Vulnerability Management Flashcards

Objective 4.3: Explain various activities associated with vulnerability management

1
Q

Scenario:
A company wants to proactively discover potential security weaknesses across its network and applications. They decide to use an automated tool that compares their current system configuration against a database of known vulnerabilities.

Question:
Which of the following best describes the process the company is using?
A. Penetration Testing
B. Vulnerability Scanning
C. Static Analysis
D. Package Monitoring

A

Answer and Explanation:

A. Penetration Testing: Incorrect. Penetration testing simulates real-world attacks rather than using an automated database lookup.
B. Vulnerability Scanning: Correct. This is the automated method that probes systems, networks, and applications to detect known vulnerabilities using tools like Nessus or OpenVAS.
C. Static Analysis: Incorrect. Static analysis reviews source code for vulnerabilities without executing it.
D. Package Monitoring: Incorrect. Package monitoring continuously scans application dependencies, not the overall system configuration.

2
Q

Scenario:
Your development team is concerned about vulnerabilities in the codebase of a new custom application. They decide to perform code reviews without executing the application, and also use automated tools to analyze both the source code and compiled binaries.

Question:
Which application security technique(s) are they using?
A. Dynamic Analysis
B. Static Analysis
C. Package Monitoring
D. Penetration Testing

A

Answer and Explanation:

A. Dynamic Analysis: Incorrect. Dynamic analysis evaluates the application during runtime rather than analyzing code without execution.
B. Static Analysis: Correct. Static analysis examines source code, and with suitable tooling compiled binaries as well, either manually or with automated tools, to spot potential vulnerabilities without running the program.
C. Package Monitoring: Incorrect. Package monitoring focuses on ensuring that external libraries and dependencies are secure and updated.
D. Penetration Testing: Incorrect. Pen testing simulates attacks on the system rather than reviewing code directly.

3
Q

Scenario:
A security team is testing a web application. They use a tool that interacts with the application in real time, simulating attacks to determine if vulnerabilities exist while the application is running.

Question:
Which technique does this scenario illustrate?
A. Static Analysis
B. Dynamic Analysis
C. Vulnerability Scanning
D. System and Process Audits

A

Answer and Explanation:

A. Static Analysis: Incorrect. Static analysis does not involve running the application.
B. Dynamic Analysis: Correct. This method evaluates the application in its running state to identify vulnerabilities by emulating attack vectors, using tools like OWASP ZAP or Burp Suite.
C. Vulnerability Scanning: Incorrect. Vulnerability scanning is automated and typically does not simulate interactive, real-time attacks.
D. System and Process Audits: Incorrect. Audits review overall processes and policies rather than interacting with the application at runtime.

4
Q

Scenario:
After conducting a penetration test on its network, a company receives a report detailing how attackers could exploit vulnerabilities. The report explains the steps taken by the testers to infiltrate the system.

Question:
What should be the company’s next step following this report?
A. Immediately deploy all reported patches without testing
B. Prioritize and mitigate the vulnerabilities identified in the report
C. Conduct a static analysis of the system’s source code
D. Focus on package monitoring of application dependencies

A

Answer and Explanation:

A. Immediately deploy all reported patches without testing: Incorrect. Patches must be tested first to ensure they do not create new issues.
B. Prioritize and mitigate the vulnerabilities identified in the report: Correct. The penetration test report should guide the company to prioritize vulnerabilities and implement measures to prevent attackers from exploiting the same vectors.
C. Conduct a static analysis of the system’s source code: Incorrect. Although useful for identifying vulnerabilities, the report already outlines exploit methods, so the focus now should be on mitigation.
D. Focus on package monitoring of application dependencies: Incorrect. While package monitoring is important, the report primarily highlights vulnerabilities exploited through the system, requiring broader mitigation efforts.

5
Q

Scenario:
An organization wants to ensure that its information systems and security policies meet industry standards and best practices. They decide to perform a comprehensive review of their security procedures, policies, and system configurations.

Question:
This review is best described as:
A. Vulnerability Scanning
B. System and Process Audits
C. Penetration Testing
D. Dynamic Analysis

A

Answer and Explanation:

A. Vulnerability Scanning: Incorrect. Vulnerability scanning focuses on discovering vulnerabilities via automated tools rather than a comprehensive review of policies and procedures.
B. System and Process Audits: Correct. Auditing involves a thorough review of information systems, security policies, and procedures to ensure compliance with security best practices and industry standards.
C. Penetration Testing: Incorrect. Penetration testing simulates attacks rather than reviewing policies and system configurations.
D. Dynamic Analysis: Incorrect. Dynamic analysis tests an application during runtime and does not include policy or process reviews.

6
Q

Scenario:
A cybersecurity team is tasked with improving the security of its enterprise network. They decide to follow a four-step process: planning, testing, implementation, and auditing. During the planning phase, they develop policies and decide how they will test and deploy fixes. In the testing phase, they evaluate patches in a controlled environment. During implementation, they deploy the fixes across devices, and finally, they audit the changes to ensure everything was applied correctly.

Question:
Which step is incorrectly matched with its description?
A. Planning: Laying down policies, procedures, and mechanisms to track vulnerabilities
B. Testing: Evaluating patches in a controlled environment before deployment
C. Implementation: Deploying patches without verifying their effectiveness
D. Auditing: Verifying that patches and configuration changes have been implemented effectively

A

Answer and Explanation:

A. Planning: Correct description. Planning indeed involves establishing policies and procedures to track and evaluate vulnerabilities.
B. Testing: Correct description. Testing involves evaluating patches in a controlled setting to avoid introducing new issues.
C. Implementation: Incorrect description. Implementation should involve deploying patches and then ensuring that the changes are effective—not deploying without verification.
D. Auditing: Correct description. Auditing is the process of verifying that security measures have been applied properly.

7
Q

Your organization is expanding into the financial sector and must strengthen its cybersecurity strategy. Your security team recommends incorporating threat intelligence into your defense mechanisms.

Which of the following best describes threat intelligence?

A) A process that relies solely on automated tools to block threats in real-time.
B) A continuous process that gathers, analyzes, and provides actionable information about potential or emerging cyber threats.
C) A static database of known cyber threats that requires manual updates.
D) A security strategy that focuses exclusively on monitoring dark web activity.

A

✅ Correct Answer: B) A continuous process that gathers, analyzes, and provides actionable information about potential or emerging cyber threats.

Explanation:

(B) Correct: Threat intelligence is a continual process that involves analyzing threats based on evidence from multiple sources, helping organizations take proactive security measures.
(A) Incorrect: While automation helps, human oversight and analysis remain critical in threat intelligence.
(C) Incorrect: Threat intelligence is not static; it continuously evolves to track new threats.
(D) Incorrect: Dark web monitoring is one aspect, but threat intelligence gathers data from various sources beyond the dark web.

8
Q

Historically, cybercriminals focused primarily on server-side attacks due to open ports and protocols. However, as administrators improved server security, attackers shifted their focus.

Which of the following best describes the modern focus of cyber threats?

A) Servers remain the primary target as they store critical business data.
B) Client-side attacks have become more prevalent due to poor user security practices.
C) Attackers have stopped targeting businesses due to stronger cybersecurity measures.
D) Threat actors now only target mobile devices instead of traditional networks.

A

✅ Correct Answer: B) Client-side attacks have become more prevalent due to poor user security practices.

Explanation:

(B) Correct: Threat actors have shifted to targeting client-side vulnerabilities since many users fail to update software, use weak configurations, or install vulnerable applications.
(A) Incorrect: While servers are still targeted, clients are now an easier target due to their weaker defenses.
(C) Incorrect: Attackers continuously evolve their techniques instead of stopping.
(D) Incorrect: Mobile attacks are increasing, but attackers still target multiple platforms, including cloud environments and traditional enterprise networks.

9
Q

Which of the following is NOT a common source of Threat Intelligence Feeds?

A) Open-Source Intelligence (OSINT) from security blogs and research articles.
B) Subscription-based feeds from cybersecurity companies like FireEye and Symantec.
C) Threat intelligence gathered from the dark web.
D) Threat data from social media influencers promoting cybersecurity tools.

A

✅ Correct Answer: D) Threat data from social media influencers promoting cybersecurity tools.

Explanation:

(A) Correct Source: OSINT includes publicly available threat data from forums, blogs, and reports.
(B) Correct Source: Proprietary intelligence feeds offer refined, subscription-based threat insights.
(C) Correct Source: Dark web monitoring provides intelligence on hacker activities, stolen data, and emerging attack techniques.
(D) Incorrect Source: Social media influencers discussing security are not a reliable source of structured threat intelligence.

10
Q

Your company is deploying a Threat Intelligence Feed to enhance its cybersecurity. Which of the following best describes its function?

A) A real-time data stream that provides updates on emerging threats, vulnerabilities, and attack patterns.
B) A firewall system that automatically blocks all external threats without requiring human intervention.
C) A manual database that security analysts update periodically based on threat reports.
D) A tool used exclusively by law enforcement agencies to track cybercriminal activities.

A

✅ Correct Answer: A) A real-time data stream that provides updates on emerging threats, vulnerabilities, and attack patterns.

Explanation:

(A) Correct: A Threat Intelligence Feed delivers continuous updates about new threats, helping organizations proactively defend against attacks.
(B) Incorrect: Firewalls are one part of cybersecurity, but Threat Intelligence Feeds provide information that multiple security tools use.
(C) Incorrect: A feed is updated continuously by its provider and delivered to consuming tools automatically; it is not a static database that analysts maintain by hand.
(D) Incorrect: While law enforcement uses threat intelligence, organizations also utilize it to enhance security.

11
Q

Your organization is considering different Threat Intelligence Feed sources. They are deciding between Open-Source Intelligence (OSINT) and Proprietary (Third-Party) Feeds.

Which of the following statements is true about these two sources?

A) OSINT is always more reliable than proprietary feeds because it’s free and widely available.
B) Proprietary feeds provide more refined and analyzed threat intelligence compared to OSINT.
C) OSINT and proprietary feeds are identical in terms of quality and timeliness of updates.
D) Proprietary feeds rely solely on human analysts, whereas OSINT is fully automated.

A

✅ Correct Answer: B) Proprietary feeds provide more refined and analyzed threat intelligence compared to OSINT.

Explanation:

(B) Correct: Proprietary feeds are paid services that analyze and refine data, offering higher accuracy and timely insights.
(A) Incorrect: OSINT is useful but can be unreliable due to potential misinformation.
(C) Incorrect: Proprietary feeds are typically more structured and timely than OSINT.
(D) Incorrect: Both sources use a combination of automation and human analysts.
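
Worked example for cards 10 and 11 (added here; it is not part of the original flashcards): how a feed is actually consumed by a detection tool. Indicators are indexed, expired ones are dropped, every key=value observable in a log line is looked up, and each hit is scored by the provider's confidence scaled by how much the source type is trusted. The feed entries, the SOURCE_WEIGHT policy, the fixed clock and the firewall, DNS and EDR log lines are all constructed, and the indicator schema is a simplification rather than STIX.

```python
# Matching threat intelligence feed indicators against log events.
# Added example for cards 10 and 11; not code from the flashcards.
# The feed entries, SOURCE_WEIGHT policy, log lines and the fixed clock are
# all constructed; the schema is a simplification, not STIX.
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for reproducibility
SAMPLE_HASH = "3f2a" * 16                                 # constructed, not a real file hash

# Feed entries. 'source' tells an OSINT list from a paid, analyst-curated feed;
# 'ttl_days' is how long the provider considers the indicator valid.
FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "source": "proprietary", "confidence": 90,
     "first_seen": "2024-05-30T00:00:00Z", "ttl_days": 14, "tags": ["c2"]},
    {"type": "ipv4", "value": "198.51.100.20", "source": "proprietary", "confidence": 80,
     "first_seen": "2024-01-10T00:00:00Z", "ttl_days": 14, "tags": ["scanner"]},  # stale
    {"type": "domain", "value": "update-check.example", "source": "osint", "confidence": 55,
     "first_seen": "2024-05-20T00:00:00Z", "ttl_days": 30, "tags": ["phishing"]},
    {"type": "sha256", "value": SAMPLE_HASH, "source": "proprietary", "confidence": 95,
     "first_seen": "2024-05-31T00:00:00Z", "ttl_days": 90, "tags": ["loader"]},
]

# Trust per source type (constructed policy): curated feeds outrank raw OSINT.
SOURCE_WEIGHT = {"proprietary": 1.0, "osint": 0.6}

# Log lines in key=value form: firewall, DNS resolver and EDR events.
LOGS = [
    "2024-06-01T11:58:02Z fw src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "2024-06-01T11:58:40Z dns client=10.0.0.9 query=update-check.example rcode=NOERROR",
    f"2024-06-01T11:59:10Z edr host=hr-laptop file=invoice.exe sha256={SAMPLE_HASH}",
    "2024-06-01T11:59:30Z fw src=10.0.0.5 dst=198.51.100.20 dport=80 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")


def active_indicators(feed, now=NOW):
    """Index value -> entry for indicators whose TTL has not expired."""
    index = {}
    for entry in feed:
        first_seen = datetime.fromisoformat(entry["first_seen"].replace("Z", "+00:00"))
        if first_seen + timedelta(days=entry["ttl_days"]) > now:
            index[entry["value"].lower()] = entry
    return index


def observables(line):
    """Every key=value value in a log line is a candidate observable."""
    return {value.lower() for _, value in KV.findall(line)}


def match_logs(logs, feed, now=NOW):
    """One alert per (log line, indicator) hit, scored by confidence and source trust."""
    index = active_indicators(feed, now)
    alerts = []
    for line in logs:
        for value in sorted(observables(line) & set(index)):
            entry = index[value]
            score = round(entry["confidence"] * SOURCE_WEIGHT[entry["source"]])
            alerts.append({"indicator": value, "tags": entry["tags"], "source": entry["source"],
                           "score": score, "priority": "high" if score >= 70 else "low",
                           "line": line})
    return alerts


if __name__ == "__main__":
    for a in match_logs(LOGS, FEED):
        print(f"[{a['priority']:4s} {a['score']:3d}] {a['indicator']} {a['tags']} <- {a['line']}")
```

Two things the cards state show up directly in the output: the stale 198.51.100.20 entry produces no alert even though the firewall saw traffic to it (feeds age out, which is why they must be refreshed continuously), and the OSINT domain hit lands at low priority while the curated-feed hits land at high, because the confidence is scaled by source trust rather than taken at face value.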

12
Q

Your security team is considering monitoring the dark web for potential cyber threats. What is the primary benefit of doing this?

A) It allows organizations to actively attack hacker groups before they target the company.
B) It provides insights into stolen data, emerging hacking techniques, and planned cyberattacks.
C) It is the only legitimate way to track cyber threats in real-time.
D) It replaces traditional cybersecurity measures like firewalls and endpoint security.

A

✅ Correct Answer: B) It provides insights into stolen data, emerging hacking techniques, and planned cyberattacks.

Explanation:

(B) Correct: Security teams monitor the dark web to gather intelligence on stolen data, hacking trends, and potential threats.
(A) Incorrect: Defenders do not attack threat actors; retaliatory "hacking back" is unauthorized access and is illegal in most jurisdictions. Dark web monitoring is passive collection only.
(C) Incorrect: While useful, the dark web is only one component of a complete threat intelligence strategy.
(D) Incorrect: Dark web intelligence supplements traditional security tools—it does not replace them.

13
Q

A security researcher discovers a critical vulnerability in a popular web application that allows remote code execution (RCE). The researcher follows responsible disclosure principles.

What should be the researcher’s first step?

A) Immediately post the details of the vulnerability on a public security forum to alert other researchers.
B) Privately notify the software vendor or organization through an official security contact.
C) Exploit the vulnerability to gain unauthorized access and prove its severity.
D) Sell the vulnerability details to a third-party buyer for profit.

A

✅ Correct Answer: B) Privately notify the software vendor or organization through an official security contact.

Explanation:

(B) Correct: Responsible disclosure requires researchers to report vulnerabilities privately to the affected organization, allowing them time to patch the issue before public disclosure.
(A) Incorrect: Publicly posting a vulnerability before a fix is available increases the risk of exploitation by malicious actors.
(C) Incorrect: Exploiting the vulnerability is unethical and could result in legal consequences.
(D) Incorrect: Selling vulnerabilities for profit without disclosure to the affected organization is unethical and could be illegal.

14
Q

A company wants to improve its security by launching a bug bounty program. The company offers monetary rewards to security researchers who identify vulnerabilities.

Which of the following is a key benefit of implementing a bug bounty program?

A) It guarantees that all vulnerabilities in the system will be found and fixed.
B) It allows organizations to improve security by leveraging external security researchers.
C) It replaces the need for internal security teams and penetration testers.
D) It ensures that only low-risk vulnerabilities are reported.

A

✅ Correct Answer: B) It allows organizations to improve security by leveraging external security researchers.

Explanation:

(B) Correct: Bug bounty programs allow external researchers to find vulnerabilities that might have been missed by internal security teams.
(A) Incorrect: No security measure can guarantee that all vulnerabilities will be found.
(C) Incorrect: Bug bounty programs complement security teams, not replace them.
(D) Incorrect: Bug bounty programs can identify both low-risk and high-risk vulnerabilities, with payouts based on severity.

15
Q

A software company has set up a vulnerability reward structure for its bug bounty program.

Which of the following vulnerabilities would typically receive the highest reward?

A) An information disclosure vulnerability that reveals the software version.
B) A remote code execution (RCE) vulnerability that allows full system compromise.
C) A minor UI bug that does not affect system security.
D) A spelling mistake in the application’s error messages.

A

✅ Correct Answer: B) A remote code execution (RCE) vulnerability that allows full system compromise.

Explanation:

(B) Correct: RCE vulnerabilities are critical security risks that allow attackers to fully compromise a system, so they receive the highest bounty payouts.
(A) Incorrect: Disclosing only the software version is a low-impact information disclosure and earns a small reward at most. (Information disclosure can be severe, for example leaked credentials or keys, but a version banner is not.)
(C) Incorrect: UI bugs that do not impact security are not usually rewarded.
(D) Incorrect: Spelling mistakes are not security vulnerabilities and are not eligible for a bounty.

16
Q

A company is launching a new bug bounty program. To ensure success, it needs to follow industry best practices.

Which of the following is most important when setting up the program?

A) Providing clear rules of engagement, including scope and testing limitations.
B) Allowing researchers to freely test any system, including unauthorized ones.
C) Offering the same reward amount for all reported vulnerabilities.
D) Keeping reported vulnerabilities secret indefinitely.

A

✅ Correct Answer: A) Providing clear rules of engagement, including scope and testing limitations.

Explanation:

(A) Correct: A bug bounty program must clearly define scope, rules of engagement, and testing limitations to ensure researchers do not accidentally disrupt services.
(B) Incorrect: Unauthorized testing can be illegal and unethical.
(C) Incorrect: Rewards should be proportional to the severity of vulnerabilities.
(D) Incorrect: Transparency after vulnerabilities are fixed helps the broader security community learn from them.

17
Q

A company starts a responsible disclosure program but notices that some security researchers hesitate to participate.

What is the most likely reason for this hesitation?

A) The company does not offer any financial rewards for reported vulnerabilities.
B) The company does not publicly acknowledge researchers who find vulnerabilities.
C) The company does not provide clear legal protections for security researchers.
D) The company does not immediately fix every reported vulnerability.

A

✅ Correct Answer: C) The company does not provide clear legal protections for security researchers.

Explanation:

(C) Correct: Security researchers need legal protection to ensure they are not prosecuted for reporting vulnerabilities in good faith.
(A) Incorrect: While rewards are a motivation, some researchers participate for ethical reasons.
(B) Incorrect: Public recognition is beneficial, but legal concerns are a bigger deterrent.
(D) Incorrect: Fixing every vulnerability immediately is not always possible, but clear communication is key.

18
Q

A company is launching a bug bounty program and wants to ensure that security researchers are protected from legal consequences while participating.

Which of the following should the company do?

A) Create clear guidelines that specify what testing is allowed and what is off-limits.
B) Allow researchers to test any system without prior authorization.
C) Require researchers to report vulnerabilities publicly before informing the company.
D) Ignore reports from researchers who do not have formal cybersecurity certifications.

A

✅ Correct Answer: A) Create clear guidelines that specify what testing is allowed and what is off-limits.

Explanation:

(A) Correct: Establishing rules of engagement ensures researchers can test safely while staying within legal boundaries.
(B) Incorrect: Unauthorized testing could be illegal and expose researchers to legal risks.
(C) Incorrect: Publicly disclosing vulnerabilities before informing the company increases the risk of exploitation.
(D) Incorrect: Bug bounty programs are open to all skilled researchers, not just those with certifications.

19
Q

A security analyst conducts a vulnerability scan on a company’s servers. The scan reports that a critical Microsoft patch is missing on a Linux server.

What type of finding does this represent?

A) True Positive
B) False Positive
C) True Negative
D) False Negative

A

✅ Correct Answer: B) False Positive

Explanation:

(B) Correct: A false positive occurs when a vulnerability scanner incorrectly identifies a vulnerability that does not actually exist. A Linux server does not require a Microsoft patch, making this a false positive.
(A) Incorrect: A true positive means the vulnerability does exist, but in this case, it does not.
(C) Incorrect: A true negative means the scan correctly identifies that no vulnerability exists. Here, the scan wrongly identifies a vulnerability.
(D) Incorrect: A false negative means the scan fails to detect an actual vulnerability, which is not the case here.

20
Q

A company recently experienced a data breach despite regular vulnerability scans. A forensic investigation found that the breached system had a known critical vulnerability that the scanner failed to detect.

What type of finding does this represent?

A) True Positive
B) False Positive
C) True Negative
D) False Negative

A

✅ Correct Answer: D) False Negative

Explanation:

(D) Correct: A false negative occurs when a vulnerability exists but is not detected by the scanner, making it one of the most dangerous security failures.
(A) Incorrect: A true positive means the vulnerability was detected. Here, it was missed.
(B) Incorrect: A false positive means the scanner incorrectly flagged a non-existent vulnerability, which is not the case.
(C) Incorrect: A true negative means the system is correctly identified as secure, but it was actually vulnerable.
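
Worked example for cards 19 and 20 (added here; it is not part of the original flashcards): classifying scanner output against independently verified ground truth into true/false positives and negatives, and flagging the false positives that a platform mismatch explains, as with the Microsoft patch reported on a Linux host. The check names, the host inventory and both result sets are constructed.

```python
# Classifying vulnerability-scan results as true/false positives and negatives.
# Added example for cards 19 and 20; not code from the flashcards.
# CHECKS, INVENTORY and the two result sets are constructed (hypothetical
# check names and host names).
from itertools import product

# Scanner checks and the platform each one applies to.
CHECKS = {
    "MS-PATCH-CRITICAL-001": "windows",   # a Microsoft OS patch check
    "OPENSSH-OUTDATED": "linux",
    "TLS-WEAK-CIPHERS": "any",
}

# Host inventory: the OS each scanned host actually runs.
INVENTORY = {"web01": "linux", "db01": "linux", "ad01": "windows"}


def platform_mismatch(host, check):
    """True when the check cannot apply to the host's platform (a likely false positive)."""
    applies_to = CHECKS[check]
    return applies_to != "any" and applies_to != INVENTORY[host]


def classify(flagged, verified):
    """Split every (host, check) pair into TP / FP / TN / FN.

    flagged  - pairs the scanner reported
    verified - pairs confirmed vulnerable by manual validation or forensics
    """
    universe = set(product(INVENTORY, CHECKS))
    flagged, verified = set(flagged), set(verified)
    return {
        "true_positive": flagged & verified,      # reported and real
        "false_positive": flagged - verified,     # reported but not real (card 19)
        "false_negative": verified - flagged,     # real but not reported (card 20)
        "true_negative": universe - flagged - verified,
    }


def triage(flagged, verified):
    """Classify, then mark which false positives a platform mismatch explains."""
    result = classify(flagged, verified)
    result["fp_platform_mismatch"] = {
        pair for pair in result["false_positive"] if platform_mismatch(*pair)
    }
    return result


# Constructed scan output and ground truth.
SCAN_FLAGGED = {
    ("web01", "MS-PATCH-CRITICAL-001"),   # Microsoft patch reported on a Linux host
    ("ad01", "MS-PATCH-CRITICAL-001"),    # patch genuinely missing
    ("web01", "TLS-WEAK-CIPHERS"),        # genuine
}
VERIFIED = {
    ("ad01", "MS-PATCH-CRITICAL-001"),
    ("web01", "TLS-WEAK-CIPHERS"),
    ("db01", "OPENSSH-OUTDATED"),         # real flaw the scanner never reported
}

if __name__ == "__main__":
    for label, pairs in triage(SCAN_FLAGGED, VERIFIED).items():
        print(f"{label:21s} {sorted(pairs)}")
```

The platform check only suggests a false positive; confirm against the host itself before closing the finding, since an inventory can be wrong too. The false negatives cannot be computed from scanner output alone: they only become visible against an independent source such as a penetration test or a forensic investigation, which is why scanner coverage and plugin currency matter.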

21
Q

A security team detects two vulnerabilities:

Vulnerability A: Allows remote code execution (RCE) on a mission-critical financial system.
Vulnerability B: Affects a test server that is not connected to sensitive data.
Which should be prioritized first, and why?

A) Vulnerability A, because it is more severe and affects a critical system.
B) Vulnerability B, because test servers should always be patched first.
C) Both should be patched at the same time, as all vulnerabilities are equally critical.
D) Vulnerability B, because less critical systems are easier to fix first.

A

✅ Correct Answer: A) Vulnerability A, because it is more severe and affects a critical system.

Explanation:

(A) Correct: Remote code execution (RCE) is a high-severity vulnerability, and since it affects a financial system, it must be addressed first to prevent major damage.
(B) Incorrect: Test servers do not pose the same risk as critical financial systems.
(C) Incorrect: Not all vulnerabilities are equally critical—prioritization is based on risk, impact, and exploitability.
(D) Incorrect: The ease of fixing a system does not determine priority—risk level does.

22
Q

Which of the following best describes how the Common Vulnerability Scoring System (CVSS) helps organizations prioritize vulnerabilities?

A) It assigns a unique CVE number to every vulnerability.
B) It provides a standardized framework for scoring vulnerabilities based on severity.
C) It replaces the need for human analysis in vulnerability management.
D) It only ranks vulnerabilities based on exploitability and ignores impact.

A

✅ Correct Answer: B) It provides a standardized framework for scoring vulnerabilities based on severity.

Explanation:

(B) Correct: CVSS produces a 0 to 10 base score from exploitability metrics (attack vector, attack complexity, privileges required, user interaction), scope, and confidentiality, integrity and availability impact, so security teams can rank vulnerabilities consistently.
(A) Incorrect: CVSS does not assign CVE numbers—CVE (Common Vulnerabilities and Exposures) does.
(C) Incorrect: Human analysis is still necessary to contextualize vulnerabilities for an organization.
(D) Incorrect: CVSS considers both exploitability and impact to rank vulnerabilities.

23
Q

A healthcare organization detects a vulnerability that could allow unauthorized access to patient records.

Why should this vulnerability be prioritized highly?

A) Because patient data is sensitive and could lead to regulatory fines if breached.
B) Because healthcare organizations are at lower risk of cyberattacks.
C) Because all vulnerabilities in any industry are equally severe.
D) Because patient records are easily replaceable and not considered critical data.

A

✅ Correct Answer: A) Because patient data is sensitive and could lead to regulatory fines if breached.

Explanation:

(A) Correct: Healthcare data is highly regulated, and breaches can result in major legal penalties and harm to patients.
(B) Incorrect: Healthcare is a high-risk target for cyberattacks, especially ransomware.
(C) Incorrect: Vulnerability severity varies by industry and system importance.
(D) Incorrect: Patient records are critical and cannot simply be replaced.

24
Q

An organization’s customer database contains highly sensitive financial information. If an attacker exploited a vulnerability to gain access, what would the exposure factor be?

A) High, because a large portion of valuable data could be compromised.
B) Low, because databases are easily replaceable.
C) Medium, because financial data is only partially sensitive.
D) Zero, because the company has cybersecurity insurance.

A

✅ Correct Answer: A) High, because a large portion of valuable data could be compromised.

Explanation:

(A) Correct: The exposure factor (EF) is the proportion of an asset's value expected to be lost in a single incident. An attacker with access to the database could read or exfiltrate most or all of the records, so the EF is high.
(B) Incorrect: Databases cannot be easily replaced when sensitive data is involved.
(C) Incorrect: Financial data is highly sensitive and cannot be considered medium risk.
(D) Incorrect: Cyber insurance does not reduce the exposure factor; it transfers part of the financial loss after the fact.

25
Q

A tech startup has a high risk tolerance and decides not to fix a low-impact vulnerability immediately.

Why might this decision be justified?

A) The company prioritizes more critical vulnerabilities first.
B) Low-impact vulnerabilities can never be exploited.
C) All vulnerabilities must be patched immediately, regardless of impact.
D) Ignoring vulnerabilities is standard practice in cybersecurity.

A

✅ Correct Answer: A) The company prioritizes more critical vulnerabilities first.

Explanation:

(A) Correct: An organization with a high risk tolerance remediates severe vulnerabilities first and may accept, or simply monitor, a low-impact one for a time.
(B) Incorrect: A low-impact vulnerability can still be exploited; what differs is the likelihood and the damage, not whether exploitation is possible.
(C) Incorrect: Not every vulnerability requires immediate remediation; risk management means ranking fixes by risk rather than patching everything at once.
(D) Incorrect: Deferring a low-impact fix after a documented risk decision is acceptable; ignoring vulnerabilities is not.

26
Q

A cybersecurity analyst is reviewing a vulnerability report and sees a CVSS score of 9.8 assigned to a newly discovered remote code execution (RCE) vulnerability on a financial system.

What does this CVSS score indicate about the vulnerability?

A) It is a minor vulnerability that does not need immediate attention.
B) It is a critical vulnerability that should be addressed immediately.
C) It is an external vulnerability with no potential impact on the system.
D) It is a vulnerability with limited exploitability, so it can be ignored.

A

✅ Correct Answer: B) It is a critical vulnerability that should be addressed immediately.

Explanation:

(B) Correct: A base score of 9.0 or higher is rated Critical. A 9.8 is typical of a flaw reachable over the network that needs no privileges or user interaction and fully compromises confidentiality, integrity and availability; remote code execution (RCE) of that kind lets an attacker take full control of the system, so remediation is urgent.
(A) Incorrect: CVSS 9.8 is not minor; it requires urgent remediation.
(C) Incorrect: CVSS scoring applies to internally and externally reachable vulnerabilities alike, and RCE on a financial system has severe potential impact.
(D) Incorrect: A score this high reflects both easy exploitability and severe impact; it cannot mean limited exploitability, and a Critical finding is never simply ignored.

27
Q

A company discovers two vulnerabilities:

Vulnerability A: CVSS Score 8.5 – Privilege Escalation allowing unauthorized admin access.
Vulnerability B: CVSS Score 4.0 – Information leak exposing system logs.
Which vulnerability should be remediated first, and why?

A) Vulnerability A, because it has a higher CVSS score and allows unauthorized access.
B) Vulnerability B, because it involves leaked logs which might contain passwords.
C) Both should be remediated at the same time, as all vulnerabilities are equally critical.
D) Neither, because CVSS scores do not impact remediation priorities.

A

✅ Correct Answer: A) Vulnerability A, because it has a higher CVSS score and allows unauthorized access.

Explanation:

(A) Correct: Privilege escalation (CVSS 8.5) is a high-severity vulnerability that can allow attackers to gain administrator rights. It poses a greater risk than an information leak and should be fixed first.
(B) Incorrect: While logs might contain sensitive data, privilege escalation is a bigger immediate risk.
(C) Incorrect: Not all vulnerabilities are equally critical—CVSS helps prioritize them.
(D) Incorrect: CVSS scores are specifically designed to guide remediation priorities.

28
Q

A company wants to assess its internal security posture and identify vulnerabilities in installed software and misconfigurations.

Which type of vulnerability scan should the company perform?

A) Credentialed scan, because it provides deep insights into the internal system.
B) Non-credentialed scan, because it only tests external security.
C) Credentialed scan, because it only checks for network vulnerabilities.
D) Non-credentialed scan, because it checks software settings and misconfigurations.

A

✅ Correct Answer: A) Credentialed scan, because it provides deep insights into the internal system.

Explanation:

(A) Correct: A credentialed scan logs into the system to check installed software, internal settings, and misconfigurations, providing detailed security insights.
(B) Incorrect: A non-credentialed scan only detects externally visible vulnerabilities.
(C) Incorrect: Credentialed scans check more than just network vulnerabilities—they examine internal system security.
(D) Incorrect: Non-credentialed scans cannot access internal software settings.

29
Q

A company wants to test its perimeter security by simulating how an external hacker might try to exploit publicly accessible services.

Which type of vulnerability scan should they use?

A) Credentialed scan, because it mimics an insider attack.
B) Non-credentialed scan, because it simulates an outsider attack.
C) Credentialed scan, because it only checks login credentials.
D) Non-credentialed scan, because it provides deep internal access.

A

✅ Correct Answer: B) Non-credentialed scan, because it simulates an outsider attack.

Explanation:

(B) Correct: A non-credentialed scan uses no login credentials, so it sees the perimeter the way an outside attacker does: open ports, exposed services, and vulnerabilities detectable from their responses.
(A) Incorrect: A credentialed scan assesses a host from an authenticated, inside position, which is not the view an external attacker starts from.
(C) Incorrect: A credentialed scan uses credentials to examine configuration and installed software; it is not a check of the credentials themselves.
(D) Incorrect: Non-credentialed scans have no internal access at all; that lack of access is what makes them a model of the external attack surface.

30
Q

A security team is running a credentialed scan and realizes that it is identifying vulnerabilities that an attacker with stolen credentials could exploit.

Why is this an important insight?

A) Because a credentialed scan simulates an insider threat and identifies risks that trusted employees or attackers could exploit.
B) Because a non-credentialed scan provides deeper insights than a credentialed scan.
C) Because a credentialed scan only checks for externally visible vulnerabilities.
D) Because credentialed scans do not require login credentials and do not provide useful security insights.

A

✅ Correct Answer: A) Because a credentialed scan simulates an insider threat and identifies risks that trusted employees or attackers could exploit.

Explanation:

(A) Correct: A credentialed scan shows what an attacker who has obtained valid credentials, or a malicious insider, could reach and exploit once past the login. Those weaknesses are invisible to an external scan but are exactly what a phished or stolen account would be used against.
(B) Incorrect: Non-credentialed scans do not provide deeper insights—they check external attack surfaces.
(C) Incorrect: A credentialed scan looks at internal vulnerabilities, not just external ones.
(D) Incorrect: Credentialed scans require valid credentials to examine internal security settings.

31
Q

A software company discovers a critical security flaw in its application that allows unauthorized access to customer accounts. The company releases a security patch to fix the issue.

What must users do to mitigate this vulnerability effectively?

A) Reinstall the application and restore old settings.
B) Ignore the update since vulnerabilities do not always lead to attacks.
C) Apply the patch by updating the software to the latest version.
D) Disable security settings until the vulnerability is exploited.

A

✅ Correct Answer: C) Apply the patch by updating the software to the latest version.

Explanation:

(C) Correct: Patching is the process of applying the vendor's fix. The vulnerability stays exploitable on every installation until the patched version is actually deployed there, so users must update to the fixed release (and then confirm the installed version is the fixed one).
(A) Incorrect: Reinstalling the same version and restoring old settings puts the flawed code back; only the patched version contains the fix.
(B) Incorrect: Ignoring updates leaves systems vulnerable to attacks.
(D) Incorrect: Disabling security settings increases exposure to threats.

32
Q

A small e-commerce company is concerned about financial losses from cyber incidents, such as data breaches and network outages.

Which vulnerability response strategy would best help them mitigate financial losses in case of an attack?

A) Purchase a cybersecurity insurance policy.
B) Perform a vulnerability scan without taking further action.
C) Allow customers to monitor their own accounts for fraud.
D) Ignore cybersecurity concerns until an incident occurs.

A

✅ Correct Answer: A) Purchase a cybersecurity insurance policy.

Explanation:

(A) Correct: Cybersecurity insurance transfers part of the financial risk to the insurer: a policy can cover incident-response and recovery costs, legal fees, notification costs, and public relations after a breach. It does not prevent the incident, which is why it complements, rather than replaces, the technical controls.
(B) Incorrect: Scanning identifies vulnerabilities but, on its own, neither fixes them nor offsets the cost of an incident.
(C) Incorrect: Customers watching their own accounts may notice fraud sooner, but that does not protect the company or cover its losses.
(D) Incorrect: Waiting until an incident occurs leaves the company to absorb the full financial and reputational damage.

33
Q

A hospital IT department wants to prevent malware infections from spreading between different systems.

Which security measure should they implement?

A) Use network segmentation to isolate critical systems.
B) Turn off antivirus software to improve system speed.
C) Store all patient data on a shared open network.
D) Only use strong passwords without additional security measures.

A

✅ Correct Answer: A) Use network segmentation to isolate critical systems.

Explanation:

(A) Correct: Network segmentation splits the network into isolated zones (for example medical devices, patient-record servers, and staff workstations) with firewall rules controlling what may cross between them. Malware that lands on a workstation then cannot freely reach critical systems, which limits the spread and protects sensitive patient data.
(B) Incorrect: Turning off antivirus software increases vulnerability.
(C) Incorrect: Storing patient data on a shared open network increases risk of breaches.
(D) Incorrect: Passwords alone do not provide adequate protection.

34
Q

A company requires multi-factor authentication (MFA) for all employees. However, some legacy servers do not support MFA.

What compensating controls could they use until the servers are replaced?

A) Strong password policies and account lockouts after failed attempts.
B) Ignore security concerns and wait for attackers to find the vulnerabilities.
C) Disable authentication completely to improve ease of access.
D) Require employees to manually verify login attempts via email.

A

✅ Correct Answer: A) Strong password policies and account lockouts after failed attempts.

Explanation:

(A) Correct: Compensating controls are alternative measures that reduce the same risk when the required control (here, MFA) cannot be implemented. A strong password policy plus lockout after repeated failures limits credential guessing and brute-force attacks against the legacy servers. The exception should be documented and time-bound until the servers are replaced.
(B) Incorrect: Ignoring the gap leaves the servers exposed to credential attacks.
(C) Incorrect: Disabling authentication removes the control entirely and invites attacks.
(D) Incorrect: Manual verification of every login by email is slow, easy to socially engineer, and does not scale; it is not a recognised compensating control.
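The card above names a strong password policy and account lockout as compensating controls where MFA is unavailable. The block below is an added example, not code from the flashcard set: a password-policy check and a sliding-window lockout wired into a login routine. The threshold, window and lockout duration are hypothetical policy values, and the breached-password list and user table are constructed for illustration.

```python
"""Password policy and account lockout as a compensating control for servers
that cannot enforce MFA.

Added example, not from the flashcard set. Threshold, window and lockout
duration are hypothetical policy values; BREACHED_PASSWORDS and the user
table built by make_user() are constructed for illustration.
"""
import hashlib
import hmac
import os
import time

# Constructed deny-list. A real deployment checks against a breached-password corpus.
BREACHED_PASSWORDS = {"password123", "Summer2024!", "Welcome1!"}


def password_meets_policy(username, password, min_length=14):
    """Reject short, breached, or username-derived passwords. Returns (ok, reason)."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    if password in BREACHED_PASSWORDS:
        return False, "appears in breached-password list"
    if username.lower() in password.lower():
        return False, "contains the username"
    return True, "ok"


class LockoutPolicy:
    """Lock an account for `lockout` seconds once `threshold` failures occur
    within a `window`-second sliding window. `clock` is injectable for tests."""

    def __init__(self, threshold=5, window=900, lockout=1800, clock=time.monotonic):
        self.threshold, self.window, self.lockout, self.clock = threshold, window, lockout, clock
        self._failures = {}       # account -> timestamps of recent failures
        self._locked_until = {}   # account -> time the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: clear state
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Return True if the account is (now) locked."""
        if self.is_locked(account):
            return True
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t <= self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password):
    """Return the (salt, digest) record stored for a user."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def attempt_login(policy, users, username, password):
    """Return 'locked', 'ok' or 'denied'. Lockout is checked before the password."""
    if policy.is_locked(username):
        return "locked"
    record = users.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    salt, digest = record if record else (b"\x00" * 16, b"\x00" * 32)
    if record and hmac.compare_digest(_hash(password, salt), digest):
        policy.record_success(username)
        return "ok"
    return "locked" if policy.record_failure(username) else "denied"


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, window=60, lockout=120)
    users = {"alice": make_user("correct horse battery staple")}
    for guess in ("wrong1", "wrong2", "wrong3", "correct horse battery staple"):
        print(guess, "->", attempt_login(policy, users, "alice", guess))
```

Two caveats a practitioner would attach: a lockout that triggers on a known username lets an attacker lock legitimate users out on purpose, so lockout events should be logged and alerted on and the lock should expire rather than require a help-desk reset; and because this only raises the cost of guessing, it does not replace MFA, which is why the exception must carry an end date.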

35
Q

A manufacturing company has an old control system that cannot be updated without disrupting production.

What is the best approach for handling this security issue?

A) Grant a temporary exception until a secure alternative is implemented.
B) Replace the system immediately, regardless of business impact.
C) Ignore the security risks and continue using the system.
D) Shut down the system permanently to prevent exploitation.

A

✅ Correct Answer: A) Grant a temporary exception until a secure alternative is implemented.

Explanation:

(A) Correct: Exceptions are temporary, documented acceptances of a known risk. They allow production to continue while the risk is recorded, compensating controls (such as isolating the control system from the business network) are applied, and a secure replacement or upgrade window is planned.
(B) Incorrect: Immediate replacement may not be feasible, but planning for an upgrade is necessary.
(C) Incorrect: Ignoring risks exposes the organization to cyber threats.
(D) Incorrect: Permanent shutdown is not practical if the system is critical to operations.

36
Q

A university research department has an expensive supercomputer used for processing historical data.

Because this system cannot support modern security controls, what is the best approach?

A) Grant a permanent exemption and isolate the system from the main network.
B) Forcibly install modern security controls, even if the system malfunctions.
C) Connect the supercomputer to the university’s main network.
D) Ignore security concerns because the system is rarely used.

A

✅ Correct Answer: A) Grant a permanent exemption and isolate the system from the main network.

Explanation:

(A) Correct: Exemptions are permanent waivers for systems that cannot be upgraded. The best practice is logical and physical isolation from the main network.
(B) Incorrect: Forcing updates could cause system failures.
(C) Incorrect: Connecting an insecure system to the main network increases risk.
(D) Incorrect: Ignoring security risks is never a best practice.

37
Q

A company applies a security patch to fix a high-risk vulnerability detected in a previous scan. The cybersecurity team now needs to verify whether the patch successfully fixed the issue.

What should be their next step?

A) Perform a rescan of the system to confirm the vulnerability has been resolved.
B) Assume the vulnerability is fixed and proceed to other security tasks.
C) Uninstall the patch to see if the vulnerability reappears.
D) Disable security tools to check if the vulnerability can still be exploited.

A

✅ Correct Answer: A) Perform a rescan of the system to confirm the vulnerability has been resolved.

Explanation:

(A) Correct: A rescan confirms that the scanner no longer detects the vulnerability after the patch was applied, and catches anything the change broke or newly exposed. Closing the finding without a rescan means trusting that the patch installed, applied, and took effect (a reboot or service restart is often still pending).
(B) Incorrect: Assumptions should not replace validation—rescanning is necessary.
(C) Incorrect: Uninstalling the patch would reintroduce the vulnerability, defeating its purpose.
(D) Incorrect: Disabling security tools is not a valid verification strategy.

38
Q

After applying multiple security patches, a cybersecurity team rescans its network. The scan reveals a new vulnerability that was not present in the original scan.

What does this scenario demonstrate?

A) Rescanning helps identify newly emerged vulnerabilities that were not previously detected.
B) Patching always introduces new vulnerabilities, so organizations should avoid installing updates.
C) Rescanning is unnecessary because patches automatically secure all systems.
D) Security patches always fix all vulnerabilities without side effects.

A

✅ Correct Answer: A) Rescanning helps identify newly emerged vulnerabilities that were not previously detected.

Explanation:

(A) Correct: Rescanning helps identify new vulnerabilities that may have surfaced after remediation efforts.
(B) Incorrect: Patching is necessary, but new vulnerabilities can emerge due to system changes.
(C) Incorrect: Assuming patches fix all issues is a bad security practice—verification is necessary.
(D) Incorrect: Patches may introduce new vulnerabilities, requiring further assessment.
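Cards 37 and 38 both turn on comparing a baseline scan with a rescan: findings that disappeared were remediated, findings that remain were not, and findings that appear only in the rescan are new work. The block below is an added example, not part of the flashcard set, that does that comparison over two constructed CSV exports. The field names follow no particular scanner's format, and the hosts, check IDs and titles are made up. It also handles the edge case the cards do not mention: a host that was offline during the rescan has not been verified, and its findings must not be reported as fixed.

```python
"""Diff a baseline vulnerability scan against a rescan to verify remediation.

Added example, not from the flashcard set. Both CSV exports, the host list and
the check IDs are constructed; they follow no real scanner's export format.
"""
import csv
import io

BASELINE_CSV = """host,port,check_id,severity,title
10.0.0.5,443,10001,High,TLS library out of date
10.0.0.5,22,10002,Medium,SSH weak MAC algorithms enabled
10.0.0.9,80,10003,Critical,Web framework remote code execution
10.0.0.12,445,10005,High,SMB signing not required
"""

# Rescan after patching: 10001 and 10003 fixed, 10002 persists, 10004 is new.
RESCAN_CSV = """host,port,check_id,severity,title
10.0.0.5,22,10002,Medium,SSH weak MAC algorithms enabled
10.0.0.9,80,10004,High,Web framework default debug endpoint enabled
"""

# Hosts the rescan actually reached (constructed). 10.0.0.12 was offline, so
# its baseline finding cannot be called remediated just because it is absent.
RESCAN_HOSTS = {"10.0.0.5", "10.0.0.9"}

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def load_findings(text):
    """Key each finding by (host, port, check_id) so the same issue matches across scans."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["host"], r["port"], r["check_id"]): r for r in rows}


def diff_scans(baseline, rescan, scanned_hosts):
    """Classify baseline findings as remediated, persisting or unverified,
    and rescan findings absent from the baseline as new."""
    result = {"remediated": [], "persisting": [], "new": [], "unverified": []}
    for key in sorted(baseline):
        if key[0] not in scanned_hosts:
            result["unverified"].append(key)
        elif key in rescan:
            result["persisting"].append(key)
        else:
            result["remediated"].append(key)
    for key in sorted(rescan):
        if key not in baseline:
            result["new"].append(key)
    return result


def open_after_patch(diff, expected_fixed):
    """check_ids from the patch ticket that still persist or could not be verified.
    An empty list means every targeted vulnerability is confirmed gone."""
    unresolved = {key[2] for key in diff["persisting"] + diff["unverified"]}
    return sorted(set(expected_fixed) & unresolved)


def triage_order(findings, keys):
    """Order finding keys most severe first for the next remediation cycle."""
    return sorted(keys, key=lambda k: SEVERITY_RANK[findings[k]["severity"]], reverse=True)


if __name__ == "__main__":
    base, re_ = load_findings(BASELINE_CSV), load_findings(RESCAN_CSV)
    diff = diff_scans(base, re_, RESCAN_HOSTS)
    for label, keys in diff.items():
        print(label + ":", keys)
    print("still open from ticket:", open_after_patch(diff, ["10001", "10002", "10003", "10005"]))
    print("new, by severity:", triage_order(re_, diff["new"]))
```

Keying on (host, port, check_id) rather than on the title matters: scanners reword titles between plugin versions, and the same weakness on two ports is two findings. The "unverified" bucket is the check most teams forget; a quiet host makes a remediation report look better than it is.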

39
Q

A company wants to ensure that all applied patches and security configurations align with established policies.

Which security practice should they implement?

A) Conduct a security audit to systematically review configurations, logs, and patch statuses.
B) Perform rescans but avoid keeping documentation of vulnerabilities and applied patches.
C) Ignore auditing because applying patches guarantees security compliance.
D) Remove all logs after patches are applied to prevent attackers from accessing them.

A

✅ Correct Answer: A) Conduct a security audit to systematically review configurations, logs, and patch statuses.

Explanation:

(A) Correct: Auditing ensures that patches were properly applied and configurations meet security standards.
(B) Incorrect: Maintaining documentation is critical for tracking security changes.
(C) Incorrect: Patching alone does not guarantee compliance—audits are necessary.
(D) Incorrect: Logs should be kept to provide a record of security actions.

40
Q

A financial institution must comply with GLBA (Gramm-Leach-Bliley Act), which requires protection of customer financial data.

Which of the following best ensures compliance with this regulation?

A) Conduct regular audits to verify system configurations align with GLBA requirements.
B) Wait for a cybersecurity incident to occur before reviewing compliance efforts.
C) Disable security measures temporarily to improve network performance.
D) Rely solely on external audits without performing internal checks.

A

✅ Correct Answer: A) Conduct regular audits to verify system configurations align with GLBA requirements.

Explanation:

(A) Correct: Regular audits ensure compliance with GLBA regulations, protecting customer data.
(B) Incorrect: Waiting for an attack before reviewing compliance is a major security risk.
(C) Incorrect: Disabling security controls undermines compliance efforts.
(D) Incorrect: Both internal and external audits are necessary for effective compliance verification.

41
Q

A company recently applied security patches and wants to confirm that vulnerabilities can no longer be exploited.

What is the best approach to verify this?

A) Conduct a targeted penetration test to simulate real-world attack scenarios.
B) Manually check patch logs without testing system security.
C) Assume the patches worked and move on to other security tasks.
D) Wait for hackers to attempt an attack and analyze the results.

A

✅ Correct Answer: A) Conduct a targeted penetration test to simulate real-world attack scenarios.

Explanation:

(A) Correct: A targeted penetration test attempts the exploit itself, so it answers the question a rescan cannot fully answer: a scanner only reports that its check no longer matches, while a tester confirms whether the flaw can still actually be exploited, including through paths the scanner does not model.
(B) Incorrect: Manual checks alone do not confirm that vulnerabilities are fixed.
(C) Incorrect: Assumptions should not replace security testing.
(D) Incorrect: Waiting for real attacks is a high-risk approach.

42
Q

A cybersecurity team wants to ensure that security risks are detected and addressed in real time.

Which approach should they use?

A) Implement continuous monitoring to detect anomalies and respond quickly.
B) Conduct a one-time audit and assume security remains unchanged.
C) Turn off monitoring tools to reduce system workload.
D) Only scan systems once per year to reduce security alerts.

A

✅ Correct Answer: A) Implement continuous monitoring to detect anomalies and respond quickly.

Explanation:

(A) Correct: Continuous monitoring detects real-time threats and allows quick responses.
(B) Incorrect: One-time audits do not provide ongoing security assurance.
(C) Incorrect: Disabling monitoring tools increases risk exposure.
(D) Incorrect: Annual scans are insufficient for effective security monitoring.

43
Q

A company wants to ensure its remediation efforts were effective and that it is compliant with security regulations.

What should they do?

A) Engage an external auditor for an objective evaluation of security efforts.
B) Rely solely on internal teams to assess security controls.
C) Skip verification because patches automatically secure the system.
D) Disable logging features to prevent external auditors from seeing security records.

A

✅ Correct Answer: A) Engage an external auditor for an objective evaluation of security efforts.

Explanation:

(A) Correct: External auditors provide independent, unbiased verification of security controls and compliance.
(B) Incorrect: Internal teams can be biased or overlook vulnerabilities.
(C) Incorrect: Patching alone is not sufficient—verification is necessary.
(D) Incorrect: Disabling logs prevents proper auditing and accountability.