Vulnerability Management Quiz

Question 1

Vulnerability scanning: (Select all that apply)

A) Identifies lack of security controls

B) Actively tests security controls

C) Identifies common misconfigurations

D) Exploits vulnerabilities

E) Passively tests security controls

Answer 1

A) Identifies lack of security controls

C) Identifies common misconfigurations

E) Passively tests security controls

Question 2

Which of the answers listed below refer to the characteristic features of static code analysis? (Select 3 answers)

A) Involves examining the code without executing it

B) Often used early in the development process

C) Examines code structure, syntax, and semantics to detect issues like syntax errors, coding standards violations, security vulnerabilities, and bugs

D) Typically used later in the software development lifecycle

E) Involves executing the code and analyzing its behavior at runtime

F) Analyzes runtime properties like memory usage, performance, and error handling to identify issues such as memory leaks, performance bottlenecks, and runtime errors

Answer 2

A) Involves examining the code without executing it

B) Often used early in the development process

C) Examines code structure, syntax, and semantics to detect issues like syntax errors, coding standards violations, security vulnerabilities, and bugs

Question 3

Which of the terms listed below refers to tracking and managing software application components, such as third-party libraries and other dependencies?

A) Version control
B) Package monitoring
C) Configuration enforcement
D) Application hardening

Answer 3

B) Package monitoring

Question 4

Which of the following statements describe the features of dynamic code analysis? (Select 3 answers)

A) Typically used later in the software development lifecycle

B) Involves examining the code without executing it

C) Analyzes runtime properties like memory usage, performance, and error handling to identify issues such as memory leaks, performance bottlenecks, and runtime errors

D) Often used early in the development process

E) Examines code structure, syntax, and semantics to detect issues like syntax errors, coding standards violations, security vulnerabilities, and bugs

F) Involves executing the code and analyzing its behavior at runtime

Answer 4

A) Typically used later in the software development lifecycle

C) Analyzes runtime properties like memory usage, performance, and error handling to identify issues such as memory leaks, performance bottlenecks, and runtime errors

F) Involves executing the code and analyzing its behavior at runtime

Question 5

Which of the following terms refers to threat intelligence gathered from publicly available sources?

A) IoC
B) OSINT
C) RFC
D) CVE/NVD

Answer 5

B) OSINT

Question 6

Which of the terms listed below refers to a US government initiative for real-time sharing of cyber threat indicators?

A) AIS
B) STIX
C) TTP
D) CVSS

Answer 6

A) AIS

Question 7

What is STIX?

A) A type of vulnerability database

B) Common language for describing cyber threat information

C) US government initiative for real-time sharing of cyber threat indicators

D) Transport mechanism for cyber threat information

Answer 7

B) Common language for describing cyber threat information

Question 8

A dedicated transport mechanism for cyber threat information is called:

A) TCP/IP
B) TLS
C) TAXII
D) S/MIME

Answer 8

C) TAXII

Question 9

Which of the following provides insights into the methods and tools used by cybercriminals to carry out attacks?

A) CVE
B) IoC
C) AIS
D) TTP

Answer 9

D) TTP

Question 10

Which of the following statements does not apply to dark web?

A) Typically requires specialized software to access its contents

B) Forms a large part of the deep web

C) Not indexed by traditional search engines

D) Often associated with trading stolen data, malware, and cyber threats

Answer 10

B) Forms a large part of the deep web

Question 11

Penetration testing: (Select all that apply)

A) Bypasses security controls

B) Only identifies lack of security controls

C) Actively tests security controls

D) Exploits vulnerabilities

E) Passively tests security controls

Answer 11

A) Bypasses security controls

C) Actively tests security controls

D) Exploits vulnerabilities

Question 12

A responsible disclosure program is a formal process established by an organization to encourage security researchers and ethical hackers to report vulnerabilities they discover in the organization’s systems or software. A bug bounty program is a specific type of responsible disclosure program that offers financial rewards to security researchers for reporting valid vulnerabilities.

A) True
B) False

Answer 12

A) True

Question 13

An antivirus software identifying non-malicious file as a virus due to faulty virus signature file is an example of:

A) Fault tolerance
B) False positive error
C) Quarantine feature
D) False negative error

Answer 13

B) False positive error

Question 14

Which of the answers listed below refers to a situation where no alarm is raised when an attack has taken place?

A) False negative
B) True positive
C) False positive
D) True negative

Answer 14

A) False negative

Question 15

A measure of the likelihood that a security system will incorrectly reject an access attempt by an authorized user is referred to as:

A) FAR
B) CER
C) CRC
D) FRR

Answer 15

D) FRR

Question 16

Which of the following terms refers to a framework and knowledge base that provides understanding of TTPs used during cyberattacks?

A) CVSS
B) ATT&CK
C) STIX
D) TAXII

Answer 16

B) ATT&CK

Question 17

Which of the answers listed below refers to an industry standard for assessing and scoring the severity of computer system security vulnerabilities?

A) SIEM
B) CVSS
C) OSINT
D) SOAR

Answer 17

B) CVSS

Question 18

Which of the following refers to a system that identifies, defines, and catalogs publicly known cybersecurity vulnerabilities?

A) TAXII
B) CVE
C) STIX
D) CVSS

Answer 18

B) CVE

Question 19

What is Exposure Factor (EF) in vulnerability analysis?

A) The likelihood that a vulnerability will be exploited in a real-world scenario

B) The rate at which vulnerabilities are discovered and reported

C) The degree of loss that a realized threat would have on a specific asset

D) The measure of the potential impact of a vulnerability on an organization’s assets

Answer 19

C) The degree of loss that a realized threat would have on a specific asset

Question 20

Which of the statements listed below does not refer to a vulnerability response and remediation technique?

A) Applying updates or fixes provided by software vendors to address the vulnerability (patching)

B) Ensuring financial recovery from the costs associated with a successful cyberattack (insurance)

C) Dividing a network into smaller, isolated zones to limit the potential impact of a vulnerability (segmentation)

D) Mitigating the risk associated with a vulnerability that cannot be immediately patched by implementing alternative security measures (compensating controls)

E) Delaying or forgoing a patch for a specific system, e.g., when applying a patch may not be feasible due to compatibility issues or potential disruptions to critical systems (exceptions and exemptions)

F) All of the above answers are examples of vulnerability response and remediation techniques

Answer 20

F) All of the above answers are examples of vulnerability response and remediation techniques