Security+ Chapters 15 quiz

Flashcard maker: Lily Taylor
d. Threat evaluation
At what point in a vulnerability assessment would an attack tree be utilized?
a. vulnerability appraisal
b. risk assessment
c. risk mitigation
d. threat evaluation
c. As the functional and design specifications are being developed based on the requirements
In the software development process, when should a design review be conducted?
a. at the completion of the project
b. at the same time as the code review
c. as the functional and design specifications are being developed based on the requirements
d. during verification
a. Intrusive vulnerability scan
A(n) ___________ attempts to penetrate a system in order to perform a simulated attack.
a. intrusive vulnerability scan
b. vulnerability risk scan
c. PACK scan
d. master level scan
c. Memorandum of understanding (MOU)
A(n) ___________ is an agreement between two parties that is not legally enforceable.
a. Service Level Agreement (SLA)
b. Blanket Purchase Agreement (BPA)
c. Memorandum of Understanding (MOU)
d. Interconnection Security Agreement (ISA)
c. Vulnerability assessment
A ___________ is a systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, and any other entity that could cause potential harm.
a. penetration test
b. vulnerability scan
c. vulnerability assessment
d. risk appraisal (RAP)
d. Accounts payable
Each of these can be classified as an asset EXCEPT __________.
a. business partners
b. buildings
c. employee databases
d. accounts payable
a. Attack assessment
Each of these is a step in risk management EXCEPT _________.
a. attack assessment
b. vulnerability appraisal
c. threat evaluation
d. risk mitigation
a. Vulnerability appraisal is always the easiest and quickest step
Which statement regarding vulnerability appraisal is NOT true?
a. Vulnerability appraisal is always the easiest and quickest step
b. Every asset must be viewed in light of each threat
c. Each threat could reveal multiple vulnerabilities
d. Each vulnerability should be cataloged.
d. Threat modeling
__________ constructs scenarios of the types of threats that assets can face in order to learn who the attackers are, why they attack, and what types of attacks may occur.
a. Vulnerability prototyping
b. Risk assessment
c. Attack assessment
d. Threat modeling
a. Vulnerability appraisal
What is a current snapshot of the security of an organization?
a. vulnerability appraisal
b. risk evaluation
c. threat mitigation
d. liability reporting
b. Baseline reporting
__________ is a comparison of the present security state of a system to a standard established by the organization.
a. Risk mitigation
b. Baseline reporting
c. Comparative Resource Appraisal (CRA)
d. Horizontal comparables
b. Busy
Which of these is NOT a state of a port that can be returned by a port scanner?
a. open
b. busy
c. blocked
d. closed
a. It uses FIN messages that can pass through firewalls and avoid detection
Which statement regarding TCP SYN port scanning is NOT true?
a. It uses FIN messages that can pass through firewalls and avoid detection
b. Instead of using the operating system’s network functions, the port scanner generates IP packets itself and monitors for responses.
c. The scanner host closes the connection before the handshake is completed.
d. This scan type is also known as "half-open scanning" because it never actually opens a full TCP connection.
b. 20 and 21
The protocol File Transfer Protocol (FTP) uses which two ports?
a. 19 and 20
b. 20 and 21
c. 21 and 22
d. 22 and 23
b. Alerts users when a new patch cannot be found
Each of these is a function of a vulnerability scanner EXCEPT ___.
a. detects which ports are served and which ports are browsed for each individual system.
b. alerts users when a new patch cannot be found
c. maintains a log of all interactive network sessions.
d. detects when an application is compromised.
b. It attempts to standardize vulnerability assessment
Which statement about the Open Vulnerability and Assessment Language (OVAL) is true?
a. It only functions on Linux-based computers
b. It attempts to standardize vulnerability assessment
c. It has been replaced by XML.
d. It is a European standard and is not used in the Americas.
c. It cannot be part of a honeynet
Which statement regarding a honeypot is NOT true?
a. It is typically located in an area with limited security
b. It is intentionally configured with security vulnerabilities.
c. It cannot be part of a honeynet.
d. It can direct an attacker’s attention away from legitimate servers.
a. It uses automated software to scan for vulnerabilities
Which statement about vulnerability scanning is true?
a. It uses automated software to scan for vulnerabilities
b. The testers are always outside of the security perimeter
c. It may disrupt the operation of the network or systems
d. It produces a short report of the attack methods and value of the exploited data.
b. White box
If a tester is given the IP addresses, network diagrams, and source code of customer applications, the tester is using which technique?
a. black box
b. white box
c. gray box
d. blue box
c. Fail-open
If a software application aborts and leaves the program open, which control structure is it using?
a. fail-safe
b. fail-secure
c. fail-open
d. fail-right
