Day 5 - Implementing Vulnerability Scanning Methods

The document outlines the objectives and key concepts related to vulnerability scanning and analysis as part of the CySA+ (CS0-003) certification. It covers industry regulations, compliance requirements, various vulnerability scanning methods, and the importance of security frameworks like SCAP and CVSS. Additionally, it discusses the significance of vulnerability assessment in both operational technology and traditional IT environments.


CySA+ (CS0-003)

Implementing Vulnerability Scanning Methods & Performing Vulnerability Analysis

Objectives: 2.1

Copyright © 2023 CompTIA, Inc. All Rights Reserved. | CompTIA.org 1


2
Syllabus

3
Objectives
• Understand industry regulations.
• Explore vulnerability scanning concepts.
• Review security baselines.
• Understand special scanning considerations.
• Review operational technology.

4
Explaining Compliance Requirements


5
Explore Industry Standard Publishers
• National Institute of Standards and Technology (NIST)
  • Nonregulatory agency in the United States
  • Establishes standards and best practices across science and technology fields
• International Organization for Standardization (ISO)
  • An independent, non-governmental international organization of 168 national standards bodies
  • Developed almost 25,000 International Standards
  • ISO 27k cybersecurity framework

6
Explain Regulations and Standards
• Using Legal Contracts to Require Standards Compliance
  • Enforce compliance with external standards
• Center for Internet Security (CIS) Benchmarks
  • A set of security configuration best practices developed by a consensus community of experts
• Open Web Application Security Project (OWASP)
  • A nonprofit foundation
  • Their goal: improve the security of web applications and services
  • "OWASP Top 10"
7
Explain Regulations and Standards cont.
• Payment Card Industry Data Security Standard (PCI DSS)
• Global use
• Established and maintained by a consortium of payment card companies
• Controls designed to prevent fraud and protect credit/debit data
• https://www.pcisecuritystandards.org/document_library

8
Explain Regulations and Standards cont.
• Capability Maturity Model Integration (CMMI)
  • Five levels of maturity within operational or software capabilities
    • Initial
    • Managed
    • Defined
    • Quantitatively Managed
    • Optimizing

9
Explaining Compliance Requirements cont.
• Cloud Security Alliance (CSA) STAR Certification
  • Security, Trust & Assurance Registry (STAR)
  • Publicly available
  • Describes cloud providers
  • Includes CSA STAR assessment details
  • Measures the security/privacy controls of a cloud service provider against the CSA Cloud Controls Matrix (CCM)

10
Important Privacy Regulations
• Children's Online Privacy Protection Act (COPPA)
  • A U.S. federal law that applies to children under age 13
  • Applies inside and outside of the United States
• General Data Protection Regulation (GDPR)
  • Enforces rules for organizations that offer services to, or collect information about, entities in the European Union (EU)
  • Applies inside and outside of the European Union
  • Dictates how and where data can be stored
  • "The world's toughest privacy laws"
11
Open Web Application Security Project (OWASP)
• Their mission: raise awareness of the risks of building insecure software
• Provides free web application security tools, training, and other materials
• Helps organizations identify and fix application security vulnerabilities

12
Open Web Application Security Project (OWASP) cont.
• Most common web application vulnerabilities
• Cross-site scripting (XSS)
• SQL injection
• Path traversal
• Broken authentication and authorization
• Insecure direct object references (IDOR)

13
Open Web Application Security Project (OWASP) cont.
• The OWASP Top 10
  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery
• https://owasp.org/Top10/
(Image courtesy of OWASP Foundation, Inc.)

14
Center for Internet Security (CIS) Benchmarks
• Continually updated
• Based on industry research and feedback
• A robust set of best practices
  • Secure configuration of IT systems
  • Secure configuration of applications
• Increase security
• Reduce vulnerabilities
• Improve system performance
(Image courtesy of CIS Benchmarks™)
15
Payment Card Industry Data Security Standard (PCI DSS)
• Security measures for businesses that accept credit and debit cards
• 12 main requirements (1-6):
  1. Install and maintain a firewall.
  2. Do not use vendor-supplied defaults.
  3. Protect all systems against malicious code.
  4. Use and regularly update antivirus software.
  5. Develop and maintain a secure web application and data transmission.
  6. Protect all systems against loss and unauthorized access.

(Continued on next slide)

16
Payment Card Industry Data Security Standard (PCI DSS)
• 12 main requirements (7-12):
  7. Regularly monitor and test networks.
  8. Track and monitor all system components.
  9. Employ strong password management.
  10. Regularly review and assess the PCI DSS compliance status.
  11. Maintain a PCI compliance policy.
  12. Maintain a PCI compliance program with written management authorization.

17
Payment Card Industry Data Security Standard (PCI DSS) cont.
• Organizations must be audited regularly
  • Lower-risk organizations: once per year
  • High-risk organizations: once per quarter
• Compliance is measured on a continuum of implementation
• PCI Attestation of Compliance (AoC)
  • Demonstrates an organization's compliance with PCI DSS requirements
  • AoC should be completed by a
    • Qualified Security Assessor (QSA)
    • Merchant (such as a bank) responsible for processing transactions

18
Review Activity: Compliance Requirements
1. This nonprofit organization is focused on improving the security of software and publishes a popular top 10 web application security risks.
2. True or False. ModSecurity is a tool developed by the Center for Internet Security.
3. What is the name of the document designed to demonstrate an organization's compliance with PCI DSS requirements?
4. These best practices are maintained by a group of public and private sector security experts working with organizations to improve their information systems security.
19
Understanding Vulnerability Scanning Methods


20
Explain Assessment Scope Considerations
• External Scans
• View of devices and services from the "outside"
• Unauthenticated access and visibility
• Urgent patching priority

21
Explain Assessment Scope Considerations cont.
• Internal Scans
  • "Inside" or authenticated access level
  • Internal remediation is more methodical, allowing
    • Careful testing and evaluation of patches and workarounds
    • Scheduling patches to minimize business disruption as appropriate
  • Actively exploited, high-severity vulnerabilities override normal patch processes

22
Vulnerability Scanning Devices
• Network hosts
  • Clients and servers
• Intermediate systems
  • Routers
  • Switches
  • Access points
  • Firewalls

23
Vulnerability Scanning Attributes
• Patch level
• Security configuration and policies
• Network shares
• Unused accounts
• Weak passwords
• Rogue devices
• Antivirus configuration
• Many other attributes
24
Vulnerability Scanning Attributes cont.
• All vulnerability scanners can:
  • Collect information from devices with or without credentials that allow the scanner to authenticate to the device
  • Both noncredentialed and credentialed scans have advantages
• Noncredentialed scans
  • Simple to implement
  • Low impact on the device
  • Provide insight into the vulnerabilities discoverable by non-authenticated users

25
Vulnerability Scanning Attributes cont.
• Credentialed scans
  • Most effective when the scanner credentials have privileged access
  • Comprehensive evaluation of devices
    • Installed software
    • File system
    • Configuration data
    • User accounts
    • Many other attributes
26
Vulnerability Scanning Attributes cont.
• Credentialed scans
  • Scanner credentials can be abused, or potentially exposed and stolen
  • Overwhelming amount of data in the initial phases of a vulnerability scanning program
  • Don't use root, Domain Administrator, or Administrator accounts
  • Use purpose-specific, carefully provisioned credentials with only the necessary access

27
Vulnerability Scanning
• Agentless scans
  • Simplest to implement
  • Collect information from endpoints using
    • SSH
    • WMI
    • SNMP
  • Some organizations prohibit WMI and SNMP by policy
  • Network firewalls may block communication
28
Vulnerability Scanning cont.
• Agent-based
  • Require the installation of special-purpose software on endpoints
    • Time and effort to test, deploy, and maintain
    • Adds a new attack vector
    • Additional software to track and patch
  • Collect information and pass it to the vulnerability scanner
    • Improved vulnerability and host configuration data
    • Less processing overhead on the vulnerability scanner server
    • Simplified communication across network firewalls

29
Active Vulnerability Scanning
• Directly interacting with a device or software
• General-purpose vulnerability scanners
  • Nessus
  • OpenVAS
  • Qualys
• Enumerating services
  • Banner grabbing
  • Content enumeration
• Web application scanners
  • Burp Suite
  • OWASP ZAP
30
Passive Vulnerability Scanning
• Passive scanning describes
  • Identifying vulnerabilities without direct interaction
  • Network packet capture, which can reveal
    • Insecure protocols
    • Cleartext credentials
    • Inadequate encryption methods
    • DNS query data
    • Other similar issues
31
Vulnerability Scanning cont.
• Criticality Ranking
  • A vulnerability scan provides lots of information
  • Rankings of items
    • Based on a standardized scoring mechanism
    • Help prioritize remediation efforts
  • Ranking and prioritization warrant careful analysis
    • Some items ranked as informational or low priority may be highly concerning within the context of the environment

32
Understanding Vulnerability Scanning Methods
• Mapping/Enumeration and Scope
  • Range of hosts or subnets included within a single scan job
  • Single IP address or range of IP addresses
  • All software or targeted software packages and services

33
Understanding Vulnerability Scanning Methods cont.
• Benefits and considerations
  • Reduce the performance impact
  • Easier to analyze results
  • Used to identify specific issues or meet a specific compliance goal
  • Asset criticality affects scanning scope
    • Critical assets scheduled more often

34
Vulnerability Scanning Types Summary

• Internal/External
• Credentialed/Non-credentialed
• Agents/Agentless
• Active/Passive

35
Compliance Scans and Regulatory Requirements
• Identify a security framework or checklist of the controls and configuration settings that must be in place
• SIEMs and vulnerability scanners can be programmed with compliance templates
• Regulations may dictate scanning frequency

36
Understand Vulnerability Analysis Methods
• Map/Discovery Scan
• Identify devices connected to a network or network segment

• Device Fingerprinting
• Specifically identify details about an individual device

37
Understand Vulnerability Analysis Methods cont.
• Static Analysis
• Manual inspection of source code
• Specialty applications or add-ons to development tools
• Identify well-known coding/method/library problems

38
Understand Vulnerability Analysis Methods cont.
• Dynamic Analysis
  • Evaluation of a system or software while it is running
  • Manual and automated interactions with running software and services

39
Fuzzing
• Specialty software tools
• Purposely input or inject malformed data
• A fuzzer tool automatically generates and injects data:
  • Different number formats,
  • Character types,
  • Text values, and/or
  • Binary values
  • Sequences and values known to be problematic
• https://owasp.org/www-community/Fuzzing

40
Reverse Engineering
• Deconstructing software and hardware to determine how it is crafted
  • Extract source code,
  • Identify software methods and languages used,
  • Developer comments,
  • Variable names and types,
  • System and web calls, and
  • Many other elements.
• Adversaries can reverse engineer software patches too!

41
Explain Device Hardening Options
• Putting an operating system or application in a secure configuration
• Reduce attack surface
  • Intended use
  • Restrict system access and capabilities
  • Balance against access requirements and usability tests
• Best-practice frameworks
  • DoD Security Technical Implementation Guides (STIGs)
  • CIS Benchmarks
42
Understand Configuration Baselines
• Outlines the minimum set of requirements
• May be based on a framework
• Represents a "measuring stick" for security analysts
• Determine if an endpoint is configured correctly

43
Review Activity: Vulnerability Scanning Methods
1. What type of scanning describes indirect methods of assessment, such as inspecting traffic flows and protocols?
2. ______________________________ describes the effort taken to more specifically identify details about a device.
3. A configuration _____________________________ details the recommended settings for services and policy configuration for a device or software operating in a specific role.

44
Exploring Special Considerations in Vulnerability Scanning


45
Explore Special Considerations for Scanning
• Performance Considerations
• Identification of Operating System
• Scanning Interval
• Automated scans (convenience)
• Scan Speed

46
Explore Special Considerations for Scanning cont.
• Performance Considerations cont.
• Vulnerability Database
• Scanning Type
• Authentication
• False Positives

47
Explain Different Types of Industrial Computer Systems
• Critically important computing infrastructure
• Not scannable using traditional methods
• Contain exploitable vulnerabilities
• Require special care and consideration
  • Strict segmentation or isolation
  • Physical security control
  • Configuration management
  • Integrity/change monitoring
(Image © 123RF.com.)

48
Different Types of Industrial Computer Systems cont.
• Operational Technology (OT)
• Industrial Control Systems (ICSs)
• Supervisory Control and Data Acquisition (SCADA)
• Programmable Logic Controller (PLC)

49
Review Activity: Special Considerations in Vulnerability Scanning
1. True or False. Vulnerability scanning can be performed at any time because it is a tool used to locate and resolve security issues.
2. ______________________ ____________ _________________________ are used in industrial settings and are a form of digital computer designed to enable automation in assembly lines.
3. _______________________ _________________________ is the hardware and software technologies used to manage physical devices, processes, and events within an organization.

50
CySA+ (CS0-003)

Performing Vulnerability Analysis

Exam Objective: 2.3
51
Objectives
• Review Security Content Automation Protocol (SCAP).
• Explore the Common Vulnerability Scoring System (CVSS).
• Understand vulnerability validation concepts.
• Understand important contextual considerations.

52
Understanding Vulnerability Scoring Concepts


53
Explain Security Content Automation Protocol (SCAP)
• Suite of specifications
• Standardize identification
• Software flaws
• Misconfigurations
• Vulnerabilities

54
SCAP Languages
• Open Vulnerability and Assessment Language (OVAL)
  • Consistent and interoperable
  • Assess information regardless of the security tools
• Asset Reporting Format (ARF)
  • Correlate reporting formats
  • Independent from any specific application or vendor product
• Extensible Configuration Checklist Description Format (XCCDF)
  • Written in XML
  • Standardized benchmark definitions and security checks

55
SCAP Identification Schemes
• Common Platform Enumeration (CPE)
  • Syntax like Uniform Resource Identifiers (URI)
  • Standardized naming format to identify systems and software
• Common Vulnerabilities and Exposures (CVE)
  • Each item contains a unique identifier used to describe publicly known vulnerabilities
  • Unique identifiers - CVE-YEAR-#####
• Common Configuration Enumeration (CCE)
  • Similar to CVE
  • Focused on configuration issues
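As an added example (not part of the CompTIA slides), the Python below validates CVE identifiers in the CVE-YEAR-##### form, decomposes CPE names (using the CPE 2.3 formatted-string binding) into their named attributes, and checks whether a host's CPE falls within an advisory's CPE pattern; the identifiers used are constructed, and the match helper honours only the `*` wildcard, a simplification of the full CPE matching rules.

```python
"""Validate and decompose two SCAP identifiers from this section: CVE IDs
(CVE-YEAR-#####) and CPE 2.3 formatted strings, then test whether a host's
CPE is covered by an advisory's CPE pattern."""
import re

# CVE-YEAR-NNNN: a four-digit year, then a sequence number of at least four
# digits (longer sequence numbers are permitted).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Attribute names of a CPE 2.3 formatted string, following the 'cpe' and
# '2.3' prefix components, in the order the specification defines them.
CPE23_ATTRIBUTES = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)


def parse_cve_id(cve_id: str) -> tuple:
    """Return (year, sequence) for a well-formed CVE ID, otherwise raise."""
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1)), int(match.group(2))


def split_unescaped(text: str, sep: str = ":") -> list:
    """Split on separators that are not preceded by a backslash, keeping
    escape sequences intact (a CPE value may contain a literal '\\:')."""
    fields, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escaped character as-is
            i += 2
            continue
        if ch == sep:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_cpe23(cpe: str) -> dict:
    """Decompose a CPE 2.3 formatted string into its named attributes."""
    fields = split_unescaped(cpe.strip())
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    attrs = dict(zip(CPE23_ATTRIBUTES, fields[2:]))
    # part is 'a' (application), 'o' (operating system), 'h' (hardware),
    # or one of the logical values ANY ('*') / NA ('-').
    if attrs["part"] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid CPE part: {attrs['part']!r}")
    return attrs


def cpe_matches(host_cpe: str, pattern_cpe: str) -> bool:
    """True when every attribute of host_cpe is covered by pattern_cpe.
    Simplified matching: '*' in the pattern covers any value; otherwise the
    two attribute values must be equal, compared case-insensitively."""
    host, pattern = parse_cpe23(host_cpe), parse_cpe23(pattern_cpe)
    return all(
        pattern[name] == "*" or host[name].lower() == pattern[name].lower()
        for name in CPE23_ATTRIBUTES
    )


if __name__ == "__main__":
    # Constructed identifiers for illustration, not real advisory data.
    print(parse_cve_id("CVE-2023-12345"))
    host = "cpe:2.3:a:example_vendor:example_app:1.0.2:*:*:*:*:*:*:*"
    advisory = "cpe:2.3:a:example_vendor:example_app:*:*:*:*:*:*:*:*"
    print(parse_cpe23(host)["version"], cpe_matches(host, advisory))
```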
56
Explore Common Vulnerability Scoring System (CVSS)
• Industry-standard method for assessing the severity of vulnerabilities
  • Allows IT teams to prioritize remediation efforts
• CVSS assigns a score based on a wide range of factors
• CVSS Vector String
  • Vulnerability identifier
  • Impact
  • Environmental concerns
  • "Additional information"
57
Benefits of CVSS
• Objective measure of risk
• Provide insight into vulnerabilities
• Helps teams to focus efforts
• Provides insight into a vulnerability's potential impact
• Different scanning tools, same nomenclature

58
Challenges of CVSS
• Does not identify or describe exploitability
• Scoring methodology changes from version to version
  • CVSS v2 vs. v3
• "Severe" vs. "Informational" labels may not reveal the entire risk profile
  • "Informational" label but highly exploitable
  • "Severe" label but practically impossible to exploit

59
Common Vulnerability Scoring System (CVSS) Metrics
• Generate a score from 0 to 10 based on:
• Intrinsic characteristics of the vulnerability (base)
• Environment in which the exposure occurs
• Changing characteristics of the vulnerability over time (temporal)

60
Common Vulnerability Scoring System (CVSS) Metrics

Score   Description
0+      None
0.1+    Low
4+      Medium
7+      High
9+      Critical

61
Understanding Vulnerability Scoring Concepts
Common Vulnerability Scoring System (CVSS v3.1) Metrics

Base Metric                                                Possible Values
Attack Vector (AV)                                         Physical (P), Local (L), Adjacent network (A), or Network (N)
Attack Complexity (AC)                                     High (H) or Low (L)
Privileges Required (PR)                                   None (N), Low (L), or High (H)
User Interaction (UI)                                      None (N) or Required (R)
Scope (S)                                                  Unchanged (U) or Changed (C)
Confidentiality (C), Integrity (I), and Availability (A)   High (H), Low (L), or None (N)

62
National Vulnerability Database

(Screenshot courtesy of NIST - National Vulnerability Database.)


63
Review Activity: Vulnerability Scoring Concepts
1. What is the attack complexity identified in the following vector?
   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

2. What is the impact to integrity identified in the following vector?
   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

3. Physical (P), Local (L), Adjacent network (A), or Network (N) are all values for which base metric?

64
Exploring Vulnerability Context Considerations


65
Explore Vulnerability Validation Concepts
• False positive: Identifies a vulnerability or misconfiguration as present when it is not
• True positive: Correctly identifies that a vulnerability is present
• False negative: Misses an issue – e.g., a clean scan when in fact an issue is present
• True negative: Correctly identifies that a system or device does not have a vulnerability

66
Explore Vulnerability Validation Concepts

67
Explore CVSS Scoring Considerations
• Vulnerability scores are not static
• Consider a variety of special considerations
  • Availability of patches
  • Impact of the vulnerability
  • Level of sophistication needed
• Organizations can adjust scores accordingly

68
Explore CVSS Scoring Considerations
• Factors influencing score adjustments
  • Availability of patches
  • Impact of the vulnerability
  • Level of sophistication of threat actors
  • Asset value
  • Weaponization/Exploitability

69
Exploring Vulnerability Context Considerations
• Factors influencing score adjustments - Example
  • Hypothetical remote code execution (RCE) vulnerability
    • CVSS score of 10
    • Requires attacker connected to same network
  • Vulnerable application runs on a fully air-gapped system
  • Justifiable reason to lower the score

70
CVSS Score Calculations
• Categories
  • Impact
  • Exploitability
  • Remediation
• Metrics
  • Scope
  • Confidentiality
  • Integrity
  • Availability
  • Privacy
  • Operations
  • Other
71
Metric Categories

72
Review Activity: Exploring Vulnerability Context Considerations
1. This describes when a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not.

2. What type of vulnerability cannot be detected by vulnerability scanning tools?

3. The three categories in a CVSS score include impact, exploitability, and __________________.

73
Review Activity:

Review @ 1100 PM Eastern

74
A security engineer is improving their company’s security posture. During
that process, they are looking to implement an industry-grade framework.
The engineer is looking for one known for its practical information about
application security. Which organization best fits this need and description?

A. OWASP
B. CIS
C. PCI DSS
D. ISO

76
An implementation consultant is completing a project for a client
implementing Microsoft Intune. Part of that mobile device management
platform project is the requirement to implement baseline benchmarks for
device policy. Which organization defines the best practice approaches to
patching and hardening?

A. OWASP
B. ISO
C. CIS
D. PCI DSS

78
A small vendor is working to sell their point-of-sale register product to a large
pharmacy chain. Before the vendor can complete the sale, they must attest
to their controls designed to prevent fraud and protect consumer financial
data. Which industry framework should the vendor adopt in product planning
and implementation?

A. ISO
B. PCI DSS
C. CIS
D. OWASP

80
A local city council tasked its Information Technology (IT) department to
implement an international-scale cybersecurity framework. The requirement
is coming from their cyber security insurance vendor. The vendor warned that
this set of frameworks is not freely available. Which industry framework
should the IT department investigate?

A. CIS
B. PCI DSS
C. OWASP
D. ISO

82
A financial firm recently introduced a new email service for its employees.
One of the main reasons for the new service was that the cloud provider has
integrated tools to better control security and are tailored specifically for their
industry. Why would this feature reduce the overall risk for the financial firm?
A. It allows the firm to meet regulatory requirements.
B. It allows the firm to cut costs.
C. It allows the firm to get building insurance
D. It allows the firm to increase costs to cut taxable income.

84
A large multinational bank completed an upgrade of its device management,
security practices, and user training. The next step in their project is to hire a
third-party penetration testing company to attempt to breach their systems.
The bank wants the vendor to approach it from the outside. What kind of
penetration testing should the vendor conduct?

A. External scan
B. Internal scan
C. Map scan
D. Baseline scan

87
A security engineer is looking to improve the security posture of their
organization. One of the issues the security engineer finds is that they need
to know what devices are on the network. What kind of scan can help the
engineer get visibility into what is on the network?

A. Baseline scan
B. External scan
C. Fuzzing
D. Map scan

89
A Chief Investment Officer (CIO) wants to compare their policies and
practices to industry best practices. Which kind of scan can help the CIO
understand what gaps they have?

A. Map scan
B. Fuzzing
C. Baseline scan
D. Internal scan

91
A boutique crafts company would like to set up a new eCommerce website.
They are checking out vendors who have put a high level of detail in the
security practices and implementation. They want to test a specific vendor's
system to verify that it is not vulnerable to malicious actors injecting
malformed data into the checkout process. Which kind of scan or test can the
company run with permission?

A. Baseline scan
B. Map scan
C. Fuzzing
D. Internal scan

93
A defense contractor discovered that a competitor duplicated some of their
products. While the contractor is afraid of losing revenue, the more significant
concern is how the competitor was able to duplicate the product. What term
describes how this situation occurred?

A. Reverse engineering
B. Internal scan
C. Fuzzing
D. External scan

95
During a morning standup meeting, the network operations manager reported
a large spike in traffic that spawned dozens of end-user tickets. These tickets
stated that the company shared drives were inaccessible. The security
operations manager confirmed that the security team was running a
vulnerability scan during that time. What should the security team consider
when running a vulnerability scan?

A. Sensitivity levels
B. Scheduling
C. Segmentation
D. Host performance

97
Recent industry reports are pushing a data analytics company to implement
better vulnerability scanning to prevent improper access and distribution of
intellectual property. What should the company take into account when
running the next scan to ensure proper classification of the data?

A. Scheduling
B. Host performance
C. Sensitivity levels
D. Segmentation

99
A company has set up various virtual local area networks (VLANs) to protect
access to sensitive data. The Security Operations (SecOps) team finished a
recent vulnerability scan and found no issues. The Chief Information Security
Officer (CISO) followed up with the SecOps team to see if they considered all
VLANs during the scan. The CISO is thinking about what special
consideration?

A. Segmentation
B. Sensitivity levels
C. Scheduling
D. Host performance

101
The Security Operations (SecOps) team completed a rollout of a next-generation
antivirus solution that will better protect the company from known viruses and
provide heuristic scanning for unknown viruses. After the implementation, the
team received a flood of tickets complaining about computer sluggishness.
What did the SecOps team fail to consider with the new antivirus and its
effects on potential settings?

A. Segmentation
B. Sensitivity levels
C. Performance
D. Scheduling

102
103
A ticket came in about the badging system crashing after a recent
vulnerability scan. The ticket response team found that a specific service on
the system was incompatible with the software that ran the scan. What
special considerations should the team take into account when choosing the
specific software to avoid this situation?

A. Segmentation
B. Operations
C. Scheduling
D. Sensitivity levels

104
105
A security operations center is responding to an alert that a team member
found a USB thumb drive connected to a computer. The company has a
policy that prohibits the use of USB thumb drives on the company’s
computers. What is this policy referencing in regard to the Common
Vulnerability Scoring System (CVSS)?

A. User interaction
B. Attack vectors
C. Scope
D. Availability

106
107
A company hired a forensics team to determine how their systems got
infected with a crypto locker virus. The team concluded that an employee
opened a malicious attachment that installed a trojan virus, leading to the
crypto locker virus taking over the network. Which Common Vulnerability
Scoring System (CVSS) base metric would this affect?

A. Scope
B. User interaction
C. Attack vectors
D. Integrity

108
109
Blocking USBs would affect which metric on the Common Vulnerability
Scoring System (CVSS)?

A. User interaction
B. Availability
C. Scope
D. Attack vectors

110
111
What would cause the attack complexity to be high in the Common
Vulnerability Scoring System (CVSS)? (Pick the true statement)

A. If an attack is complex, it cannot be protected against.
B. More complexity may mean more chance of success.
C. More complexity may mean less chance of success.
D. If an attack is simple, it would not succeed.

112
113
A security engineer reviews current vulnerabilities and notices that the entire
company is open to exploitation. However, the exploit must use administrator
credentials. Why would the engineer not worry about this exposure?

A. Employee user accounts have limited access to change things on their devices
B. Employee user accounts have full access to change things on their devices
C. Non-IT employees know not to use the IT administrator credentials
D. The computers are not valuable

114
115
A systems administrator in charge of the company’s antivirus software is going
through alerts. The administrator sees two alerts: one for a suspicious login from the
same Internet Protocol (IP) address as the corporate office and one for a suspicious
login from a foreign country from an employee located at the corporate office. What
type of scan result would the first alert be classified as?

A. False negative
B. False positive
C. True positive
D. True negative

116
117
A security engineer is demoing new antivirus software. The engineer installed a
standardized imitation virus to see if the new software would catch it. The engineer
found that the old antivirus software did not detect it, but the new one did. What is
happening with the old antivirus software?

A. False positive
B. True positive
C. False negative
D. True negative
118
119
A company is forced to disable the pre-boot management engine on all of its
computers due to a flaw with no available patch, making the vulnerability exploitable.
Which type of vulnerability does this describe?

A. False positive
B. False negative
C. Low value
D. Zero-day

120
121
A defense contractor has taken all their machines offline due to an 'unpatchable'
vulnerability in the embedded Unified Extensible Firmware Interface (UEFI) boot
subsystem. Due to the extremely sensitive data on their systems, the contractor
cannot risk having their machines breached. What describes this kind of vulnerability?

A. High asset value
B. Low asset value
C. False positive
D. True negative

122
123
A video production company has a server farm with high-end graphics cards that
allows the company to generate computer-generated imagery. Although the servers
do not currently store any data, the company wants to ensure the security of its
equipment. What is a compelling reason why the company should be proactive in
preventing server vulnerabilities?

A. Exploitability
B. Low asset value
C. High asset value
D. Save power consumption

124