Vulnerability Management Ch 4 – 6 Exam 24 Questions with Verified Answers

1. Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
A. Daily B. Weekly C. Monthly D. Quarterly
CORRECT ANSWER: D. Quarterly. PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.

2. Which one of the following is not an example of a vulnerability scanning tool?
A. Qualys B. Snort C. Nessus D. OpenVAS
CORRECT ANSWER: B. Snort. Qualys, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.

3. Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner?
A. Domain administrator B. Local administrator C. Root D. Read-only
CORRECT ANSWER: D. Read-only. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

4. Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
A. CVSS B. CVE C. CPE D. OVAL
CORRECT ANSWER: C. CPE. Common Platform Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

5. Which type of organization is the most likely to face a statutory requirement to conduct vulnerability scans?
A. Bank B. Hospital C. Government agency D. Doctor's office
CORRECT ANSWER: C. Government agency. The Federal Information Security Management Act (FISMA) requires that government agencies conduct vulnerability scans. HIPAA, which governs hospitals and doctors' offices, does not include a vulnerability scanning requirement, nor does GLBA, which covers financial institutions. Banks may be required to conduct scans under PCI DSS, but this is a contractual obligation and not a statutory requirement.

6. What minimum level of impact must a system have under FISMA before the organization is required to determine what information about the system is discoverable by adversaries?
A. Low B. Moderate C. High D. Severe
CORRECT ANSWER: C. High. Control enhancement number 4 requires that an organization determine what information about the system is discoverable by adversaries. This enhancement only applies to FISMA high systems.

7. Which one of the following activities is not part of the vulnerability management life cycle?
A. Detection B. Remediation C. Reporting D. Testing
CORRECT ANSWER: C. Reporting. Although reporting and communication are an important part of vulnerability management, they are not included in the life cycle. The three life-cycle phases are detection, remediation, and testing.

8. What approach to vulnerability scanning incorporates information from agents running on the target servers?
A. Continuous monitoring B. Ongoing scanning C. On-demand scanning D. Alerting
CORRECT ANSWER: A. Continuous monitoring. Continuous monitoring incorporates data from agent-based approaches to vulnerability detection and reports security-related configuration changes to the vulnerability management platform as soon as they occur, providing the ability to analyze those changes for potential vulnerabilities.

9. Brian is seeking to determine the appropriate impact categorization for a federal information system as he plans the vulnerability scanning controls for that system. After consulting management, he discovers that the system contains information that, if disclosed improperly, would have a serious adverse impact on the organization. How should this system be categorized?
A. Low impact B. Moderate impact C. High impact D. Severe impact
CORRECT ANSWER: B. Moderate impact. Systems have a moderate impact from a confidentiality perspective if the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

10. Jessica is reading reports from vulnerability scans run by different parts of her organization using different products. She is responsible for assigning remediation resources and is having difficulty prioritizing issues from different sources. What SCAP component can help Jessica with this task?
A. CVSS B. CVE C. CPE D. XCCDF
CORRECT ANSWER: A. CVSS. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Jessica could use this scoring system to prioritize issues raised by different source systems.

11. Tom is reviewing a vulnerability scan report and finds that one of the servers on his network suffers from an internal IP address disclosure vulnerability. What technology is likely in use on this network that resulted in this vulnerability?
A. TLS B. NAT C. SSH D. VPN
CORRECT ANSWER: B. NAT. Although the network can support any of these protocols, internal IP disclosure vulnerabilities occur when a network uses Network Address Translation (NAT) to map public and private IP addresses but a server inadvertently discloses its private IP address to remote systems.

12. Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack?
A. AV B. C C. PR D. AC
CORRECT ANSWER: C. PR. The privileges required (PR) metric indicates the type of account access the attacker must have.

13. Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit?
A. High B. Medium C. Low D. Severe
CORRECT ANSWER: C. Low. An attack complexity of "low" indicates that exploiting the vulnerability does not require any specialized conditions.

14. What is the most recent version of CVSS that is currently available?
A. 1.0 B. 2.0 C. 2.5 D. 3.1
CORRECT ANSWER: D. 3.1. Version 3.1 of CVSS is currently available but is not as widely used as the more common CVSS version 2.0.

15. In what type of attack does the attacker seek to gain access to resources assigned to a different virtual machine?
A. VM escape B. Management interface brute force C. LDAP injection D. DNS amplification
CORRECT ANSWER: A. VM escape. VM escape vulnerabilities are the most serious issue that can exist in a virtualized environment, particularly when a virtual host runs systems of differing security levels. In an escape attack, the attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different virtual machine.

16. Which one of the following terms is not typically used to describe the connection of physical devices to a network?
A. IoT B. IDS C. ICS D. SCADA
CORRECT ANSWER: B. IDS. Intrusion detection systems (IDSs) are a security control used to detect network or host attacks. The Internet of Things (IoT), supervisory control and data acquisition (SCADA) systems, and industrial control systems (ICSs) are all associated with connecting physical world objects to a network.

17. Monica discovers that an attacker posted a message in a web forum that she manages that is attacking users who visit the site. Which one of the following attack types is most likely to have occurred?
A. SQL injection B. Malware injection C. LDAP injection D. Cross-site scripting
CORRECT ANSWER: D. Cross-site scripting. In a cross-site scripting (XSS) attack, an attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.

18. Amanda would like to run a security configuration scan of her Microsoft Azure cloud environment. Which one of the following tools would be most appropriate for her needs?
A. Inspector B. ScoutSuite C. Prowler D. Pacu
CORRECT ANSWER: B. ScoutSuite. ScoutSuite is the only cloud assessment tool listed here that performs security scans of Azure environments. Inspector and Prowler are AWS-specific tools. Pacu is an exploitation framework used in penetration testing.

19. Under the shared responsibility model, which component always remains the responsibility of the customer, regardless of the cloud service model used?
A. Application B. Hardware C. Datacenter D. Data
CORRECT ANSWER: D. Data. In the shared responsibility model, the customer always retains either full or partial responsibility for data security. Responsibility for hardware and physical datacenters is the cloud provider's responsibility under all models. Responsibility for applications is the customer's responsibility under IaaS, the provider's responsibility under SaaS, and a shared responsibility under PaaS.

20. Which one of the following services is not an example of FaaS computing?
A. Lambda B. DeepLens C. Google Cloud Functions D. Azure Functions
CORRECT ANSWER: B. DeepLens. AWS Lambda, Google Cloud Functions, and Microsoft Azure Functions are all examples of function as a service (FaaS) computing. AWS DeepLens is an AI-enabled camera.

21. Which cloud computing deployment model requires the use of a unifying technology platform to tie together components from different providers?
A. Public cloud B. Private cloud C. Community cloud D. Hybrid cloud
CORRECT ANSWER: D. Hybrid cloud. Hybrid cloud environments blend elements of public, private, and/or community cloud solutions. A hybrid cloud requires the use of technology that unifies the different cloud offerings into a single, coherent platform.

22. Which one of the following is not an example of infrastructure as code?
A. Defining infrastructure in JSON B. Writing code to interact with a cloud provider's API C. Using a cloud provider's web interface to provision resources D. Defining infrastructure in YAML
CORRECT ANSWER: C. Using a cloud provider's web interface to provision resources. Infrastructure as code is any approach that automates the provisioning, management, and deprovisioning of cloud resources. Defining resources through JSON or YAML is IaC, as is writing code that interacts with an API. Provisioning resources through a web interface is manual, not automated, and therefore does not qualify as IaC.

23. Which one of the following statements about inline CASB is incorrect?
A. Inline CASB solutions often use software agents on endpoints. B. Inline CASB solutions intercept requests from users to cloud providers. C. Inline CASB solutions can monitor activity but cannot actively enforce policy. D. Inline CASB solutions may require network reconfiguration.
CORRECT ANSWER: C. Inline CASB solutions can monitor activity but cannot actively enforce policy. Inline CASB solutions require either network reconfiguration or the use of a software agent. They intercept requests from users to cloud providers and, by doing so, are able to both monitor activity and enforce policy.

24. Gina gained access to a client's AWS account during a penetration test. She would like to determine what level of access she has to the account. Which one of the following tools would best meet her need?
A. ScoutSuite B. Inspector C. Prowler D. Pacu
CORRECT ANSWER: D. Pacu. Pacu is an AWS-specific exploitation framework. It is particularly well suited to identifying the permissions available to an account during a penetration test. ScoutSuite, Inspector, and Prowler are all assessment tools that would not directly provide the information that Gina seeks.
Preview 1 out of 10 pages
About the document
Oct 09, 2023