Study Guide - Chapter 7: Analyzing Vulnerability Scans Flashcards
1- Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What technology is likely in use on this network that resulted in this vulnerability?
- TLS
- NAT
- SSH
- VPN
NAT
Although the network can support any of these protocols, internal IP disclosure vulnerabilities occur when a network uses Network Address Translation (NAT) to map public and private IP addresses but a server inadvertently discloses its private IP address to remote systems.
2- Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?
- AV
- C
- PR
- AC
PR
The privileges required (PR) metric indicates the type of account access the attacker must have.
CVSS metrics
- PR - privileges required
- S - Scope
- C - Confidentiality
- I - Integrity
- A - Availability
- AC - Attack complexity
- AV - Attack vector
- UI - User interaction
3- Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?
- High
- Medium
- Low
- Severe
Low
An attack complexity of “low” indicates that exploiting the vulnerability does not require any specialized conditions.
4- Which one of the following values for the confidentiality, integrity, or availability CVSS metric would indicate the potential for total compromise of a system?
- N
- L
- M
- H
H
A value of High (H) for an impact metric indicates the potential for complete loss of confidentiality, integrity, and/or availability.
What is the most recent version of CVSS that is currently available?
- 2.0
- 2.5
- 3.1
- 3.2
3.1
CVSS 3.1 is the most recent version of the standard as of the time this book was published in 2023.
Note: 4.0 was released in Nov 2023, after this test was live
Kevin recently identified a new software vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into?
- Low
- Medium
- High
- Critical
Medium
Vulnerabilities with CVSS base scores between 4.0 and 6.9 fit into the medium risk category.
CVSS score risk categories
- 0.0: None
- 0.1–3.9: Low
- 4.0–6.9: Medium
- 7.0–8.9: High
- 9.0–10.0: Critical
9- Which one of the following is not a common source of information that may be correlated with vulnerability scan results?
- Logs
- Database tables
- SIEM
- Configuration management system
Database tables
It is unlikely that a database table would contain information relevant to assessing a vulnerability scan report. Logs, SIEM reports, and configuration management systems are much more likely to contain relevant information.
12- The Dirty COW attack is an example of what type of vulnerability?
- Malicious code
- Privilege escalation
- Buffer overflow
- LDAP injection
Privilege escalation
In October 2016, security researchers announced the discovery of a Linux kernel vulnerability dubbed Dirty COW. This vulnerability, present in the Linux kernel for nine years, was extremely easy to exploit and provided successful attackers with administrative control of affected systems.
15- Which one of the following conditions would not result in a certificate warning during a vulnerability scan of a web server?
- Use of an untrusted CA
- Inclusion of a public encryption key
- Expiration of the certificate
- Mismatch in certificate name
Inclusion of a public encryption key
Digital certificates are intended to provide public encryption keys, and this would not cause an error. The other circumstances are all causes for concern and would trigger an alert during a vulnerability scan.
16- What type of attack depends on the fact that users are often logged into many websites simultaneously in the same browser?
- SQL injection
- Cross‐site scripting
- Cross‐site request forgery
- File inclusion
Cross‐site request forgery
XSRF attacks work by making the reasonable assumption that users are often logged into many different websites at the same time. Attackers then embed code in one website that sends a command to a second website.
18- Which one of the following terms is not typically used to describe the connection of physical devices to a network?
- IoT
- IDS
- SCADA
- ICS
IDS
Intrusion detection systems (IDSs) are a security control used to detect network or host attacks. The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICSs) are all associated with connecting physical world objects to a network.
19- Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
- SQL injection
- Malware injection
- LDAP injection
- Cross‐site scripting
Cross‐site scripting
In a cross‐site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.
20- Alan is reviewing web server logs after an attack and finds many records that contain semicolons and apostrophes in queries from end users. What type of attack should he suspect?
- SQL injection
- LDAP injection
- Cross‐site scripting
- Buffer overflow
SQL injection
In a SQL injection attack, the attacker seeks to use a web application to gain access to an underlying database. Semicolons and apostrophes are characteristic of these attacks.