

Rootkit

Rootkits are specifically designed for privilege escalation attacks, providing the ability to escalate a normal user account into an administrative account.

20
Q

ScoutSuite

A

This is an open-source multi-cloud security auditing tool that supports AWS, Azure, Google Cloud, and others. It provides security posture assessment across multiple cloud environments.

21
Q

Pacu

A

This is an AWS-specific exploitation framework designed for penetration testing and security assessment of AWS environments. It’s focused exclusively on AWS and doesn’t support Azure.

22
Q

Prowler

A

This is primarily an AWS security assessment tool that checks for CIS benchmarks and AWS best practices. It was originally designed specifically for AWS environments.

23
Q

CloudSploit

A

This is a multi-cloud security configuration scanner that supports AWS, Azure, Google Cloud, and others. It can detect misconfigurations across different cloud providers.

24
Q

21- Greg is concerned about the use of DDoS attack tools against his organization, so he purchased a mitigation service from his ISP. What portion of the threat model did Greg reduce?

  • Likelihood
  • Total attack surface
  • Impact
  • Adversary capability
A

Impact

By purchasing a mitigation service, Greg is reducing the potential impact of a DDoS attack. This service can’t reduce the likelihood that an attacker will launch an attack or the capability of that adversary. Greg did not change his own infrastructure, so he did not reduce the total attack surface.

25
Q

22- Carrie needs to lock down a Windows workstation that has recently been scanned using Nmap with the results shown here. She knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should she allow through the system’s firewall for externally initiated connections?

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 21:08 EDT
Nmap scan report for dynamo (192.168.1.14)
Host is up (0.00023s latency)
Not shown: 65524 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
7680/tcp open unknown
22350/tcp open CodeMeter
49677/tcp open unknown
MAC Address: BC:5F:F4:7B:4B:7D (ASRock Incorporation)

Nmap done: 1 IP address (1 host up) scanned in 105.78 seconds

  • 80, 135, 139, and 445.
  • 80, 445, and 3389.
  • 135, 139, and 445.
  • No ports should be open.
A

No ports should be open.

The uses described for the workstation that Carrie is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system.

26
Q

23- Adam’s port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess?

  • A web server
  • An FTP server
  • A printer
  • A proxy server
A

A printer

Whereas the first three ports are common to many of the devices listed, TCP 515 is the LPR/LPD port, 631 is the IPP port commonly used by many print servers, and TCP port 9100 is the RAW, or direct, IP port. Although this could be another type of device, it is most likely a network‐connected printer.

27
Q

24- In his role as the SOC operator, Manish regularly scans a variety of servers in his organization. After two months of reporting multiple vulnerabilities on a Windows file server, Manish recently escalated the issue to the server administrator’s manager.

At the next weekly scan window, Manish noticed that all the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What most likely happened?

  • The server administrator blocked the scanner with a firewall.
  • The server was patched.
  • The vulnerability plug‐ins were updated and no longer report false positives.
  • The system was offline.
A

The server was patched.

The system is showing normal ports for a Windows file server. It is most likely that Manish’s escalation to management resulted in action by the server administrator.

28
Q

25- While conducting reconnaissance, Piper discovers what she believes is an SMTP service running on an alternate port. What technique should she use to manually validate her guess?

  • Send an email via the open port.
  • Send an SMTP probe.
  • Telnet to the port.
  • SSH to the port.
A

Telnet to the port.

Using telnet to connect to remote services to validate their response is a useful technique for service validation. It doesn’t always work, but it can allow you to interact with the service to gather information manually. While telnet is an insecure service and should not typically be used, the telnet command is a valuable way to test connectivity to an SMTP server. A more secure tool that uses encryption, such as SSH, would not provide visibility into the SMTP service because SMTP is not set up to accept SSH connections.

29
Q

26- Marta is a security analyst who has been tasked with performing Nmap scans of her organization’s network. She is a new hire and has been given this logical diagram of the organization’s network but has not been provided with any additional detail.

(Look up the diagram in the book)

  • Scan the organization’s web server and then scan the other 255 IP addresses in its subnet.
  • Query DNS and WHOIS to find her organization’s registered hosts.
  • Contact ICANN to request the data.
  • Use traceroute to identify the network that the organization’s domain resides in.
A

Query DNS and WHOIS to find her organization’s registered hosts.

Marta’s best option from this list is to query DNS using WHOIS. She might also choose to use a BGP looking glass, but most of the information she will need will be in WHOIS. If she simply scans the network the web server is in, she may end up scanning a third‐party hosting provider or other systems that aren’t owned by her organization in the /24 subnet range. Contacting ICANN isn’t necessary with access to WHOIS, and depending on what country Marta is in, ICANN may not have the data she wants. Finally, using traceroute will only show the IP address of the system she queries; she needs more data to perform a useful scan in most instances.

30
Q

27- Marta is a security analyst who has been tasked with performing Nmap scans of her organization’s network. She is a new hire and has been given this logical diagram of the organization’s network but has not been provided with any additional detail.

(look up diagram in the book)

  • The scans will match.
  • Scans from location C will show no open ports.
  • Scans from location C will show fewer open ports.
  • Scans from location C will show more open ports.
A

Scans from location C will show fewer open ports.

Scans from location C will show fewer open ports because most datacenter firewalls are configured to only allow the ports for publicly accessible services through to other networks. Location C is on an internal network, so Marta will probably see more ports than if she tried to scan datacenter systems from location A, but it is likely that she will see far fewer ports than a port scan of the datacenter from inside the datacenter firewall will show.

31
Q

28- Marta is a security analyst who has been tasked with performing Nmap scans of her organization’s network. She is a new hire and has been given this logical diagram of the organization’s network but has not been provided with any additional detail.

(look up diagram in book)

  • Location A
  • Location B
  • Location C
  • Location D
A

Location B

Marta will see the most important information about her organization at location B, which provides a view of datacenter servers behind the datacenter firewall. To get more information, she should request that the client network firewall ruleset include a rule allowing her scanner to scan through the firewall to all ports for all systems on all protocols.

32
Q

29- Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will easily provide the most useful information if they are all possible to conduct on the network he is targeting?

  • DNS record enumeration
  • Zone transfer
  • Reverse lookup
  • Domain brute‐forcing
A

Zone transfer

If Chris can perform a zone transfer, he can gather all of the organization’s DNS information, including domain servers, hostnames, MX and CNAME records, time to live records, zone serial number data, and other information. This is the easiest way to gather the most information about an organization via DNS if it is possible. Unfortunately, for penetration testers (and attackers!), few organizations allow untrusted systems to perform zone transfers.

Nick: this is so stupid because zone transfers cannot be done by untrusted sources!

33
Q

30- Geoff wants to perform passive reconnaissance as part of an evaluation of his organization’s security controls. Which of the following techniques is a valid technique to perform as part of a passive DNS assessment?

  • A DNS forward or reverse lookup
  • A zone transfer
  • A WHOIS query
  • Using Maltego
A

A WHOIS query

Performing a WHOIS query is the only passive reconnaissance technique listed. Each of the other techniques performs an active reconnaissance task.

34
Q

Maltego

A

Maltego is a powerful OSINT visual link analysis and data mining tool used widely in cybersecurity, digital forensics, and intelligence analysis. It allows users to gather information about relationships between people, companies, websites, domains, IP addresses, and other entities from various public and private data sources.

35
Q

34- Part of Tracy’s penetration testing assignment is to evaluate the WPA3 Enterprise protected wireless networks of her target organization. What major differences exist between reconnaissances of a wired network versus a wireless network?

  • Encryption and physical accessibility
  • Network access control and encryption
  • Port security and physical accessibility
  • Authentication and encryption
A

Encryption and physical accessibility

Tracy knows that most wired networks do not use end‐to‐end encryption by default and that wireless networks are typically more easily accessible than a wired network that requires physical access to a network jack or a VPN connection from an authorized account. Without more detail, she cannot determine whether authentication is required for both networks, but NAC is a common security feature of wired networks, and WPA3 Enterprise requires authentication as well. Port security is used only for wired network connections.

36
Q

36- Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers?

  • nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt
  • nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt
  • nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt
  • nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt
A

nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt

Using a UDP scan, as shown in option C with the -sU flag, will not properly identify printers since print service ports are TCP ports. The other commands will properly scan and identify many printers based on either their service ports (515, 631, 9100) or their OS version.

37
Q

37- What services will the following nmap scan test for?

nmap -sV -p 22,25,53,389 192.168.2.50/27

  • Telnet, SMTP, DHCP, MS‐SQL
  • SSH, SMTP, DNS, LDAP
  • Telnet, SNMP, DNS, LDAP
  • SSH, SNMP, DNS, RDP
A

SSH, SMTP, DNS, LDAP

This nmap scan will scan for SSH (22), SMTP (25), DNS (53), and LDAP (389) on their typical ports. If the services are running on an alternate port, this scan will completely miss those and any other services.

38
Q

39- Nihar wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use?

  • Fragmenting packets
  • Changing packet header flags
  • Spoofing the source IP
  • Appending random data
A

Changing packet header flags

nmap supports quite a few firewall evasion techniques including spoofing the MAC (hardware) address, appending random data, setting scan delays, using decoy IP addresses, spoofing the source IP or port, modifying the MTU size, or intentionally fragmenting packets.

39
Q

42- What occurs when Mia uses the following command to perform an nmap scan of a network?

nmap -sP 192.168.2.0/24

  • A secure port scan of all hosts in the 192.168.0.0 to 192.168.2.255 network range
  • A scan of all hosts that respond to ping in the 192.168.0.0 to 192.168.255.255 network range
  • A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range
  • A SYN‐based port scan of all hosts in the 192.168.2.0 to 192.168.2.255 network range
A

A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range

The -sP flag for nmap indicates a ping scan, and /24 indicates a range of 255 addresses. In this case, that means nmap will scan for hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 IP address range.

40
Q

43- Amir’s remote scans of a target organization’s class C network block using the nmap command (nmap -sS 10.0.10.1/24) show only a single web server. If Amir needs to gather additional reconnaissance information about the organization’s network, which of the following scanning techniques is most likely to provide additional detail?

  • Use a UDP scan.
  • Perform a scan from on‐site.
  • Scan using the -p 1-65535 flag.
  • Use Nmap’s IPS evasion techniques.
A

Perform a scan from on‐site.

Performing a scan from an on‐site network connection is the most likely to provide more detail. Many organizations have a strong external network defense but typically provide fewer protections for on‐site network connections to allow internal users to access services. It is possible that the organization uses services found only on less common ports or UDP only services, but both of these options have a lower chance of being true than for an on‐site scan to succeed. Nmap does provide firewall and IPS evasion capabilities, but this is also a less likely scenario.

41
Q

44- Damian wants to limit the ability of attackers to conduct passive fingerprinting exercises on his network. Which of the following practices will help to mitigate this risk?

  • Implement an IPS.
  • Implement a firewall.
  • Disable promiscuous mode for NICs.
  • Enable promiscuous mode for NICs
A

Disable promiscuous mode for NICs.

Passive fingerprinting relies on the ability of a system to capture traffic to analyze. Preventing systems from using promiscuous mode will provide attackers with very little data when performing passive fingerprinting. Both intrusion prevention systems and firewalls can help with active fingerprinting but will do nothing to stop passive fingerprinting.

42
Q

45- As part of his active reconnaissance activities, Frank is provided with a shell account accessible via SSH. If Frank wants to run a default nmap scan on the network behind the firewall shown here, how can he accomplish this?

(look up diagram in book)

  • ssh -t 192.168.34.11 nmap 192.168.34.0/24
  • ssh -R 8080:192.168.34.11:8080 [remote account:remote password]
  • ssh -proxy 192.168.11 [remote account:remote password]
  • Frank cannot scan multiple ports with a single ssh command.
A

Frank cannot scan multiple ports with a single ssh command.

While SSH port forwarding and SSH tunneling are both useful techniques for pivoting from a host that allows access, nmap requires a range of ports open for default scans. He could write a script and forward the full range of ports that nmap checks, but none of the commands listed will get him there. If Frank has access to proxy chains, he could do this with two commands.

43
Q

47- Stacey encountered a system that shows as “filtered” and “firewalled” during an nmap scan. Which of the following techniques should she not consider as she is planning her next scan?

  • Packet fragmentation
  • Spoofing the source address
  • Using decoy scans
  • Spoofing the destination address
A

Spoofing the destination address

nmap has a number of built‐in antifirewall capabilities, including packet fragmentation, decoy scans, spoofing of the source IP address and source port, and scan timing techniques that make detection less likely. Spoofing the target IP address won’t help; her packets still need to get to the actual target.

44
Q

50- Sadiq is responsible for the security of a network used to control systems within his organization’s manufacturing plant. The network connects manufacturing equipment, sensors, and controllers. He runs a vulnerability scan on this network and discovers that several of the controllers are running out‐of‐date firmware that introduces security issues. The manufacturer of the controllers is out of business. What action can Sadiq take to best remediate this vulnerability in an efficient manner?

  • Develop a firmware update internally and apply it to the controllers.
  • Post on an Internet message board seeking other organizations that have developed a patch.
  • Ensure that the ICS is on an isolated network.
  • Use an intrusion prevention system on the ICS network.
A

Ensure that the ICS is on an isolated network.

Sadiq should ensure that the industrial control system (ICS) is on an isolated network, unreachable from any Internet‐connected system. This greatly reduces the risk of exploitation. It would not be cost‐effective to develop a patch himself, and Sadiq should not trust any software that he obtains from an Internet forum. An intrusion prevention system, while a good idea, is not as strong a control as network isolation.

45
Q

56- George recently ran a port scan on a network device used by his organization. Which one of the following open ports represents the most significant possible security vulnerability?

  • 22
  • 23
  • 161
  • 443
A

23

Port 23 is used by telnet, an insecure unencrypted communications protocol. George should ensure that telnet is disabled and blocked. Secure shell (SSH) runs on port 22 and serves as a secure alternative. Port 161 is used by the Simple Network Management Protocol (SNMP), and port 443 (HTTPS) is used for secure web connections.

46
Q

61- Quentin ran a vulnerability scan of a server in his organization and discovered the results shown here. Which one of the following actions is not required to resolve one of the vulnerabilities on this server?

(look up diagram in book)

  • Reconfigure cipher support.
  • Apply Windows security patches.
  • Obtain a new SSL certificate.
  • Enhance account security policies.
A

Apply Windows security patches.

Quentin should reconfigure cipher support to resolve the issues surrounding the weak cipher support of SSL/TLS and RDP. He should also obtain a new SSL certificate to resolve multiple issues with the current certificate. He should add account security requirements to resolve the naming of guest accounts and the expiration of administrator passwords. There is no indication that any Windows patches are missing on this system.

47
Q

62- The presence of ____________ triggers specific vulnerability scanning requirements based on law or regulation.

  • Credit card information
  • Protected health information
  • Personally identifiable information
  • Trade secret information
A

Credit card information

Although all of these categories of information should trigger vulnerability scanning for assets involved in their storage, processing, or transmission, only credit card information has specific regulations covering these scans. The Payment Card Industry Data Security Standard (PCI DSS) contains detailed requirements for vulnerability scanning.

48
Q

67- This morning, Eric ran a vulnerability scan in an attempt to detect a vulnerability that was announced by a software manufacturer yesterday afternoon. The scanner did not detect the vulnerability although Eric knows that at least two of his servers should have the issue. Eric contacted the vulnerability scanning vendor, who assured him that they released a signature for the vulnerability overnight. What should Eric do as a next step?

  • Check the affected servers to verify a false positive.
  • Check the affected servers to verify a false negative.
  • Report a bug to the vendor.
  • Update the vulnerability signatures.
A

Update the vulnerability signatures.

The most likely issue is that Eric’s scanner has not pulled the most recent signatures from the vendor’s vulnerability feed. Eric should perform a manual update and rerun the scan before performing an investigation of the servers in question or filing a bug report.

49
Q

68- Natalie ran a vulnerability scan of a web application recently deployed by her organization, and the scan result reported a blind SQL injection. She reported the vulnerability to the developers, who scoured the application and made a few modifications but did not see any evidence that this attack was possible. Natalie reran the scan and received the same result. The developers are now insisting that their code is secure. What is the most likely scenario?

  • The result is a false positive.
  • The code is deficient and requires correction.
  • The vulnerability is in a different web application running on the same server.
  • Natalie is misreading the scan report.
A

The result is a false positive.

Blind SQL injection vulnerabilities are difficult to detect and are a notorious source of false positive reports. Natalie should verify the results of the tests performed by the developers but should be open to the possibility that this is a false positive report, since that is the most likely scenario.

50
Q

70- Joaquin is frustrated at the high level of false positive reports produced by his vulnerability scans and is contemplating a series of actions designed to reduce the false positive rate. Which one of the following actions is least likely to have the desired effect?

  • Moving to credentialed scanning
  • Moving to agent‐based scanning
  • Integrating asset information into the scan
  • Increasing the sensitivity of scans
A

Increasing the sensitivity of scans

Joaquin can improve the quality and quantity of information available to the scanner by moving to credentialed scanning, moving to agent‐based scanning, and integrating asset information into the scans. Any of these actions is likely to reduce the false positive rate. Increasing the sensitivity of scans would likely have the opposite effect, causing the scanner to report even more false positives.

51
Q

73- Zara is prioritizing vulnerability scans and would like to base the frequency of scanning on the information asset value. Which of the following criteria would be most appropriate for her to use in this analysis?

  • Cost of hardware acquisition
  • Cost of hardware replacement
  • Types of information processed
  • Depreciated hardware cost
A

Types of information processed

Information asset value refers to the value that the organization places on data stored, processed, or transmitted by an asset. In this case, the types of information processed (e.g., regulated data, intellectual property, personally identifiable information) help to determine information asset value. The cost of hardware acquisition, cost of hardware replacement, and depreciated cost all refer to the financial value of the hardware, which is a different concept from information asset value.

52
Q

Information Asset Value

A

refers to the value that an organization places on data that is stored, processed, or transmitted by an asset

53
Q

84- Morgan is interpreting the vulnerability scan from her organization’s network, shown here. She would like to determine which vulnerability to remediate first. Morgan would like to focus on vulnerabilities that are most easily exploitable by someone outside her organization. Assuming the firewall is properly configured, which one of the following vulnerabilities should Morgan give the highest priority?

(see diagram in book)

  • Severity 5 vulnerability in the workstation
  • Severity 1 vulnerability in the file server
  • Severity 5 vulnerability in the web server
  • Severity 1 vulnerability in the mail server
A

Severity 5 vulnerability in the web server

If the firewall is properly configured, the workstation and file server are not accessible by an external attacker. Of the two remaining choices, the web server vulnerability (at severity 5) is more severe than the mail server vulnerability (at severity 1). Most organizations do not bother to remediate severity 1 vulnerabilities because they are usually informational in nature.

54
Q

88- Which one of the following protocols is not likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?

  • IPsec
  • SSL v2
  • PPTP
  • SSL v3
A

IPsec

IPsec is a secure protocol for establishing VPN links. Organizations should no longer use the obsolete Secure Sockets Layer (SSL) or Point‐to‐Point Tunneling Protocol (PPTP) for VPN connections or other secure connections.

55
Q

89- Rahul ran a vulnerability scan of a server that will be used for credit card processing in his environment and received a report containing the vulnerability shown here. What action must Rahul take?

(look up diagram in book)

  • Remediate the vulnerability when possible.
  • Remediate the vulnerability prior to moving the system into production and rerun the scan to obtain a clean result.
  • Remediate the vulnerability within 90 days of moving the system to production.
  • No action is required.
A

No action is required.

Rahul does not need to take any action on this vulnerability because it has a severity rating of 2 on a five‐point scale. PCI DSS only requires the remediation of vulnerabilities with at least a “high” rating, and this vulnerability does not clear that threshold.

56
Q

91- Aaron is scanning a server in his organization’s datacenter and receives the vulnerability report shown here. The service is exposed only to internal hosts.

(look up diagram in book)

What priority should Aaron place on remediating this vulnerability?

  • Aaron should make this vulnerability his highest priority.
  • Aaron should remediate this vulnerability urgently but does not need to drop everything.
  • Aaron should remediate this vulnerability within the next month.
  • Aaron does not need to assign any priority to remediating this vulnerability.
A

Aaron does not need to assign any priority to remediating this vulnerability.

Aaron should treat this vulnerability as a fairly low priority and may never get around to remediating it if there are more critical issues on his network. The vulnerability has a severity rating of 2 (out of 5), and the vulnerability is further mitigated by the fact that the server is accessible only from the local network.

57
Q

92- Without access to any additional information, which one of the following vulnerabilities would you consider the most severe if discovered on a production web server?

  • CGI generic SQL injection
  • Web application information disclosure
  • Web server uses basic authentication without HTTPS
  • Web server directory enumeration
A

CGI generic SQL injection

The SQL injection attack could be quite serious, since it may allow an attacker to retrieve and/or modify information stored in the back‐end database. The second‐highest priority should be resolving the use of unencrypted authentication, because it may allow the theft of user credentials. The remaining two vulnerabilities are less serious, because they pose only a reconnaissance risk.

Nick: Not sure I agree with this, as if you get creds, you can get into the DB. Soooo how is that worse?

58
Q

93- Gina ran a vulnerability scan on three systems that her organization is planning to move to production and received the results shown here. How many of these issues should Gina require be resolved before moving to production?

(look up diagram in book)

  • 0.
  • 1.
  • 3.
  • All of these issues should be resolved.
A

0

The report notes that all of the vulnerabilities for these three servers are in Fixed status. This indicates that the vulnerabilities existed but have already been remediated and no additional work is required.

59
Q

94- Ji‐won recently restarted an old vulnerability scanner that had not been used in more than a year. She booted the scanner, logged in, and configured a scan to run. After reading the scan results, she found that the scanner was not detecting known vulnerabilities that were detected by other scanners. What is the most likely cause of this issue?

  • The scanner is running on an outdated operating system.
  • The scanner’s maintenance subscription is expired.
  • Ji‐won has invalid credentials on the scanner.
  • The scanner does not have a current, valid IP address.
A

The scanner’s maintenance subscription is expired.

The most likely issue is that the maintenance subscription for the scanner expired while it was inactive and the scanner is not able to retrieve current signatures from the vendor’s vulnerability feed. The operating system of the scanner should not affect the scan results. Ji‐won would not be able to access the scanner at all if she had invalid credentials or the scanner had an invalid IP address.

60
Q

95- Isabella runs both internal and external vulnerability scans of a web server and detects a possible SQL injection vulnerability. The vulnerability appears only in the internal scan and does not appear in the external scan. When Isabella checks the server logs, she sees the requests coming from the internal scan and sees some requests from the external scanner but no evidence that a SQL injection exploit was attempted by the external scanner. What is the most likely explanation for these results?

  • A host firewall is blocking external network connections to the web server.
  • A network firewall is blocking external network connections to the web server.
  • A host IPS is blocking some requests to the web server.
  • A network IPS is blocking some requests to the web server.
A

A network IPS is blocking some requests to the web server.

The most likely scenario is that a network IPS is blocking SQL injection attempts sent to this server, and the internal scanner is positioned on the network in such a way that it is not filtered by the network IPS. If a host IPS were blocking the requests, the vulnerability would likely not appear on internal scans either. If a firewall were blocking the requests, then no external scanner entries would appear in the log file.

61
Q

96- Rick discovers the vulnerability shown here in a server running in his datacenter. What characteristic of this vulnerability should concern him the most?

(look up diagram in book)

  • It is the subject of a recent security bulletin.
  • It has a CVSS score of 7.8.
  • There are multiple Bugtraq and CVE IDs.
  • It affects kernel‐mode drivers.
A

It affects kernel‐mode drivers.

The fact that this vulnerability affects kernel‐mode drivers is very serious, because it indicates that an attacker could compromise the core of the operating system in an escalation of privilege attack. The other statements made about this vulnerability are all correct, but they are not as serious as the kernel‐mode issue.

62
Q

97- Carl runs a vulnerability scan of a mail server used by his organization and receives the vulnerability report shown here. What action should Carl take to correct this issue?

(look up diagram in book)

  • Carl does not need to take any action because this is an informational report.
  • Carl should replace SSL with TLS on this server.
  • Carl should disable weak ciphers.
  • Carl should upgrade OpenSSL.
A

Carl should upgrade OpenSSL.

This is an example of the POODLE vulnerability that exploits weaknesses in the OpenSSL encryption library. While replacing SSL with TLS and disabling weak ciphers are good practices, they will not correct this issue. Carl should upgrade OpenSSL to a more current version that does not contain this vulnerability.

63
Q

102- After reviewing the results of a vulnerability scan, Gabriella discovered a flaw in her Oracle database server that may allow an attacker to attempt a direct connection to the server. She would like to review NetFlow logs to determine what systems have connected to the server recently. What TCP port should Gabriella expect to find used for this communication?

  • 443
  • 1433
  • 1521
  • 8080
A

1521

Oracle database servers use port 1521 for database connections. Port 443 is used for HTTPS connections to a web server. Microsoft SQL Server uses port 1433 for database connections. Port 8080 is a nonstandard port for web services.

64
Q

103- Terry recently ran a vulnerability scan against his organization’s credit card processing environment that found a number of vulnerabilities. Which vulnerabilities must he remediate to have a “clean” scan under PCI DSS standards?

  • Critical vulnerabilities
  • Critical and high vulnerabilities
  • Critical, high, and medium vulnerabilities
  • Critical, high, medium, and low vulnerabilities
A

Critical and high vulnerabilities

The PCI DSS standard requires that merchants and service providers present a clean scan result that shows no critical or high vulnerabilities in order to maintain compliance.

65
Q

Network Classes

A
  • Class A: Subnet Mask: 255.0.0.0 (8 bits); CIDR: /8
  • Class B: Subnet Mask: 255.255.0.0 (16 bits); CIDR: /16
  • Class C: Subnet Mask: 255.255.255.0 (24 bits); CIDR: /24
  • Class D: Subnet Mask: 255.255.255.255 (32 bits); CIDR: /32
66
Q

105- Aaron is configuring a vulnerability scan for a Class C network and is trying to choose a port setting from the list shown here. He would like to choose a scan option that will efficiently scan his network but also complete in a reasonable period of time. Which setting would be most appropriate?

(look up diagram in the book)

  • None
  • Full
  • Standard Scan
  • Light Scan
A

Standard Scan

The standard scan of 1,900 common ports is a reasonably thorough scan that will conclude in a realistic period of time. If Aaron knows of specific ports used in his organization that are not included in the standard list, he could specify them using the Additional section of the port settings. A full scan of all 65,535 ports would require an extremely long period of time on a Class C network. Choosing the Light Scan setting would exclude a large number of commonly used ports, whereas the None setting would not scan any ports.

67
Q

106- Haruto is reviewing the results of a vulnerability scan, shown here, from a web server in his organization. Access to this server is restricted at the firewall so that it may not be accessed on port 80 or 443. Which of the following vulnerabilities should Haruto still address?

(look up diagram in the book)

  • OpenSSL version.
  • Cookie information disclosure.
  • TRACK/TRACE methods.
  • Haruto does not need to address any of these vulnerabilities because they are not exposed to the outside world.
A

OpenSSL version.

From the information given in the scenario, you can conclude that all of the HTTP/HTTPS vulnerabilities are not exploitable by an attacker because of the firewall restrictions. However, OpenSSL is an encryption package used for other services, in addition to HTTPS. Therefore, it may still be exposed via SSH or other means. Haruto should replace it with a current, supported version because running an end‐of‐life (EOL) version of this package exposes the organization to potentially unpatchable security vulnerabilities.

68
Q

107- Brian is considering the use of several different categories of vulnerability plug‐ins. Of the types listed here, which is the most likely to result in false positive reports?

  • Registry inspection
  • Banner grabbing
  • Service interrogation
  • Fuzzing
A

Banner grabbing

Banner grabbing scans are notorious for resulting in false positive reports because the only validation they do is to check the version number of an operating system or application against a list of known vulnerabilities. This approach is unable to detect any remediation activities that may have taken place that do not alter the version number.

69
Q

108- Binh conducts a vulnerability scan and finds three different vulnerabilities, with the CVSS scores shown here. Which vulnerability should be his highest priority to fix, assuming all three fixes are of equal difficulty?

Vulnerability 1
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability 2
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability 3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  • Vulnerability 1.
  • Vulnerability 2.
  • Vulnerability 3.
  • Vulnerabilities 1 and 3 are equal in priority.
A

Vulnerability 3.

Vulnerability 3 has a CVSS score of 10.0 because it received the highest possible ratings on all portions of the CVSS vector. All three vulnerabilities have ratings of “high” for the confidentiality, integrity, and availability impact metrics. Vulnerabilities 1 and 2 have lower values for one or more of the exploitability metrics, meaning that weaponization of those vulnerabilities would likely be more difficult.

70
Q

CVSS metrics and options

A

Attack Vector (AV) - How the vulnerability is exploited:

  • N: Network - Exploitable remotely across a network
  • A: Adjacent - Requires access to local network
  • L: Local - Requires local access to the system
  • P: Physical - Requires physical access to the system

Attack Complexity (AC) - Conditions beyond the attacker’s control:

  • L: Low - No special conditions needed
  • H: High - Special conditions required

Privileges Required (PR) - Level of privileges needed:

  • N: None - No privileges required
  • L: Low - Basic user privileges required
  • H: High - Administrative privileges required

User Interaction (UI) - Whether a user must participate:

  • N: None - No user interaction required
  • R: Required - User interaction needed

Scope (S) - Whether the vulnerability impacts resources beyond its security scope:

  • U: Unchanged - Affects only resources managed by the same authority
  • C: Changed - Can affect resources beyond the vulnerable component

Confidentiality (C) - Impact to data confidentiality:

  • N: None - No impact
  • L: Low - Limited impact
  • H: High - Total information disclosure

Integrity (I) - Impact to data or system integrity:

  • N: None - No impact
  • L: Low - Limited modification possible
  • H: High - Total compromise of system integrity

Availability (A) - Impact to system availability:

  • N: None - No impact
  • L: Low - Reduced performance or interruptions
  • H: High - Total shutdown of the affected resource
71
Q

Landon is preparing to run a vulnerability scan of a dedicated Apache server that his organization is planning to move into a screened subnet (DMZ). Which one of the following vulnerability scans is least likely to provide informative results?

  • Web application vulnerability scan
  • Database vulnerability scan
  • Port scan
  • Network vulnerability scan
A

Database vulnerability scan

There is no indication in the scenario that the server is running a database; in fact, the scenario indicates that the server is dedicated to running the Apache web service. Therefore, it is unlikely that a database vulnerability scan would yield any results. Landon should run the other three scans, and if they indicate the presence of a database server, he could follow up with a specialized database vulnerability scan.

72
Q

Nonrepudiation

A

property that prevents someone from denying they performed an action like sending a message or signing a document. It’s typically implemented using digital signatures, secure timestamps, and audit logs to provide verifiable proof of who did what and when.

73
Q

112- Aadesh is creating a vulnerability management program for his company. He has limited scanning resources and would like to apply them to different systems based on the sensitivity and criticality of the information that they handle. What criteria should Aadesh use to determine the vulnerability scanning frequency?

  • Data remanence
  • Data privacy
  • Data classification
  • Data sovereignty
A

Data classification

Data classification is a set of labels applied to information based on its degree of sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data retention requirements dictate the length of time that an organization should maintain copies of records. Data remanence is an issue where information thought to be deleted may still exist on systems. Data privacy may contribute to data classification but does not encompass the entire field of data sensitivity and criticality in the same manner as data classification. For example, a system may process proprietary business information that would be very highly classified and require frequent vulnerability scanning. Unless that system also processed personally identifiable information, it would not trigger scans under a system based solely on data privacy.

74
Q

116- Yashvir runs the cybersecurity vulnerability management program for his organization. He sends a database administrator a report of a missing database patch that corrects a high severity security issue. The DBA writes back to Yashvir that he has applied the patch. Yashvir reruns the scan, and it still reports the same vulnerability. What should he do next?

  • Mark the vulnerability as a false positive.
  • Ask the DBA to recheck the database server.
  • Mark the vulnerability as an exception.
  • Escalate the issue to the DBA’s manager.
A

Ask the DBA to recheck the database server.

In this case, Yashvir should ask the DBA to recheck the server to ensure that the patch was properly applied. It is not yet appropriate to mark the issue as a false positive report until Yashvir performs a brief investigation to confirm that the patch is applied properly. This is especially true because the vulnerability relates to a missing patch, which is not a common source of false positive reports. There was no acceptance of this vulnerability, so Yashvir should not mark it as an exception. He should not escalate this issue to management because the DBA is working with him in good faith.

75
Q

117- Manya is reviewing the results of a vulnerability scan and identifies the issue shown here in one of her systems. She consults with developers who check the code and assure her that it is not vulnerable to SQL injection attacks. An independent auditor confirms this for Manya. What is the most likely scenario?

Transcription of the scan finding shown in the book:

HIGH  CGI Generic SQL Injection (blind, time based)

Description

By sending specially crafted parameters to one or more CGI scripts hosted on the remote web server, Nessus was able to get a slower response, which suggests that it may have been able to modify the behavior of the application and directly access the underlying database.

An attacker may be able to exploit this issue to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

Note that this script is experimental and may be prone to false positives.

Solution

Modify the affected CGI scripts so that they properly escape arguments.

  • This is a false positive report.
  • The developers are wrong, and the vulnerability exists.
  • The scanner is malfunctioning.
  • The database server is misconfigured.
A

This is a false positive report.

This is most likely a false positive report. The vulnerability description says “note that this script is experimental and may be prone to false positives.” It is less likely that the developers and independent auditors are all incorrect. The scanner is most likely functioning properly, and there is no indication that either it or the database server is misconfigured.

76
Q

119- Larry recently discovered a critical vulnerability in one of his organization’s database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor‐supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability.

How should Larry respond to this situation?

  • Mark the report as a false positive.
  • Insist that the administrator apply the vendor patch.
  • Mark the report as an exception.
  • Require that the administrator submit a report describing the workaround after each vulnerability scan.
A

Mark the report as a false positive.

This is an example of a false positive report. The administrator demonstrated that the database is not subject to the vulnerability because of the workaround, and Larry went a step further and verified this himself. Therefore, he should mark the report as a false positive in the vulnerability scanner.

77
Q

120- Larry recently discovered a critical vulnerability in one of his organization’s database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor‐supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability.

What is the most likely cause of this report?

  • The vulnerability scanner requires an update.
  • The vulnerability scanner depends on version detection.
  • The database administrator incorrectly applied the workaround.
  • Larry misconfigured the scan.
A

The vulnerability scanner depends on version detection.

False positive reports like the one described in this scenario are common when a vulnerability scanner depends on banner grabbing and version detection. The primary solution to this issue is applying a patch that the scanner would detect by noting a new version number. The administrator instead took the perfectly acceptable step of remediating the vulnerability in a different manner without applying the patch, but the scanner is unable to detect that remediation activity and is reporting a false positive result.

78
Q

122- Margot discovered that a server in her organization has a SQL injection vulnerability. She would like to investigate whether attackers have attempted to exploit this vulnerability. Which one of the following data sources is least likely to provide helpful information?

  • NetFlow logs
  • Web server logs
  • Database logs
  • IDS logs
A

NetFlow logs

Margot can expect to find relevant results in the web server logs because they would contain records of HTTP requests to the server. Database server logs would contain records of the queries made against the database. IDS logs may contain logs of SQL injection alerts. NetFlow logs would not contain useful information because they record only traffic flows, not the details of the communications.

79
Q

123- Krista is reviewing a vulnerability scan report and comes across the vulnerability shown here. She comes from a Linux background and is not as familiar with Windows administration. She is not familiar with the runas command mentioned in this vulnerability. What is the closest Linux equivalent command?

(Look up diagram in book)

  • sudo
  • grep
  • su
  • ps
A

sudo

The runas command allows an administrator to execute a command using the privileges of another user. Linux offers the same functionality with the sudo command. The Linux su command is similar but allows an administrator to switch user identities, rather than simply execute a command using another user’s identity. The ps command in Linux lists active processes, whereas the grep command is used to search for text matching a pattern.

80
Q

126- Akari scans a Windows server in her organization and finds that it has multiple critical vulnerabilities, detailed in the report shown here. What action can Akari take that will have the most significant impact on these issues without creating a long‐term outage?

(Look up diagram in book)

  • Configure the host firewall to block inbound connections.
  • Apply security patches.
  • Disable the guest account on the server.
  • Configure the server to only use secure ciphers.
A

Apply security patches.

The majority of the most serious issues in this scan report relate to missing security updates to Windows and applications installed on the server. Akari should schedule a short outage to apply these updates. Blocking inbound connections at the host firewall would prevent the exploitation of these vulnerabilities, but it would also prevent users from accessing the server. Disabling the guest account and configuring the use of secure ciphers would correct several vulnerabilities, but they are not as severe as the vulnerabilities related to patches.

81
Q

128- Doug is preparing an RFP for a vulnerability scanner for his organization. He needs to know the number of systems on his network to help determine the scanner requirements. Which one of the following would not be an easy way to obtain this information?

  • ARP tables
  • Asset management tool
  • Discovery scan
  • Results of scans recently run by a consultant
A

ARP tables

Although ARP tables may provide the necessary information, this is a difficult way to enumerate hosts and is prone to error. Doug would have much greater success if he consulted the organization’s asset management tool, ran a discovery scan, or looked at the results of other recent scans.

82
Q

129- Mary runs a vulnerability scan of her entire organization and shares the report with another analyst on her team. An excerpt from that report appears here. Her colleague points out that the report contains only vulnerabilities with severities of 3, 4, or 5. What is the most likely cause of this result?

(Look up diagram in book)

  • The scan sensitivity is set to exclude low‐importance vulnerabilities.
  • Mary did not configure the scan properly.
  • Systems in the datacenter do not contain any level 1 or 2 vulnerabilities.
  • The scan sensitivity is set to exclude high‐impact vulnerabilities.
A

The scan sensitivity is set to exclude low‐importance vulnerabilities.

The most likely reason for this result is that the scan sensitivity is set to exclude low‐impact vulnerabilities rated as 1 or 2. There is no reason to believe that Mary configured the scan improperly because this is a common practice to limit information overload and is likely intentional. It is extremely unlikely that systems in the datacenter contain no low‐impact vulnerabilities when they have high‐impact vulnerabilities. If Mary excluded high‐impact vulnerabilities, the report would not contain any vulnerabilities rated 4 or 5.

83
Q

131- Which one of the following approaches provides the most current and accurate information about vulnerabilities present on a system because of the misconfiguration of operating system settings?

  • On‐demand vulnerability scanning
  • Continuous vulnerability scanning
  • Scheduled vulnerability scanning
  • Agent‐based monitoring
A

Agent‐based monitoring

Vulnerability scans can only provide a snapshot in time of a system’s security status from the perspective of the vulnerability scanner. Agent‐based monitoring provides a detailed view of the system’s configuration from an internal perspective and is likely to provide more accurate results, regardless of the frequency of vulnerability scanning.

85
Q

133- Pete recently conducted a broad vulnerability scan of all the servers and workstations in his environment. He scanned the following three networks:

  • Screened subnet (DMZ) network that contains servers with public exposure
  • Workstation network that contains workstations that are allowed outbound access only
  • Internal server network that contains servers exposed only to internal systems

He detected the following vulnerabilities:

  • Vulnerability 1: A SQL injection vulnerability on a screened subnet (DMZ) server that would grant access to a database server on the internal network (severity 5/5)
  • Vulnerability 2: A buffer overflow vulnerability on a domain controller on the internal server network (severity 3/5)
  • Vulnerability 3: A missing security patch on several hundred Windows workstations on the workstation network (severity 2/5)
  • Vulnerability 4: A denial‐of‐service vulnerability on a screened subnet (DMZ) server that would allow an attacker to disrupt a public‐facing website (severity 2/5)
  • Vulnerability 5: A denial‐of‐service vulnerability on an internal server that would allow an attacker to disrupt an internal website (severity 4/5)

Note that the severity ratings assigned to these vulnerabilities are directly from the vulnerability scanner and were not assigned by Pete.

Pete is working with the desktop support manager to remediate vulnerability 3. What would be the most efficient way to correct this issue?

  • Personally visit each workstation to remediate the vulnerability.
  • Remotely connect to each workstation to remediate the vulnerability.
  • Perform registry updates using a remote configuration tool.
  • Apply the patch using a GPO.
A

Apply the patch using a GPO.

Pete and the desktop support team should apply the patch using a Group Policy Object (GPO) or other centralized configuration management tool. This is much more efficient than visiting each workstation individually, either in person or via remote connection. There is no indication in the scenario that a registry update would remediate this issue.

86
Q

134- Pete recently conducted a broad vulnerability scan of all the servers and workstations in his environment. He scanned the following three networks:

  • Screened subnet (DMZ) network that contains servers with public exposure
  • Workstation network that contains workstations that are allowed outbound access only
  • Internal server network that contains servers exposed only to internal systems

He detected the following vulnerabilities:

  • Vulnerability 1: A SQL injection vulnerability on a screened subnet (DMZ) server that would grant access to a database server on the internal network (severity 5/5)
  • Vulnerability 2: A buffer overflow vulnerability on a domain controller on the internal server network (severity 3/5)
  • Vulnerability 3: A missing security patch on several hundred Windows workstations on the workstation network (severity 2/5)
  • Vulnerability 4: A denial‐of‐service vulnerability on a screened subnet (DMZ) server that would allow an attacker to disrupt a public‐facing website (severity 2/5)
  • Vulnerability 5: A denial‐of‐service vulnerability on an internal server that would allow an attacker to disrupt an internal website (severity 4/5)

Note that the severity ratings assigned to these vulnerabilities are directly from the vulnerability scanner and were not assigned by Pete.

Pete recently conferred with the organization’s CISO, and the team is launching an initiative designed to combat the insider threat. They are particularly concerned about the theft of information by employees seeking to exceed their authorized access. Which one of the vulnerabilities in this report is of greatest concern given this priority?

  • Vulnerability 2
  • Vulnerability 3
  • Vulnerability 4
  • Vulnerability 5
A

Vulnerability 2

An insider would have the network access required to connect to a system on the internal server network and exploit this buffer overflow vulnerability. Buffer overflow vulnerabilities typically allow the execution of arbitrary code, which may allow an attacker to gain control of the server and access information above their authorization level. Vulnerability 3 may also allow the theft of information, but it has a lower severity level than vulnerability 2. Vulnerabilities 4 and 5 are denial‐of‐service vulnerabilities that would allow the disruption of service, not the theft of information.

87
Q

135- Wanda recently discovered the vulnerability shown here on a Windows server in her organization. She is unable to apply the patch to the server for six weeks because of operational issues. What workaround would be most effective in limiting the likelihood that this vulnerability would be exploited?

(Look up diagram in book)

  • Restrict interactive logins to the system.
  • Remove Microsoft Office from the server.
  • Remove Internet Explorer from the server.
  • Apply the security patch.
A

Restrict interactive logins to the system.

Wanda should restrict interactive logins to the server. The vulnerability report states that “The most severe of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.” If Wanda restricts interactive login, it greatly reduces the likelihood of this type of activity. Removing Internet Explorer or Microsoft Office might lower some of the risk, but it would not be as effective as completely restricting logins. Applying the security patch is not an option because of the operational concerns cited in the question.

88
Q

136- Garrett is configuring vulnerability scanning for a new web server that his organization is deploying on its screened subnet (DMZ) network. The server hosts the company’s public website. What type of scanning should Garrett configure for best results?

  • Garrett should not perform scanning of screened subnet (DMZ) systems.
  • Garrett should perform external scanning only.
  • Garrett should perform internal scanning only.
  • Garrett should perform both internal and external scanning.
A

Garrett should perform both internal and external scanning.

For best results, Garrett should combine both internal and external vulnerability scans. The external scan provides an “attacker’s eye view” of the web server, whereas the internal scan may uncover vulnerabilities that would only be exploitable by an insider or an attacker who has gained access to another system on the network.

89
Q

137- Frank recently ran a vulnerability scan and identified a POS terminal that contains an unpatchable vulnerability because of running an unsupported operating system. Frank consults with his manager and is told that the POS is being used with full knowledge of management and, as a compensating control, it has been placed on an isolated network with no access to other systems. Frank’s manager tells him that the merchant bank is aware of the issue. How should Frank handle this situation?

  • Document the vulnerability as an approved exception.
  • Explain to his manager that PCI DSS does not permit the use of unsupported operating systems.
  • Decommission the POS system immediately to avoid personal liability.
  • Upgrade the operating system immediately.
A

Document the vulnerability as an approved exception.

The scenario describes an acceptable use of a compensating control that has been reviewed with the merchant bank. Frank should document this as an exception and move on with his scans. Other actions would go against his manager’s wishes and are not required by the situation.

90
Q

140- Julian recently detected the vulnerability shown here on several servers in his environment. Because of the critical nature of the vulnerability, he would like to block all access to the affected service until it is resolved using a firewall rule. He verifies that the following TCP ports are open on the host firewall. Which one of the following does Julian not need to block to restrict access to this service?

(Look up diagram in book)

  • 137
  • 139
  • 389
  • 445
A

389

Port 389 is used by the Lightweight Directory Access Protocol (LDAP) and is not part of the SMB communication. SMB may be accessed directly over TCP port 445 or indirectly by using NetBIOS over TCP/IP on TCP ports 137 and 139.

91
Q

144- Victor is configuring a new vulnerability scanner. He set the scanner to run scans of his entire datacenter each evening. When he went to check the scan reports at the end of the week, he found that they were all incomplete. The scan reports noted the error “Scan terminated due to start of preempting job.” Victor has no funds remaining to invest in the vulnerability scanning system. He does want to cover the entire datacenter. What should he do to ensure that scans complete?

  • Reduce the number of systems scanned.
  • Increase the number of scanners.
  • Upgrade the scanner hardware.
  • Reduce the scanning frequency.
A

Reduce the scanning frequency.

The problem Victor is experiencing is that the full scan does not complete in the course of a single day and is being cancelled when the next full scan tries to run. He can fix this problem by reducing the scanning frequency. For example, he could set the scan to run once a week so that it completes. Reducing the number of systems scanned would not meet his requirement to scan the entire datacenter. He cannot increase the number of scanners or upgrade the hardware because he has no funds to invest in the system.

92
Q

146- Terry is reviewing a vulnerability scan of a Windows server and came across the vulnerability shown here. What is the risk presented by this vulnerability?

(look up diagram in book)

  • An attacker may be able to execute a buffer overflow and execute arbitrary code on the server.
  • An attacker may be able to conduct a denial‐of‐service attack against this server.
  • An attacker may be able to determine the operating system version on this server.
  • There is no direct vulnerability, but this information points to other possible vulnerabilities on the server.
A

There is no direct vulnerability, but this information points to other possible vulnerabilities on the server.

This scan result does not directly indicate a vulnerability. However, it does indicate that the server is configured for compatibility with 16‐bit applications, and those applications may have vulnerabilities. It is an informational result that does not directly require action on Terry’s behalf.

93
Q

147- Andrea recently discovered the vulnerability shown here on the workstation belonging to a system administrator in her organization. What is the major likely threat that should concern Andrea?

(look up diagram in book)

  • An attacker could exploit this vulnerability to take control of the administrator’s workstation.
  • An attacker could exploit this vulnerability to gain access to servers managed by the administrator.
  • An attacker could exploit this vulnerability to prevent the administrator from using the workstation.
  • An attacker could exploit this vulnerability to decrypt sensitive information stored on the administrator’s workstation.
A

An attacker could exploit this vulnerability to gain access to servers managed by the administrator.

PuTTY is a commonly used remote login application used by administrators to connect to servers and other networked devices. If an attacker gains access to the SSH private keys used by PuTTY, the attacker could use those keys to gain access to the systems managed by that administrator. This vulnerability does not necessarily give the attacker any privileged access to the administrator’s workstation, and the SSH key is not normally used to encrypt stored information.

94
Q

149- Chandra’s organization recently upgraded the firewall protecting the network where they process credit card information. This network is subject to the provisions of PCI DSS. When is Chandra required to schedule the next vulnerability scan of this network?

  • Immediately
  • Within one month
  • Before the start of next month
  • Before the end of the quarter following the upgrade
A

Immediately

PCI DSS requires that networks be scanned quarterly or after any “significant change in the network.” A firewall upgrade definitely qualifies as a significant network change, and Chandra should schedule a vulnerability scan immediately to maintain PCI DSS compliance.

95
Q

152- Nick is configuring vulnerability scans for his network using a third‐party vulnerability scanning service. He is attempting to scan a web server that he knows exposes a CIFS file share and contains several significant vulnerabilities. However, the scan results only show ports 80 and 443 as open. What is the most likely cause of these scan results?

  • The CIFS file share is running on port 443.
  • A firewall configuration is preventing the scan from succeeding.
  • The scanner configuration is preventing the scan from succeeding.
  • The CIFS file share is running on port 80.
A

A firewall configuration is preventing the scan from succeeding.

The most likely issue here is that there is a network firewall between the server and the third‐party scanning service. This firewall is blocking inbound connections to the web server and preventing the external scan from succeeding. CIFS generally runs on port 445, not port 80 or 443. Those ports are commonly associated with web services. The scanner is not likely misconfigured because it is successfully detecting other ports on the server. Nick should either alter the firewall rules to allow the scan to succeed or, preferably, place a scanner on a network in closer proximity to the web server.

96
Q

153- Thomas learned this morning of a critical security flaw that affects a major service used by his organization and requires immediate patching. This flaw was the subject of news reports and is being actively exploited. Thomas has a patch and informed stakeholders of the issue and received permission to apply the patch during business hours. How should he handle the change management process?

  • Thomas should apply the patch and then follow up with an emergency change request after work is complete.
  • Thomas should initiate a standard change request but apply the patch before waiting for approval.
  • Thomas should work through the standard change approval process and wait until it is complete to apply the patch.
  • Thomas should file an emergency change request and wait until it is approved to apply the patch.
A

Thomas should apply the patch and then follow up with an emergency change request after work is complete.

Change management processes should always include an emergency change procedure. This procedure should allow applying emergency security patches without working through the standard change process. Thomas has already secured stakeholder approval on an informal basis, so he should proceed with the patch and then file a change request after the work is complete. Taking the time to file the change request before completing the work would expose the organization to a critical security flaw during the time required to complete the paperwork.

97
Q

156- Brian is configuring a vulnerability scan of all servers in his organization’s datacenter. He is configuring the scan to detect only the highest‐severity vulnerabilities. He would like to empower system administrators to correct issues on their servers but also have some insight into the status of those remediations. Which approach would best serve Brian’s interests?

  • Give the administrators access to view the scans in the vulnerability scanning system.
  • Send email alerts to administrators when the scans detect a new vulnerability on their servers.
  • Configure the vulnerability scanner to open a trouble ticket when it detects a new vulnerability on a server.
  • Configure the scanner to send reports to Brian who can notify administrators and track them in a spreadsheet.
A

Configure the scanner to send reports to Brian who can notify administrators and track them in a spreadsheet.

The best path for Brian to follow would be to leverage the organization’s existing trouble ticket system. Administrators likely already use this system on a regular basis, and it can handle reporting and escalation of issues. Brian might want to give administrators access to the scanner and/or have emailed reports sent automatically as well, but those will not provide the tracking that he desires.

98
Q

158- Ben’s manager recently assigned him to begin the remediation work on the most vulnerable server in his organization. A portion of the scan report appears here. What remediation action should Ben take first?

(look up diagram in the book)

  • Install patches for Adobe Flash.
  • Install patches for Firefox.
  • Run Windows Update.
  • Remove obsolete software.
A

Run Windows Update.

Ben is facing a difficult challenge and should likely perform all of the actions described in this question. However, the best starting point would be to run Windows Update to install operating system patches. Many of the critical vulnerabilities relate to missing Windows patches. The other actions may also resolve critical issues, but they all involve software that a user must run on the server before they can be exploited. This makes them slightly lower priorities than the Windows flaws that may be remotely exploitable with no user action.

99
Q

159- Zhang Wei completed a vulnerability scan of his organization’s virtualization platform from an external host and discovered the vulnerability shown here. How should he react?

(look up diagram in book)

  • This is a critical issue that requires immediate adjustment of firewall rules.
  • This issue has a very low severity and does not require remediation.
  • This issue should be corrected as time permits.
  • This is a critical issue, and Zhang Wei should shut down the platform until it is corrected.
A

This is a critical issue that requires immediate adjustment of firewall rules.

Although the vulnerability scan report does indicate that this is a low‐severity vulnerability, Zhang Wei must take this information in context. The management interface of a virtualization platform should never be exposed to external hosts, and it also should not use unencrypted credentials. In that context, this is a critical vulnerability that could allow an attacker to take control of a large portion of the computing environment. He should work with security and network engineers to block this activity at the firewall as soon as possible. Shutting down the virtualization platform is not a good alternative because it would be extremely disruptive, and the firewall adjustment is equally effective from a security point of view.

100
Q

162- Dave is running a vulnerability scan of a client’s network for the first time. The client has never run such a scan and expects to find many results. What security control is likely to remediate the largest portion of the vulnerabilities discovered in Dave’s scan?

  • Input validation
  • Patching
  • Intrusion prevention systems
  • Encryption
A

Patching

Although all the solutions listed may remediate some of the vulnerabilities discovered by Dave’s scan, the vast majority of issues in an unmaintained network result from missing security updates. Applying patches will likely resolve quite a few vulnerabilities, if not the majority of them.

101
Q

165- Ling recently completed the security analysis of a web browser deployed on systems in her organization and discovered that it is susceptible to a zero‐day integer overflow attack. Who is in the best position to remediate this vulnerability in a manner that allows continued use of the browser?

  • Ling
  • The browser developer
  • The network administrator
  • The domain administrator
A

The browser developer

Ling or the domain administrator could remove the software from the system, but this would not allow continued use of the browser. The network administrator could theoretically block all external web browsing, but this is not a practical solution. The browser developer is the only one in a good situation to correct an overflow error because it is a flaw in the code of the web browser.

102
Q

169- Mary is trying to determine what systems in her organization should be subject to vulnerability scanning. She would like to base this decision on the criticality of the system to business operations. Where should Mary turn to best find this information?

  • The CEO
  • System names
  • IP addresses
  • Asset inventory
A

Asset inventory

Mary should consult the organization’s asset inventory. If properly constructed and maintained, this inventory should contain information about asset criticality. The CEO may know some of this information, but it is unlikely that they would have all the necessary information or the time to review it. System names and IP addresses may contain some hints to asset criticality but would not be as good a source as an asset inventory that clearly identifies criticality.

103
Q

171- Kamea is designing a vulnerability management system for her organization. Her highest priority is conserving network bandwidth. She does not have the ability to alter the configuration or applications installed on target systems. What solution would work best in Kamea’s environment to provide vulnerability reports?

  • Agent‐based scanning
  • Server‐based scanning
  • Passive network monitoring
  • Port scanning
A

Passive network monitoring

Passive network monitoring meets Kamea’s requirements to minimize network bandwidth consumption while not requiring the installation of an agent. Kamea cannot use agent‐based scanning because it requires application installation. She should not use server‐based scanning because it consumes bandwidth. Port scanning does not provide vulnerability reports.

104
Q

173- Laura received a vendor security bulletin that describes a zero‐day vulnerability in her organization’s main database server. This server is on a private network but is used by publicly accessible web applications. The vulnerability allows the decryption of administrative connections to the server. What reasonable action can Laura take to address this issue as quickly as possible?

  • Apply a vendor patch that resolves the issue.
  • Disable all administrative access to the database server.
  • Require VPN access for remote connections to the database server.
  • Verify that the web applications use strong encryption.
A

Require VPN access for remote connections to the database server.

The issue raised by this vulnerability is the possibility of eavesdropping on administrative connections to the database server. Requiring the use of a VPN would add strong encryption to this connection and negate the effect of the vulnerability. A patch is not an option because this is a zero‐day vulnerability, meaning that a patch is not yet available. Disabling administrative access to the database server would be unnecessarily disruptive to the business. The web server’s encryption level is irrelevant to the issue as it would affect connections to the web server, not the database server.

105
Q

177- Kylie reviewed the vulnerability scan report for a web server and found that it has multiple SQL injection and cross‐site scripting vulnerabilities. What would be the least difficult way for Kylie to address these issues?

  • Install a web application firewall.
  • Recode the web application to include input validation.
  • Apply security patches to the server operating system.
  • Apply security patches to the web server service.
A

Install a web application firewall.

Applying patches to the server will not correct SQL injection or cross‐site scripting flaws, since these reside within the web applications themselves. Kylie could correct the root cause by recoding the web applications to use input validation, but this is the more difficult path. A web application firewall would provide immediate protection with lower effort.

106
Q

178- Karen ran a vulnerability scan of a web server used on her organization’s internal network. She received the report shown here. What circumstances would lead Karen to dismiss this vulnerability as a false positive?

(look up diagram in book)

  • The server is running SSL v2.
  • The server is running SSL v3.
  • The server is for internal use only.
  • The server does not contain sensitive information.
A

The server is for internal use only.

This error indicates that the vulnerability scanner was unable to verify the signature on the digital certificate used by the web server. If the organization is using a self‐signed digital certificate for this internal application, this would be an expected result.

107
Q

179- Which one of the following vulnerabilities is the most difficult to confirm with an external vulnerability scan?

  • Cross‐site scripting
  • Cross‐site request forgery
  • Blind SQL injection
  • Unpatched web server
A

Blind SQL injection

Cross‐site scripting and cross‐site request forgery vulnerabilities are normally easy to detect with vulnerability scans because the scanner can obtain visual confirmation of a successful attack. Unpatched web servers are often identified by using publicly accessible banner information. Although scanners can often detect many types of SQL injection vulnerabilities, it is often difficult to confirm blind SQL injection vulnerabilities because they do not return results to the attacker but rely on the silent (blind) execution of code.

108
Q

180- Holly ran a scan of a server in her datacenter, and the most serious result was the vulnerability shown here. What action is most commonly taken to remediate this vulnerability?

(look up diagram in book)

  • Remove the file from the server.
  • Edit the file to limit information disclosure.
  • Password protect the file.
  • Limit file access to a specific IP range.
A

Remove the file from the server.

The phpinfo file is a testing file often used by web developers during the initial configuration of a server. Although any of the solutions provided here may remediate this vulnerability, the most common course of action is to simply remove this file before the server is moved into production or made publicly accessible.

109
Q

183- Sharon is designing a new vulnerability scanning system for her organization. She must scan a network that contains hundreds of unmanaged hosts. Which of the following techniques would be most effective at detecting system configuration issues in her environment?

  • Agent‐based scanning
  • Credentialed scanning
  • Server‐based scanning
  • Passive network monitoring
A

Server‐based scanning

It would be difficult for Sharon to use agent‐based or credentialed scanning in an unmanaged environment because she would have to obtain account credentials for each scanned system. Of the remaining two technologies, server‐based scanning is more effective at detecting configuration issues than passive network monitoring.

110
Q

185- Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization’s network. An external scan of the server found the vulnerability shown here.

(Look up diagram in book)

What is the most likely result of failing to correct this vulnerability?

  • All users will be able to access the site.
  • All users will be able to access the site, but some may see an error message.
  • Some users will be unable to access the site.
  • All users will be unable to access the site.
A

All users will be able to access the site, but some may see an error message.

This vulnerability should not prevent users from accessing the site, but it will cause their browsers to display a warning that the site is not secure.

111
Q

186- Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization’s network. An external scan of the server found the vulnerability shown here.

(Look up diagram in book)

How can Arlene correct this vulnerability?

  • Reconfigure the VPN server to only use secure hash functions.
  • Request a new certificate.
  • Change the domain name of the server.
  • Implement an intrusion prevention system.
A

Request a new certificate.

This error is a vulnerability in the certificate itself and may be corrected only by requesting a new certificate from the certificate authority (CA) that uses a secure hash algorithm in the certificate signature.

112
Q

192- Sara’s organization has a well‐managed test environment. What is the most likely issue that Sara will face when attempting to evaluate the impact of a vulnerability remediation by first deploying it in the test environment?

  • Test systems are not available for all production systems.
  • Production systems require a different type of patch than test systems.
  • Significant configuration differences exist between test and production systems.
  • Test systems are running different operating systems than production systems.
A

Test systems are not available for all production systems.

In a well‐managed test environment, the test systems should be configured in a near‐identical manner to production systems. They should be running the same operating systems and require the same patches. However, in almost every organization, there are systems running in production that do not have mirror deployments in test environments because of cost, legacy system issues, and other reasons.

113
Q

194- Which one of the following types of data is subject to regulations in the United States that specify the minimum frequency of vulnerability scanning?

  • Driver’s license numbers
  • Insurance records
  • Credit card data
  • Medical records
A

Credit card data

Credit card information is subject to the Payment Card Industry Data Security Standard (PCI DSS), which contains specific provisions that dictate the frequency of vulnerability scanning: internal and external scans at least quarterly and after any significant change, with the external scans performed by a PCI‐approved scanning vendor (ASV). Although the other data types mentioned in the question are regulated, none of those regulations contains specific provisions that identify a required vulnerability scanning frequency.

114
Q

195- Chang is responsible for managing his organization’s vulnerability scanning program. He is experiencing issues with scans aborting because the previous day’s scans are still running when the scanner attempts to start the current day’s scans. Which one of the following solutions is least likely to resolve Chang’s issue?

  • Add a new scanner.
  • Reduce the scope of the scans.
  • Reduce the sensitivity of the scans.
  • Reduce the frequency of the scans.
A

Reduce the sensitivity of the scans.

Chang could resolve this issue by adding additional scanners to balance the load, reducing the frequency of scans or reducing the scope (number of systems) of the scan. Changing the sensitivity level would not likely have a significant impact on the scan time.

115
Q

206- Mia would like to ensure that her organization’s cybersecurity team reviews the architecture of a new ERP application that is under development. During which SDLC phase should Mia expect the security architecture to be completed?

  • Analysis and Requirements Definition
  • Design
  • Development
  • Testing and Integration
A

Design

Security artifacts created during the Design phase include security architecture documentation and data flow diagrams.

116
Q

207- Which one of the following security activities is not normally a component of the Operations and Maintenance phase of the SDLC?

  • Vulnerability scans
  • Disposition
  • Patching
  • Regression testing
A

Disposition

Disposition is a separate SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle. Operations and maintenance activities include ongoing vulnerability scans, patching, and regression testing after upgrades.

117
Q

211- Which one of the following characters would not signal a potential security issue during the validation of user input to a web application?

  • <
  • >
  • '
  • $
A

$

The $ character does not necessarily represent a security issue. The greater than/less than brackets (<>) are used to enclose HTML tags and require further inspection to determine whether they are part of a cross‐site scripting attack. The single quotation mark (‘) could be used as part of a SQL injection attack.

118
Q

216- Claire knows that a web application that her organization needs to have in production has vulnerabilities due to a recent scan using a web application security scanner. What is her best protection option if she knows that the vulnerability is a known SQL injection flaw?

  • A firewall
  • An IDS
  • A WAF
  • DLP
A

A WAF

A web application firewall (WAF) can often be used to address the specific SQL injection attack. Claire can either write a rule based on the SQL injection attack or use a broader SQL injection prevention ruleset. An IDS would only detect the attack and would not stop it, whereas data loss prevention (DLP) tools might help if data was being stolen but won’t stop SQL injection. Some firewalls may have WAF functionality built in, but here the best option is the dedicated web application firewall.

119
Q

217- Donna has been assigned as the security lead for a DevSecOps team building a new web application. As part of the effort, she has to oversee the security practices that the team will use to protect the application. Use your knowledge of secure coding practices to help Donna guide her team through this process.

A member of Donna’s team recommends building a blocklist to avoid dangerous characters like ' and <script> tags. How could attackers bypass a blocklist that individually identified those characters?

  • They can use a binary attack.
  • They can use alternate encodings.
  • They can use different characters with the same meaning.
  • The characters could be used together to avoid the blocklist.
A

They can use alternate encodings.

Using alternate encodings such as URL encoding (%27, %3C), HTML entities (&#39;, &lt;) or Unicode escapes to slip past a blocklist is a common technique: the filter compares against the literal character, while the browser or database decodes the value later. OWASP recommends against trying to detect potentially dangerous characters and patterns of characters with a blocklist. Instead, canonicalize input (decode it fully) before validating it against an allowlist of what the field should contain, and encode it on output.

120
Q

218- Donna has been assigned as the security lead for a DevSecOps team building a new web application. As part of the effort, she has to oversee the security practices that the team will use to protect the application. Use your knowledge of secure coding practices to help Donna guide her team through this process.

The design of the application calls for client‐side validation of input. What type of tool could an attacker use to bypass this?

  • An XSS injector
  • A web proxy
  • A JSON interpreter
  • A SQL injector
A

A web proxy

A web proxy is a commonly used tool for web application attacks and allows data to be changed after client‐side validation. In general, client‐side validation is not a secure technique because of this.

121
Q

219- Donna has been assigned as the security lead for a DevSecOps team building a new web application. As part of the effort, she has to oversee the security practices that the team will use to protect the application. Use your knowledge of secure coding practices to help Donna guide her team through this process.

A member of Donna’s security team suggests that output encoding should also be considered. What type of attack is the team member most likely attempting to prevent?

  • Cross‐site scripting
  • SQL injection
  • Cross‐site request forgery
  • All of the above
A

Cross‐site scripting

Cross‐site scripting is the primary threat that is created by not using secure output encoding. Allowing users to enter arbitrary input and then displaying it to other users can result in a cross‐site scripting attack. SQL injection is most common as a direct attack, whereas cross‐site request forgery normally relies on users clicking a malicious link.

122
Q

221- What practice is typical in a DevSecOps organization as part of a CI/CD pipeline?

  • Automating some security gates
  • Programmatic implementation of zero‐day vulnerabilities
  • Using security practitioners to control the flow of the CI/CD pipeline
  • Removing security features from the IDE
A

Automating some security gates

DevSecOps makes security a shared responsibility throughout the development and operations life cycle, and automating some security gates is a common practice to make this happen without causing slowdowns. This means that practitioners must consider both application and infrastructure security constantly from the beginning of the workflow to deployment and support. Implementing zero‐day vulnerabilities would be a terrible idea, and having security practitioners exert more control rather than collaboratively making flows work more effectively and removing security features from the integrated development environment aren’t great ideas either.

123
Q

222- Valerie wants to prevent potential cross‐site scripting attacks from being executed when previously entered information is displayed in user’s browsers. What technique should she use to prevent this?

  • A firewall
  • A HIDS
  • Output encoding
  • String randomization
A

Output encoding

Output encoding translates special characters to an equivalent that will not be interpreted as part of a script or other significant character by a user’s browser (or other endpoint application). A HIDS would only alarm on potential attacks, rather than stop them; a firewall will not parse the data; and string randomization was made up for this question—but if it did exist, randomized data wouldn’t be useful in most applications when displaying input to a user.
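The bypass from card 217 and the output encoding from card 222 in working code. This is an added example, not code from the original page or from OWASP: a naive character blocklist, a canonicalize‐then‐allowlist check for a hypothetical display name field, and HTML output encoding, run over constructed inputs that carry the same script payload in several encodings.

```python
import html
import re
import urllib.parse

# Constructed sample inputs (not from the original page). The first four carry the
# same script payload in different encodings; the last is a legitimate value that
# happens to contain an apostrophe.
SAMPLE_INPUTS = {
    "plain": "<script>alert('x')</script>",
    "url_encoded": "%3Cscript%3Ealert(%27x%27)%3C/script%3E",
    "double_url_encoded": "%253Cscript%253Ealert(%2527x%2527)%253C/script%253E",
    "html_entities": "&lt;script&gt;alert(&#39;x&#39;)&lt;/script&gt;",
    "benign": "O'Reilly",
}

# Hypothetical allowlist for a "display name" field: letters, digits, space,
# apostrophe, hyphen and period, 1 to 40 characters.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 .'-]{1,40}$")


def naive_blocklist_rejects(value: str) -> bool:
    """The blocklist from card 217: reject if ' or <script appears literally."""
    lowered = value.lower()
    return "'" in lowered or "<script" in lowered


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Undo URL encoding and HTML entities until the string stops changing.

    Validation must run on this canonical form; otherwise %27 or &#39;
    sails past a check that only looks for a literal apostrophe.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(value))
        if decoded == value:
            return value
        value = decoded
    return value


def display_name_is_valid(value: str) -> bool:
    """Allowlist validation on the canonical form (OWASP's recommended approach)."""
    return DISPLAY_NAME_RE.fullmatch(canonicalize(value)) is not None


def render_html(value: str) -> str:
    """Output encoding (card 222): <, >, &, " and ' become entities, so even an
    apostrophe that the allowlist legitimately accepts cannot break out of markup."""
    return html.escape(value, quote=True)
```

The blocklist misses the URL‐encoded and entity‐encoded payloads yet rejects the legitimate name O'Reilly; decoding first fixes the misses, and because the allowlist still has to admit apostrophes, render_html is what keeps an accepted value from breaking out of the page markup when it is displayed to other users.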

124
Q

223- While developing a web application, Chris sets his session ID length to 128 bits based on OWASP’s recommended session management standards. What reason would he have for needing such a long session ID?

  • To avoid duplication
  • To allow for a large group of users
  • To prevent brute‐forcing
  • All of the above
A

To prevent brute‐forcing

OWASP recommends a large session ID value to avoid brute‐force attacks. 2^128 is 340,282,366,920,938,463,463,374,607,431,768,211,456, a number that is far larger than you would need to avoid duplication of numbers, even for very large groups of users across the entire world. If you encounter a question like this and don’t know the answer, you can apply logic. In this case, the number is so large that it doesn’t make sense to use it for simply duplication avoidance, and any reasonable number of users—including the entire population of the world—would require fewer bits.
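The brute‐force versus duplication argument from the answer, carried through in numbers as an added example (not from the original page). It assumes an online attacker making a million guesses per second against a site with a million live sessions, both constructed figures; the birthday‐bound function shows how many bits duplication avoidance alone would need.

```python
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600


def new_session_id(nbits: int = 128) -> str:
    """Session identifier with nbits of entropy from the OS CSPRNG (never random.random)."""
    return secrets.token_urlsafe(nbits // 8)


def expected_seconds_to_hijack(nbits: int, active_sessions: int, guesses_per_second: float) -> float:
    """Expected time for an online guesser to hit ANY of the currently valid IDs.

    Each guess succeeds with probability active_sessions / 2**nbits, so on average
    the attacker needs half the keyspace divided by the number of live targets.
    """
    return 2 ** nbits / (active_sessions * guesses_per_second) / 2


def collision_probability(nbits: int, n_sessions: int) -> float:
    """Birthday-bound approximation of the chance that any two of n_sessions IDs are equal."""
    return n_sessions * (n_sessions - 1) / 2 ** (nbits + 1)


def min_bits_to_avoid_duplicates(n_sessions: int, max_probability: float) -> int:
    """Smallest ID length whose duplication probability stays under max_probability."""
    bits = 1
    while collision_probability(bits, n_sessions) > max_probability:
        bits += 1
    return bits
```

With those assumptions a 64‐bit ID is expected to fall in about 107 days and a 128‐bit ID in about 5 × 10^18 years, while keeping the duplication probability below one in a million for eight billion simultaneous sessions needs only 85 bits; the length is driven by the attacker, not by the user count.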

125
Q

225- Nathan is reviewing PHP code for his organization and finds the following code in the application he is assessing. What technique is the developer using?

// Prepared statement: the SQL text is fixed, with named placeholders for the values
$stmt = $dbh->prepare("INSERT INTO REGISTRY (var1, var2) VALUES (:var1, :var2)");
// Each PHP variable is bound to its placeholder and sent to the database separately from the SQL
$stmt->bindParam(':var1', $var1);
$stmt->bindParam(':var2', $var2);

  • Dynamic binding
  • Parameterized queries
  • Variable limitation
  • None of the above
A

Parameterized queries

This code is an example of one way to parameterize queries: the SQL text is prepared once with the named placeholders :var1 and :var2, and bindParam attaches the PHP variables $var1 and $var2 to those placeholders so their contents reach the database as data rather than being spliced into the statement. In some cases, the CySA+ exam may show you examples of code or configurations that you may not be familiar with. In that case, read the example carefully for useful context such as prepare and bindParam here; that should point you to parameterized queries as the correct option.

126
Q

What type of attack is the use of query parameterization intended to prevent?

  • Buffer overflows
  • Cross‐site scripting
  • SQL injection
  • Denial‐of‐service attacks
A

SQL injection

SQL injection is regularly rated as one of the top web application vulnerabilities, and parameterizing queries is an important way to help prevent it. Parameterized queries, or prepared statements, require developers to define the SQL code they will use, then pass in each parameter to the query. This prevents attackers from changing the intent of the query and allows the query to be used only as intended if properly implemented.

127
Q

How to mitigate:

  • SQL injection
  • XSS
  • Password Reuse (Password Spraying & Credential Stuffing)
  • On-Path/Man-in-the-Middle Attack
  • Directory Traversal Attack
  • Buffer Overflow
  • Session Hijacking
A
  • SQL injection - query parameterization (prepared statements)
  • XSS - output encoding
  • Password Reuse (Password Spraying & Credential Stuffing): no password reuse and MFA
  • On-Path/Man-in-the-Middle Attack: Use TLS, with certificate validation enforced on the client
  • Directory Traversal Attack: Prevent by using appropriate filters (canonicalize the requested path and reject it if it escapes the allowed directory) or setting appropriate permissions
  • Buffer Overflow: Employ data execution prevention (DEP) and address space layout randomization (ASLR).
  • Session Hijacking: Implement secure session management (random IDs, Secure and HttpOnly cookie flags, a new ID on login)
128
Q

230- Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements.

A parallel coding effort needs to occur; however, this effort involves a very complex system and errors could endanger human lives. The system involves medical records and drug dosages, and the organization values stability and accuracy over speed. Scott knows the organization often adds design constraints throughout the process and that the model he selects must also deal with that need. What model should he choose?

  • Waterfall
  • Spiral
  • Agile
  • Rapid Application Development
A

Spiral

Spiral places a heavy emphasis on risk assessment and improves from Waterfall by repeating the identification/design/build/evaluation process. This will handle both the complexity that Scott is aware will be involved as well as the late addition of design requirements.

129
Q

231- Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements.

At the end of his development cycle, what SDLC phase will Scott enter as the new application is installed and replaces the old code?

  • User acceptance testing
  • Testing and integration
  • Disposition
  • Redesign
A

Disposition

The disposition phase of SDLC addresses what occurs when a product or system reaches the end of its life. Of the options listed it is the best fit because installing the replacement retires the old code: Scott will need to decommission systems and services, identify what will happen to data and other artifacts, and make other decisions before the old system can be shut down. User acceptance testing and testing and integration happen before deployment, and redesign is not a phase of the model.

130
Q

Phases of the SDLC (come back to this, AI may have fucked it up)

A
  • Feasibility: Initial investigations determine if the effort should proceed, looking at alternative solutions and high-level costs, resulting in a recommendation.
  • Analysis and Requirements Definition: During this phase, business rules and models are created.
  • Design: A software architecture is designed
  • Coding/Development: This is where the software is written.
  • Testing and Integration: Testing and debugging are completed in this phase.
  • Implementation: The new application is installed and replaces the old code.
  • Operations and maintenance: Activities include support, maintenance, and other operational tasks that happen regularly.
  • Disposition: This phase occurs when a product or system reaches the end of its life, involving shutting down old products, addressing data preservation or disposal, and knowledge transfer
131
Q

236- Greg wants to prevent SQL injection in a web application he is responsible for. Which of the following is not a common defense against SQL injection?

  • Prepared statements with parameterized queries
  • Output validation
  • Stored procedures
  • Escaping all user‐supplied input
A

Output validation

Validating the output will not prevent SQL injection from occurring. Using prepared statements with parameterized queries, stored procedures, escaping all user‐supplied input, allowlist input validation, and applying least privilege to the application and database accounts are all useful techniques to prevent successful SQL injection.

132
Q

237- While reviewing code that generates a SQL query, Aarav notices that the “address” field is appended to the query without input validation or other techniques applied. What type of attack is most likely to be successful against code like this?

  • DoS
  • XSS
  • SQL injection
  • Teardrop
A

SQL injection

Unvalidated parameters in a SQL query are likely to allow SQL injection attacks. An attacker could inject arbitrary SQL code into that parameter, thus gaining additional access to the database and the data stored in it.
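The same technique in Python's sqlite3 driver, as an added example that is not part of the original page (it serves cards 225, 226 and 237): a deliberately vulnerable lookup that appends the address field to the SQL text sits beside the parameterized version, with a constructed in‐memory table and two constructed attacker inputs.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT, address TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "hash-a", "1 Main St"), (2, "bob", "hash-b", "2 Oak Ave")],
    )
    return conn


def usernames_at_vulnerable(conn: sqlite3.Connection, address: str) -> list:
    """Deliberately vulnerable: the address field is appended to the SQL text,
    exactly the pattern from card 237. Kept only for contrast."""
    sql = "SELECT username FROM users WHERE address = '" + address + "'"
    return [row[0] for row in conn.execute(sql)]


def usernames_at(conn: sqlite3.Connection, address: str) -> list:
    """Parameterized query: the ? placeholder is the sqlite3 equivalent of the
    :var1 / bindParam pair in the PHP code. The value travels separately from
    the statement, so quotes or keywords inside it are just data."""
    sql = "SELECT username FROM users WHERE address = ?"
    return [row[0] for row in conn.execute(sql, (address,))]


# Constructed attacker inputs for the 'address' field.
TAUTOLOGY = "x' OR '1'='1"                                       # WHERE ... = 'x' OR '1'='1'
UNION_DUMP = "x' UNION SELECT password FROM users WHERE '1'='1"  # pulls the password column
```

Against the vulnerable function the tautology returns every user and the UNION input returns password hashes in place of usernames; the parameterized function returns nothing for either, because no row has an address literally equal to the attacker's string.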

133
Q

238- Amanda has been assigned to lead the development of a new web application for her organization. She is following a standard SDLC model as shown here. Use the model and your knowledge of the software development life cycle to answer the following questions.

(look up diagram in book)

Amanda’s first task is to determine if there are alternative solutions that are more cost effective than in‐house development. What phase is she in?

Design
Operations and maintenance
Feasibility
Analysis and requirements definition

A

Feasibility

The feasibility phase of a project like this looks into whether the project should occur and also looks for alternative solutions as well as the costs for each solution proposed.

134
Q

239- Amanda has been assigned to lead the development of a new web application for her organization. She is following a standard SDLC model as shown here. Use the model and your knowledge of the software development life cycle to answer the following questions.

(look up diagram in book)

What phase of the SDLC typically includes the first code analysis and unit testing in the process?

  • Analysis and requirements definition
  • Design
  • Coding
  • Testing and integration
A

Coding

Although it may seem like code analysis and unit testing should occur in the testing and integration phase, remember that unit testing occurs on individual program components, which means it will occur as the code is written. The same holds true for code analysis, and thus, the first time this happens will be in the coding stage.

135
Q

246- While reviewing his Apache logs, Oscar discovers the following entry. What has occurred?

10.1.1.1 - - [27/Jun/2023:11:42:22 -0500] "GET
/query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,
username,user_id,password,name,%20email,%20FROM%20users
HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

  • A successful database query
  • A PHP overflow attack
  • A SQL injection attack
  • An unsuccessful database query
A

A SQL injection attack

This shows an attempted SQL injection attack. URL‐decoded, the query string reads lid=1 UNION SELECT 0,username,user_id,password,name, email, FROM users: the attacker appends a UNION to the application's own query to pull the username, user_id, password, name and email columns from the users table. The 200 status and 9,918‐byte response show only that the page rendered; whether the injected SELECT actually executed (the stray comma before FROM suggests this particular attempt may have produced a database error) has to be confirmed from the application's response body or the database logs.
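Detection logic for the entry in card 246, added here and not part of the original page. It parses Apache combined‐format lines, percent‐decodes the request target until it is stable, and matches the decoded query string against a few injection signatures. The first sample line is the card's entry joined onto one line; the other two are constructed (a benign search for "union station" and a tautology probe).

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

SAMPLE_LOG = [
    # The entry from the card, joined onto one line.
    '10.1.1.1 - - [27/Jun/2023:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1'
    '%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1"'
    ' 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    # Constructed: a legitimate search that happens to contain the word "union".
    '10.1.1.2 - - [27/Jun/2023:11:43:01 -0500] "GET /query.php?searchterm=union%20station HTTP/1.1"'
    ' 200 512 "-" "Mozilla/5.0"',
    # Constructed: a classic tautology probe, URL-encoded (7' OR '1'='1).
    '10.1.1.3 - - [27/Jun/2023:11:44:10 -0500] "GET /item.php?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1"'
    ' 500 221 "-" "curl/8.0"',
]

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Narrow signatures applied to the DECODED query string.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "tautology": re.compile(r"'\s*(OR|AND)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "trailing_comment": re.compile(r"(--|/\*)\s*$"),
}


def decode_target(target: str) -> str:
    """Percent-decode until stable so double encoding (%2527) cannot hide a quote."""
    while True:
        decoded = unquote(target)
        if decoded == target:
            return target
        target = decoded


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields and attach the decoded query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = urlsplit(decode_target(rec["target"])).query
    return rec


def detect_sqli(line: str) -> Optional[dict]:
    """Return a hit record when any signature matches the decoded query, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    matched = [name for name, pat in SQLI_PATTERNS.items() if pat.search(rec["query"])]
    if not matched:
        return None
    return {
        "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
        "size": rec["size"], "query": rec["query"], "matched": matched,
    }


def scan(lines) -> list:
    """Run detection over a sequence of log lines, keeping only the hits."""
    return [hit for hit in map(detect_sqli, lines) if hit]
```

A hit records the status and size but does not interpret them: a 200 with a body shows the page rendered, not that the injected SELECT ran. The signatures are deliberately narrow (keywords separated by inline comments instead of spaces would slip past union_select), which is why production detection belongs in a maintained WAF ruleset alongside the database's own error log.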

136
Q

248- After conducting an nmap scan of his network from outside of his network, James notes that a large number of devices are showing three TCP ports open on public IP addresses: 9100, 515, and 631. What type of devices has he found, and how could he reduce his organization’s attack surface?

  • Wireless access points, disable remote administration
  • Desktop workstations, enable the host firewall
  • Printers, move the printers to an internal‐only IP address range
  • Network switches, enable encrypted administration mode
A

Printers, move the printers to an internal‐only IP address range

You may not remember every common TCP port, but you’ll want to make sure you have a good command of a few of them, including things like the LPR (515), IPP (631), and RAW (9100) ports common to many printers. Since these ports need to be open for printing services, the best option would be to move them to a protected subnet or IP range. RFC 1918 private address ranges, which are not routed on the Internet, are often used for this purpose, but James may want to look into why devices like this are exposed to the Internet in the first place. He may have a deeper problem!

137
Q

Printer ports

A
  • 9100 - RAW
  • 515 - LPR - Line Printer Daemon protocol
  • 631 - IPP - Internet Printing Protocol
138
Q

253- What two factors are weighted most heavily when determining the severity of a risk?

  • Probability and magnitude
  • Likelihood and probability
  • Magnitude and impact
  • Impact and control
A

Probability and magnitude

The two factors that determine the severity of a risk are its probability and magnitude. Impact is a synonym for magnitude. Likelihood is a synonym for probability. Controls are a risk mitigation technique that might be applied to reduce the magnitude and/or probability after determining the severity of a risk.

139
Q

257- Gary recently conducted a comprehensive security review of his organization. He identified the 25 top risks to the organization and is pursuing different risk management strategies for each of these risks. In some cases, he is using multiple strategies to address a single risk. His goal is to reduce the overall level of risk so that it lies within his organization’s risk tolerance.

Gary discovers that his organization is storing some old files in a cloud service that are exposed to the world. He deletes those files. What type of risk management strategy is this?

  • Risk mitigation
  • Risk acceptance
  • Risk transference
  • Risk avoidance
A

Risk avoidance

Gary is changing business practices to eliminate the risk entirely. This is, therefore, an example of risk avoidance.

140
Q

259- Which one of the following risk management strategies is most likely to limit the probability of a risk occurring?

  • Risk acceptance
  • Risk avoidance
  • Risk transference
  • Risk mitigation
A

Risk avoidance

This is a tricky question because two options—risk avoidance and risk mitigation—can both limit the probability of a risk occurring. However, risk avoidance is more likely to do so because it eliminates the circumstances that created the risk, whereas risk mitigation simply introduces controls to reduce the likelihood or impact of a risk. Risk acceptance does not change the probability or magnitude of a risk. Risk transference limits the potential magnitude by transferring financial responsibility to another organization but does not impact probability.

141
Q

261- Kwame recently completed a risk assessment and is concerned that the level of residual risk exceeds his organization’s risk tolerance. What should he do next?

  • Have a discussion with his manager.
  • Implement new security controls.
  • Modify business processes to lower risk.
  • Purge data from systems.
A

Have a discussion with his manager.

Kwame should take action to communicate the risk factors to management and facilitate a risk‐informed discussion about possible courses of action. He should do this prior to taking any more aggressive action.

142
Q

262- Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization’s primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million.

After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility.

Based on the information in this scenario, what is the exposure factor (EF) for the effect of an earthquake on Acme University’s datacenter?

  • 10 percent
  • 25 percent
  • 50 percent
  • 75 percent
A

50 percent

The exposure factor (EF) is the percentage of the facility that risk managers expect will be damaged if the risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50 percent.

143
Q

What is EF and how is it calculated?

A

Exposure Factor (EF) is the percentage of asset value expected to be damaged by a risk

To calculate EF:

  1. Determine the amount of damage that will occur to the asset if the risk materializes.
  2. Divide the amount of damage by the asset value.
    For example, if an earthquake is expected to cause $5 million in damage to a datacenter valued at $10 million, the EF is 50% ($5 million / $10 million)
144
Q

263- Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization’s primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million.

After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility.

Based on the information in this scenario, what is the annualized rate of occurrence (ARO) for an earthquake at the datacenter?

  • .0025
  • .005
  • .01
  • .015
A

.005

The annualized rate of occurrence (ARO) is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect an earthquake once every 200 years, or 0.005 times per year.

145
Q

What is ARO and how is it calculated?

A

Annualized Rate of Occurrence (ARO) is the likelihood that a risk will occur in a year. It is expressed as the number of times the risk is expected each year.

  • A risk expected to occur twice a year has an ARO of 2.0.
  • A risk expected once every 100 years has an ARO of 0.01.

To calculate ARO:
* Consult with risk analysts and subject matter experts to determine the likelihood of a risk occurring in a given year.
* Express the likelihood as the number of times the risk is expected to occur each year

146
Q

264- Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization’s primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million.

After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility.

Based on the information in this scenario, what is the annualized loss expectancy (ALE) for an earthquake at the datacenter?

$25,000
$50,000
$250,000
$500,000

A

$25,000

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000 and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.

147
Q

What is ALE and how is it calculated?

A

Annualized Loss Expectancy (ALE) is the amount of damage expected from a risk each year.

To calculate ALE:
* First, calculate the Single Loss Expectancy (SLE) by multiplying the Asset Value (AV) by the Exposure Factor (EF).
* Then, determine the Annualized Rate of Occurrence (ARO), representing how many times a risk is likely to occur in a year.
* Finally, calculate the ALE by multiplying the SLE by the ARO.

Thus, the formula is: ALE = SLE * ARO

For example, consider a risk associated with a denial-of-service (DoS) attack against an email server. The organization uses the server to send product offers to customers, generating $1,000 in sales per hour of operation. It is believed that a DoS attack is likely to occur three times a year and last for three hours before it can be controlled. The ability to send email is the asset, valued at $3,000 for three hours. The risk will occur three times per year, making the ARO 3.0. It is also believed the server would operate at 10% capacity during the DoS attack, so the exposure factor is 90%. The single loss expectancy is calculated by multiplying the asset value ($3,000) by the exposure factor (90%) to get an SLE of $2,700. The annualized loss expectancy is the product of the SLE ($2,700) and the ARO (3.0), or $8,100

148
Q

What is SLE and how is it calculated?

A

Single Loss Expectancy (SLE) is the amount of financial damage expected each time a risk materializes.

To calculate SLE:
* Determine the amount of damage that will occur to the asset if the risk materializes, known as the exposure factor (EF), expressed as the percentage of the asset expected to be damaged.
* Then calculate SLE by multiplying the asset value (AV) by the EF.
So, the formula is: SLE = AV * EF
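The EF, ARO, SLE and ALE definitions above, computed together for the earthquake scenario (cards 262 to 264) and the email DoS example, as an added example that is not part of the original page. The rank_by_ale helper shows the prioritization a quantitative assessment gives for free.

```python
from dataclasses import dataclass


def exposure_factor(expected_damage: float, asset_value: float) -> float:
    """EF = damage / asset value, as a fraction (0.5 means half the asset is lost)."""
    return expected_damage / asset_value


def aro_from_interval(years_between_events: float) -> float:
    """ARO for an event expected once every N years is 1/N."""
    return 1.0 / years_between_events


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float   # AV
    ef: float            # exposure factor, 0.0 to 1.0
    aro: float           # annualized rate of occurrence

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV * EF."""
        return self.asset_value * self.ef

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO."""
        return self.sle * self.aro


def rank_by_ale(risks) -> list:
    """Quantitative prioritization: highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# The two scenarios from the cards.
EARTHQUAKE = Risk(
    "datacenter earthquake",
    asset_value=10_000_000,
    ef=exposure_factor(5_000_000, 10_000_000),   # $5M damage on a $10M facility
    aro=aro_from_interval(200),                  # once every 200 years
)
EMAIL_DOS = Risk(
    "email server DoS",
    asset_value=3 * 1_000,   # $1,000/hour of sales for the three hours an outage lasts
    ef=0.90,                 # server runs at 10% capacity during the attack
    aro=3.0,                 # three attacks a year
)
```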

149
Q

268- Colin would like to implement a detective security control in his accounting department, which is specifically designed to identify cases of fraud that are able to occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin’s need?

  • Separation of duties
  • Least privilege
  • Dual control
  • Mandatory vacations
A

Mandatory vacations

Mandatory vacations are a detective control: while an employee is away, someone else performs their duties and may discover irregularities that the employee’s constant presence had concealed, which is how long‐running fraud schemes that need regular maintenance by the perpetrator are often uncovered. The other options are preventive controls. Separation of duties divides a process among different people so that no one person controls all of it, least privilege restricts access rights to what a job requires, and dual control requires two or more people to complete a sensitive task, such as two signatures on a check.

150
Q

269- Rob is an auditor reviewing the managerial controls used in an organization. He is examining the payment process used by the company to issue checks to vendors. He notices that Helen, a staff accountant, is the person responsible for creating new vendors. Norm, another accountant, is responsible for issuing payments to vendors. Helen and Norm are cross‐trained to provide backup for each other. What security issue, if any, exists in this situation?

  • Least privilege violation
  • Separation of duties violation
  • Dual control violation
  • No issue
A

Separation of duties violation

This situation violates the principle of separation of duties. The company appears to have designed the controls to separate the creation of vendors from the issuance of payments, which is a good fraud‐reduction practice. However, the fact that they are cross‐trained to back each other up means that they have the permissions assigned to violate this principle.

151
Q

271- Robin is planning to conduct a risk assessment in her organization. She is concerned that it will be difficult to perform the assessment because she needs to include information about both tangible and intangible assets. What would be the most effective risk assessment strategy for her to use?

  • Quantitative risk assessment
  • Qualitative risk assessment
  • Combination of quantitative and qualitative risk assessment
  • Neither quantitative nor qualitative risk assessment
A

Combination of quantitative and qualitative risk assessment

Robin would achieve the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing tangible, financial risks, whereas qualitative risk assessment is good for intangible risks. Combining the two techniques provides a well‐rounded risk picture.

152
Q

Quantitative risk assessment

A

A quantitative risk assessment uses numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks. It follows a methodology to determine asset value, likelihood, damage amount, single loss expectancy and annualized loss expectancy.

153
Q

Qualitative risk assessment

A

A qualitative risk assessment substitutes subjective judgment for objective data and uses subjective categories to evaluate the probability and magnitude factors to determine the severity of a risk. It allows the assessment of risks that are difficult to quantify.

154
Q

273- Vlad’s organization recently underwent a security audit that resulted in a finding that the organization fails to promptly remove the accounts associated with users who have left the organization. This resulted in at least one security incident where a terminated user logged into a corporate system and took sensitive information. What identity and access management control would best protect against this risk?

  • Automated deprovisioning
  • Quarterly user account reviews
  • Separation of duties
  • Two‐person control
A

Automated deprovisioning

Automated deprovisioning ties user account removal to human resources systems. Once a user is terminated in the human resources system, the identity and access management infrastructure automatically removes the account. Quarterly user access reviews may identify accounts that should have been disabled, but they would take a long time to do so, so they are not the best solution to the problem. Separation of duties and two‐person control are designed to limit the authority of a user account and would not remove access.

155
Q

282- After conducting a security review, Oskar determined that his organization is not conducting regular backups of critical data. What term best describes the type of control gap that exists in Oskar’s organization?

  • Preventive
  • Corrective
  • Detective
  • Deterrent
A

Corrective

Backups are used to recover operations in the wake of a security incident. Therefore, they are best described as corrective controls.

156
Q

284- Which one of the following items is not normally included in a request for an exception to security policy?

  • Description of a compensating control
  • Description of the risks associated with the exception
  • Proposed revision to the security policy
  • Business justification for the exception
A

Proposed revision to the security policy

Requests for an exception to a security policy would not normally include a proposed revision to the policy. Exceptions are documented variances from the policy because of specific technical and/or business requirements. They do not alter the original policy, which remains in force for systems not covered by the exception.

157
Q

288- Karen is the CISO of a major manufacturer of industrial parts. She is currently performing an assessment of the firm’s financial controls, with an emphasis on implementing security practices that will reduce the likelihood of theft from the firm.

Karen would also like to implement controls that would help detect potential malfeasance by existing employees. Which one of the following controls is least likely to detect malfeasance?

  • Mandatory vacations
  • Background investigations
  • Job rotation
  • Privilege use reviews
A

Background investigations

Mandatory vacations and job rotation plans are able to detect malfeasance by requiring an employee’s absence from his or her normal duties and exposing them to other employees. Privilege use reviews have a manager review the actions of an employee with privileged system access and would detect misuse of those privileges. Background investigations uncover past acts and would not be helpful in detecting active fraud. They are also typically performed only for new hires.

158
Q

289- Kevin is conducting a security exercise for his organization that uses both offensive and defensive operations. His role is to serve as the moderator of the exercise and to arbitrate disputes. What role is Kevin playing?

  • White team
  • Red team
  • Swiss team
  • Blue team
A

White team

The role of the white team is to control the exercise, serving as a neutral party to facilitate events and moderate disputes. The red team is responsible for offensive operations, whereas the blue team is responsible for defensive operations. The term Swiss team is not used in security exercises.

159
Q

291- Tina is preparing for a penetration test and is working with a new vendor. She wants to make sure that the vendor understands exactly what technical activities are permitted within the scope of the test. Where should she document these requirements?

  • MOA
  • Contract
  • RoE
  • SLA
A

RoE

The rules of engagement (RoE) for a penetration test outline the permissible and impermissible activities for testers. If any systems, techniques, or information are off‐limits, this should be clearly stated in the RoE.

160
Q

RoE

A

Rules of Engagement

161
Q

296- Seamus is conducting a business impact assessment for his organization. He is attempting to determine the risk associated with a denial‐of‐service attack against his organization’s datacenter.

Seamus consulted with various subject‐matter experts (SMEs) and determined that the attack would not cause any permanent damage to equipment, applications, or data. The primary damage would come in the form of lost revenue. Seamus believes that the organization would lose $75,000 in revenue during a successful attack.

Seamus also consulted with his threat management vendor, who considered the probability of a successful attack against his organization and determined that there is a 10 percent chance of a successful attack in the next 12 months.

What is the SLE for this scenario?

  • $625
  • $6,250
  • $7,500
  • $75,000
A

$75,000

The single loss expectancy (SLE) is the amount of damage expected to occur as the result of a single successful attack. In this case, the scenario provides this information as $75,000.

162
Q

297- Seamus is conducting a business impact assessment for his organization. He is attempting to determine the risk associated with a denial‐of‐service attack against his organization’s datacenter.

Seamus consulted with various subject‐matter experts (SMEs) and determined that the attack would not cause any permanent damage to equipment, applications, or data. The primary damage would come in the form of lost revenue. Seamus believes that the organization would lose $75,000 in revenue during a successful attack.

Seamus also consulted with his threat management vendor, who considered the probability of a successful attack against his organization and determined that there is a 10 percent chance of a successful attack in the next 12 months.

What is the ALE for this scenario?

  • $625
  • $6,250
  • $7,500
  • $75,000
A

$7,500

The annualized loss expectancy (ALE) is the amount of damage expected in any given year. It is calculated by multiplying the SLE ($75,000) by the ARO (10 percent) to get the ALE ($7,500).

163
Q

301- Piper’s organization handles credit card information and is, therefore, subject to the Payment Card Industry Data Security Standard (PCI DSS). She is working to implement the PCI DSS requirements.

When Piper implements this new isolation technology, what type of risk management action is she taking?

  • Risk acceptance
  • Risk avoidance
  • Risk transference
  • Risk mitigation
A

Risk mitigation

The purpose of this control is to reduce the probability of an attack. Implementing controls designed to reduce the probability or magnitude of a risk is a risk mitigation activity.

164
Q

302- Ruth is helping a business leader determine the appropriate individuals to consult about sharing information with a third‐party organization. Which one of the following policies would likely contain the most relevant guidance for her?

  • Data retention policy
  • Information security policy
  • Data validation policy
  • Data ownership policy
A

Data ownership policy

Sharing data outside the organization normally requires the consent of the data owner. Ruth should consult the data ownership policy for assistance in determining the identities of the appropriate data owner(s) that she should consult.

165
Q

304- Ryan is compiling a list of allowable encryption algorithms for use in his organization. What type of document would be most appropriate for this list?

  • Policy
  • Standard
  • Guideline
  • Procedure
A

Standard

Standards describe specific security controls that must be in place for an organization. Ryan would not include a list of algorithms in a high‐level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.

166
Q

306- Which one of the following controls is useful to both facilitate the continuity of operations and serve as a deterrent to fraud?

  • Succession planning
  • Dual control
  • Cross‐training
  • Separation of duties
A

Cross‐training

Succession planning and cross‐training both serve to facilitate continuity of operations by creating a pool of candidates for job vacancies. Of these, only cross‐training encompasses actively involving other people in operational processes, which may also help detect fraud. Dual control and separation of duties are both controls that deter fraud, but they do not facilitate the continuity of operations.

167
Q

307- Which one of the following requirements is often imposed by organizations as a way to achieve their original control objective when they approve an exception to a security policy?

  • Documentation of scope
  • Limited duration
  • Compensating control
  • Business justification
A

Compensating control

Organizations may require all of these items as part of an approved exception request. However, the documentation of scope, duration of the exception, and business justification are designed to clearly describe and substantiate the exception request. The compensating control, on the other hand, is designed to ensure that the organization meets the intent and rigor of the original requirement.

168
Q

309- Thomas found himself in the middle of a dispute between two different units in his business that are arguing over whether one unit may analyze data collected by the other. What type of policy would most likely contain guidance on this issue?

  • Data ownership policy
  • Data classification policy
  • Data retention policy
  • Account management policy
A

Data ownership policy

Data ownership policies clearly state the ownership of information created or used by the organization. Data classification policies describe the classification structure used by the organization and the process used to properly assign classifications to data. Data retention policies outline what information the organization will maintain and the length of time different categories of information will be retained prior to destruction. Account management policies describe the account life cycle from provisioning through active use and decommissioning.

169
Q

310- Mara is designing a new data mining system that will analyze access control logs for signs of unusual login attempts. Any suspicious logins will be automatically locked out of the system. What type of control is Mara designing?

  • Physical control
  • Operational control
  • Managerial control
  • Technical control
A

Technical control

The automatic blocking of logins is a technical activity and this is, therefore, a technical control. Physical controls are security controls that impact the physical world. Operational controls include the processes that we put in place to manage technology in a secure manner. Managerial controls are procedural mechanisms that an organization follows to implement sound security management practices.

170
Q

312- Kevin leads the IT team at a small business and does not have a dedicated security team. He would like to develop a security baseline of his organization’s system configurations but does not have a team of security experts available to assist him. Which of the following is the most appropriate tool for Kevin to use?

  • Penetration testing tool
  • Patch management tool
  • Vulnerability scanning tool
  • Network monitoring tool
A

Vulnerability scanning tool

A vulnerability scanner is the most appropriate tool for Kevin to use to conduct security baseline scans. Vulnerability scanners are automated tools that can identify known vulnerabilities and misconfigurations on a system. They can scan a wide range of systems, including servers, workstations, and network devices. They are designed to be easy to use, even for IT professionals who are not security experts.

Kevin might be able to obtain similar information using a penetration testing tool, but those tools tend to require skilled cybersecurity professionals to operate and to analyze the results.

Patch management and network monitoring tools are useful security tools, but they do not develop a baseline of system configurations.

171
Q

313- Jenna is helping her organization choose a set of security standards that will be used to secure a variety of operating systems. She is looking for industry guidance on the appropriate settings to use for Windows and Linux systems. Which one of the following tools will serve as the best resource?

  • ISO 27001
  • OWASP
  • PCI DSS
  • CIS benchmarks
A

CIS benchmarks

All of these resources provide valuable information to security professionals seeking to design a security program according to industry standards. However, only the Center for Internet Security (CIS) provides detailed baseline standards that include step‐by‐step instructions for configuring systems to meet specific security requirements. The CIS benchmarks are widely used as a resource for securing systems in various industries.

ISO 27001 is a standard for information security management systems (ISMS), which outlines a framework for managing and protecting sensitive information. While it may include some guidance on securing systems, it is not specific to Windows or Linux and is more focused on overall information security management.

Open Web Application Security Project (OWASP) is a nonprofit organization that provides a variety of resources for web application security, including a list of the top 10 most critical web application security risks. While it may include some guidance on securing systems, it is not specific to Windows or Linux and is more focused on web application security.

Payment Card Industry Data Security Standard (PCI DSS) is a standard for securing credit card information. There is no indication in the scenario that Jenna’s organization handles credit card data, so this would not be an appropriate standard for her to use.

172
Q

CIS Benchmarks

A

Center for Internet Security (CIS) provides detailed baseline standards that include step‐by‐step instructions for configuring systems to meet specific security requirements. The CIS benchmarks are widely used as a resource for securing systems in various industries.

173
Q

314- Linda is attempting to configure Angry IP Scanner on her Linux scanning workstation and is receiving errors about missing required software. What component must be installed prior to using Angry IP Scanner?

  • nmap
  • Java
  • gcc
  • Nessus
A

Java

The Angry IP scanner is a multiplatform tool that is written in the Java language. It does require a Java runtime to function properly. It does not require other scanning tools, such as nmap or Nessus. It also does not require a C compiler, such as gcc.

174
Q

315- Chris is investigating a malware outbreak and would like to reverse engineer the code. Which one of the following tools is specifically designed for this task?

  • Immunity debugger
  • ZAP
  • Recon‐ng
  • GDB
A

Immunity debugger

The Immunity debugger is designed specifically to support penetration testing and the reverse engineering of malware.

GNU debugger (GDB) is a widely used open source debugger for Linux that works with a variety of programming languages. It may assist Chris in this work, but it is not specifically designed for reverse engineering malware, so it is not as good an answer as Immunity.

Recon‐ng and ZAP are tools designed to assist in website penetration tests. Recon‐ng automates web application reconnaissance, while ZAP serves as an interception proxy. Neither is likely to be useful in reverse engineering malware.

175
Q

316- Jim is working with a penetration testing contractor who proposes using Metasploit as part of his penetration testing effort. What should Jim expect to occur when Metasploit is used?

  • Systems will be scanned for vulnerabilities.
  • Systems will have known vulnerabilities exploited.
  • Services will be probed for buffer overflow and other unknown flaws.
  • Systems will be tested for zero‐day exploits.
A

Systems will have known vulnerabilities exploited.

Metasploit is an exploitation package that is designed to assist penetration testers. A tester using Metasploit can exploit known vulnerabilities for which an exploit has been created or can create their own exploits using the tool. While Metasploit provides built‐in access to some vulnerability scanning functionality, a tester using Metasploit should primarily be expected to perform actual tests of exploitable vulnerabilities. Similarly, Metasploit supports creating buffer overflow attacks, but it is not a purpose‐built buffer overflow testing tool, and of course testing systems for zero‐day exploits doesn’t work unless they have been released.

176
Q

318- Ashley is investigating an attack that compromised an account of one of her users. In the attack, the attacker forced the submission of an authenticated request to a third‐party site by exploiting trust relationships in the user’s browser. What type of attack most likely took place?

  • XSS
  • CSRF
  • SQL injection
  • Session hijacking
A

CSRF

Cross‐site request forgery (XSRF or CSRF) attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated requests to third‐party sites. Cross‐site scripting (XSS) uses reflected input to trick a user’s browser into executing untrusted code from a trusted site. SQL injection directly attacks a database through a web application. Session hijacking attacks attempt to steal previously authenticated sessions but do not force the browser to submit requests.

177
Q

320- Joshua is concerned about insecure software design practices and is developing a software threat modeling program for his organization. Which of the following is not an appropriate goal for this program?

  • To reduce the number of security‐related design flaws
  • To reduce the number of security‐related coding flaws
  • To reduce the severity of non‐security‐related flaws
  • To reduce the number of threat vectors
A

To reduce the number of threat vectors

Software threat modeling is designed to reduce the number of security‐related design and coding flaws as well as the severity of other flaws. The developer or evaluator of software has no control over the threat environment, because it is external to the organization.

178
Q

Threat Vector

A

A threat vector refers to the method or path an attacker uses to gain access to a target and exploit a vulnerability. These vectors can include various means such as malicious email attachments, compromised websites, or physical access via infected media.

179
Q

323- Viola is analyzing an attack that occurred against her organization. The attacker was able to manipulate a web application to display a confidential data file that was stored on the server by traversing the directory structure in the URL. What term best describes this type of attack?

  • SQL injection
  • Server‐side request forgery
  • Local file inclusion
  • Remote file inclusion
A

Local file inclusion

You might find this question a little confusing because the scenario seems to describe a directory traversal attack and that is not one of the answer choices. The key to successfully answering this question is understanding that a directory traversal attack is a type of local file inclusion (LFI) attack. LFI attacks allow a remote user to access files stored on a server. Directory traversal achieves the attacker’s goal of LFI by navigating the directory structure with navigation commands such as .. and / in the URL. Remote file inclusion (RFI) attacks use a similar approach but allow the attacker to execute code that is hosted on their own computer using the targeted server.

180
Q

324- Melissa is concerned that users in her organization are connecting to corporate systems over insecure networks and begins a security awareness campaign designed to encourage them to use the VPN. What category of control has Melissa implemented?

  • Compensating
  • Technical
  • Operational
  • Managerial
A

Managerial

Security awareness training is an example of a managerial security control because it is an administrative practice. The subject of the training is the use of the VPN, which is a technical control, but the training itself is managerial in nature.

181
Q

325- The company Chris works for has notifications posted at each door reminding employees to be careful not to allow people to enter when they do. Which type of control is this?

  • Detective
  • Responsive
  • Preventive
  • Corrective
A

Preventive

Notifications and procedures like the signs posted at the company Chris works for are examples of preventive controls because they are designed to stop unauthorized activity from occurring in the first place. They do not identify security incidents, as a detective control would. They do not respond to active security incidents, as a responsive control would, and they do not correct the effects of a security incident, as a corrective control would.

182
Q

328- Isabelle wants to prevent privilege escalation attacks via her organization’s service accounts. Which of the following security practices is best suited to this?

  • Remove unnecessary rights.
  • Disable interactive login for service accounts.
  • Limit when accounts can log in.
  • Use meaningless or randomized names for service accounts.
A

Remove unnecessary rights.

The most important step in securing service accounts is to ensure that they have only the rights that are absolutely needed to accomplish the task they are designed for. Disabling interactive logins is important as well and would be the next best answer. Limiting when accounts can log in and using randomized or meaningless account names can both be helpful in some circumstances but are far less important.

183
Q

329- Brandon is validating the security of systems and devices in his organization, but he is permitted to use only passive techniques. Which one of the following actions would be considered passive discovery?

  • Monitoring network traffic and analyzing the contents for signs of unpatched systems and applications
  • Running vulnerability scans of an organization’s servers
  • Running port scans of an organization’s servers
  • Using carefully scoped penetration testing techniques to identify vulnerabilities
A

Monitoring network traffic and analyzing the contents for signs of unpatched systems and applications

Passive discovery techniques involve no interaction with the target system. Monitoring network traffic would, therefore, be a passive technique because it does not actively engage the target system.

Vulnerability scanners, port scanners, and penetration testing techniques are active tools that directly interact with the target system.

184
Q

330- Ryan’s organization wants to ensure that proper account management is occurring but does not have a central identity and access management tool in place. Ryan has a limited amount of time to do his verification process. What is his best option to test the account management process as part of an internal audit?

  • Validate all accounts changed in the past 90 days.
  • Select high value administrative accounts for validation.
  • Validate all accounts changed in the past 180 days.
  • Validate a random sample of accounts.
A

Validate a random sample of accounts.

Random sampling of accounts is the recommended best practice if all accounts cannot be validated. Selecting only recently changed accounts will not identify long‐term issues or historic issues, and checking only high‐value accounts will not show if there are issues or bad practices with other account types.

185
Q

332- Frank’s team is testing a new API that his company’s developers have built for their application infrastructure. Which of the following is not a common API issue that you would expect Frank’s team to find?

  • Improper encryption
  • Object level authorization issues
  • User authentication issues
  • Lack of rate limiting
A

Improper encryption

APIs typically transfer data for web applications via HTTPS, meaning that the API itself is not responsible for encryption. If Frank’s team discovers that TLS is not enabled, they will need to work with the infrastructure or systems administration team to ensure that TLS is enabled and in use rather than making API changes. Authorization for object access, authentication weaknesses, and rate limiting are all common API issues. If you’re not familiar with the types of issues you might encounter in APIs, you can read more about them in the OWASP API security top 10 at https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf.

186
Q

334- Ryan is considering the use of fuzz testing in his web application testing program. Which one of the following statements about fuzz testing is true?

  • Fuzzers find only complex faults.
  • Testers must manually generate input.
  • Fuzzers may not fully cover the code.
  • Fuzzers can’t reproduce errors.
A

Fuzzers may not fully cover the code.

Fuzz testers are capable of automatically generating input sequences to test an application. Therefore, testers do not need to manually generate input, although they may do so if they wish. Fuzzers can reproduce errors, so the statement that “fuzzers can’t reproduce errors” is false. Fuzzers typically don’t fully cover the code, which is why code coverage tools are usually paired with fuzzers to validate how much coverage was achieved. Fuzzers are often limited to finding simple errors because they won’t handle business logic flaws or attacks that require knowledge from the application user.