Security+ Ch4

Flashcard maker: Lily Taylor
A ________ is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is a potential harm.
Vulnerability Assessment
Each of the following can be classified as an asset except ________.
Accounts Payable
Note: Assets include People (Employees, Business Partners), Buildings, and Data (databases)
Each of the following is a step in risk management except ________.
Attack Assessment
Which of the following is true regarding vulnerability appraisal? p28
Every asset must be viewed in light of each threat.
A Threat agent ________.
Is a person or entity with the power to carry out a threat against an asset.
________ constructs scenarios of the types of threats that assets can face in order to learn who the attackers are, why they attack, and what types of attacks may occur.
Threat Modeling
What is a current snapshot of the security of an organization?
Vulnerability Appraisal
The ________ is the proportion of an asset’s value that is likely to be destroyed by a particular risk.
Exposure Factor (EF)
Which of the following is NOT an option for dealing with risk?
Eliminate the risk
________ is a comparison of the present security state of a system compared to a standard established by the organization.
Baseline Reporting
Each of the following is a state of a port that can be returned by a port scanner except ________.
Busy
Each of the following is true regarding TCP SYN port scanning except ________.
It uses FIN messages that can pass through firewalls and avoid detection.
The protocol File Transfer Protocol (FTP) uses which two ports?
20 (data) and 21 (control)
A protocol analyzer places the computer’s network interface card (NIC) adapter into ________ mode.
Promiscuous
Each of the following is a function of a vulnerability scanner except ________.
Alert users when a new patch cannot be found
Which of the following is true of the Open Vulnerability and Assessment Language (OVAL)?
It attempts to standardize vulnerability assessments.
Which of the following is NOT true regarding a honeypot? p139
* It cannot be part of a Honeynet.
* It contains real data files because attackers can easily identify fake files.
Which of the following is true of vulnerability scanning?
It uses automated software to scan for vulnerabilities
If a tester is given the IP addresses, network diagrams, and source code of customer applications, then she is using which technique?
White Box
If a software application aborts and leaves the program open, which control structure is it using?
Fail Open
What are the five parts of Vulnerability Assessment?
Asset Identification
Threat Evaluation
Vulnerability Appraisal
Risk Assessment
Risk Mitigation
Attack Tree
Visual image of the attacks that may occur.
Threat Modeling
Understand who the attackers are and why they attack, and what types of attacks they may use.
