MOD5: Vulnerability Analysis

Question 1

Vulnerabilities are classified based on:

a) severity level (high, medium, low)
b) exploit range (local or remote)
c) all of the above

Answer 1

c) all of the above

Question 2

When will an administrator need vulnerability research?

a) to gather info regarding trends, threats, attack surfaces, attack vendors, techniques
b) gather info to aid in prevention of security issues
c) to know how to recover from a network attack
d) to discover weaknesses in the OS and applications and alert the network administrator before a network attack
e) all of the above

Answer 2

e) all of the above

Question 3

What is vulnerability assessment?

Answer 3

An in-depth examination of the ability of a system or application, including security procedures and controls, to withstand the exploitation.
It recognizes, measure and classifies security vulnerabilities in a computer system, network and communication channels.

Question 4

What type of info can be obtained from a vulnerability scanner?

a) network vulnerabilities
b) open ports and running services
c) application and services vulnerabilities
d) application and services configuration errors
e) all of the above

Answer 4

e) all of the above

Question 5

What is the Vulnerability-Management life cycle?

Answer 5

1. Identify Assets and create a baseline
2. Vulnerability scan
3. Risk Assessment
4. Remediation
5. Verification
6. Monitor

Question 6

What can vulnerabilities be classified under?

Answer 6

1. Misconfiguration
2. Default installations
3. Buffer overflows
4. Unpatched servers
5. Design Flaws
6. OS flaws
7. Application flaws
8. Open services
9. Default passwords

Question 7

What types of vulnerability assessments are there?

Answer 7

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Question 8

Uses a network scanner to find hosts, services and vulnerabilities is an example of what kind of vulnerability assessment?

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Answer 8

1. Active Assessment

Question 9

Scans the internal infrastructure to discover exploits an vulnerabilities is an example of what kind of vulnerability assessment?

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Answer 9

4. Internal Assessment

Question 10

Determines possible network security attacks that may occur on the organization’s system is an example of what kind of vulnerability assessment?

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Answer 10

6. Network-based Assessment

Question 11

Used to sniff the network traffic to discover present active systems, network services, applications, and vulnerabilities present is an example of what kind of vulnerability assessment?

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Answer 11

2. Passive Assessment

Question 12

Focuses on testing databases, such as MYSQL, MSSQL, ORACLE, POSTGRESQL, etc., for the presence of data exposure or injection type vulnerabilities is an example of what kind of vulnerability assessment?

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Answer 12

8. Database assessment

Question 13

Assess the network form a hacker’s perspective to discover exploits and vulnerabilities that are accessible to the outside world, is an example of what kind of vulnerability assessment?

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Answer 13

3. External Assessment

Question 14

Conducts a configuration-level check to identify system configurations, user directories, file systems, registry settings, etc., to evaluate the possibility of compromise, is an example of what kind of vulnerability assessment?

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Answer 14

5. Host-based Assessment

Question 15

Tests and analyzes all elements of the web infrastructure for any misconfigurations, outdated content, or known vulnerabilities, is an example of what kind of vulnerability assessment?

1. Active Assessment
2. Passive Assessment
3. External Assessment
4. Internal Assessment
5. Host-based Assessment
6. Network-based Assessment
7. Application Assessment
8. Database Assessment

Answer 15

7. Application Assessment

Question 16

Name a vulnerability assessment tool.

Answer 16

OpenVAS

Nikto

Question 17

What type of information do vulnerability assessment reports contain?

a) disclosing the risks detected after scanning a network
b) the report alerts the organization of possible attacks and suggests countermeasures
c) info available in the reports is used to fix security flaws
d) all of the above

Answer 17

d) all of the above

Question 18

What 3 key pieces of information are listed in a vulnerability assessment report?

Answer 18

scan info
target info
results