
CompTIA Security+ Training Kit: Vulnerability Assessment and Management

Answers

This section contains the answers to the questions for the “Chapter review” section in this chapter.

  1. Correct Answer: D

    A. Incorrect: Vulnerability detection system is a made-up term.
    B. Incorrect: Port scanners are tools used to scan for open services.
    C. Incorrect: A darknet is an unused network set up and instrumented to detect attacks—any traffic sent to a darknet is suspect, because no valid systems should exist there.
    D. Correct: A honeypot is designed to allow attackers to compromise a fake system, providing the opportunity to study their actions.
  2. Correct Answer: C

    A. Incorrect: A penetration test tests a broad variety of security controls by attacking systems and networks to attempt to gain access.
    B. Incorrect: A vulnerability scan scans for vulnerabilities by using a scanning tool.
    C. Correct: A design or architecture review investigates the design of a system, network, or application.
    D. Incorrect: A code review targets the source code of an application or service to check it for vulnerabilities and bugs.
  3. Correct Answer: A

    A. Correct: A risk is the potential that a threat will exploit vulnerabilities.
    B. Incorrect: A vulnerability is a weakness in a system or asset that can be exploited.
    C. Incorrect: A threat is a possible danger that might exploit a vulnerability, resulting in harm to the organization.
    D. Incorrect: An exploit is a successful attack against a vulnerability, or a known method of attacking a vulnerability successfully.
  4. Correct Answer: D

    A. Incorrect: Likelihood is important to risk, but vulnerability isn’t used in the calculation.
    B. Incorrect: Impact is important to risk, but vulnerability isn’t used in the calculation.
    C. Incorrect: Neither vulnerability nor threats are used in the calculation of risk.
    D. Correct: Risk is calculated by multiplying likelihood and impact. This makes higher-impact or higher-probability risks more important.
  5. Correct Answer: C

    A. Incorrect: Red box is not a term associated with penetration testing.
    B. Incorrect: White box or crystal box penetration testing allows full visibility and knowledge of the penetration test target.
    C. Correct: Gray box penetration testing provides partial knowledge of the target.
    D. Incorrect: Black box testing provides no knowledge of the testing target.
  6. Correct Answer: A

    A. Correct: A port scan provides information about open ports, helping to identify services on a network.
    B. Incorrect: A port scan is often part of a penetration test, but you are unlikely to perform a complete penetration test to identify services.
    C. Incorrect: Vulnerability scans search for vulnerable services but are not the best way to identify them.
    D. Incorrect: A ping sweep tries to ping a series of machines to see if they are online and responding to pings—something that most modern operating systems don’t do by default.