Practice Tests - Chapter 2: Domain 2.0: Vulnerability Management Flashcards

Question

22- Carrie needs to lock down a Windows workstation that has recently been scanned using Nmap with the results shown here. She knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should she allow through the system’s firewall for externally initiated connections? Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 21:08 EDT Nmap scan report for dynamo (192.168.1.14) Host is up (0.00023s latency) Not shown: 65524 closed ports PORT STATE SERVICE 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 902/tcp open iss-realsecure 912/tcp open apex-mesh 2869/tcp open icslap 3389/tcp open ms-wbt-server 5357/tcp open wsdapi 7680/tcp open unknown 22350/tcp open CodeMeter 49677/tcp open unknown MAC Address: BC:5F:F4:7B:4B:7D (ASRock Incorporation) Nmap done: 1 IP address (1 host up) scanned in 105.78 seconds * 80, 135, 139, and 445. * 80, 445, and 3389. * 135, 139, and 445. * No ports should be open.

Answer 1

**No ports should be open.** The uses described for the workstation that Carrie is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system.

Answer 2

**A printer** Whereas the first three ports are common to many of the devices listed, TCP 515 is the LPR/LPD port, 631 is the IPP port commonly used by many print servers, and TCP port 9100 is the RAW, or direct, IP port. Although this could be another type of device, it is most likely a network‐connected printer.

Answer 3

**The server was patched.** The system is showing normal ports for a Windows file server. It is most likely that Manish’s escalation to management resulted in action by the server administrator.

Answer 4

**Telnet to the port.** Using telnet to connect to remote services to validate their response is a useful technique for service validation. It doesn’t always work, but it can allow you to interact with the service to gather information manually. While telnet is an insecure service and should not typically be used, the telnet command is a valuable way to test connectivity to an SMTP server. A more secure tool that uses encryption, such as SSH, would not provide visibility into the SMTP service because SMTP is not set up to accept SSH connections.

Answer 5

**Query DNS and WHOIS to find her organization’s registered hosts.** Marta’s best option from this list is to query DNS using WHOIS. She might also choose to use a BGP looking glass, but most of the information she will need will be in WHOIS. If she simply scans the network the web server is in, she may end up scanning a third‐party hosting provider or other systems that aren’t owned by her organization in the /24 subnet range. Contacting ICANN isn’t necessary with access to WHOIS, and depending on what country Marta is in, ICANN may not have the data she wants. Finally, using traceroute will only show the IP address of the system she queries; she needs more data to perform a useful scan in most instances.

Answer 6

**Scans from location C will show fewer open ports.** Scans from location C will show fewer open ports because most datacenter firewalls are configured to only allow the ports for publicly accessible services through to other networks. Location C is on an internal network, so Marta will probably see more ports than if she tried to scan datacenter systems from location A, but it is likely that she will see far fewer ports than a port scan of the datacenter from inside the datacenter firewall will show.

Answer 7

**Location B** Marta will see the most important information about her organization at location B, which provides a view of datacenter servers behind the datacenter firewall. To get more information, she should request that the client network firewall ruleset include a rule allowing her scanner to scan through the firewall to all ports for all systems on all protocols.

Answer 8

**Zone transfer** If Chris can perform a zone transfer, he can gather all of the organization’s DNS information, including domain servers, hostnames, MX and CNAME records, time to live records, zone serial number data, and other information. This is the easiest way to gather the most information about an organization via DNS if it is possible. Unfortunately, for penetration testers (and attackers!), few organizations allow untrusted systems to perform zone transfers. Nick: this is so stupid because zone transfers cannot be done by untrusted sources!

Answer 9

**A WHOIS query** Performing a WHOIS query is the only passive reconnaissance technique listed. Each of the other techniques performs an active reconnaissance task.

Answer 10

Maltego is a powerful OSINT visual link analysis and data mining tool used widely in cybersecurity, digital forensics, and intelligence analysis. It allows users to gather information about relationships between people, companies, websites, domains, IP addresses, and other entities from various public and private data sources

Answer 11

**Encryption and physical accessibility** Tracy knows that most wired networks do not use end‐to‐end encryption by default and that wireless networks are typically more easily accessible than a wired network that requires physical access to a network jack or a VPN connection from an authorized account. Without more detail, she cannot determine whether authentication is required for both networks, but NAC is a common security feature of wired networks, and WPA3 Enterprise requires authentication as well. Port security is used only for wired network connections.

Answer 12

**nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt** Using a UDP scan, as shown in option C with the -sU flag, will not properly identify printers since print service ports are TCP ports. The other commands will properly scan and identify many printers based on either their service ports (515, 631, 9100) or their OS version.

Answer 13

**SSH, SMTP, DNS, LDAP** This nmap scan will scan for SSH (22), SMTP (25), DNS (53), and LDAP (389) on their typical ports. If the services are running on an alternate port, this scan will completely miss those and any other services.

Answer 14

**Changing packet header flags** nmap supports quite a few firewall evasion techniques including spoofing the MAC (hardware) address, appending random data, setting scan delays, using decoy IP addresses, spoofing the source IP or port, modifying the MTU size, or intentionally fragmenting packets.

Answer 15

**A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 network range** The -sP flag for nmap indicates a ping scan, and /24 indicates a range of 255 addresses. In this case, that means nmap will scan for hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 IP address range.

Answer 16

**Perform a scan from on‐site.** Performing a scan from an on‐site network connection is the most likely to provide more detail. Many organizations have a strong external network defense but typically provide fewer protections for on‐site network connections to allow internal users to access services. It is possible that the organization uses services found only on less common ports or UDP only services, but both of these options have a lower chance of being true than for an on‐site scan to succeed. Nmap does provide firewall and IPS evasion capabilities, but this is also a less likely scenario.

Answer 17

**Disable promiscuous mode for NICs.** Passive fingerprinting relies on the ability of a system to capture traffic to analyze. Preventing systems from using promiscuous mode will provide attackers with very little data when performing passive fingerprinting. Both intrusion prevention systems and firewalls can help with active fingerprinting but will do nothing to stop passive fingerprinting.

Answer 18

**Frank cannot scan multiple ports with a single ssh command.** While SSH port forwarding and SSH tunneling are both useful techniques for pivoting from a host that allows access, nmap requires a range of ports open for default scans. He could write a script and forward the full range of ports that nmap checks, but none of the commands listed will get him there. If Frank has access to proxy chains, he could do this with two commands.

Answer 19

**Spoofing the destination address** nmap has a number of built‐in antifirewall capabilities, including packet fragmentation, decoy scans, spoofing of the source IP address and source port, and scan timing techniques that make detection less likely. Spoofing the target IP address won’t help; her packets still need to get to the actual target.

Answer 20

**Ensure that the ICS is on an isolated network.** Sadiq should ensure that the industrial control system (ICS) is on an isolated network, unreachable from any Internet‐connected system. This greatly reduces the risk of exploitation. It would not be cost‐effective to develop a patch himself, and Sadiq should not trust any software that he obtains from an Internet forum. An intrusion prevention system, while a good idea, is not as strong a control as network isolation.

Answer 21

**23** Port 23 is used by telnet, an insecure unencrypted communications protocol. George should ensure that telnet is disabled and blocked. Secure shell (SSH) runs on port 22 and serves as a secure alternative. Port 161 is used by the Simple Network Management Protocol (SNMP), and port 443 (HTTPS) is used for secure web connections.

Answer 22

**Apply Window security patches.** Quentin should reconfigure cipher support to resolve the issues surrounding the weak cipher support of SSL/TLS and RDP. He should also obtain a new SSL certificate to resolve multiple issues with the current certificate. He should add account security requirements to resolve the naming of guest accounts and the expiration of administrator passwords. There is no indication that any Windows patches are missing on this system.

Answer 23

**Credit card information** Although all of these categories of information should trigger vulnerability scanning for assets involved in their storage, processing, or transmission, only credit card information has specific regulations covering these scans. The Payment Card Industry Data Security Standard (PCI DSS) contains detailed requirements for vulnerability scanning.

Answer 24

**Update the vulnerability signatures.** The most likely issue is that Eric’s scanner has not pulled the most recent signatures from the vendor’s vulnerability feed. Eric should perform a manual update and rerun the scan before performing an investigation of the servers in question or filing a bug report.

Answer 25

**The result is a false positive.** Blind SQL injection vulnerabilities are difficult to detect and are a notorious source of false positive reports. Natalie should verify the results of the tests performed by the developers but should be open to the possibility that this is a false positive report, since that is the most likely scenario.

Answer 26

**Increasing the sensitivity of scans** Joaquin can improve the quality and quantity of information available to the scanner by moving to credentialed scanning, moving to agent‐based scanning, and integrating asset information into the scans. Any of these actions is likely to reduce the false positive rate. Increasing the sensitivity of scans would likely have the opposite effect, causing the scanner to report even more false positives.

Answer 27

**Types of information processed** Information asset value refers to the value that the organization places on data stored, processed, or transmitted by an asset. In this case, the types of information processed (e.g., regulated data, intellectual property, personally identifiable information) helps to determine information asset value. The cost of server acquisition, cost of hardware replacement, and depreciated cost all refer to the financial value of the hardware, which is a different concept than information asset value.

Answer 28

refers to the value that an organization places on **data that is stored, processed, or transmitted by an asset**

Answer 29

**Severity 5 vulnerability in the web server** If the firewall is properly configured, the workstation and file server are not accessible by an external attacker. Of the two remaining choices, the web server vulnerability (at severity 5) is more severe than the mail server vulnerability (at severity 1). Most organizations do not bother to remediate severity 1 vulnerabilities because they are usually informational in nature.

Answer 30

**IPsec** IPsec is a secure protocol for establishing VPN links. Organizations should no longer use the obsolete Secure Sockets Layer (SSL) or Point‐to‐Point Tunneling Protocol (PPTP) for VPN connections or other secure connections.

Answer 31

**No action is required.** Rahul does not need to take any action on this vulnerability because it has a severity rating of 2 on a five‐point scale. PCI DSS only requires the remediation of vulnerabilities with at least a “high” rating, and this vulnerability does not clear that threshold.

Answer 32

**Aaron does not need to assign any priority to remediating this vulnerability.** Aaron should treat this vulnerability as a fairly low priority and may never get around to remediating it if there are more critical issues on his network. The vulnerability has a severity rating of 2 (out of 5), and the vulnerability is further mitigated by the fact that the server is accessible only from the local network.

Answer 33

**CGI generic SQL injection** The SQL injection attack could be quite serious, since it may allow an attacker to retrieve and/or modify information stored in the back‐end database. The second‐highest priority should be resolving the use of unencrypted authentication, because it may allow the theft of user credentials. The remaining two vulnerabilities are less serious, because they pose only a reconnaissance risk. *Nick: Not sure I agree with this, as if you get creds, you can get into the DB. Soooo how is that worse?*

Answer 34

**0** The report notes that all of the vulnerabilities for these three servers are in Fixed status. This indicates that the vulnerabilities existed but have already been remediated and no additional work is required.

Answer 35

**The scanner’s maintenance subscription is expired.** The most likely issue is that the maintenance subscription for the scanner expired while it was inactive and the scanner is not able to retrieve current signatures from the vendor’s vulnerability feed. The operating system of the scanner should not affect the scan results. Ji‐won would not be able to access the scanner at all if she had invalid credentials or the scanner had an invalid IP address.

Answer 36

**A network IPS is blocking some requests to the web server.** The most likely scenario is that a network IPS is blocking SQL injection attempts sent to this server, and the internal scanner is positioned on the network in such a way that it is not filtered by the network IPS. If a host IPS were blocking the requests, the vulnerability would likely not appear on internal scans either. If a firewall were blocking the requests, then no external scanner entries would appear in the log file.

Answer 37

**It affects kernel‐mode drivers.** The fact that this vulnerability affects kernel‐mode drivers is very serious, because it indicates that an attacker could compromise the core of the operating system in an escalation of privilege attack. The other statements made about this vulnerability are all correct, but they are not as serious as the kernel‐mode issue.

Answer 38

**Carl should upgrade OpenSSL.** This is an example of the POODLE vulnerability that exploits weaknesses in the OpenSSL encryption library. While replacing SSL with TLS and disabling weak ciphers are good practices, they will not correct this issue. Carl should upgrade OpenSSL to a more current version that does not contain this vulnerability.

Answer 39

**1521** Oracle database servers use port 1521 for database connections. Port 443 is used for HTTPS connections to a web server. Microsoft SQL Server uses port 1433 for database connections. Port 8080 is a nonstandard port for web services.

Answer 40

**Critical and high vulnerabilities** The PCI DSS standard requires that merchants and service providers present a clean scan result that shows no critical or high vulnerabilities in order to maintain compliance.

Answer 41

* Class A: Subnet Mask: 255.0.0.0 (8 bits); CIDR: /8 * Class B: Subnet Mask: 255.255.0.0 (16 bits); CIDR: /16 * Class C: Subnet Mask: 255.255.255.0 (24 bits); CIDR: /24 * Class D: Subnet Mask: 255.255.255.255 (32 bits); CIDR: /32

Answer 42

**Standard Scan** The standard scan of 1,900 common ports is a reasonably thorough scan that will conclude in a realistic period of time. If Aaron knows of specific ports used in his organization that are not included in the standard list, he could specify them using the Additional section of the port settings. A full scan of all 65,535 ports would require an extremely long period of time on a Class C network. Choosing the Light Scan setting would exclude a large number of commonly used ports, whereas the None setting would not scan any ports.

Answer 43

**OpenSSL version.** From the information given in the scenario, you can conclude that all of the HTTP/HTTPS vulnerabilities are not exploitable by an attacker because of the firewall restrictions. However, OpenSSL is an encryption package used for other services, in addition to HTTPS. Therefore, it may still be exposed via SSH or other means. Haruto should replace it with a current, supported version because running an end‐of‐life (EOL) version of this package exposes the organization to potentially unpatchable security vulnerabilities.

Answer 44

**Banner grabbing** Banner grabbing scans are notorious for resulting in false positive reports because the only validation they do is to check the version number of an operating system or application against a list of known vulnerabilities. This approach is unable to detect any remediation activities that may have taken place that do not alter the version number.

Answer 45

**Vulnerability 3.** Vulnerability 3 has a CVSS score of 10.0 because it received the highest possible ratings on all portions of the CVSS vector. All three vulnerabilities have ratings of “high” for the confidentiality, integrity, and availability impact metrics. Vulnerabilities 1 and 2 have lower values for one or more of the exploitability metrics, meaning that weaponization of those vulnerabilities would likely be more difficult.

Answer 46

Attack Vector (AV) - How the vulnerability is exploited: * N: Network - Exploitable remotely across a network * A: Adjacent - Requires access to local network * L: Local - Requires local access to the system * P: Physical - Requires physical access to the system Attack Complexity (AC) - Conditions beyond the attacker's control: * L: Low - No special conditions needed * H: High - Special conditions required Privileges Required (PR) - Level of privileges needed: * N: None - No privileges required * L: Low - Basic user privileges required * H: High - Administrative privileges required User Interaction (UI) - Whether a user must participate: * N: None - No user interaction required * R: Required - User interaction needed Scope (S) - Whether the vulnerability impacts resources beyond its security scope: * U: Unchanged - Affects only resources managed by the same authority * C: Changed - Can affect resources beyond the vulnerable component Confidentiality (C) - Impact to data confidentiality: * N: None - No impact * L: Low - Limited impact * H: High - Total information disclosure Integrity (I) - Impact to data or system integrity: * N: None - No impact * L: Low - Limited modification possible * H: High - Total compromise of system integrity Availability (A) - Impact to system availability: * N: None - No impact * L: Low - Reduced performance or interruptions * H: High - Total shutdown of the affected resource

Answer 47

**Database vulnerability scan** There is no indication in the scenario that the server is running a database; in fact, the scenario indicates that the server is dedicated to running the Apache web service. Therefore, it is unlikely that a database vulnerability scan would yield any results. Landon should run the other three scans, and if they indicate the presence of a database server, he could follow up with a specialized database vulnerability scan.

Answer 48

**property that prevents someone from denying they performed an action like sending a message or signing a document**. It's typically implemented using digital signatures, secure timestamps, and audit logs to provide verifiable proof of who did what and when.

Answer 49

**Data classification** Data classification is a set of labels applied to information based on their degree of sensitivity and/or criticality. It would be the most appropriate choice in this scenario. Data retention requirements dictate the length of time that an organization should maintain copies of records. Data remanence is an issue where information thought to be deleted may still exist on systems. Data privacy may contribute to data classification but does not encompass the entire field of data sensitivity and criticality in the same manner as data classification. For example, a system may process proprietary business information that would be very highly classified and require frequent vulnerability scanning. Unless that system also processed personally identifiable information, it would not trigger scans under a system based solely on data privacy.

Answer 50

**Ask the DBA to recheck the database server.** In this case, Yashvir should ask the DBA to recheck the server to ensure that the patch was properly applied. It is not yet appropriate to mark the issue as a false positive report until Yashvir performs a brief investigation to confirm that the patch is applied properly. This is especially true because the vulnerability relates to a missing patch, which is not a common source of false positive reports. There was no acceptance of this vulnerability, so Yashvir should not mark it as an exception. He should not escalate this issue to management because the DBA is working with him in good faith.

Answer 51

**This is a false positive report.** This is most likely a false positive report. The vulnerability description says “note that this script is experimental and may be prone to false positives.” It is less likely that the developers and independent auditors are all incorrect. The scanner is most likely functioning properly, and there is no indication that either it or the database server is misconfigured.

Answer 52

**Mark the report as a false positive.** This is an example of a false positive report. The administrator demonstrated that the database is not subject to the vulnerability because of the workaround, and Larry went a step further and verified this himself. Therefore, he should mark the report as a false positive in the vulnerability scanner.

Answer 53

**The vulnerability scanner depends on version detection.** False positive reports like the one described in this scenario are common when a vulnerability scanner depends on banner grabbing and version detection. The primary solution to this issue is applying a patch that the scanner would detect by noting a new version number. However, the administrator performed the perfectly acceptable action of remediating the vulnerability in a different manner without applying the patch, but the scanner is unable to detect that remediation activity and is reporting a false positive result.

Answer 54

**NetFlow logs** Margot can expect to find relevant results in the web server logs because they would contain records of HTTP requests to the server. Database server logs would contain records of the queries made against the database. IDS logs may contain logs of SQL injection alerts. NetFlow logs would not contain useful information because they record only traffic flows, not the details of the communications.

Answer 55

**sudo** The runas command allows an administrator to execute a command using the privileges of another user. Linux offers the same functionality with the sudo command. The Linux su command is similar but allows an administrator to switch user identities, rather than simply execute a command using another user’s identity. The ps command in Linux lists active processes, whereas the grep command is used to search for text matching a pattern.

Answer 56

**Apply security patches.** The majority of the most serious issues in this scan report relate to missing security updates to Windows and applications installed on the server. Akari should schedule a short outage to apply these updates. Blocking inbound connections at the host firewall would prevent the exploitation of these vulnerabilities, but it would also prevent users from accessing the server. Disabling the guest account and configuring the use of secure ciphers would correct several vulnerabilities, but they are not as severe as the vulnerabilities related to patches.

Answer 57

**ARP tables** Although ARP tables may provide the necessary information, this is a difficult way to enumerate hosts and is prone to error. Doug would have much greater success if he consulted the organization’s asset management tool, ran a discovery scan, or looked at the results of other recent scans.

Answer 58

**The scan sensitivity is set to exclude low‐importance vulnerabilities.** The most likely reason for this result is that the scan sensitivity is set to exclude low‐impact vulnerabilities rated as 1 or 2. There is no reason to believe that Mary configured the scan improperly because this is a common practice to limit information overload and is likely intentional. It is extremely unlikely that systems in the datacenter contain no low‐impact vulnerabilities when they have high‐impact vulnerabilities. If Mary excluded high‐impact vulnerabilities, the report would not contain any vulnerabilities rated 4 or 5.

Answer 59

**Agent‐based monitoring** Vulnerability scans can only provide a snapshot in time of a system’s security status from the perspective of the vulnerability scanner. Agent‐based monitoring provides a detailed view of the system’s configuration from an internal perspective and is likely to provide more accurate results, regardless of the frequency of vulnerability scanning.

Answer 60

**Apply the patch using a GPO.** Pete and the desktop support team should apply the patch using a Group Policy Object (GPO) or other centralized configuration management tool. This is much more efficient than visiting each workstation individually, either in person or via remote connection. There is no indication in the scenario that a registry update would remediate this issue.

Answer 61

**Vulnerability 2** An insider would have the network access required to connect to a system on the internal server network and exploit this buffer overflow vulnerability. Buffer overflow vulnerabilities typically allow the execution of arbitrary code, which may allow an attacker to gain control of the server and access information above their authorization level. Vulnerability 3 may also allow the theft of information, but it has a lower severity level than vulnerability 2. Vulnerabilities 4 and 5 are denial‐of‐service vulnerabilities that would allow the disruption of service, not the theft of information.

Answer 62

**Restrict interactive logins to the system.** Wanda should restrict interactive logins to the server. The vulnerability report states that “The most severe of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.” If Wanda restricts interactive login, it greatly reduces the likelihood of this type of activity. Removing Internet Explorer or Microsoft Office might lower some of the risk, but it would not be as effective as completely restricting logins. Applying the security patch is not an option because of the operational concerns cited in the question.

Answer 63

**Garrett should perform both internal and external scanning.** For best results, Garret should combine both internal and external vulnerability scans. The external scan provides an “attacker’s eye view” of the web server, whereas the internal scan may uncover vulnerabilities that would only be exploitable by an insider or an attacker who has gained access to another system on the network.

Answer 64

**Document the vulnerability as an approved exception.** The scenario describes an acceptable use of a compensating control that has been reviewed with the merchant bank. Frank should document this as an exception and move on with his scans. Other actions would go against his manager’s wishes and are not required by the situation.

Answer 65

**389** Port 389 is used by the Lightweight Directory Access Protocol (LDAP) and is not part of the SMB communication. SMB may be accessed directly over TCP port 445 or indirectly by using NetBIOS over TCP/IP on TCP ports 137 and 139.

Answer 66

**Reduce the scanning frequency.** The problem Victor is experiencing is that the full scan does not complete in the course of a single day and is being cancelled when the next full scan tries to run. He can fix this problem by reducing the scanning frequency. For example, he could set the scan to run once a week so that it completes. Reducing the number of systems scanned would not meet his requirement to scan the entire datacenter. He cannot increase the number of scanners or upgrade the hardware because he has no funds to invest in the system

Answer 67

**There is no direct vulnerability, but this information points to other possible vulnerabilities on the server.** This scan result does not directly indicate a vulnerability. However, it does indicate that the server is configured for compatibility with 16‐bit applications, and those applications may have vulnerabilities. It is an informational result that does not directly require action on Terry’s behalf.

Answer 68

**An attacker could exploit this vulnerability to gain access to servers managed by the administrator.** PuTTY is a commonly used remote login application used by administrators to connect to servers and other networked devices. If an attacker gains access to the SSH private keys used by PuTTY, the attacker could use those keys to gain access to the systems managed by that administrator. This vulnerability does not necessarily give the attacker any privileged access to the administrator’s workstation, and the SSH key is not normally used to encrypt stored information.

Answer 69

**Immediately** PCI DSS requires that networks be scanned quarterly or after any “significant change in the network.” A firewall upgrade definitely qualifies as a significant network change, and Chanda should schedule a vulnerability scan immediately to maintain PCI DSS compliance.

Answer 70

**A firewall configuration is preventing the scan from succeeding.** The most likely issue here is that there is a network firewall between the server and the third‐party scanning service. This firewall is blocking inbound connections to the web server and preventing the external scan from succeeding. CIFS generally runs on port 445, not port 80 or 443. Those ports are commonly associated with web services. The scanner is not likely misconfigured because it is successfully detecting other ports on the server. Nick should either alter the firewall rules to allow the scan to succeed or, preferably, place a scanner on a network in closer proximity to the web server.

Answer 71

**Thomas should apply the patch and then follow up with an emergency change request after work is complete.** Change management processes should always include an emergency change procedure. This procedure should allow applying emergency security patches without working through the standard change process. Thomas has already secured stakeholder approval on an informal basis, so he should proceed with the patch and then file a change request after the work is complete. Taking the time to file the change request before completing the work would expose the organization to a critical security flaw during the time required to complete the paperwork.

Answer 72

**Configure the scanner to send reports to Brian who can notify administrators and track them in a spreadsheet.** The best path for Brian to follow would be to leverage the organization’s existing trouble ticket system. Administrators likely already use this system on a regular basis, and it can handle reporting and escalation of issues. Brian might want to give administrators access to the scanner and/or have emailed reports sent automatically as well, but those will not provide the tracking that he desires.

Answer 73

**Run Windows Update.** Ben is facing a difficult challenge and should likely perform all of the actions described in this question. However, the best starting point would be to run Windows Update to install operating system patches. Many of the critical vulnerabilities relate to missing Windows patches. The other actions may also resolve critical issues, but they all involve software that a user must run on the server before they can be exploited. This makes them slightly lower priorities than the Windows flaws that may be remotely exploitable with no user action.

Answer 74

**This is a critical issue that requires immediate adjustment of firewall rules.** Although the vulnerability scan report does indicate that this is a low‐severity vulnerability, Zhang Wei must take this information in context. The management interface of a virtualization platform should never be exposed to external hosts, and it also should not use unencrypted credentials. In that context, this is a critical vulnerability that could allow an attacker to take control of a large portion of the computing environment. He should work with security and network engineers to block this activity at the firewall as soon as possible. Shutting down the virtualization platform is not a good alternative because it would be extremely disruptive, and the firewall adjustment is equally effective from a security point of view.

Answer 75

**Patching** Although all the solutions listed may remediate some of the vulnerabilities discovered by Dave’s scan, the vast majority of issues in an unmaintained network result from missing security updates. Applying patches will likely resolve quite a few vulnerabilities, if not the majority of them.

Answer 76

**The browser developer** Ling or the domain administrator could remove the software from the system, but this would not allow continued use of the browser. The network administrator could theoretically block all external web browsing, but this is not a practical solution. The browser developer is the only one in a good situation to correct an overflow error because it is a flaw in the code of the web browser.

Answer 77

**Asset inventory** Mary should consult the organization’s asset inventory. If properly constructed and maintained, this inventory should contain information about asset criticality. The CEO may know some of this information, but it is unlikely that they would have all the necessary information or the time to review it. System names and IP addresses may contain some hints to asset criticality but would not be as good a source as an asset inventory that clearly identifies criticality.

Answer 78

**Passive network monitoring** Passive network monitoring meets Kamea’s requirements to minimize network bandwidth consumption while not requiring the installation of an agent. Kamea cannot use agent‐based scanning because it requires application installation. She should not use server‐based scanning because it consumes bandwidth. Port scanning does not provide vulnerability reports.

Answer 79

**Require VPN access for remote connections to the database server.** The issue raised by this vulnerability is the possibility of eavesdropping on administrative connections to the database server. Requiring the use of a VPN would add strong encryption to this connection and negate the effect of the vulnerability. A patch is not an option because this is a zero‐day vulnerability, meaning that a patch is not yet available. Disabling administrative access to the database server would be unnecessarily disruptive to the business. The web server’s encryption level is irrelevant to the issue as it would affect connections to the web server, not the database server.

Answer 80

**Install a web application firewall.** Applying patches to the server will not correct SQL injection or cross‐site scripting flaws, since these reside within the web applications themselves. Kylie could correct the root cause by recoding the web applications to use input validation, but this is the more difficult path. A web application firewall would provide immediate protection with lower effort.

Answer 81

**The server is for internal use only.** This error indicates that the vulnerability scanner was unable to verify the signature on the digital certificate used by the web server. If the organization is using a self‐signed digital certificate for this internal application, this would be an expected result.

Answer 82

**Blind SQL injection** Cross‐site scripting and cross‐site request forgery vulnerabilities are normally easy to detect with vulnerability scans because the scanner can obtain visual confirmation of a successful attack. Unpatched web servers are often identified by using publicly accessible banner information. Although scanners can often detect many types of SQL injection vulnerabilities, it is often difficult to confirm blind SQL injection vulnerabilities because they do not return results to the attacker but rely on the silent (blind) execution of code.

Answer 83

**Remove the file from the server.** The phpinfo file is a testing file often used by web developers during the initial configuration of a server. Although any of the solutions provided here may remediate this vulnerability, the most common course of action is to simply remove this file before the server is moved into production or made publicly accessible.

Answer 84

**Server‐based scanning** It would be difficult for Sharon to use agent‐based or credentialed scanning in an unmanaged environment because she would have to obtain account credentials for each scanned system. Of the remaining two technologies, server‐based scanning is more effective at detecting configuration issues than passive network monitoring.

Answer 85

**All users will be able to access the site, but some may see an error message.** This vulnerability should not prevent users from accessing the site, but it will cause their browsers to display a warning that the site is not secure.

Answer 86

**Request a new certificate.** This error is a vulnerability in the certificate itself and may be corrected only by requesting a new certificate from the certificate authority (CA) that uses a secure hash algorithm in the certificate signature.

Answer 87

**Test systems are not available for all production systems.** In a well‐managed test environment, the test systems should be configured in a near‐identical manner to production systems. They should be running the same operating systems and require the same patches. However, in almost every organization, there are systems running in production that do not have mirror deployments in test environments because of cost, legacy system issues, and other reasons.

Answer 88

**Credit card data** Credit card information is subject to the Payment Card Industry Data Security Standard (PCI DSS), which contains specific provisions that dictate the frequency of vulnerability scanning. Although the other data types mentioned in the question are regulated, none of those regulations contains specific provisions that identify a required vulnerability scanning frequency.

Answer 89

**Reduce the sensitivity of the scans.** Chang could resolve this issue by adding additional scanners to balance the load, reducing the frequency of scans or reducing the scope (number of systems) of the scan. Changing the sensitivity level would not likely have a significant impact on the scan time.

Answer 90

**Design** Security artifacts created during the Design phase include security architecture documentation and data flow diagrams.

Answer 91

**Disposition** Disposition is a separate SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle. Operations and maintenance activities include ongoing vulnerability scans, patching, and regression testing after upgrades.

Answer 92

**$** The $ character does not necessarily represent a security issue. The greater than/less than brackets (<>) are used to enclose HTML tags and require further inspection to determine whether they are part of a cross‐site scripting attack. The single quotation mark (') could be used as part of a SQL injection attack.

Answer 93

**A WAF** A web application firewall (WAF) can often be used to address the specific SQL injection attack. Claire can either write a rule based on the SQL injection attack or use a broader SQL injection prevention ruleset. An IDS would only detect the attack and would not stop it, whereas data loss prevention (DLP) tools might help if data was being stolen but won’t stop SQL injection. Some firewalls may have WAF functionality built in, but here the best option is the dedicated web application firewall.