Chapter 1
Domain 1.0: Threat and Vulnerability Management

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • 1.1 Explain the importance of threat data and intelligence.
    • Intelligence sources
    • Confidence levels
    • Indicator management
    • Threat classification
    • Threat actors
    • Intelligence cycle
    • Commodity malware
    • Information sharing and analysis communities
  • 1.2 Given a scenario, utilize threat intelligence to support organizational security.
    • Attack frameworks
    • Threat research
    • Threat modeling methodologies
    • Threat intelligence sharing with supported functions
  • 1.3 Given a scenario, perform vulnerability management activities.
    • Vulnerability identification
    • Validation
    • Remediation/mitigation
    • Scanning parameters and criteria
    • Inhibitors to remediation
  • 1.4 Given a scenario, analyze the output from common vulnerability assessment tools.
    • Web application scanner
    • Infrastructure vulnerability scanner
    • Software assessment tools and techniques
    • Enumeration
    • Wireless assessment tools
    • Cloud infrastructure assessment tools
  • 1.5 Explain the threats and vulnerabilities associated with specialized technology.
    • Mobile
    • Internet of Things (IoT)
    • Embedded
    • Real-time operating system (RTOS)
    • System-on-Chip (SoC)
    • Field programmable gate array (FPGA)
    • Physical access control
    • Building automation systems
    • Vehicles and drones
    • Workflow and process automation systems
    • Industrial control systems (ICS)
    • Supervisory control and data acquisition (SCADA)
  • 1.6 Explain the threats and vulnerabilities associated with operating in the cloud.
    • Cloud service models
    • Cloud deployment models
    • Function as a service (FaaS)/serverless architecture
    • Infrastructure as code (IaC)
    • Insecure application programming interface (API)
    • Improper key management
    • Unprotected storage
    • Logging and monitoring
  • 1.7 Given a scenario, implement controls to mitigate attacks and software vulnerabilities.
    • Attack types
    • Vulnerabilities
  1. Olivia is considering potential sources for threat intelligence information that she might incorporate into her security program. Which one of the following sources is most likely to be available without a subscription fee?
    1. Vulnerability feeds
    2. Open source
    3. Closed source
    4. Proprietary
  2. During the reconnaissance stage of a penetration test, Cynthia needs to gather information about the target organization's network infrastructure without causing an IPS to alert the target to her information gathering. Which of the following is her best option?
    1. Perform a DNS brute-force attack.
    2. Use an nmap ping sweep.
    3. Perform a DNS zone transfer.
    4. Use an nmap stealth scan.
  3. Roger is evaluating threat intelligence information sources and finds that one source results in quite a few false positive alerts. This lowers his confidence level in the source. What criterion for intelligence is not being met by this source?
    1. Timeliness
    2. Expense
    3. Relevance
    4. Accuracy
  4. What markup language provides a standard mechanism for describing attack patterns, malware, threat actors, and tools?
    1. STIX
    2. TAXII
    3. XML
    4. OpenIOC
  5. A port scan of a remote system shows that port 3306 is open on a remote database server. What database is the server most likely running?
    1. Oracle
    2. Postgres
    3. MySQL
    4. Microsoft SQL
  6. Brad is working on a threat classification exercise, analyzing known threats and assessing the possibility of unknown threats. Which one of the following threat actors is most likely to be associated with an advanced persistent threat (APT)?
    1. Hacktivist
    2. Nation-state
    3. Insider
    4. Organized crime
  7. During a port scan of her network, Cynthia discovers a workstation that shows the following ports open. What should her next action be?
    Snapshot of the workstation's open ports.
    1. Determine the reason for the ports being open.
    2. Investigate the potentially compromised workstation.
    3. Run a vulnerability scan to identify vulnerable services.
    4. Reenable the workstation's local host firewall.
  8. Charles is working with leaders of his organization to determine the types of information that should be gathered in his new threat intelligence program. In what phase of the intelligence cycle is he participating?
    1. Dissemination
    2. Feedback
    3. Analysis
    4. Requirements
  9. As Charles develops his threat intelligence program, he creates and shares threat reports with relevant technologists and leaders. What phase of the intelligence cycle is now occurring?
    1. Dissemination
    2. Feedback
    3. Collection
    4. Requirements
  10. What term is used to describe the groups of related organizations who pool resources to share cybersecurity threat information and analyses?
    1. SOC
    2. ISAC
    3. CERT
    4. CIRT
  11. Which one of the following threats is the most pervasive in modern computing environments?
    1. Zero-day attacks
    2. Advanced persistent threats
    3. Commodity malware
    4. Insider threats
  12. Singh incorporated the Cisco Talos tool into his organization's threat intelligence program. He uses it to automatically look up information about the past activity of IP addresses sending email to his mail servers. What term best describes this intelligence source?
    1. Open source
    2. Behavioral
    3. Reputational
    4. Indicator of compromise
  13. Consider the threat modeling analysis shown here. What attack framework was used to develop this analysis?
    Schematic illustration of the threat modeling analysis.
    1. ATT&CK
    2. Cyber Kill Chain
    3. STRIDE
    4. Diamond
  14. Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service?
    1. SaaS
    2. PaaS
    3. IaaS
    4. FaaS
  15. Lauren's honeynet, shown here, is configured to use a segment of unused network space that has no legitimate servers in it. What type of threats is this design particularly useful for detecting?
    Schematic illustration of Lauren’s honeynet which is configured to use a segment of unused network space that has no legitimate servers in it.
    1. Zero-day attacks
    2. SQL injection
    3. Network scans
    4. DDoS attacks
  16. Nara is concerned about the risk of attackers conducting a brute-force attack against her organization. Which one of the following factors is Nara most likely to be able to control?
    1. Attack vector
    2. Adversary capability
    3. Likelihood
    4. Total attack surface
  17. Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here?
    Date flow start          Duration  Proto  Src IP Addr:Port->Dst IP Addr:Port  Packets  Bytes  Flows
    2020-07-11 14:39:30.606     0.448  TCP    192.168.2.1:1451->10.2.3.1:443           10   1510      1
    2020-07-11 14:39:30.826     0.448  TCP    10.2.3.1:443->192.168.2.1:1451            7    360      1
    2020-07-11 14:45:32.495    18.492  TCP    10.6.2.4:443->192.168.2.1:1496            5   1107      1
    2020-07-11 14:45:32.255    18.888  TCP    192.168.2.1:1496->10.6.2.4:443           11   1840      1
    2020-07-11 14:46:54.983     0.000  TCP    192.168.2.1:1496->10.6.2.4:443            1     49      1
    2020-07-11 16:45:34.764     0.362  TCP    10.6.2.4:443->192.168.2.1:4292            4   1392      1
    2020-07-11 16:45:37.516     0.676  TCP    192.168.2.1:4292->10.6.2.4:443            4    462      1
    2020-07-11 16:46:38.028     0.000  TCP    192.168.2.1:4292->10.6.2.4:443            2     89      1
    2020-07-11 14:45:23.811     0.454  TCP    192.168.2.1:1515->10.6.2.5:443            4    263      1
    2020-07-11 14:45:28.879     1.638  TCP    192.168.2.1:1505->10.6.2.5:443           18   2932      1
    2020-07-11 14:45:29.087     2.288  TCP    10.6.2.5:443->192.168.2.1:1505           37  48125      1
    2020-07-11 14:45:54.027     0.224  TCP    10.6.2.5:443->192.168.2.1:1515            2   1256      1
    2020-07-11 14:45:58.551     4.328  TCP    192.168.2.1:1525->10.6.2.5:443           10    648      1
    2020-07-11 14:45:58.759     0.920  TCP    10.6.2.5:443->192.168.2.1:1525           12  15792      1
    2020-07-11 14:46:32.227    14.796  TCP    192.168.2.1:1525->10.8.2.5:443           31   1700      1
    2020-07-11 14:46:52.983     0.000  TCP    192.168.2.1:1505->10.8.2.5:443            1     40      1
    1. 1
    2. 3
    3. 4
    4. 5
  18. Which one of the following functions is not a common recipient of threat intelligence information?
    1. Legal counsel
    2. Risk management
    3. Security engineering
    4. Detection and monitoring
  19. Alfonzo is an IT professional at a Portuguese university who is creating a cloud environment for use only by other Portuguese universities. What type of cloud deployment model is he using?
    1. Public cloud
    2. Private cloud
    3. Hybrid cloud
    4. Community cloud
  20. During a network reconnaissance exercise, Chris gains access to a PC located in a secure network. If Chris wants to locate database and web servers that the company uses, what command-line tool can he use to gather information about other systems on the local network without installing additional tools or sending additional traffic?
    1. ping
    2. traceroute
    3. nmap
    4. netstat
  21. Kaiden's organization uses the AWS public cloud environment. He uses the CloudFormation tool to write scripts that create the cloud resources used by his organization. What type of service is CloudFormation?
    1. SaaS
    2. IAC
    3. FaaS
    4. API
  22. What is the default nmap scan type when nmap is not provided with a scan type flag?
    1. A TCP FIN scan
    2. A TCP connect scan
    3. A TCP SYN scan
    4. A UDP scan
  23. Isaac wants to grab the banner from a remote web server using commonly available tools. Which of the following tools cannot be used to grab the banner from the remote host?
    1. Netcat
    2. Telnet
    3. Wget
    4. FTP
  24. Lakshman wants to limit what potential attackers can gather during passive or semipassive reconnaissance activities. Which of the following actions will typically reduce his organization's footprint the most?
    1. Limit information available via the organizational website without authentication.
    2. Use a secure domain registration.
    3. Limit technology references in job postings.
    4. Purge all document metadata before posting.
  25. Cassandra's nmap scan of an open wireless network (192.168.10/24) shows the following host at IP address 192.168.1.1. Which of the following is most likely to be the type of system at that IP address based on the scan results shown?
    Snapshot of Cassandra’s nmap scan of an open wireless network.
    1. A virtual machine
    2. A wireless router
    3. A broadband router
    4. A print server
  26. Several organizations recently experienced security incidents when their AWS secret keys were published in public GitHub repositories. What is the most significant threat that could arise from this improper key management?
    1. Total loss of confidentiality
    2. Total loss of integrity
    3. Total loss of availability
    4. Total loss of confidentiality, integrity, and availability
  27. Latisha has local access to a Windows workstation and wants to gather information about the organization that it belongs to. What type of information can she gain if she executes the command nbtstat -c?
    1. MAC addresses and IP addresses of local systems
    2. NetBIOS name-to-IP address mappings
    3. A list of all NetBIOS systems that the host is connected to
    4. NetBIOS MAC-to-IP address mappings
  28. Tracy believes that a historic version of her target's website may contain data she needs for her reconnaissance. What tool can she use to review snapshots of the website from multiple points in time?
    1. Time Machine
    2. Morlock
    3. Wayback Machine
    4. Her target's web cache
  29. After Kristen received a copy of an nmap scan run by a penetration tester that her company hired, she knows that the tester used the -O flag. What type of information should she expect to see included in the output other than open ports?
    1. OCMP status
    2. Other ports
    3. Objective port assessment data in verbose mode
    4. Operating system and Common Platform Enumeration (CPE) data
  30. Andrea wants to conduct a passive footprinting exercise against a target company. Which of the following techniques is not suited to a passive footprinting process?
    1. WHOIS lookups
    2. Banner grabbing
    3. BGP looking glass usage
    4. Registrar checks
  31. While gathering reconnaissance data for a penetration test, Charlene uses the MXToolbox MX Lookup tool. What can she determine from the response to her query shown here?
    Snapshot of the MXToolbox MX Lookup tool.
    1. The mail servers are blacklisted.
    2. The mail servers have failed an SMTP test.
    3. The mail servers are clustered.
    4. There are two MX hosts listed in DNS.
  32. Alex wants to scan a protected network and has gained access to a system that can communicate to both his scanning system and the internal network, as shown in the image here. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A?
    Schematic illustration of a protected network and a system to communicate.
    1. A reflection scan
    2. A proxy scan
    3. A randomized host scan
    4. A ping-through scan
  33. As a member of a blue team, Lukas observed the following behavior during an external penetration test. What should he report to his managers at the conclusion of the test?
    Graph depicts a type of behavior during an external penetration test.
    1. A significant increase in latency
    2. A significant increase in packet loss
    3. Latency and packet loss both increased.
    4. No significant issues were observed.
  34. As part of an organizationwide red team exercise, Frank is able to use a known vulnerability to compromise an Apache web server. Once he has gained access, what should his next step be if he wants to use the system to pivot to protected systems behind the DMZ that the web server resides in?
    1. Vulnerability scanning
    2. Privilege escalation
    3. Patching
    4. Installing additional tools
  35. Maddox is conducting an inventory of access permissions on cloud-based object buckets, such as those provided by the AWS S3 service. What threat is he seeking to mitigate?
    1. Insecure APIs
    2. Improper key management
    3. Unprotected storage
    4. Insufficient logging and monitoring
  36. Alex has been asked to assess the likelihood of reconnaissance activities against her organization (a small, regional business). Her first assignment is to determine the likelihood of port scans against systems in her organization's DMZ. How should she rate the likelihood of this occurring?
    1. Low
    2. Medium
    3. High
    4. There is not enough information for Alex to provide a rating.
  37. Lucy recently detected a cross-site scripting vulnerability in her organization's web server. The organization operates a support forum where users can enter HTML tags and the resulting code is displayed to other site visitors. What type of cross-site scripting vulnerability did Lucy discover?
    1. Persistent
    2. Reflected
    3. DOM-based
    4. Blind
  38. Which one of the following tools is capable of handcrafting TCP packets for use in an attack?
    1. Arachni
    2. Hping
    3. Responder
    4. Hashcat
  39. Which one of the following IoT components contains hardware that can be dynamically reprogrammed by the end user?
    1. RTOS
    2. SoC
    3. FPGA
    4. MODBUS
  40. Florian discovered a vulnerability in a proprietary application developed by his organization. The application performs memory management using the malloc() function and one area of memory allocated in this manner has an overflow vulnerability. What term best describes this overflow?
    1. Buffer overflow
    2. Stack overflow
    3. Integer overflow
    4. Heap overflow
  41. The company that Maria works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional datacenter. Members of her organization's management share Maria's concerns about data remanence when Lauren's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern?
    1. Zero-wipe drives before moving systems.
    2. Use full-disk encryption.
    3. Use data masking.
    4. Span multiple virtual disks to fragment data.
  42. Lucca wants to prevent workstations on his network from attacking each other. If Lucca's corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B?
    Schematic illustration of Lucca’s corporate network in which technology can be used to prevent laptop A from being able to attack workstation B.
    1. An IPS
    2. An IDS
    3. An HIPS
    4. An HIDS
  43. Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place?
    1. Credential stuffing
    2. Password spraying
    3. Brute-force
    4. Rainbow table
  44. The company that Dan works for has recently migrated to an SaaS provider for its enterprise resource planning (ERP) software. In its traditional on-site ERP environment, Dan conducted regular port scans to help with security validation for the systems. What will Dan most likely have to do in this new environment?
    1. Use a different scanning tool.
    2. Rely on vendor testing and audits.
    3. Engage a third-party tester.
    4. Use a VPN to scan inside the vendor's security perimeter.
  45. Lakshman uses Network Miner to review packet captures from his reconnaissance of a target organization. One system displayed the information shown here. What information has Network Miner used to determine that the PC is a Hewlett-Packard device?
    Snapshot of information displaying in one system in which Lakshman uses Network Miner to review packet captures from his reconnaissance of a target organization.
    1. The MAC address
    2. The OS flags
    3. The system's banner
    4. The IP address
  46. Kaiden is configuring a SIEM service in his IaaS cloud environment that will receive all of the log entries generated by other devices in that environment. Which one of the following risks is greatest with this approach in the event of a DoS attack or other outage?
    1. Inability to access logs
    2. Insufficient logging
    3. Insufficient monitoring
    4. Insecure API
  47. Which one of the following languages is least susceptible to an injection attack?
    1. HTML
    2. SQL
    3. STIX
    4. XML
  48. Which one of the following types of malware would be most useful in a privilege escalation attack?
    1. Rootkit
    2. Worm
    3. Virus
    4. RAT
  49. Ricky discovered a vulnerability in an application where privileges are checked at the beginning of a series of steps, may be revoked during those steps, and then are not checked before new uses of them later in the sequence. What type of vulnerability did he discover?
    1. Improper error handling
    2. Race condition
    3. Dereferencing
    4. Sensitive data exposure
  50. Matthew is analyzing some code written in the C programming language and discovers that it is using the functions listed here. Which of these functions poses the greatest security vulnerability?
    1. strcpy()
    2. main()
    3. printf()
    4. scanf()
  51. Abdul is conducting a security audit of a multicloud computing environment that incorporates resources from AWS and Microsoft Azure. Which one of the following tools will be most useful to him?
    1. ScoutSuite
    2. Pacu
    3. Prowler
    4. CloudSploit
  52. Jake is performing a vulnerability assessment and comes across a CAN bus specification. What type of environment is most likely to include a CAN bus?
    1. Physical access control system
    2. Building automation system
    3. Vehicle control system
    4. Workflow and process automation system
  53. Darcy is conducting a test of a wireless network using the Reaver tool. What technology does Reaver specifically target?
    1. WPA
    2. WPA2
    3. WPS
    4. WEP
  54. Azra believes that one of her users may be taking malicious action on the systems she has access to. When she walks past her user's desktop, she sees the following command on the screen:
    user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt 

    What is the user attempting to do?

    1. They are attempting to hash a file.
    2. They are attempting to crack hashed passwords.
    3. They are attempting to crack encrypted passwords.
    4. They are attempting a pass-the-hash attack.
  55. nmap provides a standardized way to name hardware and software that it detects. What is this called?
    1. CVE
    2. HardwareEnum
    3. CPE
    4. GearScript
  56. Lakshman wants to detect port scans using syslog so that he can collect and report on the information using his SIEM. If he is using a default CentOS system, what should he do?
    1. Search for use of privileged ports in sequential order.
    2. Search for connections to ports in the /var/syslog directory.
    3. Log all kernel messages to detect scans.
    4. Install additional tools that can detect scans and send the logs to syslog.
  57. Greg is concerned about the use of DDoS attack tools against his organization, so he purchased a mitigation service from his ISP. What portion of the threat model did Greg reduce?
    1. Likelihood
    2. Total attack surface
    3. Impact
    4. Adversary capability
  58. Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on.
    root      507  0.0  0.1 258268  3288 ?     Ssl  15:52  0:00 /usr/sbin/rsyslogd -n
    message+  508  0.0  0.2  44176  5160 ?     Ss   15:52  0:00 /usr/bin/dbusdaemon --system --address=systemd: --nofork --nopidfile --systemd-activa
    root      523  0.0  0.3 281092  6312 ?     Ssl  15:52  0:00 /usr/lib/accountsservice/accounts-daemon
    root      524  0.0  0.7 389760 15956 ?     Ssl  15:52  0:00 /usr/sbin/NetworkManager --no-daemon
    root      527  0.0  0.1  28432  2992 ?     Ss   15:52  0:00 /lib/systemd/systemd-logind
    apache    714  0.0  0.1  27416  2748 ?     Ss   15:52  0:00 /www/temp/webmin
    root      617  0.0  0.1  19312  2056 ?     Ss   15:52  0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
    root      644  0.0  0.1 245472  2444 ?     Sl   15:52  0:01 /usr/sbin/VBoxService
    root      653  0.0  0.0  12828  1848 tty1  Ss+  15:52  0:00 /sbin/agetty --noclear tty1 linux
    root      661  0.0  0.3 285428  8088 ?     Ssl  15:52  0:00 /usr/lib/policykit-1/polkitd --no-debug
    root      663  0.0  0.3 364752  7600 ?     Ssl  15:52  0:00 /usr/sbin/gdm3
    root      846  0.0  0.5 285816 10884 ?     Ssl  15:53  0:00 /usr/lib/upower/upowerd
    root      867  0.0  0.3 235180  7272 ?     Sl   15:53  0:00 gdm-session-worker [pam/gdm-launch-environment]
    Debian-+  877  0.0  0.2  46892  4816 ?     Ss   15:53  0:00 /lib/systemd/systemd --user
    Debian-+  878  0.0  0.0  62672  1596 ?     S    15:53  0:00 (sd-pam)
    1. 508
    2. 617
    3. 846
    4. 714
  59. Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services, including telnet, FTP, and web servers. What is his best option to secure these systems?
    1. Enable host firewalls.
    2. Install patches for those services.
    3. Turn off the services for each appliance.
    4. Place a network firewall between the devices and the rest of the network.
  60. While conducting reconnaissance of his own organization, Ian discovers that multiple certificates are self-signed. What issue should he report to his management?
    1. Self-signed certificates do not provide secure encryption for site visitors.
    2. Self-signed certificates can be revoked only by the original creator.
    3. Self-signed certificates will cause warnings or error messages.
    4. None of the above.
  61. During the reconnaissance stage of a penetration test, Fred calls a number of staff at the target organization. Using a script he prepared, Fred introduces himself as part of the support team for their recently installed software and asks for information about the software and its configuration. What is this technique called?
    1. Pretexting
    2. OSINT
    3. A tag-out
    4. Profiling
  62. Carrie needs to lock down a Windows workstation that has recently been scanned using nmap with the results shown here. She knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should she allow through the system's firewall for externally initiated connections?
    Snapshot of the result of a Windows workstation which has recently been scanned using nmap.
    1. 80, 135, 139, and 445
    2. 80, 445, and 3389
    3. 135, 139, and 445
    4. No ports should be open.
  63. Adam's port scan returns results on six TCP ports: 22, 80, 443, 515, 631, and 9100. If Adam needs to guess what type of device this is based on these ports, what is his best guess?
    1. A web server
    2. An FTP server
    3. A printer
    4. A proxy server
  64. In his role as the SOC operator, Manish regularly scans a variety of servers in his organization. After two months of reporting multiple vulnerabilities on a Windows file server, Manish recently escalated the issue to the server administrator's manager.

    At the next weekly scan window, Manish noticed that all the vulnerabilities were no longer active; however, ports 137, 139, and 445 were still showing as open. What most likely happened?

    1. The server administrator blocked the scanner with a firewall.
    2. The server was patched.
    3. The vulnerability plug-ins were updated and no longer report false positives.
    4. The system was offline.
  65. While conducting reconnaissance, Piper discovers what she believes is an SMTP service running on an alternate port. What technique should she use to manually validate her guess?
    1. Send an email via the open port.
    2. Send an SMTP probe.
    3. Telnet to the port.
    4. SSH to the port.
  66. What two pieces of information does nmap need to estimate network path distance?
    1. IP address and TTL
    2. TTL and operating system
    3. Operating system and BGP flags
    4. TCP flags and IP address
  67. Helen is using the Lockheed Martin Cyber Kill Chain to analyze an attack that took place against her organization. During the attack, the perpetrator attached a malicious tool to an email message that was sent to the victim. What phase of the Cyber Kill Chain includes this type of activity?
    1. Weaponization
    2. Delivery
    3. Exploitation
    4. Actions on objectives
  68. During an on-site penetration test of a small business, Ramesh scans outward to a known host to determine the outbound network topology. What information can he gather from the results provided by Zenmap?
    Snapshot of an on-site penetration test of a small business.
    1. There are two nodes on the local network.
    2. There is a firewall at IP address 96.120.24.121.
    3. There is an IDS at IP address 96.120.24.121.
    4. He should scan the 10.0.2.0/24 network.

    Use the following network diagram and scenario to answer questions 69–71.

    Schematic illustration of a network diagram.
  69. Marta is a security analyst who has been tasked with performing nmap scans of her organization's network. She is a new hire and has been given this logical diagram of the organization's network but has not been provided with any additional detail.

    Marta wants to determine what IP addresses to scan from location A. How can she find this information?

    1. Scan the organization's web server and then scan the other 255 IP addresses in its subnet.
    2. Query DNS and WHOIS to find her organization's registered hosts.
    3. Contact ICANN to request the data.
    4. Use traceroute to identify the network that the organization's domain resides in.
  70. If Marta runs a scan from location B that targets the servers on the datacenter network and then runs a scan from location C, what differences is she most likely to see between the scans?
    1. The scans will match.
    2. Scans from location C will show no open ports.
    3. Scans from location C will show fewer open ports.
    4. Scans from location C will show more open ports.
  71. Marta wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact?
    1. Location A
    2. Location B
    3. Location C
    4. Location D
  72. Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where should she add a rule intended to block this type of traffic?
    Schematic illustration of adding a firewall rule in a network.
    1. The firewall
    2. The router
    3. The distribution switch
    4. The Windows server
  73. Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query?
    1. AFRINIC
    2. APNIC
    3. RIPE
    4. LACNIC
  74. While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP. What should Janet report has occurred?
    [ 21/Jul/2020:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
    1. A denial-of-service attack
    2. A vulnerability scan
    3. A port scan
    4. A directory traversal attack
  75. Chris wants to gather as much information as he can about an organization using DNS harvesting techniques. Which of the following methods will most easily provide the most useful information if they are all possible to conduct on the network he is targeting?
    1. DNS record enumeration
    2. Zone transfer
    3. Reverse lookup
    4. Domain brute-forcing
  76. Geoff wants to perform passive reconnaissance as part of an evaluation of his organization's security controls. Which of the following techniques is a valid technique to perform as part of a passive DNS assessment?
    1. A DNS forward or reverse lookup
    2. A zone transfer
    3. A WHOIS query
    4. Using maltego
  77. Mike's penetration test requires him to use passive mapping techniques to discover network topology. Which of the following tools is best suited to that task?
    1. Wireshark
    2. nmap
    3. netcat
    4. Angry IP Scanner
  78. While gathering DNS information about an organization, Ryan discovered multiple AAAA records. What type of reconnaissance does this mean Ryan may want to consider?
    1. Second-level DNS queries
    2. IPv6 scans
    3. Cross-domain resolution
    4. A CNAME verification
  79. After Carlos completes a topology discovery scan of his local network, he sees the Zenmap topology shown here. What can Carlos determine from the Zenmap topology view?
    Schematic illustration of the Zenmap topology.
    1. There are five hosts with port security enabled.
    2. DemoHost2 is running a firewall.
    3. DemoHost4 is running a firewall.
    4. There are four hosts with vulnerabilities and seven hosts that do not have vulnerabilities.
  80. Scott is part of the white team who is overseeing his organization's internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report?
    Snapshot of a type of behavior that is a part of Wireshark capture during the reconnaissance phase.
    1. The blue team has succeeded.
    2. The red team is violating the rules of engagement.
    3. The red team has succeeded.
    4. The blue team is violating the rules of engagement.
  81. Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running?
    1. LDAPS and HTTPS
    2. FTPS and HTTPS
    3. RDP and HTTPS
    4. HTTP and Secure DNS
  82. Kai has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Kai needs to take, as shown in this diagram?
    Schematic illustration of the steps involved in the penetration test.
    1. System browsing
    2. Scanning
    3. Rooting
    4. Consolidation
  83. When Scott performs an nmap scan with the -T flag set to 5, what variable is he changing?
    1. How fast the scan runs
    2. The TCP timeout flag it will set
    3. How many retries it will perform
    4. How long the scan will take to start up
  84. While conducting a port scan of a remote system, Henry discovers TCP port 1433 open. What service can he typically expect to run on this port?
    1. Oracle
    2. VNC
    3. IRC
    4. Microsoft SQL
  85. While application vulnerability scanning one of her target organization's web servers, Andrea notices that the server's hostname is resolving to a cloudflare.com host. What does Andrea know about her scan?
    1. It is being treated like a DDoS attack.
    2. It is scanning a CDN-hosted copy of the site.
    3. It will not return useful information.
    4. She cannot determine anything about the site based on this information.
  86. While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
    Date flow start          Duration   Proto  Src IP Addr:Port->Dst IP Addr:Port   Packets   Bytes   Flows
    2017-07-11  13:06:46.343  21601804   TCP    10.1.1.1:1151->10.2.2.3:443          9473640   9.1 G   1
    2017-07-11  13:06:46.551  21601804   TCP    10.2.2.3:443->10.1.1.1:1151          8345101   514 M   1
    1. A web browsing session
    2. Data exfiltration
    3. Data infiltration
    4. A vulnerability scan
  87. Part of Tracy's penetration testing assignment is to evaluate the WPA2 Enterprise protected wireless networks of her target organization. What major differences exist between reconnaissance of a wired network versus a wireless network?
    1. Encryption and physical accessibility
    2. Network access control and encryption
    3. Port security and physical accessibility
    4. Authentication and encryption
  88. Ian's company has an internal policy requiring that they perform regular port scans of all of their servers. Ian has been part of a recent effort to move his organization's servers to an infrastructure as a service (IaaS) provider. What change will Ian most likely need to make to his scanning efforts?
    1. Change scanning software
    2. Follow the service provider's scan policies
    3. Sign a security contract with the provider
    4. Discontinue port scanning
  89. During a regularly scheduled PCI compliance scan, Fred has discovered port 3389 open on one of the point-of-sale terminals that he is responsible for managing. What service should he expect to find enabled on the system?
    1. MySQL
    2. RDP
    3. TOR
    4. Jabber
  90. Saanvi knows that the organization she is scanning runs services on alternate ports to attempt to reduce scans of default ports. As part of her intelligence-gathering process, she discovers services running on ports 8080 and 8443. What services are most likely running on these ports?
    1. Botnet C&C
    2. Nginx
    3. Microsoft SQL Server instances
    4. Web servers
  91. Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers?
    1. nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt
    2. nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt
    3. nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt
    4. nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt
  92. Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his best guess be about what the host is?
    1. A print server
    2. A Microsoft SQL server
    3. A MySQL server
    4. A secure web server running on an alternate port
  93. What services will the following nmap scan test for?
    nmap -sV -p 22,25,53,389 192.168.2.50/27
    1. Telnet, SMTP, DHCP, MS-SQL
    2. SSH, SMTP, DNS, LDAP
    3. Telnet, SNMP, DNS, LDAP
    4. SSH, SNMP, DNS, RDP
  94. While conducting a topology scan of a remote web server, Susan notes that the IP addresses returned for the same DNS entry change over time. What has she likely encountered?
    1. A route change
    2. Fast-flux DNS
    3. A load balancer
    4. An IP mismatch
  95. Kwame is reviewing his team's work as part of a reconnaissance effort and is checking Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue should he identify with their scan based on the capture shown here?
    Snapshot of Wireshark packet capture as part of a reconnaissance effort.
    1. The host was not up.
    2. Not all ports were scanned.
    3. The scan scanned only UDP ports.
    4. The scan was not run as root.
  96. Allan's nmap scan includes a line that starts with cpe:/o. What type of information should he expect to gather from the entry?
    1. Common privilege escalation
    2. Operating system
    3. Certificate performance evaluation
    4. Hardware identification
  97. While scanning a network, Frank discovers a host running a service on TCP ports 1812 and 1813. What type of server has Frank most likely discovered?
    1. RADIUS
    2. VNC
    3. Kerberos
    4. Postgres
  98. Nihar wants to conduct an nmap scan of a firewalled subnet. Which of the following is not an nmap firewall evasion technique he could use?
    1. Fragmenting packets
    2. Changing packet header flags
    3. Spoofing the source IP
    4. Appending random data
  99. Which of the following commands will provide Ben with the most information about a host?
    1. dig -x [ip address]
    2. host [ip address]
    3. nslookup [ip address]
    4. zonet [ip address]
  100. Fred's reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here:

    Validity

    2018-07-07 00:00:00 to 2019-08-11 23:59:59 (400 days, 23:59:59)

    2017-07-08 00:00:00 to 2019-08-12 23:59:59 (400 days, 23:59:59)

    2018-07-11 00:00:00 to 2019-08-15 23:59:59 (400 days, 23:59:59)

    What should Fred record in his reconnaissance notes?

    1. The certificates expired as expected, showing proper business practice.
    2. The certificates were expired by the CA, possibly due to nonpayment.
    3. The system that hosts the certificates may have been compromised.
    4. The CA may have been compromised, leading to certificate expiration.
  101. When Casey scanned a network host, she received the results shown here. What does she know based on the scan results?
    Snapshot of the result received from scanning a network host.
    1. The device is a Cisco device.
    2. The device is running CentOS.
    3. The device was built by IBM.
    4. None of the above.
  102. Fred conducts an SNMP sweep of a target organization and receives no-response replies from multiple addresses that he believes belong to active hosts. What does this mean?
    1. The machines are unreachable.
    2. The machines are not running SNMP servers.
    3. The community string he used is invalid.
    4. Any or all of the above may be true.
  103. Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark PCAP file from the network, which of the following tools can she use to provide automated analysis of the file?
    1. Ettercap
    2. NetworkMiner
    3. Sharkbait
    4. Dradis
  104. While performing reconnaissance of an organization's network, Angela discovers that web.organization.com, www.organization.com, and documents.organization.com all point to the same host. What type of DNS record allows this?
    1. A CNAME
    2. An MX record
    3. An SPF record
    4. An SOA record
  105. Aidan operates the point-of-sale network for a company that accepts credit cards and is thus required to be compliant with PCI DSS. During his regular assessment of the point-of-sale terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Aidan's best option to stay compliant with PCI DSS and protect his vulnerable systems?
    1. Replace the Windows embedded point-of-sale terminals with standard Windows systems.
    2. Build a custom operating system image that includes the patch.
    3. Identify, implement, and document compensating controls.
    4. Remove the POS terminals from the network until the vendor releases a patch.
  106. What occurs when Mia uses the following command to perform an nmap scan of a network?
    nmap -sP 192.168.2.0/24
    1. A secure port scan of all hosts in the 192.168.0.0 to 192.168.2.255 network range
    2. A scan of all hosts that respond to ping in the 192.168.0.0 to 192.168.255.255 network range
    3. A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range
    4. A SYN-based port scan of all hosts in the 192.168.2.0 to 192.168.2.255 network range
  107. Amir's remote scans of a target organization's class C network block using nmap (nmap -sS 10.0.10.1/24) show only a single web server. If Amir needs to gather additional reconnaissance information about the organization's network, which of the following scanning techniques is most likely to provide additional detail?
    1. Use a UDP scan.
    2. Perform a scan from on-site.
    3. Scan using the -p 1-65535 flag.
    4. Use nmap's IPS evasion techniques.
  108. Damian wants to limit the ability of attackers to conduct passive fingerprinting exercises on his network. Which of the following practices will help to mitigate this risk?
    1. Implement an IPS.
    2. Implement a firewall.
    3. Disable promiscuous mode for NICs.
    4. Enable promiscuous mode for NICs.
  109. Wang submits a suspected malware file to malwr.com and receives the following information about its behavior. What type of tool is malwr.com?
    Snapshot of a type of behavior received from a suspected malware file to malwr.com.
    1. A reverse-engineering tool
    2. A static analysis sandbox
    3. A dynamic analysis sandbox
    4. A decompiler sandbox
  110. As part of his active reconnaissance activities, Frank is provided with a shell account accessible via SSH. If Frank wants to run a default nmap scan on the network behind the firewall shown here, how can he accomplish this?
    Schematic illustration of the firewall in which Frank wants to run a default nmap scan on the network.
    1. ssh -t 192.168.34.11 nmap 192.168.34.0/24
    2. ssh -R 8080:192.168.34.11:8080 [remote account:remote password]
    3. ssh -proxy 192.168.11 [remote account:remote password]
    4. Frank cannot scan multiple ports with a single ssh command.
  111. Angela captured the following packets during a reconnaissance effort run by her organization's red team. What type of information are they looking for?
    Snapshot of the packets captured during a reconnaissance effort run by her organization’s red team.
    1. Vulnerable web applications
    2. SQL injection
    3. Directory traversal attacks
    4. Passwords
  112. Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering?
    1. OSINT searches of support forums and social engineering
    2. Port scanning and social engineering
    3. Social media review and document metadata
    4. Social engineering and document metadata
  113. Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance?
    1. High
    2. Medium
    3. Low
    4. She cannot determine this from the information given.
  114. Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing?
    ICMP "Echo request"
    Date flow start   Duration       Proto         Src IP Addr:Port->Dst IP Addr:Port   Packets   Bytes   Flows
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.6:8.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.6:0->10.1.1.1:0.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.7:8.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.7:0->10.1.1.1:0.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.8:8.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.8:0->10.1.1.1:0.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.9:8.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.9:0->10.1.1.1:0.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.10:8.0            11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.10:0->10.1.1.1:0.0            11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.6:11.0            11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.11:0->10.1.1.1:0.0            11        924     1
    1. A port scan
    2. A failed three-way handshake
    3. A ping sweep
    4. A traceroute
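Flow records like those in questions 86 and 114 are usually read by hand on the exam, but the same patterns are easy to test for programmatically. As an added example (not code from this book or its authors), the following Python script parses records in that nfdump-style layout and applies two defensive heuristics: one source sending ICMP echo requests (type 8, code 0) to many distinct hosts, and a TCP session in which the client side pushes far more bytes toward a service port than it receives. The `SAMPLE_FLOWS` records, the 203.0.113.0/24 addresses and the thresholds are constructed for the example.

```python
"""Flow-record heuristics: ping sweeps and upload-heavy sessions.

Added example. The record layout follows the flow listings shown in
questions 86 and 114: date, start time, duration, protocol,
src:port->dst:port, packets, bytes (optionally suffixed K/M/G) and flows.
ICMP records carry type.code in the port field. SAMPLE_FLOWS is constructed;
203.0.113.0/24 is a documentation range, not a real host.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

UNIT = {None: 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

FLOW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<duration>[\d.]+)\s+(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>[\d.]+)->(?P<dst>[\d.]+):(?P<dport>[\d.]+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>[\d.]+)(?:\s+(?P<unit>[KMG]))?\s+(?P<flows>\d+)\s*$"
)

# Constructed sample: one long upload-heavy HTTPS session, one ordinary
# download-heavy HTTPS session, and echo requests/replies for five hosts.
SAMPLE_FLOWS = """\
Date flow start          Duration   Proto  Src IP Addr:Port->Dst IP Addr:Port   Packets   Bytes   Flows
2020-07-11  13:06:46.343  21601804   TCP    10.1.1.1:1151->203.0.113.9:443       9473640   9.1 G   1
2020-07-11  13:06:46.551  21601804   TCP    203.0.113.9:443->10.1.1.1:1151       8345101   514 M   1
2020-07-11  13:10:02.100  120.000    TCP    10.1.1.7:50112->203.0.113.20:443     3100      180 K   1
2020-07-11  13:10:02.101  120.000    TCP    203.0.113.20:443->10.1.1.7:50112     4200      4.2 M   1
2020-07-11  04:58:59.518  10.000     ICMP   10.1.1.1:0->10.2.2.6:8.0             11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.2.2.6:0->10.1.1.1:0.0             11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.1.1.1:0->10.2.2.7:8.0             11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.2.2.7:0->10.1.1.1:0.0             11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.1.1.1:0->10.2.2.8:8.0             11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.2.2.8:0->10.1.1.1:0.0             11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.1.1.1:0->10.2.2.9:8.0             11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.2.2.9:0->10.1.1.1:0.0             11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.1.1.1:0->10.2.2.10:8.0            11        924     1
2020-07-11  04:58:59.518  10.000     ICMP   10.2.2.10:0->10.1.1.1:0.0            11        924     1
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: str   # for ICMP this is always 0
    dst: str
    dport: str   # for ICMP this is "type.code"
    packets: int
    nbytes: int  # bytes normalized to a plain integer


def parse_flows(text):
    """Parse every record line; header lines and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        nbytes = round(float(m["bytes"]) * UNIT[m["unit"]])
        flows.append(Flow(m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                          int(m["packets"]), nbytes))
    return flows


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def detect_ping_sweeps(flows, min_targets=4):
    """Return {source: [destinations]} for sources that sent ICMP echo
    requests (type 8, code 0) to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "ICMP" and f.dport == "8.0":
            targets[f.src].add(f.dst)
    return {src: sorted(dsts, key=_ip_key)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def flag_upload_heavy(flows, ratio=5.0, min_bytes=100_000_000):
    """Pair each TCP flow with its reverse direction and flag sessions in
    which the client (ephemeral port -> service port) sent at least
    min_bytes and at least ratio times more than it received. Browsing is
    download-heavy, so a large inverted ratio deserves a look."""
    by_key = {(f.src, f.sport, f.dst, f.dport): f for f in flows if f.proto == "TCP"}
    findings = []
    for (src, sport, dst, dport), fwd in by_key.items():
        rev = by_key.get((dst, dport, src, sport))
        if rev is None or int(sport) <= int(dport):
            continue  # evaluate each session once, from the client side
        if fwd.nbytes >= min_bytes and fwd.nbytes >= ratio * max(rev.nbytes, 1):
            findings.append((src, dst, dport, fwd.nbytes, rev.nbytes))
    return findings


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    print("ping sweeps:", detect_ping_sweeps(records))
    print("upload-heavy sessions:", flag_upload_heavy(records))
```

The ratio check is deliberately conservative: it needs both a large absolute volume and a strongly inverted direction before it reports anything, because backups, uploads to a file-sharing service and video calls all produce legitimately upload-heavy flows. Pairing the two directions by the reversed address:port tuple is what lets the script compare them; a collector that exports bidirectional records would make that step unnecessary.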
  115. Ryan's passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4?
    Snapshot of the packets captured during passive reconnaissance efforts.
    1. The host does not have a DNS entry.
    2. It is running a service on port 139.
    3. It is running a service on port 445.
    4. It is a Windows system.
  116. Stacey encountered a system that shows as “filtered” and “firewalled” during an nmap scan. Which of the following techniques should she not consider as she is planning her next scan?
    1. Packet fragmentation
    2. Spoofing the source address
    3. Using decoy scans
    4. Spoofing the destination address
  117. Kim is preparing to deploy a new vulnerability scanner and wants to ensure that she can get the most accurate view of configuration issues on laptops belonging to traveling salespeople. Which technology will work best in this situation?
    1. Agent-based scanning
    2. Server-based scanning
    3. Passive network monitoring
    4. Noncredentialed scanning
  118. Carla runs a vulnerability scan of a new appliance that engineers are planning to place on her organization's network and finds the results shown here. Of the actions listed, which would correct the highest criticality vulnerability?
    Snapshot of the results obtained from running a vulnerability scan of a new appliance.
    1. Block the use of TLS v1.0.
    2. Replace the expired SSL certificate.
    3. Remove the load balancer.
    4. Correct the information leakage vulnerability.
  119. In what type of attack does the adversary leverage a position on a guest operating system to gain access to hardware resources assigned to other operating systems running in the same hardware environment?
    1. Buffer overflow
    2. Directory traversal
    3. VM escape
    4. Cross-site scripting
  120. Sadiq is responsible for the security of a network used to control systems within his organization's manufacturing plant. The network connects manufacturing equipment, sensors, and controllers. He runs a vulnerability scan on this network and discovers that several of the controllers are running very out-of-date firmware that introduces security issues. The manufacturer of the controllers is out of business. What action can Sadiq take to best remediate this vulnerability in an efficient manner?
    1. Develop a firmware update internally and apply it to the controllers.
    2. Post on an Internet message board seeking other organizations that have developed a patch.
    3. Ensure that the ICS is on an isolated network.
    4. Use an intrusion prevention system on the ICS network.
  121. Vic scanned a Windows server used in his organization and found the result shown here. The server is on an internal network with access limited to IT staff and is not part of a domain. How urgently should Vic remediate this vulnerability?
    Snapshot of the result obtained from a Windows server used in the organization.
    1. Vic should drop everything and remediate this vulnerability immediately.
    2. While Vic does not need to drop everything, this vulnerability requires urgent attention and should be addressed quickly.
    3. This is a moderate vulnerability that can be scheduled for remediation at a convenient time.
    4. This vulnerability is informational in nature and may be left in place.
  122. Rob's manager recently asked him for an overview of any critical security issues that exist on his network. He looks at the reporting console of his vulnerability scanner and sees the options shown here. Which of the following report types would be his best likely starting point?
    Snapshot of a few types of reports.
    1. Technical Report
    2. High Severity Report
    3. Qualys Patch Report
    4. Unknown Device Report
  123. Wendy is the security administrator for a membership association that is planning to launch an online store. As part of this launch, she will become responsible for ensuring that the website and associated systems are compliant with all relevant standards. What regulatory regime specifically covers credit card information?
    1. PCI DSS
    2. FERPA
    3. HIPAA
    4. SOX
  124. During a port scan of a server, Miguel discovered that the following ports are open on the internal network:
    • TCP port 25
    • TCP port 80
    • TCP port 110
    • TCP port 443
    • TCP port 1433
    • TCP port 3389

    The scan results provide evidence that a variety of services are running on this server. Which one of the following services is not indicated by the scan results?

    1. Web
    2. Database
    3. SSH
    4. RDP
  125. Nina is a software developer and she receives a report from her company's cybersecurity team that a vulnerability scan detected a SQL injection vulnerability in one of her applications. She examines her code and makes a modification in a test environment that she believes corrects the issue. What should she do next?
    1. Deploy the code to production immediately to resolve the vulnerability.
    2. Request a scan of the test environment to confirm that the issue is corrected.
    3. Mark the vulnerability as resolved and close the ticket.
    4. Hire a consultant to perform a penetration test to confirm that the vulnerability is resolved.
  126. George recently ran a port scan on a network device used by his organization. Which one of the following open ports represents the most significant possible security vulnerability?
    1. 22
    2. 23
    3. 161
    4. 443

    Use the following scenario to answer questions 127–129.

    Harold runs a vulnerability scan of a server that he is planning to move into production and finds the vulnerability shown here.

    Snapshot of the vulnerability obtained by running a vulnerability scan of a server.
  127. What operating system is most likely running on the server in this vulnerability scan report?
    1. macOS
    2. Windows
    3. CentOS
    4. RHEL
  128. Harold is preparing to correct the vulnerability. What service should he inspect to identify the issue?
    1. SSH
    2. HTTPS
    3. RDP
    4. SFTP
  129. Harold would like to secure the service affected by this vulnerability. Which one of the following protocols/versions would be an acceptable way to resolve the issue?
    1. SSL v2.0
    2. SSL v3.0
    3. TLS v1.0
    4. None of the above
  130. Seth found the vulnerability shown here in one of the systems on his network. What component requires a patch to correct this issue?
    Snapshot of the vulnerability of one of the systems on Seth's network.
    1. Operating system
    2. VPN concentrator
    3. Network router or switch
    4. Hypervisor
  131. Quentin ran a vulnerability scan of a server in his organization and discovered the results shown here. Which one of the following actions is not required to resolve one of the vulnerabilities on this server?
    Snapshot of a few actions which are required to resolve one of the vulnerabilities on this server.
    1. Reconfigure cipher support.
    2. Apply Windows security patches.
    3. Obtain a new SSL certificate.
    4. Enhance account security policies.
  132. The presence of ____________ triggers specific vulnerability scanning requirements based on law or regulation.
    1. Credit card information
    2. Protected health information
    3. Personally identifiable information
    4. Trade secret information

    Use the scenario to answer questions 133–135.

    Stella is analyzing the results of a vulnerability scan and comes across the vulnerability shown here on a server in her organization. The SharePoint service in question processes all of the organization's work orders and is a critical part of the routine business workflow.

    Snapshot of the results of a vulnerability scan.
  133. What priority should Stella place on remediating this vulnerability?
    1. Stella should make this vulnerability one of her highest priorities.
    2. Stella should remediate this vulnerability within the next several weeks.
    3. Stella should remediate this vulnerability within the next several months.
    4. Stella does not need to assign any priority to remediating this vulnerability.
  134. What operating system is most likely running on the server in this vulnerability scan report?
    1. macOS
    2. Windows
    3. CentOS
    4. RHEL
  135. What is the best way that Stella can correct this vulnerability?
    1. Deploy an intrusion prevention system.
    2. Apply one or more application patches.
    3. Apply one or more operating system patches.
    4. Disable the service.
  136. Harry is developing a vulnerability scanning program for a large network of sensors used by his organization to monitor a transcontinental gas pipeline. What term is commonly used to describe this type of sensor network?
    1. WLAN
    2. VPN
    3. P2P
    4. SCADA
  137. This morning, Eric ran a vulnerability scan in an attempt to detect a vulnerability that was announced by a software manufacturer yesterday afternoon. The scanner did not detect the vulnerability although Eric knows that at least two of his servers should have the issue. Eric contacted the vulnerability scanning vendor, who assured him that they released a signature for the vulnerability overnight. What should Eric do as a next step?
    1. Check the affected servers to verify a false positive.
    2. Check the affected servers to verify a false negative.
    3. Report a bug to the vendor.
    4. Update the vulnerability signatures.
  138. Natalie ran a vulnerability scan of a web application recently deployed by her organization, and the scan result reported a blind SQL injection. She reported the vulnerability to the developers, who scoured the application and made a few modifications but did not see any evidence that this attack was possible. Natalie reran the scan and received the same result. The developers are now insisting that their code is secure. What is the most likely scenario?
    1. The result is a false positive.
    2. The code is deficient and requires correction.
    3. The vulnerability is in a different web application running on the same server.
    4. Natalie is misreading the scan report.
  139. Kasun discovers a missing Windows security patch during a vulnerability scan of a server in his organization's data center. Upon further investigation, he discovers that the system is virtualized. Where should he apply the patch?
    1. To the virtualized system
    2. The patch is not necessary
    3. To the domain controller
    4. To the virtualization platform
  140. Joaquin is frustrated at the high level of false positive reports produced by his vulnerability scans and is contemplating a series of actions designed to reduce the false positive rate. Which one of the following actions is least likely to have the desired effect?
    1. Moving to credentialed scanning
    2. Moving to agent-based scanning
    3. Integrating asset information into the scan
    4. Increasing the sensitivity of scans
  141. Joe is conducting a network vulnerability scan against his datacenter and receives reports from system administrators that the scans are slowing down their systems. There are no network connectivity issues, only performance problems on individual hosts. He looks at the scan settings shown here. Which setting would be most likely to correct the problem?
    Snapshot of the scan settings.
    1. Scan IP addresses in a random order
    2. Network timeout (in seconds)
    3. Max simultaneous checks per host
    4. Max simultaneous hosts per scan
  142. Isidora runs a vulnerability scan of the management interface for her organization's DNS service. She receives the vulnerability report shown here. What should be Isidora's next action?
    Snapshot of the vulnerability report.
    1. Disable the use of cookies on this service.
    2. Request that the vendor rewrite the interface to avoid this vulnerability.
    3. Investigate the contents of the cookie.
    4. Shut down the DNS service.
  143. Zara is prioritizing vulnerability scans and would like to base the frequency of scanning on the information asset value. Which of the following criteria would be most appropriate for her to use in this analysis?
    1. Cost of hardware acquisition
    2. Cost of hardware replacement
    3. Types of information processed
    4. Depreciated hardware cost
  144. Laura is working to upgrade her organization's vulnerability management program. She would like to add technology that is capable of retrieving the configurations of systems, even when they are highly secured. Many systems use local authentication, and she wants to avoid the burden of maintaining accounts on all of those systems. What technology should Laura consider to meet her requirement?
    1. Credentialed scanning
    2. Uncredentialed scanning
    3. Server-based scanning
    4. Agent-based scanning
  145. Javier discovered the vulnerability shown here in a system on his network. He is unsure what system component is affected. What type of service is causing this vulnerability?
    Snapshot of the vulnerability discovered on the network.
    1. Backup service
    2. Database service
    3. File sharing
    4. Web service
  146. Alicia runs a vulnerability scan of a server being prepared for production and finds the vulnerability shown here. Which one of the following actions is least likely to reduce this risk?
    Snapshot of the vulnerability obtained from scanning a server being prepared for production.
    1. Block all connections on port 22.
    2. Upgrade OpenSSH.
    3. Disable AES-GCM in the server configuration.
    4. Install a network IPS in front of the server.
  147. After scanning his organization's email server, Singh discovered the vulnerability shown here. What is the most effective response that Singh can take in this situation?
    Snapshot of the vulnerability discovered from scanning the organization’s email server.
    1. Upgrade to the most recent version of Microsoft Exchange.
    2. Upgrade to the most recent version of Microsoft Windows.
    3. Implement the use of strong encryption.
    4. No action is required.
  148. A SQL injection exploit typically gains access to a database by exploiting a vulnerability in a(n) __________.
    1. Operating system
    2. Web application
    3. Database server
    4. Firewall

    Use the following scenario to answer questions 149–151.

    Ryan ran a vulnerability scan of one of his organization's production systems and received the report shown here. He would like to understand this vulnerability better and then remediate the issue.

    Snapshot of the vulnerability discovered from scanning the organization’s production system.
  149. Ryan will not be able to correct the vulnerability for several days. In the meantime, he would like to configure his intrusion prevention system to watch for issues related to this vulnerability. Which one of the following protocols would an attacker use to exploit this vulnerability?
    1. SSH
    2. HTTPS
    3. FTP
    4. RDP
  150. Which one of the following actions could Ryan take to remediate the underlying issue without disrupting business activity?
    1. Disable the IIS service.
    2. Apply a security patch.
    3. Modify the web application.
    4. Apply IPS rules.
  151. If an attacker is able to exploit this vulnerability, what is the probable result that will have the highest impact on the organization?
    1. Administrative control of the server
    2. Complete control of the domain
    3. Access to configuration information
    4. Access to web application logs
  152. Ted is configuring vulnerability scanning for a file server on his company's internal network. The server is positioned on the network as shown here. What types of vulnerability scans should Ted perform to balance the efficiency of scanning effort with expected results?
    Schematic illustration of the company's internal network.
    1. Ted should not perform scans of servers on the internal network.
    2. Ted should only perform internal vulnerability scans.
    3. Ted should only perform external vulnerability scans.
    4. Ted should perform both internal and external vulnerability scans.
  153. Zahra is attempting to determine the next task that she should take on from a list of security priorities. Her boss told her that she should focus on activities that have the most “bang for the buck.” Of the tasks shown here, which should she tackle first?
    Tabular representation of a list of security priorities.
    1. Task 1
    2. Task 2
    3. Task 3
    4. Task 4
  154. Kyong manages the vulnerability scans for his organization. The senior director that oversees Kyong's group provides a report to the CIO on a monthly basis on operational activity, and he includes the number of open critical vulnerabilities. He would like to provide this information to his director in as simple a manner as possible each month. What should Kyong do?
    1. Provide the director with access to the scanning system.
    2. Check the system each month for the correct number and email it to the director.
    3. Configure a report that provides the information to automatically send to the director's email at the proper time each month.
    4. Ask an administrative assistant to check the system and provide the director with the information.
  155. Morgan is interpreting the vulnerability scan from her organization's network, shown here. She would like to determine which vulnerability to remediate first. Morgan would like to focus on vulnerabilities that are most easily exploitable by someone outside her organization. Assuming the firewall is properly configured, which one of the following vulnerabilities should Morgan give the highest priority?
    Schematic illustration of the vulnerability scan from the organization’s network.
    1. Severity 5 vulnerability in the workstation
    2. Severity 1 vulnerability in the file server
    3. Severity 5 vulnerability in the web server
    4. Severity 1 vulnerability in the mail server
  156. Mike runs a vulnerability scan against his company's virtualization environment and finds the vulnerability shown here in several of the virtual hosts. What action should Mike take?
    Snapshot of vulnerability in several of the virtual hosts.
    1. No action is necessary because this is an informational report.
    2. Mike should disable HTTP on the affected devices.
    3. Mike should upgrade the version of OpenSSL on the affected devices.
    4. Mike should immediately upgrade the hypervisor.
  157. Juan recently scanned a system and found that it was running services on ports 139 and 445. What operating system is this system most likely running?
    1. Ubuntu
    2. MacOS
    3. CentOS
    4. Windows
  158. Gene is concerned about the theft of sensitive information stored in a database. Which one of the following vulnerabilities would pose the most direct threat to this information?
    1. SQL injection
    2. Cross-site scripting
    3. Buffer overflow
    4. Denial of service
  159. Which one of the following protocols is not likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?
    1. IPsec
    2. SSL v2
    3. PPTP
    4. SSL v3
  160. Rahul ran a vulnerability scan of a server that will be used for credit card processing in his environment and received a report containing the vulnerability shown here. What action must Rahul take?
    Snapshot of a report containing the vulnerability.
    1. Remediate the vulnerability when possible.
    2. Remediate the vulnerability prior to moving the system into production and rerun the scan to obtain a clean result.
    3. Remediate the vulnerability within 90 days of moving the system to production.
    4. No action is required.

    Use the following scenario to answer questions 161–162.

    Aaron is scanning a server in his organization's data center and receives the vulnerability report shown here. The service is exposed only to internal hosts.

    Snapshot of the vulnerability report.
  161. What is the normal function of the service with this vulnerability?
    1. File transfer
    2. Web hosting
    3. Time synchronization
    4. Network addressing
  162. What priority should Aaron place on remediating this vulnerability?
    1. Aaron should make this vulnerability his highest priority.
    2. Aaron should remediate this vulnerability urgently but does not need to drop everything.
    3. Aaron should remediate this vulnerability within the next month.
    4. Aaron does not need to assign any priority to remediating this vulnerability.
  163. Without access to any additional information, which one of the following vulnerabilities would you consider the most severe if discovered on a production web server?
    1. CGI generic SQL injection
    2. Web application information disclosure
    3. Web server uses basic authentication without HTTPS
    4. Web server directory enumeration
  164. Gina ran a vulnerability scan on three systems that her organization is planning to move to production and received the results shown here. How many of these issues should Gina require be resolved before moving to production?
    Snapshot of the report obtained from running the vulnerability scan on three systems.
    1. 0
    2. 1
    3. 3
    4. All of these issues should be resolved
  165. Ji-won recently restarted an old vulnerability scanner that had not been used in more than a year. She booted the scanner, logged in, and configured a scan to run. After reading the scan results, she found that the scanner was not detecting known vulnerabilities that were detected by other scanners. What is the most likely cause of this issue?
    1. The scanner is running on an outdated operating system.
    2. The scanner's maintenance subscription is expired.
    3. Ji-won has invalid credentials on the scanner.
    4. The scanner does not have a current, valid IP address.
  166. Isabella runs both internal and external vulnerability scans of a web server and detects a possible SQL injection vulnerability. The vulnerability only appears in the internal scan and does not appear in the external scan. When Isabella checks the server logs, she sees the requests coming from the internal scan and sees some requests from the external scanner but no evidence that a SQL injection exploit was attempted by the external scanner. What is the most likely explanation for these results?
    1. A host firewall is blocking external network connections to the web server.
    2. A network firewall is blocking external network connections to the web server.
    3. A host IPS is blocking some requests to the web server.
    4. A network IPS is blocking some requests to the web server.
  167. Rick discovers the vulnerability shown here in a server running in his datacenter. What characteristic of this vulnerability should concern him the most?
    Snapshot of the vulnerability discovered on the server running in the datacenter.
    1. It is the subject of a recent security bulletin.
    2. It has a CVSS score of 7.6.
    3. There are multiple Bugtraq and CVE IDs.
    4. It affects kernel-mode drivers.
  168. Carla is designing a vulnerability scanning workflow and has been tasked with selecting the person responsible for remediating vulnerabilities. Which one of the following people would normally be in the best position to remediate a server vulnerability?
    1. Cybersecurity analyst
    2. System administrator
    3. Network engineer
    4. IT manager
  169. During a recent vulnerability scan, Ed discovered that a web server running on his network has access to a database server that should be restricted. Both servers are running on his organization's VMware virtualization platform. Where should Ed look first to configure a security control to restrict this access?
    1. VMware
    2. Datacenter firewall
    3. Perimeter (Internet) firewall
    4. Intrusion prevention system
  170. Carl runs a vulnerability scan of a mail server used by his organization and receives the vulnerability report shown here. What action should Carl take to correct this issue?
    Snapshot of the vulnerability report from a vulnerability scan of a mail server.
    1. Carl does not need to take any action because this is an informational report.
    2. Carl should replace SSL with TLS on this server.
    3. Carl should disable weak ciphers.
    4. Carl should upgrade OpenSSL.
  171. Renee is configuring a vulnerability scanner that will run scans of her network. Corporate policy requires the use of daily vulnerability scans. What would be the best time to configure the scans?
    1. During the day when operations reach their peak to stress test systems
    2. During the evening when operations are minimal to reduce the impact on systems
    3. During lunch hour when people have stepped away from their systems but there is still considerable load
    4. On the weekends when the scans may run unimpeded
  172. Ahmed is reviewing the vulnerability scan report from his organization's central storage service and finds the results shown here. Which action can Ahmed take that will be effective in remediating the highest-severity issue possible?
    Snapshot of the vulnerability scan results for the organization's central storage service.
    1. Upgrade to SNMP v3.
    2. Disable the use of RC4.
    3. Replace the use of SSL with TLS.
    4. Disable remote share enumeration.

    Use the following scenario to answer questions 173–174.

    Glenda ran a vulnerability scan of workstations in her organization. She noticed that many of the workstations reported the vulnerability shown here. She would like to not only correct this issue but also prevent the likelihood of similar issues occurring in the future.

    Snapshot of the vulnerability being reported by the workstations.
  173. What action should Glenda take to achieve her goals?
    1. Glenda should uninstall Chrome from all workstations and replace it with Internet Explorer.
    2. Glenda should manually upgrade Chrome on all workstations.
    3. Glenda should configure all workstations to automatically upgrade Chrome.
    4. Glenda does not need to take any action.
  174. What priority should Glenda place on remediating this vulnerability?
    1. Glenda should make this vulnerability her highest priority.
    2. Glenda should remediate this vulnerability urgently but does not need to drop everything.
    3. Glenda should remediate this vulnerability within the next several months.
    4. Glenda does not need to assign any priority to remediating this vulnerability.
  175. After reviewing the results of a vulnerability scan, Gabriella discovered a flaw in her Oracle database server that may allow an attacker to attempt a direct connection to the server. She would like to review NetFlow logs to determine what systems have connected to the server recently. What TCP port should Gabriella expect to find used for this communication?
    1. 443
    2. 1433
    3. 1521
    4. 8080
  176. Greg runs a vulnerability scan of a server in his organization and finds the results shown here. What is the most likely explanation for these results?
    Snapshot of the result of the vulnerability scan of a server in an organization.
    1. The organization is running web services on nonstandard ports.
    2. The scanner is providing a false positive error report.
    3. The web server has mirrored ports available.
    4. The server has been compromised by an attacker.
  177. Binh is reviewing a vulnerability scan of his organization's VPN appliance. He wants to remove support for any insecure ciphers from the device. Which one of the following ciphers should he remove?
    1. ECDHE-RSA-AES128-SHA256
    2. AES256-SHA256
    3. DHE-RSA-AES256-GCM-SHA384
    4. EDH-RSA-DES-CBC3-SHA
  178. Terry recently ran a vulnerability scan against his organization's credit card processing environment that found a number of vulnerabilities. Which vulnerabilities must he remediate in order to have a “clean” scan under PCI DSS standards?
    1. Critical vulnerabilities
    2. Critical and high vulnerabilities
    3. Critical, high, and moderate vulnerabilities
    4. Critical, high, moderate, and low vulnerabilities
  179. Himari discovers the vulnerability shown here on several Windows systems in her organization. There is a patch available, but it requires compatibility testing that will take several days to complete. What type of file should Himari be watchful for because it may directly exploit this vulnerability?
    Snapshot of the vulnerability on several Windows systems in an organization.
    1. Private key files
    2. Word documents
    3. Image files
    4. Encrypted files
  180. During a vulnerability scan, Patrick discovered that the configuration management agent installed on all of his organization's Windows servers contains a serious vulnerability. The manufacturer is aware of this issue, and a patch is available. What process should Patrick follow to correct this issue?
    1. Immediately deploy the patch to all affected systems.
    2. Deploy the patch to a single production server for testing and then deploy to all servers if that test is successful.
    3. Deploy the patch in a test environment and then conduct a staged rollout in production.
    4. Disable all external access to systems until the patch is deployed.
  181. Aaron is configuring a vulnerability scan for a Class C network and is trying to choose a port setting from the list shown here. He would like to choose a scan option that will efficiently scan his network but also complete in a reasonable period of time. Which setting would be most appropriate?
    Snapshot of the port setting options for a vulnerability scan of a Class C network.
    1. None
    2. Full
    3. Standard Scan
    4. Light Scan
  182. Haruto is reviewing the results of a vulnerability scan, shown here, from a web server in his organization. Access to this server is restricted at the firewall so that it may not be accessed on port 80 or 443. Which of the following vulnerabilities should Haruto still address?
    Snapshot of the result of vulnerability scan from a web server in an organization.
    1. OpenSSL version
    2. Cookie information disclosure
    3. TRACK/TRACE methods
    4. Haruto does not need to address any of these vulnerabilities because they are not exposed to the outside world
  183. Brian is considering the use of several different categories of vulnerability plug-ins. Of the types listed here, which is the most likely to result in false positive reports?
    1. Registry inspection
    2. Banner grabbing
    3. Service interrogation
    4. Fuzzing
  184. Binh conducts a vulnerability scan and finds three different vulnerabilities, with the CVSS scores shown here. Which vulnerability should be his highest priority to fix, assuming all three fixes are of equal difficulty?
    Snapshot of the CVSS scores for the three vulnerabilities found by the scan.
    1. Vulnerability 1
    2. Vulnerability 2
    3. Vulnerability 3
    4. Vulnerabilities 1 and 3 are equal in priority
  185. Which one of the following is not an appropriate criterion to use when prioritizing the remediation of vulnerabilities?
    1. Network exposure of the affected system
    2. Difficulty of remediation
    3. Severity of the vulnerability
    4. All of these are appropriate.
  186. Landon is preparing to run a vulnerability scan of a dedicated Apache server that his organization is planning to move into a DMZ. Which one of the following vulnerability scans is least likely to provide informative results?
    1. Web application vulnerability scan
    2. Database vulnerability scan
    3. Port scan
    4. Network vulnerability scan
  187. Ken recently received the vulnerability report shown here that affects a file server used by his organization. What is the primary nature of the risk introduced by this vulnerability?
    Snapshot of a vulnerability report that affects the file server used by an organization.
    1. Confidentiality
    2. Integrity
    3. Availability
    4. Nonrepudiation
  188. Aadesh is creating a vulnerability management program for his company. He has limited scanning resources and would like to apply them to different systems based on the sensitivity and criticality of the information that they handle. What criteria should Aadesh use to determine the vulnerability scanning frequency?
    1. Data remanence
    2. Data privacy
    3. Data classification
    4. Data privacy
  189. Tom recently read a media report about a ransomware outbreak that was spreading rapidly across the Internet by exploiting a zero-day vulnerability in Microsoft Windows. As part of a comprehensive response, he would like to include a control that would allow his organization to effectively recover from a ransomware infection. Which one of the following controls would best achieve Tom's objective?
    1. Security patching
    2. Host firewalls
    3. Backups
    4. Intrusion prevention systems
  190. Kaitlyn discovered the vulnerability shown here on a workstation in her organization. Which one of the following is not an acceptable method for remediating this vulnerability?
    Snapshot of the vulnerability on a workstation in the organization.
    1. Upgrade WinRAR
    2. Upgrade Windows
    3. Remove WinRAR
    4. Replace WinRAR with an alternate compression utility
  191. Brent ran a vulnerability scan of several network infrastructure devices on his network and obtained the result shown here. What is the extent of the impact that an attacker could have by exploiting this vulnerability directly?
    Snapshot of the result of a vulnerability scan of several network infrastructure devices on a network.
    1. Denial of service
    2. Theft of sensitive information
    3. Network eavesdropping
    4. Reconnaissance
  192. Yashvir runs the cybersecurity vulnerability management program for his organization. He sends a database administrator a report of a missing database patch that corrects a high severity security issue. The DBA writes back to Yashvir that he has applied the patch. Yashvir reruns the scan, and it still reports the same vulnerability. What should he do next?
    1. Mark the vulnerability as a false positive.
    2. Ask the DBA to recheck the database.
    3. Mark the vulnerability as an exception.
    4. Escalate the issue to the DBA's manager.
  193. Manya is reviewing the results of a vulnerability scan and identifies the issue shown here in one of her systems. She consults with developers who check the code and assure her that it is not vulnerable to SQL injection attacks. An independent auditor confirms this for Manya. What is the most likely scenario?
    Snapshot of the issue identified in the vulnerability scan results.
    1. This is a false positive report.
    2. The developers are wrong, and the vulnerability exists.
    3. The scanner is malfunctioning.
    4. The database server is misconfigured.
  194. Erik is reviewing the results of a vulnerability scan and comes across the vulnerability report shown here. Which one of the following services is least likely to be affected by this vulnerability?
    Snapshot of the vulnerability report from the scan results.
    1. HTTPS
    2. HTTP
    3. SSH
    4. VPN

    Use the following scenario to answer questions 195–196.

    Larry recently discovered a critical vulnerability in one of his organization's database servers during a routine vulnerability scan. When he showed the report to a database administrator, the administrator responded that they had corrected the vulnerability by using a vendor-supplied workaround because upgrading the database would disrupt an important process. Larry verified that the workaround is in place and corrects the vulnerability.

  195. How should Larry respond to this situation?
    1. Mark the report as a false positive.
    2. Insist that the administrator apply the vendor patch.
    3. Mark the report as an exception.
    4. Require that the administrator submit a report describing the workaround after each vulnerability scan.
  196. What is the most likely cause of this report?
    1. The vulnerability scanner requires an update.
    2. The vulnerability scanner depends on version detection.
    3. The database administrator incorrectly applied the workaround.
    4. Larry misconfigured the scan.
  197. Mila ran a vulnerability scan of a server in her organization and found the vulnerability shown here. What is the use of the service affected by this vulnerability?
    Snapshot of a vulnerability that is obtained from a vulnerability scan of a server in an organization.
    1. Web server
    2. Database server
    3. Email server
    4. Directory server
  198. Margot discovered that a server in her organization has a SQL injection vulnerability. She would like to investigate whether attackers have attempted to exploit this vulnerability. Which one of the following data sources is least likely to provide helpful information?
    1. NetFlow logs
    2. Web server logs
    3. Database logs
    4. IDS logs
  199. Krista is reviewing a vulnerability scan report and comes across the vulnerability shown here. She comes from a Linux background and is not as familiar with Windows administration. She is not familiar with the runas command mentioned in this vulnerability. What is the closest Linux equivalent command?
    Snapshot of the vulnerability that is obtained by reviewing a vulnerability scan report.
    1. sudo
    2. grep
    3. su
    4. ps
  200. After scanning a web application for possible vulnerabilities, Barry received the result shown here. Which one of the following best describes the threat posed by this vulnerability?
    Snapshot of the result of a web application scan for possible vulnerabilities.
    1. An attacker can eavesdrop on authentication exchanges.
    2. An attacker can cause a denial-of-service attack on the web application.
    3. An attacker can disrupt the encryption mechanism used by this server.
    4. An attacker can edit the application code running on this server.
  201. Javier ran a vulnerability scan of a network device used by his organization and discovered the vulnerability shown here. What type of attack would this vulnerability enable?
    Snapshot of the vulnerability that is obtained by running a vulnerability scan of a network device used by an organization.
    1. Denial of service
    2. Information theft
    3. Information alteration
    4. Reconnaissance
  202. Akari scans a Windows server in her organization and finds that it has multiple critical vulnerabilities, detailed in the report shown here. What action can Akari take that will have the most significant impact on these issues without creating a long-term outage?
    Snapshot of the detailed report for a Windows server in an organization.
    1. Configure the host firewall to block inbound connections.
    2. Apply security patches.
    3. Disable the guest account on the server.
    4. Configure the server to only use secure ciphers.
  203. Ben is preparing to conduct a vulnerability scan for a new client of his security consulting organization. Which one of the following steps should Ben perform first?
    1. Conduct penetration testing.
    2. Run a vulnerability evaluation scan.
    3. Run a discovery scan.
    4. Obtain permission for the scans.
  204. Katherine coordinates the remediation of security vulnerabilities in her organization and is attempting to work with a system engineer on the patching of a server to correct a moderate impact vulnerability. The engineer is refusing to patch the server because of the potential interruption to a critical business process that runs on the server. What would be the most reasonable course of action for Katherine to take?
    1. Schedule the patching to occur during a regular maintenance cycle.
    2. Exempt the server from patching because of the critical business impact.
    3. Demand that the server be patched immediately to correct the vulnerability.
    4. Inform the engineer that if he does not apply the patch within a week, Katherine will file a complaint with his manager.
  205. During a recent vulnerability scan of workstations on her network, Andrea discovered the vulnerability shown here. Which one of the following actions is least likely to remediate this vulnerability?
    Snapshot of the vulnerability that is obtained during a recent vulnerability scan of workstations.
    1. Remove JRE from workstations.
    2. Upgrade JRE to the most recent version.
    3. Block inbound connections on port 80 using the host firewall.
    4. Use a web content filtering system to scan for malicious traffic.
  206. Grace ran a vulnerability scan and detected an urgent vulnerability in a public-facing web server. This vulnerability is easily exploitable and could result in the complete compromise of the server. Grace wants to follow best practices regarding change control while also mitigating this threat as quickly as possible. What would be Grace's best course of action?
    1. Initiate a high-priority change through her organization's change management process and wait for the change to be approved.
    2. Implement a fix immediately and document the change after the fact.
    3. Schedule a change for the next quarterly patch cycle.
    4. Initiate a standard change through her organization's change management process.
  207. Doug is preparing an RFP for a vulnerability scanner for his organization. He needs to know the number of systems on his network to help determine the scanner requirements. Which one of the following would not be an easy way to obtain this information?
    1. ARP tables
    2. Asset management tool
    3. Discovery scan
    4. Results of scans recently run by a consultant
  208. Mary runs a vulnerability scan of her entire organization and shares the report with another analyst on her team. An excerpt from that report appears here. Her colleague points out that the report contains only vulnerabilities with severities of 3, 4, or 5. What is the most likely cause of this result?
    Snapshot of a vulnerability scan of the entire organization.
    1. The scan sensitivity is set to exclude low-importance vulnerabilities.
    2. Mary did not configure the scan properly.
    3. Systems in the datacenter do not contain any level 1 or 2 vulnerabilities.
    4. The scan sensitivity is set to exclude high-impact vulnerabilities.
  209. Mikhail is reviewing the vulnerability shown here, which was detected on several servers in his environment. What action should Mikhail take?
    Snapshot of the vulnerability obtained by reviewing several servers in the environment.
    1. Block TCP/IP access to these servers from external sources.
    2. Upgrade the operating system on these servers.
    3. Encrypt all access to these servers.
    4. No action is necessary.
  210. Which one of the following approaches provides the most current and accurate information about vulnerabilities present on a system because of the misconfiguration of operating system settings?
    1. On-demand vulnerability scanning
    2. Continuous vulnerability scanning
    3. Scheduled vulnerability scanning
    4. Agent-based monitoring

    Use the following scenario to answer questions 211–213.

    Pete recently conducted a broad vulnerability scan of all the servers and workstations in his environment. He scanned the following three networks:

    • DMZ network that contains servers with public exposure
    • Workstation network that contains workstations that are allowed outbound access only
    • Internal server network that contains servers exposed only to internal systems

    He detected the following vulnerabilities:

    • Vulnerability 1: A SQL injection vulnerability on a DMZ server that would grant access to a database server on the internal network (severity 5/5)
    • Vulnerability 2: A buffer overflow vulnerability on a domain controller on the internal server network (severity 3/5)
    • Vulnerability 3: A missing security patch on several hundred Windows workstations on the workstation network (severity 2/5)
    • Vulnerability 4: A denial-of-service vulnerability on a DMZ server that would allow an attacker to disrupt a public-facing website (severity 2/5)
    • Vulnerability 5: A denial-of-service vulnerability on an internal server that would allow an attacker to disrupt an internal website (severity 4/5)

    Note that the severity ratings assigned to these vulnerabilities are directly from the vulnerability scanner and were not assigned by Pete.

  211. Absent any other information, which one of the vulnerabilities in the report should Pete remediate first?
    1. Vulnerability 1
    2. Vulnerability 2
    3. Vulnerability 3
    4. Vulnerability 4
  212. Pete is working with the desktop support manager to remediate vulnerability 3. What would be the most efficient way to correct this issue?
    1. Personally visit each workstation to remediate the vulnerability.
    2. Remotely connect to each workstation to remediate the vulnerability.
    3. Perform registry updates using a remote configuration tool.
    4. Apply the patch using a GPO.
  213. Pete recently conferred with the organization's CISO, and the team is launching an initiative designed to combat the insider threat. They are particularly concerned about the theft of information by employees seeking to exceed their authorized access. Which one of the vulnerabilities in this report is of greatest concern given this priority?
    1. Vulnerability 2
    2. Vulnerability 3
    3. Vulnerability 4
    4. Vulnerability 5
  214. Wanda recently discovered the vulnerability shown here on a Windows server in her organization. She is unable to apply the patch to the server for six weeks because of operational issues. What workaround would be most effective in limiting the likelihood that this vulnerability would be exploited?
    Snapshot of the vulnerability that is obtained from a Windows server in an organization.
    1. Restrict interactive logins to the system.
    2. Remove Microsoft Office from the server.
    3. Remove Internet Explorer from the server.
    4. Apply the security patch.
  215. Garrett is configuring vulnerability scanning for a new web server that his organization is deploying on its DMZ network. The server hosts the company's public website. What type of scanning should Garrett configure for best results?
    1. Garrett should not perform scanning of DMZ systems.
    2. Garrett should perform external scanning only.
    3. Garrett should perform internal scanning only.
    4. Garrett should perform both internal and external scanning.
  216. Frank recently ran a vulnerability scan and identified a POS terminal that contains an unpatchable vulnerability because it runs an unsupported operating system. Frank consults with his manager and is told that the POS is being used with full knowledge of management and, as a compensating control, it has been placed on an isolated network with no access to other systems. Frank's manager tells him that the merchant bank is aware of the issue. How should Frank handle this situation?
    1. Document the vulnerability as an approved exception.
    2. Explain to his manager that PCI DSS does not permit the use of unsupported operating systems.
    3. Decommission the POS system immediately to avoid personal liability.
    4. Upgrade the operating system immediately.
  217. James is configuring vulnerability scans of a dedicated network that his organization uses for processing credit card transactions. What types of scans are least important for James to include in his scanning program?
    1. Scans from a dedicated scanner on the card processing network
    2. Scans from an external scanner on his organization's network
    3. Scans from an external scanner operated by an approved scanning vendor
    4. All three types of scans are equally important.
  218. Helen performs a vulnerability scan of one of the internal LANs within her organization and finds a report of a web application vulnerability on a device. Upon investigation, she discovers that the device in question is a printer. What is the most likely scenario in this case?
    1. The printer is running an embedded web server.
    2. The report is a false positive result.
    3. The printer recently changed IP addresses.
    4. Helen inadvertently scanned the wrong network.
  219. Joe discovered a critical vulnerability in his organization's database server and received permission from his supervisor to implement an emergency change after the close of business. He has eight hours before the planned change window. In addition to planning the technical aspects of the change, what else should Joe do to prepare for the change?
    1. Ensure that all stakeholders are informed of the planned outage.
    2. Document the change in his organization's change management system.
    3. Identify any potential risks associated with the change.
    4. All of the above.
  220. Julian recently detected the vulnerability shown here on several servers in his environment. Because of the critical nature of the vulnerability, he would like to use a firewall rule to block all access to the affected service until it is resolved. He verifies that the following TCP ports are open on the host firewall. Which one of the following does Julian not need to block to restrict access to this service?
    Snapshot of the vulnerability detected on several servers in Julian's environment.
    1. 137
    2. 139
    3. 389
    4. 445
  221. Ted recently ran a vulnerability scan of his network and was overwhelmed with results. He would like to focus on the most important vulnerabilities. How should Ted reconfigure his vulnerability scanner?
    1. Increase the scan sensitivity.
    2. Decrease the scan sensitivity.
    3. Increase the scan frequency.
    4. Decrease the scan frequency.
  222. After running a vulnerability scan, Janet discovered that several machines on her network are running Internet Explorer 8 and reported the vulnerability shown here. Which one of the following would not be a suitable replacement browser for these systems?
    Snapshot of the Internet Explorer 8 vulnerability reported by the scan.
    1. Internet Explorer 11
    2. Google Chrome
    3. Mozilla Firefox
    4. Microsoft Edge
  223. Sunitha discovered the vulnerability shown here in an application developed by her organization. What application security technique is most likely to resolve this issue?
    Snapshot of the vulnerability reported in the application developed by Sunitha's organization.
    1. Bounds checking
    2. Network segmentation
    3. Parameter handling
    4. Tag removal
  224. Sherry runs a vulnerability scan and receives the high-level results shown here. Her priority is to remediate the most important vulnerabilities first. Which system should be her highest priority?
    Snapshot of the high-level vulnerability scan results for systems A through D.
    1. A
    2. B
    3. C
    4. D
  225. Victor is configuring a new vulnerability scanner. He set the scanner to run scans of his entire datacenter each evening. When he went to check the scan reports at the end of the week, he found that they were all incomplete. The scan reports noted the error “Scan terminated due to start of preempting job.” Victor has no funds remaining to invest in the vulnerability scanning system, but he still wants to cover the entire datacenter. What should he do to ensure that scans complete?
    1. Reduce the number of systems scanned.
    2. Increase the number of scanners.
    3. Upgrade the scanner hardware.
    4. Reduce the scanning frequency.
  226. Vanessa ran a vulnerability scan of a server and received the results shown here. Her boss instructed her to prioritize remediation based on criticality. Which issue should she address first?
    Snapshot of the vulnerability scan results for the server.
    1. Remove the POP server.
    2. Remove the FTP server.
    3. Upgrade the web server.
    4. Remove insecure cryptographic protocols.
  227. Gil is configuring a scheduled vulnerability scan for his organization using the QualysGuard scanner. If he selects the Relaunch On Finish scheduling option shown here, what will be the result?
    Snapshot of the QualysGuard schedule configuration showing the Relaunch On Finish option.
    1. The scan will run once each time the schedule occurs.
    2. The scan will run twice each time the schedule occurs.
    3. The scan will run twice the next time the schedule occurs and once on each subsequent schedule interval.
    4. The scan will run continuously until stopped.
  228. Terry is reviewing a vulnerability scan of a Windows server and comes across the vulnerability shown here. What is the risk presented by this vulnerability?
    Snapshot of the vulnerability reported on the Windows server.
    1. An attacker may be able to execute a buffer overflow and execute arbitrary code on the server.
    2. An attacker may be able to conduct a denial-of-service attack against this server.
    3. An attacker may be able to determine the operating system version on this server.
    4. There is no direct vulnerability, but this information points to other possible vulnerabilities on the server.
  229. Andrea recently discovered the vulnerability shown here on the workstation belonging to a system administrator in her organization. What is the major likely threat that should concern Andrea?
    Snapshot of the vulnerability discovered on the system administrator's workstation.
    1. An attacker could exploit this vulnerability to take control of the administrator's workstation.
    2. An attacker could exploit this vulnerability to gain access to servers managed by the administrator.
    3. An attacker could exploit this vulnerability to prevent the administrator from using the workstation.
    4. An attacker could exploit this vulnerability to decrypt sensitive information stored on the administrator's workstation.
  230. Mateo completed the vulnerability scan of a server in his organization and discovered the results shown here. Which one of the following is not a critical remediation action dictated by these results?
    Snapshot of the vulnerability scan results for the server.
    1. Remove obsolete software.
    2. Reconfigure the host firewall.
    3. Apply operating system patches.
    4. Apply application patches.
  231. Tom's company is planning to adopt a bring your own device (BYOD) policy for mobile devices. Which one of the following technologies allows the secure use of sensitive information on personally owned devices, including providing administrators with the ability to wipe corporate information from the device without affecting personal data?
    1. Remote wipe
    2. Strong passwords
    3. Biometric authentication
    4. Containerization
  232. Sally discovered during a vulnerability scan that a system that she manages has a high-priority vulnerability that requires a patch. The system is behind a firewall and there is no imminent threat, but Sally wants to get the situation resolved as quickly as possible. What would be her best course of action?
    1. Initiate a high-priority change through her organization's change management process.
    2. Implement a fix immediately and then document the change after the fact.
    3. Implement a fix immediately and then inform her supervisor of her action and the rationale.
    4. Schedule a change for the next quarterly patch cycle.
  233. Gene runs a vulnerability scan of his organization's datacenter and produces a summary report to share with his management team. The report includes the chart shown here. When Gene's manager reads the report, she points out that the report is burying important details because it is highlighting too many unimportant issues. What should Gene do to resolve this issue?
    Snapshot of the chart included in Gene's summary report.
    1. Tell his manager that all vulnerabilities are important and should appear on the report.
    2. Create a revised version of the chart using Excel.
    3. Modify the sensitivity level of the scan.
    4. Stop sharing reports with the management team.
  234. Avik recently conducted a PCI DSS vulnerability scan of a web server and noted a critical PHP vulnerability that required an upgrade to correct. She applied the update. How soon must Avik repeat the scan?
    1. Within 30 days
    2. At the next scheduled quarterly scan
    3. At the next scheduled annual scan
    4. Immediately
  235. Chandra's organization recently upgraded the firewall protecting the network where they process credit card information. This network is subject to the provisions of PCI DSS. When is Chandra required to schedule the next vulnerability scan of this network?
    1. Immediately
    2. Within one month
    3. Before the start of next month
    4. Before the end of the quarter following the upgrade
  236. Fahad is concerned about the security of an industrial control system that his organization uses to monitor and manage systems in their factories. He would like to reduce the risk of an attacker penetrating this system. Which one of the following security controls would best mitigate the vulnerabilities in this type of system?
    1. Network segmentation
    2. Input validation
    3. Memory protection
    4. Redundancy
  237. Glenda routinely runs vulnerability scans of servers in her organization. She is having difficulty with one system administrator who refuses to correct vulnerabilities on a server used as a jump box by other IT staff. The server has had dozens of vulnerabilities for weeks and would require downtime to repair. One morning, her scan reports that all of the vulnerabilities suddenly disappeared overnight, while other systems in the same scan are reporting issues. She checks the service status dashboard, and the service appears to be running properly with no outages reported in the past week. What is the most likely cause of this result?
    1. The system administrator corrected the vulnerabilities.
    2. The server is down.
    3. The system administrator blocked the scanner.
    4. The scan did not run.
  238. Raphael discovered during a vulnerability scan that an administrative interface to one of his storage systems was inadvertently exposed to the Internet. He is reviewing firewall logs and would like to determine whether any access attempts came from external sources. Which one of the following IP addresses reflects an external source?
    1. 10.15.1.100
    2. 12.8.1.100
    3. 172.16.1.100
    4. 192.168.1.100
  239. Nick is configuring vulnerability scans for his network using a third-party vulnerability scanning service. He is attempting to scan a web server that he knows exposes a CIFS file share and contains several significant vulnerabilities. However, the scan results only show ports 80 and 443 as open. What is the most likely cause of these scan results?
    1. The CIFS file share is running on port 443.
    2. A firewall configuration is preventing the scan from succeeding.
    3. The scanner configuration is preventing the scan from succeeding.
    4. The CIFS file share is running on port 80.
  240. Thomas learned this morning of a critical security flaw that affects a major service used by his organization and requires immediate patching. This flaw was the subject of news reports and is being actively exploited. Thomas has a patch and informed stakeholders of the issue and received permission to apply the patch during business hours. How should he handle the change management process?
    1. Thomas should apply the patch and then follow up with an emergency change request after work is complete.
    2. Thomas should initiate a standard change request but apply the patch before waiting for approval.
    3. Thomas should work through the standard change approval process and wait until it is complete to apply the patch.
    4. Thomas should file an emergency change request and wait until it is approved to apply the patch.
  241. After running a vulnerability scan of systems in his organization's development shop, Mike discovers the issue shown here on several systems. What is the best solution to this vulnerability?
    Snapshot of the issue reported on several development systems.
    1. Apply the required security patches to this framework.
    2. Remove this framework from the affected systems.
    3. Upgrade the operating system of the affected systems.
    4. No action is necessary.
  242. Tran is preparing to conduct vulnerability scans against a set of workstations in his organization. He is particularly concerned about system configuration settings. Which one of the following scan types will give him the best results?
    1. Unauthenticated scan
    2. Credentialed scan
    3. External scan
    4. Internal scan
  243. Brian is configuring a vulnerability scan of all servers in his organization's datacenter. He is configuring the scan to only detect the highest-severity vulnerabilities. He would like to empower system administrators to correct issues on their servers but also have some insight into the status of those remediations. Which approach would best serve Brian's interests?
    1. Give the administrators access to view the scans in the vulnerability scanning system.
    2. Send email alerts to administrators when the scans detect a new vulnerability on their servers.
    3. Configure the vulnerability scanner to open a trouble ticket when it detects a new vulnerability on a server.
    4. Configure the scanner to send reports to Brian who can notify administrators and track them in a spreadsheet.
  244. Xiu Ying is configuring a new vulnerability scanner for use in her organization's datacenter. Which one of the following values is considered a best practice for the scanner's update frequency?
    1. Daily
    2. Weekly
    3. Monthly
    4. Quarterly
  245. Ben was recently assigned by his manager to begin the remediation work on the most vulnerable server in his organization. A portion of the scan report appears here. What remediation action should Ben take first?
    Snapshot of the portion of the scan report for the server.
    1. Install patches for Adobe Flash.
    2. Install patches for Firefox.
    3. Run Windows Update.
    4. Remove obsolete software.
  246. Tom is planning a series of vulnerability scans and wants to ensure that the organization is meeting its customer commitments with respect to the scans' performance impact. What two documents should Tom consult to find these obligations?
    1. SLAs and MOUs
    2. SLAs and DRPs
    3. DRPs and BIAs
    4. BIAs and MOUs
  247. Zhang Wei is evaluating the success of his vulnerability management program and would like to include some metrics. Which one of the following would be the least useful metric?
    1. Time to resolve critical vulnerabilities
    2. Number of open critical vulnerabilities over time
    3. Total number of vulnerabilities reported
    4. Number of systems containing critical vulnerabilities
  248. Zhang Wei completed a vulnerability scan of his organization's virtualization platform from an external host and discovered the vulnerability shown here. How should he react?
    Snapshot of the vulnerability discovered on the virtualization platform by the external scan.
    1. This is a critical issue that requires immediate adjustment of firewall rules.
    2. This issue has a very low severity and does not require remediation.
    3. This issue should be corrected as time permits.
    4. This is a critical issue, and Zhang Wei should shut down the platform until it is corrected.
  249. Elliott runs a vulnerability scan of one of the servers belonging to his organization and finds the results shown here. Which one of these statements is not correct?
    Snapshot of the vulnerability scan results for the server.
    1. This server requires one or more Linux patches.
    2. This server requires one or more Oracle database patches.
    3. This server requires one or more Firefox patches.
    4. This server requires one or more MySQL patches.
  250. Donna is working with a system engineer who wants to remediate vulnerabilities in a server that he manages. Of the report templates shown here, which would be most useful to the engineer?
    Snapshot of the available report templates.
    1. Qualys Top 20 Report
    2. PCI Technical Report
    3. Executive Report
    4. Technical Report
  251. Abdul received the vulnerability report shown here for a server in his organization. The server runs a legacy application that cannot easily be updated. What risks does this vulnerability present?
    Snapshot of the vulnerability report for the server.
    1. Unauthorized access to files stored on the server
    2. Theft of credentials
    3. Eavesdropping on communications
    4. All of the above
  252. Tom runs a vulnerability scan of the file server shown here.
    Schematic illustration of the file server's network placement.

    He receives the vulnerability report shown next. Assuming that the firewall is configured properly, what action should Tom take immediately?

    Snapshot of the vulnerability report for the file server.
    1. Block RDP access to this server from all hosts.
    2. Review and secure server accounts.
    3. Upgrade encryption on the server.
    4. No action is required.
  253. Dave is running a vulnerability scan of a client's network for the first time. The client has never run such a scan and expects to find many results. What security control is likely to remediate the largest portion of the vulnerabilities discovered in Dave's scan?
    1. Input validation
    2. Patching
    3. Intrusion prevention systems
    4. Encryption
  254. Kai is planning to patch a production system to correct a vulnerability detected during a scan. What process should she follow to correct the vulnerability but minimize the risk of a system failure?
    1. Kai should deploy the patch immediately on the production system.
    2. Kai should wait 60 days to deploy the patch to determine whether bugs are reported.
    3. Kai should deploy the patch in a sandbox environment to test it prior to applying it in production.
    4. Kai should contact the vendor to determine a safe timeframe for deploying the patch in production.
  255. William is preparing a legal agreement for his organization to purchase services from a vendor. He would like to document the requirements for system availability, including the vendor's allowable downtime for patching. What type of agreement should William use to incorporate this requirement?
    1. MOU
    2. SLA
    3. BPA
    4. BIA
  256. Given no other information, which one of the following vulnerabilities would you consider the greatest threat to information confidentiality?
    1. HTTP TRACE/TRACK methods enabled
    2. SSL Server with SSL v3 enabled vulnerability
    3. phpinfo information disclosure vulnerability
    4. Web application SQL injection vulnerability
  257. Which one of the following mobile device strategies is most likely to result in the introduction of vulnerable devices to a network?
    1. COPE
    2. TLS
    3. BYOD
    4. MDM
  258. Sophia discovered the vulnerability shown here on one of the servers running in her organization. What action should she take?
    Snapshot of the vulnerability discovered on the server.
    1. Decommission this server.
    2. Run Windows Update to apply security patches.
    3. Require strong encryption for access to this server.
    4. No action is required.
  259. Ling recently completed the security analysis of a web browser deployed on systems in her organization and discovered that it is susceptible to a zero-day integer overflow attack. Who is in the best position to remediate this vulnerability in a manner that allows continued use of the browser?
    1. Ling
    2. The browser developer
    3. The network administrator
    4. The domain administrator
  260. Jeff's team is preparing to deploy a new database service, and he runs a vulnerability scan of the test environment. This scan results in the four vulnerability reports shown here. Jeff is primarily concerned with correcting issues that may lead to a confidentiality breach. Which vulnerability should Jeff remediate first?
    Snapshot of the four vulnerability reports from the test environment scan.
    1. Rational ClearCase Portscan Denial of Service vulnerability
    2. Non-Zero Padding Bytes Observed in Ethernet Packets
    3. Oracle Database TNS Listener Poison Attack vulnerability
    4. Hidden RPC Services
  261. Eric is a security consultant and is trying to sell his services to a new client. He would like to run a vulnerability scan of their network prior to their initial meeting to show the client the need for added security. What is the most significant problem with this approach?
    1. Eric does not know the client's infrastructure design.
    2. Eric does not have permission to perform the scan.
    3. Eric does not know what operating systems and applications are in use.
    4. Eric does not know the IP range of the client's systems.
  262. Renee is assessing the exposure of her organization to the denial-of-service vulnerability in the scan report shown here. She is specifically interested in determining whether an external attacker would be able to exploit the denial-of-service vulnerability. Which one of the following sources of information would provide her with the best information to complete this assessment?
    Snapshot of the denial-of-service vulnerability in the scan report.
    1. Server logs
    2. Firewall rules
    3. IDS configuration
    4. DLP configuration
  263. Mary is trying to determine what systems in her organization should be subject to vulnerability scanning. She would like to base this decision on the criticality of the system to business operations. Where should Mary turn to best find this information?
    1. The CEO
    2. System names
    3. IP addresses
    4. Asset inventory
  264. Paul ran a vulnerability scan of his vulnerability scanner and received the result shown here. What is the simplest fix to this issue?
    Snapshot of the scan result for the vulnerability scanner itself.
    1. Upgrade Nessus.
    2. Remove guest accounts.
    3. Implement TLS encryption.
    4. Renew the server certificate.
  265. Kamea is designing a vulnerability management system for her organization. Her highest priority is conserving network bandwidth. She does not have the ability to alter the configuration or applications installed on target systems. What solution would work best in Kamea's environment to provide vulnerability reports?
    1. Agent-based scanning
    2. Server-based scanning
    3. Passive network monitoring
    4. Port scanning
  266. Aki is conducting a vulnerability scan when he receives a report that the scan is slowing down the network for other users. He looks at the performance configuration settings shown here. Which setting would be most likely to correct the issue?
    Snapshot of the scanner's performance configuration settings.
    1. Enable safe checks.
    2. Stop scanning hosts that become unresponsive during the scan.
    3. Scan IP addresses in random order.
    4. Max simultaneous hosts per scan.
  267. Laura received a vendor security bulletin that describes a zero-day vulnerability in her organization's main database server. This server is on a private network but is used by publicly accessible web applications. The vulnerability allows the decryption of administrative connections to the server. What reasonable action can Laura take to address this issue as quickly as possible?
    1. Apply a vendor patch that resolves the issue.
    2. Disable all administrative access to the database server.
    3. Require VPN access for remote connections to the database server.
    4. Verify that the web applications use strong encryption.
  268. Emily discovered the vulnerability shown here on a server running in her organization. What is the most likely underlying cause for this vulnerability?
    Snapshot of the vulnerability discovered on the server.
    1. Failure to perform input validation
    2. Failure to use strong passwords
    3. Failure to encrypt communications
    4. Failure to install antimalware software
  269. Raul is replacing his organization's existing vulnerability scanner with a new product that will fulfill that functionality moving forward. As Raul begins to build the policy, he notices some conflicts in the scanning settings between different documents. Which one of the following document sources should Raul give the highest priority when resolving these conflicts?
    1. NIST guidance documents
    2. Vendor best practices
    3. Corporate policy
    4. Configuration settings from the prior system
  270. Rex recently ran a vulnerability scan of his organization's network and received the results shown here. He would like to remediate the server with the highest number of the most serious vulnerabilities first. Which one of the following servers should be on his highest priority list?
    Snapshot of the scan results listing the servers and their vulnerabilities.
    1. 10.0.102.58
    2. 10.0.16.58
    3. 10.0.46.116
    4. 10.0.69.232
  271. Abella is configuring a vulnerability scanning tool. She recently learned about a privilege escalation vulnerability that requires that the user already have local access to the system. She would like to ensure that her scanners are able to detect this vulnerability as well as future similar vulnerabilities. What action can she take that would best improve the scanner's ability to detect this type of issue?
    1. Enable credentialed scanning.
    2. Run a manual vulnerability feed update.
    3. Increase scanning frequency.
    4. Change the organization's risk appetite.
  272. Kylie reviewed the vulnerability scan report for a web server and found that it has multiple SQL injection and cross-site scripting vulnerabilities. What would be the least difficult way for Kylie to address these issues?
    1. Install a web application firewall.
    2. Recode the web application to include input validation.
    3. Apply security patches to the server operating system.
    4. Apply security patches to the web server service.
  273. Pietro is responsible for distributing vulnerability scan reports to system engineers who will remediate the vulnerabilities. What would be the most effective and secure way for Pietro to distribute the reports?
    1. Pietro should configure the reports to generate automatically and provide immediate, automated notification to administrators of the results.
    2. Pietro should run the reports manually and send automated notifications after he reviews them for security purposes.
    3. Pietro should run the reports on an automated basis and then manually notify administrators of the results after he reviews them.
    4. Pietro should run the reports manually and then manually notify administrators of the results after he reviews them.
  274. Karen ran a vulnerability scan of a web server used on her organization's internal network. She received the report shown here. What circumstances would lead Karen to dismiss this vulnerability as a false positive?
    Snapshot of the vulnerability scan report for the internal web server.
    1. The server is running SSL v2.
    2. The server is running SSL v3.
    3. The server is for internal use only.
    4. The server does not contain sensitive information.
  275. Which one of the following vulnerabilities is the most difficult to confirm with an external vulnerability scan?
    1. Cross-site scripting
    2. Cross-site request forgery
    3. Blind SQL injection
    4. Unpatched web server
  276. Ann would like to improve her organization's ability to detect and remediate security vulnerabilities by adopting a continuous monitoring approach. Which one of the following is not a characteristic of a continuous monitoring program?
    1. Analyzing and reporting findings
    2. Conducting forensic investigations when a vulnerability is exploited
    3. Mitigating the risk associated with findings
    4. Transferring the risk associated with a finding to a third party
  277. Holly ran a scan of a server in her datacenter and the most serious result was the vulnerability shown here. What action is most commonly taken to remediate this vulnerability?
    Snapshot of the most serious vulnerability reported for the server.
    1. Remove the file from the server.
    2. Edit the file to limit information disclosure.
    3. Password protect the file.
    4. Limit file access to a specific IP range.
  278. Nitesh would like to identify any systems on his network that are not registered with his asset management system, because he is concerned that they might not have been brought into line with his organization's current security configuration baseline. He looks at the reporting console of his vulnerability scanner and sees the options shown here. Which of the following report types would be his best starting point?
    Snapshot of the report types available in the scanner's reporting console.
    1. Technical Report
    2. High Severity Report
    3. Qualys Patch Report
    4. Unknown Device Report
  279. What strategy can be used to immediately report configuration changes to a vulnerability scanner?
    1. Scheduled scans
    2. Continuous monitoring
    3. Automated remediation
    4. Automatic updates
  280. During a recent vulnerability scan, Mark discovered a flaw in an internal web application that allows cross-site scripting attacks. He spoke with the manager of the team responsible for that application and was informed that this is a known vulnerability: the manager had worked with other leaders and determined that the risk is acceptable and does not require remediation. What should Mark do?
    1. Object to the manager's approach and insist on remediation.
    2. Mark the vulnerability as a false positive.
    3. Schedule the vulnerability for remediation in six months.
    4. Mark the vulnerability as an exception.
  281. Jacquelyn recently read about a new vulnerability in Apache web servers that allows attackers to execute arbitrary code from a remote location. She verified that her servers have this vulnerability, but this morning's vulnerability scan report shows that the servers are secure. She contacted the vendor and determined that they have released a signature for this vulnerability and it is working properly at other clients. What action can Jacquelyn take that will most likely address the problem efficiently?
    1. Add the web servers to the scan.
    2. Reboot the vulnerability scanner.
    3. Update the vulnerability feed.
    4. Wait until tomorrow's scan.
  282. Vincent is a security manager for a U.S. federal government agency subject to FISMA. Which one of the following is not a requirement that he must follow for his vulnerability scans to maintain FISMA compliance?
    1. Run complete scans on at least a monthly basis.
    2. Use tools that facilitate interoperability and automation.
    3. Remediate legitimate vulnerabilities.
    4. Share information from the vulnerability scanning process.
  283. Sharon is designing a new vulnerability scanning system for her organization. She must scan a network that contains hundreds of unmanaged hosts. Which of the following techniques would be most effective at detecting system configuration issues in her environment?
    1. Agent-based scanning
    2. Credentialed scanning
    3. Server-based scanning
    4. Passive network monitoring

    Use the following scenario to answer questions 284–286.

    Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization's network. An external scan of the server found the vulnerability shown here.

    Snapshot of the vulnerability that is obtained from an external scan of the server.
  284. Which one of the following hash algorithms would not trigger this vulnerability?
    1. MD4
    2. MD5
    3. SHA-1
    4. SHA-256
  285. What is the most likely result of failing to correct this vulnerability?
    1. All users will be able to access the site.
    2. All users will be able to access the site, but some may see an error message.
    3. Some users will be unable to access the site.
    4. All users will be unable to access the site.
  286. How can Arlene correct this vulnerability?
    1. Reconfigure the VPN server to only use secure hash functions.
    2. Request a new certificate.
    3. Change the domain name of the server.
    4. Implement an intrusion prevention system.
  287. After reviewing the results of a vulnerability scan, Bruce discovered that many of the servers in his organization are susceptible to a brute-force SSH attack. He would like to determine what external hosts attempted SSH connections to his servers and is reviewing firewall logs. What TCP port would relevant traffic most likely use?
    1. 22
    2. 636
    3. 1433
    4. 1521
  288. Joaquin runs a vulnerability scan of the network devices in his organization and sees the vulnerability report shown here for one of those devices. What action should he take?
    Snapshot of the vulnerability report that is obtained from a vulnerability scan of a network device.
    1. No action is necessary because this is an informational report.
    2. Upgrade the version of the certificate.
    3. Replace the certificate.
    4. Verify that the correct ciphers are being used.
  289. Lori is studying vulnerability scanning as she prepares for the CySA+ exam. Which of the following is not one of the principles she should observe when preparing for the exam to avoid causing issues for her organization?
    1. Run only nondangerous scans on production systems to avoid disrupting a production service.
    2. Run scans in a quiet manner without alerting other IT staff to the scans or their results to minimize the impact of false information.
    3. Limit the bandwidth consumed by scans to avoid overwhelming an active network link.
    4. Run scans outside of periods of critical activity to avoid disrupting the business.
  290. Meredith is configuring a vulnerability scan and would like to configure the scanner to perform credentialed scans. Of the menu options shown here, which will allow her to directly configure this capability?
    Snapshot of the scanner's menu options.

    1. Manage Discovery Scans
    2. Configure Scan Settings
    3. Configure Search Lists
    4. Set Up Host Authentication
  291. Norman is working with his manager to implement a vulnerability management program for his company. His manager tells him that he should focus on remediating critical and high-severity risks and that the organization does not want to spend time worrying about risks rated medium or lower. What type of criteria is Norman's manager using to make this decision?
    1. Risk appetite
    2. False positive
    3. False negative
    4. Data classification
  292. After running a vulnerability scan against his organization's VPN server, Luis discovered the vulnerability shown here. What type of cryptographic situation does a birthday attack leverage?
    Snapshot of the vulnerability found on the VPN server.
    1. Unsecured key
    2. Meet-in-the-middle
    3. Man-in-the-middle
    4. Collision
  293. Meredith recently ran a vulnerability scan on her organization's accounting network segment and found the vulnerability shown here on several workstations. What would be the most effective way for Meredith to resolve this vulnerability?
    Snapshot of the vulnerability found on the accounting workstations.
    1. Remove Flash Player from the workstations.
    2. Apply the security patches described in the Adobe bulletin.
    3. Configure the network firewall to block unsolicited inbound access to these workstations.
    4. Install an intrusion detection system on the network.
  294. Nabil is the vulnerability manager for his organization and is responsible for tracking vulnerability remediation. There is a critical vulnerability in a network device that Nabil has handed off to the device's administrator, but it has not been resolved after repeated reminders to the engineer. What should Nabil do next?
    1. Threaten the engineer with disciplinary action.
    2. Correct the vulnerability himself.
    3. Mark the vulnerability as an exception.
    4. Escalate the issue to the network administrator's manager.
  295. Sara's organization has a well-managed test environment. What is the most likely issue that Sara will face when attempting to evaluate the impact of a vulnerability remediation by first deploying it in the test environment?
    1. Test systems are not available for all production systems.
    2. Production systems require a different type of patch than test systems.
    3. Significant configuration differences exist between test and production systems.
    4. Test systems are running different operating systems than production systems.
  296. How many vulnerabilities listed in the report shown here are significant enough to warrant immediate remediation in a typical operating environment?
    Snapshot of the vulnerability report.
    1. 22
    2. 14
    3. 5
    4. 0
  297. Maria discovered an operating system vulnerability on a system on her network. After tracing the IP address, she discovered that the vulnerability is on a proprietary search appliance installed on her network. She consulted with the responsible engineer who informed her that he has no access to the underlying operating system. What is the best course of action for Maria?
    1. Contact the vendor to obtain a patch.
    2. Try to gain access to the underlying operating system and install the patch.
    3. Mark the vulnerability as a false positive.
    4. Wait 30 days and rerun the scan to see whether the vendor corrected the vulnerability.
  298. Which one of the following types of data is subject to regulations in the United States that specify the minimum frequency of vulnerability scanning?
    1. Driver's license numbers
    2. Insurance records
    3. Credit card data
    4. Medical records
  299. Chang is responsible for managing his organization's vulnerability scanning program. He is experiencing issues with scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which one of the following solutions is least likely to resolve Chang's issue?
    1. Add a new scanner.
    2. Reduce the scope of the scans.
    3. Reduce the sensitivity of the scans.
    4. Reduce the frequency of the scans.
  300. Trevor is working with an application team on the remediation of a critical SQL injection vulnerability in a public-facing service. The team is concerned that deploying the fix will require several hours of downtime and that will block customer transactions from completing. What is the most reasonable course of action for Trevor to suggest?
    1. Wait until the next scheduled maintenance window.
    2. Demand that the vulnerability be remediated immediately.
    3. Schedule an emergency maintenance for an off-peak time later in the day.
    4. Convene a working group to assess the situation.
  301. While conducting a vulnerability scan of her organization's datacenter, Annika discovers that the management interface for the organization's virtualization platform is exposed to the scanner. In typical operating circumstances, what is the proper exposure for this interface?
    1. Internet
    2. Internal networks
    3. No exposure
    4. Management network
  302. Bhanu is scheduling vulnerability scans for her organization's datacenter. Which one of the following is a best practice that Bhanu should follow when scheduling scans?
    1. Schedule scans so that they are spread evenly throughout the day.
    2. Schedule scans so that they run during periods of low activity.
    3. Schedule scans so that they all begin at the same time.
    4. Schedule scans so that they run during periods of peak activity to simulate performance under load.
  303. Kevin is concerned that an employee of his organization might fall victim to a phishing attack and wishes to redesign his social engineering awareness program. What type of threat is he most directly addressing?
    1. Nation-state
    2. Hacktivist
    3. Unintentional insider
    4. Intentional insider
  304. Alan recently reviewed a vulnerability report and determined that an insecure direct object reference vulnerability existed on the system. He implemented a remediation to correct the vulnerability. After doing so, he verifies that his actions correctly mitigated the vulnerability. What term best describes the initial vulnerability report?
    1. True positive
    2. True negative
    3. False positive
    4. False negative
  305. Gwen is reviewing a vulnerability report and discovers that an internal system contains a serious flaw. After reviewing the issue with her manager, they decide that the system is sufficiently isolated and they will take no further action. What risk management strategy are they adopting?
    1. Risk avoidance
    2. Risk mitigation
    3. Risk transference
    4. Risk acceptance
  306. Thomas discovers a vulnerability in a web application that is part of a proprietary system developed by a third-party vendor and he does not have access to the source code. Which one of the following actions can he take to mitigate the vulnerability without involving the vendor?
    1. Apply a patch
    2. Update the source code
    3. Deploy a web application firewall
    4. Conduct dynamic testing
  307. Kira is using the aircrack-ng tool to perform an assessment of her organization’s security. She ran a scan and is now reviewing the results. Which one of the following issues is she most likely to detect with this tool?
    1. Insecure WPA key
    2. SQL injection vulnerability
    3. Cross-site scripting vulnerability
    4. Man-in-the-middle attack
  308. Walt is designing his organization’s vulnerability management program and is working to identify potential inhibitors to vulnerability remediation. He has heard concern from functional leaders that remediating vulnerabilities will impact the ability of a new system to fulfill user requests. Which one of the following inhibitors does not apply to this situation?
    1. Degrading functionality
    2. Organizational governance
    3. Legacy systems
    4. Business process interruption