Vulnerability Scanning Flashcards
Ryan is conducting a penetration test and is targeting a database server. Which one of the following tools would best assist him in detecting vulnerabilities on that server?
a. Nessus
b. Nikto
c. SQLmap
d. OpenVAS
c. SQLmap is a dedicated database vulnerability scanner and is the most appropriate tool in this scenario. Ryan might discover the same vulnerabilities using the general-purpose Nessus or OpenVAS scanners, but they are not dedicated database vulnerability scanning tools. Nikto is a web server (web application) vulnerability scanner.
Gary is conducting a black-box penetration test against an organization and is being provided with the results of vulnerability scans that the organization already ran for use in his tests. Which one of the following scans is most likely to provide him with helpful information within the bounds of his test?
a. Stealth internal scan
b. Full internal scan
c. Stealth external scan
d. Full external scan
d. A full scan is likely to provide more useful and actionable results because it includes more tests. The scenario gives no requirement that Gary avoid detection, so a stealth scan is not necessary. However, this is a black-box test, so it would not be appropriate for Gary to have access to scans conducted on the internal network.
What tool can white-box penetration testers use to help identify the systems present on a network prior to conducting vulnerability scans?
a. Asset inventory
b. Web application assessment
c. Router
d. DLP
a. An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans. It is appropriate to share this information with penetration testers during a white box penetration test.
Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
a. Daily
b. Weekly
c. Monthly
d. Quarterly
d. PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.
Which one of the following is not an example of a vulnerability scanning tool?
a. Qualys
b. Snort
c. Nessus
d. OpenVAS
b. Qualys (QualysGuard), Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.
Which one of the following technologies, when used within an organization, is the least likely to interfere with vulnerability scanning results achieved by external penetration testers?
a. Encryption
b. Firewall
c. Containerization
d. Intrusion prevention system
a. Encryption is unlikely to affect the results of a vulnerability scan because it does not change which services a system exposes. Firewalls and intrusion prevention systems may block inbound scanning traffic before it reaches the target systems. Containerized and virtualized environments may hide services that are exposed only within the container or virtual network, so an external scanner never sees them.
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
a. Domain administrator
b. Local administrator
c. Root
d. Read-only
d. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.
Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
a. CVSS
b. CVE
c. CPE
d. OVAL
c. Common Platform Enumeration (CPE) is the SCAP component that provides standardized nomenclature for product names and versions. CVE identifies individual vulnerabilities, CVSS scores their severity, and OVAL describes how to test for them.
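As an added example (not part of the flashcards or any SCAP implementation) of what the standardized CPE nomenclature buys an analyst: once scan results and advisories both use CPE 2.3 names, matching affected products is a mechanical comparison. The parser below splits a formatted string into its 11 attributes (handling the `\:` escape for a literal colon), applies the simple "`*` matches anything" rule, adds a version-range check, and maps a constructed host inventory against constructed advisories. Vendor and product names, host names and advisory ids are fictional sample data, not real CVE records.

```python
"""CPE 2.3 name parsing and advisory matching. Added example, not from the
flashcards or any SCAP implementation; the inventory and advisories below are
constructed sample data with fictional vendors, not real CVE records."""
import re
from typing import Dict, List, Optional

# The 11 attributes that follow "cpe:2.3:", in the order CPE 2.3 defines them.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


class CPE:
    """A CPE 2.3 name; part is 'a' (application), 'o' (OS) or 'h' (hardware)."""

    def __init__(self, components: List[str]):
        self.attrs = dict(zip(CPE_FIELDS, components))

    def __getitem__(self, field: str) -> str:
        return self.attrs[field]

    def __str__(self) -> str:
        # Re-escape literal colons so the formatted string round-trips.
        return "cpe:2.3:" + ":".join(self.attrs[f].replace(":", r"\:") for f in CPE_FIELDS)


def parse_cpe(name: str) -> CPE:
    """Parse a formatted string; a '\\:' inside a component is a literal colon."""
    prefix = "cpe:2.3:"
    if not name.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    comps = re.split(r"(?<!\\):", name[len(prefix):])   # split on unescaped colons only
    if len(comps) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} components, got {len(comps)}: {name!r}")
    return CPE([c.replace(r"\:", ":") for c in comps])


def component_matches(installed: str, pattern: str) -> bool:
    """'*' in the pattern matches anything; an unknown ('*') installed value never
    satisfies a specific pattern; otherwise compare case-insensitively."""
    if pattern == "*":
        return True
    if installed == "*":
        return False
    return installed.lower() == pattern.lower()


def version_key(version: str) -> tuple:
    """Comparable key for dotted numeric versions; non-numeric pieces sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


class Advisory:
    def __init__(self, ident: str, pattern: CPE, version_end_excluding: Optional[str] = None):
        self.ident = ident                    # constructed label, not a real CVE id
        self.pattern = pattern                # usually version "*" plus a range
        self.version_end_excluding = version_end_excluding


def advisory_applies(adv: Advisory, installed: CPE) -> bool:
    if not all(component_matches(installed[f], adv.pattern[f]) for f in CPE_FIELDS):
        return False
    if adv.version_end_excluding is None:
        return True
    if installed["version"] == "*":
        return False   # version unknown: a range check cannot confirm exposure
    return version_key(installed["version"]) < version_key(adv.version_end_excluding)


def affected_hosts(inventory: Dict[str, List[str]],
                   advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Map host -> ids of advisories matching any product the scanner reported."""
    hits: Dict[str, List[str]] = {}
    for host, names in inventory.items():
        for name in names:
            installed = parse_cpe(name)
            for adv in advisories:
                if advisory_applies(adv, installed):
                    hits.setdefault(host, []).append(adv.ident)
    return hits


# Constructed sample data: products a credentialed scan might report per host.
INVENTORY = {
    "web-01": ["cpe:2.3:a:example_vendor:http_daemon:2.4.49:*:*:*:*:*:*:*",
               "cpe:2.3:o:example_vendor:server_os:20.04:*:*:*:lts:*:*:*"],
    "web-02": ["cpe:2.3:a:example_vendor:http_daemon:2.4.52:*:*:*:*:*:*:*"],
    "db-01":  ["cpe:2.3:a:example_vendor:db_engine:8.0.26:*:*:*:*:*:*:*"],
}
ADVISORIES = [   # constructed: one version-range advisory, one exact-version advisory
    Advisory("ADV-0001", parse_cpe("cpe:2.3:a:example_vendor:http_daemon:*:*:*:*:*:*:*:*"),
             version_end_excluding="2.4.51"),
    Advisory("ADV-0002", parse_cpe("cpe:2.3:a:example_vendor:db_engine:8.0.26:*:*:*:*:*:*:*")),
]

if __name__ == "__main__":
    for host, ids in affected_hosts(INVENTORY, ADVISORIES).items():
        print(host, ids)    # web-01 ['ADV-0001'], db-01 ['ADV-0002']
```

Note the deliberate conservatism in `advisory_applies`: when the scanner could not determine a version (reported as `*`), the range check returns False rather than guessing, so such hosts should be flagged for manual review instead of being silently marked clean or affected.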
Ken is planning to conduct a vulnerability scan of an organization as part of a penetration test. He is conducting a black-box test. When would it be appropriate to conduct an internal scan of the network?
a. During the planning stage of the test
b. As soon as the contract is signed
c. After receiving permission from an administrator
d. After compromising an internal host
d. Because this is a black-box test, Ken should not (and most likely cannot) conduct an internal scan until he first compromises an internal host. Once he gains this foothold on the network, he can use that compromised system as the launching point for internal scans.
Which type of organization is the most likely to be impacted by a law requiring them to conduct vulnerability scans?
a. Bank
b. Hospital
c. Government agency
d. Doctor’s office
c. The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors’ offices, doesn’t include a vulnerability scanning requirement, nor does the Gramm-Leach-Bliley Act, which covers financial institutions.
Which one of the following categories of systems is most likely to be disrupted during a vulnerability scan?
a. External web server
b. Internal web server
c. IoT device
d. Firewall
c. Internet of Things (IoT) devices are examples of nontraditional systems that may be fragile and highly susceptible to failure during vulnerability scans. Web servers and firewalls are typically designed for exposure to wider networks and are less likely to fail during a scan.
What term describes an organization’s willingness to tolerate risk in their computing environment?
a. Risk landscape
b. Risk appetite
c. Risk level
d. Risk adaptation
b. The organization's risk appetite is its willingness to tolerate risk within the environment. If an organization is extremely risk-averse, it may choose to conduct scans more frequently to minimize the time between when a vulnerability comes into existence and when a scan detects it.
Which one of the following factors is least likely to impact vulnerability scanning schedules?
a. Regulatory requirements
b. Technical constraints
c. Business constraints
d. Staff availability
d. Scan schedules are most often determined by the organization's risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations. Most scans are automated and do not require staff availability.
Adam is conducting a penetration test of an organization and is reviewing the source code of an application for vulnerabilities. What type of code testing is Adam conducting?
a. Mutation testing
b. Static code analysis
c. Dynamic code analysis
d. Fuzzing
b. Adam is conducting static code analysis because he is reviewing the source code without executing it. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.
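To make the static/dynamic distinction concrete, here is an added example (not from the flashcards, and not any real analyzer's code) that does both in a few dozen lines. The static pass walks the abstract syntax tree of a constructed source snippet and flags `eval`/`exec`, `os.system` with a non-literal command string, and `subprocess.*` calls that combine `shell=True` with a non-literal command; the code under review is never executed. The dynamic pass is a minimal mutation fuzzer run against a constructed record parser with a bounds-checking bug: the bug only shows up by running the target and watching it throw. Rule names, the sample source and the parser are all assumptions made for the example.

```python
"""Static analysis (inspect source, never run it) beside dynamic analysis (run the
target and watch it fail). Added example, not from the flashcards; the sample
source and the record parser are constructed targets, not real code under test."""
import ast
import random
from typing import Callable, List, Tuple

# Constructed sample source the static pass inspects. Line 1 is the blank line
# after the opening quotes, so the os.system call sits on line 4.
SAMPLE_SOURCE = '''
import os, subprocess
def run_report(user_input):
    os.system("report " + user_input)                  # command string built from input
    subprocess.run(["report", user_input])             # list form, no shell: fine
    subprocess.run("report " + user_input, shell=True)
    return eval(user_input)
'''

DANGEROUS_BUILTINS = {"eval", "exec"}
SHELL_SINKS = {"os.system", "os.popen"}
SUBPROCESS_FUNCS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_output"}


def dotted_name(node: ast.AST):
    """'a.b.c' for Name/Attribute chains, None for anything else (e.g. a call result)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_constant_str(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def static_findings(source: str) -> List[Tuple[int, str]]:
    """Walk the AST and report (line, rule) for risky calls; the code never executes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        first_is_literal = bool(node.args) and is_constant_str(node.args[0])
        if name in DANGEROUS_BUILTINS:
            findings.append((node.lineno, "dangerous-builtin"))
        elif name in SHELL_SINKS and node.args and not first_is_literal:
            findings.append((node.lineno, "shell-injection"))
        elif name in SUBPROCESS_FUNCS and node.args and not first_is_literal:
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            if shell_true:
                findings.append((node.lineno, "shell-injection"))
    return sorted(findings)


def parse_record(data: bytes) -> int:
    """Constructed dynamic-analysis target: <length byte><payload><checksum byte>.
    Bug: the checksum index is never bounds-checked against len(data)."""
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]          # IndexError once length >= len(data) - 1
    return (sum(payload) & 0xFF) ^ checksum


def fuzz(target: Callable[[bytes], int], seed: bytes,
         iterations: int = 200, rng_seed: int = 1) -> List[Tuple[bytes, str]]:
    """Mutation fuzzing: flip a few bytes of the seed, run the target, record crashes."""
    rng = random.Random(rng_seed)      # fixed seed so runs are reproducible
    crashes = []
    for _ in range(iterations):
        data = bytearray(seed)
        for _ in range(rng.randint(1, 3)):
            data[rng.randrange(len(data))] = rng.randrange(256)
        try:
            target(bytes(data))
        except Exception as exc:       # any unhandled exception counts as a crash here
            crashes.append((bytes(data), type(exc).__name__))
    return crashes


if __name__ == "__main__":
    print(static_findings(SAMPLE_SOURCE))   # [(4, 'shell-injection'), (6, 'shell-injection'), (7, 'dangerous-builtin')]
    crashes = fuzz(parse_record, b"\x02ab\x63")
    print(len(crashes), "crashing inputs, e.g.", crashes[0] if crashes else None)
```

The static pass reports line 5 as clean because the list form of `subprocess.run` never goes through a shell, which is the kind of precision a source-level review gives. The fuzzer, by contrast, knows nothing about the parser's source; it only learns that a mutated length byte makes the function throw, which is exactly the evidence dynamic analysis produces.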
Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan?
a. Run the scan against production systems to achieve the most realistic results possible.
b. Run the scan during business hours
c. Run the scan in a test environment
d. Do not run the scan to avoid disrupting the business
c. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities. Only once that run shows the dangerous plug-ins are safe for the system should he schedule the production scan, preferably outside business hours.