Explore all topics
Start Free Trial
Need Help? Contact us
back arrowfull exam logo
search
ai logoChat with AI
Servicesarrow
Discoverarrow

Topics

Explore all topics
Discover more topics

Deck 4: Vulnerability Assessment and Mitigating Attacks

Full screen (f)
exit full mode
Question
Vulnerability scans are usually performed from outside the security perimeter.
Use Space or
up arrow
down arrow
to flip the card.
Question
____ is a comparison of the present state of a system compared to its baseline.

A) Baseline reporting
B) Compliance reporting
C) Baseline assessment
D) Compliance review
Question
A ____ in effect takes a snapshot of the current security of the organization.

A) threat analysis
B) vulnerability appraisal
C) risk assessment
D) threat assessment
Question
While the code for a program is being written, it is being analyzed by a ____.

A) black box
B) code review
C) white box
D) scanner
Question
When performing a vulnerability assessment, many organizations use ____ software to search a system for any port vulnerabilities.

A) threat scanner
B) vulnerability profiler
C) port scanner
D) application profiler
Question
If port 20 is available, then an attacker can assume that FTP is being used.
Question
A ____ outlines the major security considerations for a system and becomes the starting point for solid security.

A) profile
B) threat
C) control
D) baseline
Question
A(n) ____ indicates that no process is listening at this port.

A) open port
B) open address
C) closed address
D) closed port
Question
The ____ for software is the code that can be executed by unauthorized users.

A) vulnerability surface
B) risk profile
C) input surface
D) attack surface
Question
A(n) ____ is hardware or software that captures packets to decode and analyze its contents.

A) application analyzer
B) protocol analyzer
C) threat profiler
D) system analyzer
Question
____ is the probability that a risk will occur in a particular year.

A) SLE
B) ALE
C) ARO
D) EF
Question
The first step in a vulnerability assessment is to determine the assets that need to be protected.
Question
____ is a means by which an organization can transfer the risk to a third party who can demonstrate a higher capability at managing or reducing risks.

A) Insourcing
B) Outsourcing
C) Outcasting
D) Inhousing
Question
A(n) ____ means that the application or service assigned to that port is listening for any instructions.

A) open port
B) empty port
C) closed port
D) interruptible system
Question
The goal of ____ is to better understand who the attackers are, why they attack, and what types of attacks might occur.

A) threat mitigation
B) threat profiling
C) risk modeling
D) threat modeling
Question
In an empty box test, the tester has no prior knowledge of the network infrastructure that is being tested.
Question
____ is the proportion of an asset's value that is likely to be destroyed by a particular risk.

A) SLE
B) ARO
C) EF
D) ER
Question
A ____ is a computer typically located in an area with limited security and loaded with software and data files that appear to be authentic, yet they are actually imitations of real data files.

A) port scanner
B) write blocker
C) honeypot
D) honeycomb
Question
The ____ is the expected monetary loss every time a risk occurs.

A) SLE
B) ARO
C) ALE
D) SRE
Question
A healthy security posture results from a sound and workable strategy toward managing risks.
Question
A ____ tester has an in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications.

A) white box
B) black box
C) replay
D) system
Question
The end product of a penetration test is the penetration ____.

A) test profile
B) test report
C) test system
D) test view
Question
Discuss one type of asset that an organization might have.
Question
____________________ for organizations are intended to identify vulnerabilities and alert network administrators to these problems.
Question
Most vulnerability scanners maintain a(n) ____________________ that categorizes and describes the vulnerabilities that it can detect.
Question
List and describe the elements that make up a security posture.
Question
A(n) ____________________ box test is one in which some limited information has been provided to the tester.
Question
List four things that a vulnerability scanner can do.
Question
Describe the purpose of a honeypot.
Question
A(n) ____________________ scan uses various techniques to avoid detection.
Question
Describe a penetration testing report.
Question
A ____ is a network set up with intentional vulnerabilities.

A) honeynet
B) honeypot
C) honeycomb
D) honey hole
Question
Released in 1995, one of the first tools that was widely used for penetration testing was ____.

A) GOPHER
B) SAINT
C) SATAN
D) NESSUS
Question
When using a black box test, many testers use ____________________ tricks to learn about the network infrastructure from inside employees.
Question
A security weakness is known as a(n) ____.

A) threat
B) vulnerability
C) risk
D) opportunity
Question
List and describe two common uses for a protocol analyzer.
Question
Discuss the purpose of OVAL.
Question
A(n) ____ examines the current security in a passive method.

A) application scan
B) system scan
C) threat scan
D) vulnerability scan
Question
List and describe the three categories that TCP/IP divides port numbers into.
Question
When a security hardware device fails or a program aborts, which state should it go into?
Question
List two types of hardening techniques.
Question
Match between columns
Premises:
Responses:
An automated software search through a system for any known security weaknesses
Vulnerability assessment
An automated software search through a system for any known security weaknesses
Asset identification
An automated software search through a system for any known security weaknesses
Threat evaluation
An automated software search through a system for any known security weaknesses
Vulnerability appraisal
An automated software search through a system for any known security weaknesses
Risk assessment
An automated software search through a system for any known security weaknesses
Risk mitigation
An automated software search through a system for any known security weaknesses
Vulnerability scan
An automated software search through a system for any known security weaknesses
Penetration testing
An automated software search through a system for any known security weaknesses
Hardening
Identify what damages could result from the threats
Vulnerability assessment
Identify what damages could result from the threats
Asset identification
Identify what damages could result from the threats
Threat evaluation
Identify what damages could result from the threats
Vulnerability appraisal
Identify what damages could result from the threats
Risk assessment
Identify what damages could result from the threats
Risk mitigation
Identify what damages could result from the threats
Vulnerability scan
Identify what damages could result from the threats
Penetration testing
Identify what damages could result from the threats
Hardening
Designed to actually exploit any weaknesses in systems that are vulnerable
Vulnerability assessment
Designed to actually exploit any weaknesses in systems that are vulnerable
Asset identification
Designed to actually exploit any weaknesses in systems that are vulnerable
Threat evaluation
Designed to actually exploit any weaknesses in systems that are vulnerable
Vulnerability appraisal
Designed to actually exploit any weaknesses in systems that are vulnerable
Risk assessment
Designed to actually exploit any weaknesses in systems that are vulnerable
Risk mitigation
Designed to actually exploit any weaknesses in systems that are vulnerable
Vulnerability scan
Designed to actually exploit any weaknesses in systems that are vulnerable
Penetration testing
Designed to actually exploit any weaknesses in systems that are vulnerable
Hardening
Identify what needs to be protected
Vulnerability assessment
Identify what needs to be protected
Asset identification
Identify what needs to be protected
Threat evaluation
Identify what needs to be protected
Vulnerability appraisal
Identify what needs to be protected
Risk assessment
Identify what needs to be protected
Risk mitigation
Identify what needs to be protected
Vulnerability scan
Identify what needs to be protected
Penetration testing
Identify what needs to be protected
Hardening
Eliminating as many security risks as possible and make the system more secure
Vulnerability assessment
Eliminating as many security risks as possible and make the system more secure
Asset identification
Eliminating as many security risks as possible and make the system more secure
Threat evaluation
Eliminating as many security risks as possible and make the system more secure
Vulnerability appraisal
Eliminating as many security risks as possible and make the system more secure
Risk assessment
Eliminating as many security risks as possible and make the system more secure
Risk mitigation
Eliminating as many security risks as possible and make the system more secure
Vulnerability scan
Eliminating as many security risks as possible and make the system more secure
Penetration testing
Eliminating as many security risks as possible and make the system more secure
Hardening
Identify what to do about threats
Vulnerability assessment
Identify what to do about threats
Asset identification
Identify what to do about threats
Threat evaluation
Identify what to do about threats
Vulnerability appraisal
Identify what to do about threats
Risk assessment
Identify what to do about threats
Risk mitigation
Identify what to do about threats
Vulnerability scan
Identify what to do about threats
Penetration testing
Identify what to do about threats
Hardening
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Vulnerability assessment
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Asset identification
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Threat evaluation
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Vulnerability appraisal
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Risk assessment
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Risk mitigation
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Vulnerability scan
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Penetration testing
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Hardening
Identifying what the pressures are against a company
Vulnerability assessment
Identifying what the pressures are against a company
Asset identification
Identifying what the pressures are against a company
Threat evaluation
Identifying what the pressures are against a company
Vulnerability appraisal
Identifying what the pressures are against a company
Risk assessment
Identifying what the pressures are against a company
Risk mitigation
Identifying what the pressures are against a company
Vulnerability scan
Identifying what the pressures are against a company
Penetration testing
Identifying what the pressures are against a company
Hardening
Identifying how susceptible the current protection is
Vulnerability assessment
Identifying how susceptible the current protection is
Asset identification
Identifying how susceptible the current protection is
Threat evaluation
Identifying how susceptible the current protection is
Vulnerability appraisal
Identifying how susceptible the current protection is
Risk assessment
Identifying how susceptible the current protection is
Risk mitigation
Identifying how susceptible the current protection is
Vulnerability scan
Identifying how susceptible the current protection is
Penetration testing
Identifying how susceptible the current protection is
Hardening
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/42
auto play flashcards
Play
simple tutorial
Full screen (f)
exit full mode
Deck 4: Vulnerability Assessment and Mitigating Attacks
1
Vulnerability scans are usually performed from outside the security perimeter.
False
2
____ is a comparison of the present state of a system compared to its baseline.

A) Baseline reporting
B) Compliance reporting
C) Baseline assessment
D) Compliance review
A
3
A ____ in effect takes a snapshot of the current security of the organization.

A) threat analysis
B) vulnerability appraisal
C) risk assessment
D) threat assessment
B
4
While the code for a program is being written, it is being analyzed by a ____.

A) black box
B) code review
C) white box
D) scanner
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
5
When performing a vulnerability assessment, many organizations use ____ software to search a system for any port vulnerabilities.

A) threat scanner
B) vulnerability profiler
C) port scanner
D) application profiler
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
6
If port 20 is available, then an attacker can assume that FTP is being used.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
7
A ____ outlines the major security considerations for a system and becomes the starting point for solid security.

A) profile
B) threat
C) control
D) baseline
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
8
A(n) ____ indicates that no process is listening at this port.

A) open port
B) open address
C) closed address
D) closed port
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
9
The ____ for software is the code that can be executed by unauthorized users.

A) vulnerability surface
B) risk profile
C) input surface
D) attack surface
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
10
A(n) ____ is hardware or software that captures packets to decode and analyze its contents.

A) application analyzer
B) protocol analyzer
C) threat profiler
D) system analyzer
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
11
____ is the probability that a risk will occur in a particular year.

A) SLE
B) ALE
C) ARO
D) EF
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
12
The first step in a vulnerability assessment is to determine the assets that need to be protected.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
13
____ is a means by which an organization can transfer the risk to a third party who can demonstrate a higher capability at managing or reducing risks.

A) Insourcing
B) Outsourcing
C) Outcasting
D) Inhousing
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
14
A(n) ____ means that the application or service assigned to that port is listening for any instructions.

A) open port
B) empty port
C) closed port
D) interruptible system
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
15
The goal of ____ is to better understand who the attackers are, why they attack, and what types of attacks might occur.

A) threat mitigation
B) threat profiling
C) risk modeling
D) threat modeling
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
16
In an empty box test, the tester has no prior knowledge of the network infrastructure that is being tested.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
17
____ is the proportion of an asset's value that is likely to be destroyed by a particular risk.

A) SLE
B) ARO
C) EF
D) ER
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
18
A ____ is a computer typically located in an area with limited security and loaded with software and data files that appear to be authentic, yet they are actually imitations of real data files.

A) port scanner
B) write blocker
C) honeypot
D) honeycomb
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
19
The ____ is the expected monetary loss every time a risk occurs.

A) SLE
B) ARO
C) ALE
D) SRE
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
20
A healthy security posture results from a sound and workable strategy toward managing risks.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
21
A ____ tester has an in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications.

A) white box
B) black box
C) replay
D) system
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
22
The end product of a penetration test is the penetration ____.

A) test profile
B) test report
C) test system
D) test view
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
23
Discuss one type of asset that an organization might have.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
24
____________________ for organizations are intended to identify vulnerabilities and alert network administrators to these problems.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
25
Most vulnerability scanners maintain a(n) ____________________ that categorizes and describes the vulnerabilities that it can detect.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
26
List and describe the elements that make up a security posture.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
27
A(n) ____________________ box test is one in which some limited information has been provided to the tester.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
28
List four things that a vulnerability scanner can do.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
29
Describe the purpose of a honeypot.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
30
A(n) ____________________ scan uses various techniques to avoid detection.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
31
Describe a penetration testing report.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
32
A ____ is a network set up with intentional vulnerabilities.

A) honeynet
B) honeypot
C) honeycomb
D) honey hole
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
33
Released in 1995, one of the first tools that was widely used for penetration testing was ____.

A) GOPHER
B) SAINT
C) SATAN
D) NESSUS
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
34
When using a black box test, many testers use ____________________ tricks to learn about the network infrastructure from inside employees.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
35
A security weakness is known as a(n) ____.

A) threat
B) vulnerability
C) risk
D) opportunity
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
36
List and describe two common uses for a protocol analyzer.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
37
Discuss the purpose of OVAL.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
38
A(n) ____ examines the current security in a passive method.

A) application scan
B) system scan
C) threat scan
D) vulnerability scan
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
39
List and describe the three categories that TCP/IP divides port numbers into.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
40
When a security hardware device fails or a program aborts, which state should it go into?
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
41
List two types of hardening techniques.
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
42
Match between columns
Premises:
Responses:
An automated software search through a system for any known security weaknesses
Vulnerability assessment
An automated software search through a system for any known security weaknesses
Asset identification
An automated software search through a system for any known security weaknesses
Threat evaluation
An automated software search through a system for any known security weaknesses
Vulnerability appraisal
An automated software search through a system for any known security weaknesses
Risk assessment
An automated software search through a system for any known security weaknesses
Risk mitigation
An automated software search through a system for any known security weaknesses
Vulnerability scan
An automated software search through a system for any known security weaknesses
Penetration testing
An automated software search through a system for any known security weaknesses
Hardening
Identify what damages could result from the threats
Vulnerability assessment
Identify what damages could result from the threats
Asset identification
Identify what damages could result from the threats
Threat evaluation
Identify what damages could result from the threats
Vulnerability appraisal
Identify what damages could result from the threats
Risk assessment
Identify what damages could result from the threats
Risk mitigation
Identify what damages could result from the threats
Vulnerability scan
Identify what damages could result from the threats
Penetration testing
Identify what damages could result from the threats
Hardening
Designed to actually exploit any weaknesses in systems that are vulnerable
Vulnerability assessment
Designed to actually exploit any weaknesses in systems that are vulnerable
Asset identification
Designed to actually exploit any weaknesses in systems that are vulnerable
Threat evaluation
Designed to actually exploit any weaknesses in systems that are vulnerable
Vulnerability appraisal
Designed to actually exploit any weaknesses in systems that are vulnerable
Risk assessment
Designed to actually exploit any weaknesses in systems that are vulnerable
Risk mitigation
Designed to actually exploit any weaknesses in systems that are vulnerable
Vulnerability scan
Designed to actually exploit any weaknesses in systems that are vulnerable
Penetration testing
Designed to actually exploit any weaknesses in systems that are vulnerable
Hardening
Identify what needs to be protected
Vulnerability assessment
Identify what needs to be protected
Asset identification
Identify what needs to be protected
Threat evaluation
Identify what needs to be protected
Vulnerability appraisal
Identify what needs to be protected
Risk assessment
Identify what needs to be protected
Risk mitigation
Identify what needs to be protected
Vulnerability scan
Identify what needs to be protected
Penetration testing
Identify what needs to be protected
Hardening
Eliminating as many security risks as possible and make the system more secure
Vulnerability assessment
Eliminating as many security risks as possible and make the system more secure
Asset identification
Eliminating as many security risks as possible and make the system more secure
Threat evaluation
Eliminating as many security risks as possible and make the system more secure
Vulnerability appraisal
Eliminating as many security risks as possible and make the system more secure
Risk assessment
Eliminating as many security risks as possible and make the system more secure
Risk mitigation
Eliminating as many security risks as possible and make the system more secure
Vulnerability scan
Eliminating as many security risks as possible and make the system more secure
Penetration testing
Eliminating as many security risks as possible and make the system more secure
Hardening
Identify what to do about threats
Vulnerability assessment
Identify what to do about threats
Asset identification
Identify what to do about threats
Threat evaluation
Identify what to do about threats
Vulnerability appraisal
Identify what to do about threats
Risk assessment
Identify what to do about threats
Risk mitigation
Identify what to do about threats
Vulnerability scan
Identify what to do about threats
Penetration testing
Identify what to do about threats
Hardening
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Vulnerability assessment
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Asset identification
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Threat evaluation
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Vulnerability appraisal
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Risk assessment
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Risk mitigation
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Vulnerability scan
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Penetration testing
A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is potentially harmful
Hardening
Identifying what the pressures are against a company
Vulnerability assessment
Identifying what the pressures are against a company
Asset identification
Identifying what the pressures are against a company
Threat evaluation
Identifying what the pressures are against a company
Vulnerability appraisal
Identifying what the pressures are against a company
Risk assessment
Identifying what the pressures are against a company
Risk mitigation
Identifying what the pressures are against a company
Vulnerability scan
Identifying what the pressures are against a company
Penetration testing
Identifying what the pressures are against a company
Hardening
Identifying how susceptible the current protection is
Vulnerability assessment
Identifying how susceptible the current protection is
Asset identification
Identifying how susceptible the current protection is
Threat evaluation
Identifying how susceptible the current protection is
Vulnerability appraisal
Identifying how susceptible the current protection is
Risk assessment
Identifying how susceptible the current protection is
Risk mitigation
Identifying how susceptible the current protection is
Vulnerability scan
Identifying how susceptible the current protection is
Penetration testing
Identifying how susceptible the current protection is
Hardening
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Unlock Deck
k this deck
locked card icon
Unlock Deck
Unlock for access to all 42 flashcards in this deck.
Examlex
Examlex
Work With Us
Policies
Download the App
Scan to downloadDownload the App
qr-code
Links
Links
Work With Us
Download the App

Scan to downloadDownload the App
qr-code

Copyright © 2025 Examlex LLC.
  • facebook-footer
  • instagram-footer
  • x-footer
  • tiktok
  • Linktree