True
The first step in a vulnerability assessment is to determine the assets that need to be protected.
True
If TCP port 20 is open, then an attacker can assume that FTP is being used.
False
Vulnerability scans are usually performed from outside the security perimeter.
True
A healthy security posture results from a sound and workable strategy toward managing risks.
True
A port scanner can be used to search a system for port vulnerabilities. The RADMIN port scanner is an example of this type of software.
threat modeling
The goal of what type of threat evaluation is to better understand who the attackers are, why they attack, and what types of attacks might occur?
vulnerability appraisal
What is the name of the process that takes a snapshot of the current security of an organization?
baseline
Which item below is an imaginary line by which an element is measured or compared, and can be seen as the standard?
Baseline reporting
The comparison of the present state of a system to its baseline is known as what?
code review
In order to minimize vulnerabilities in software, code should be subject to and analyzed while it is being written in what option below?
attack surface
What is the name for the code that can be executed by unauthorized users within a software product?
port scanner
During a vulnerability assessment, what type of software can be used to search a system for port vulnerabilities?
open port
A port in what state below implies that an application or service assigned to that port is listening for any instructions?
closed port
An administrator running a port scan wants to ensure that no processes are listening on port 23. What state should the port be in?
protocol analyzer
An administrator needs to view packets and decode and analyze their contents. What type of application should the administrator use?
honeypot
Which is the term for a computer typically located in an area with limited security and loaded with software and data files that appear to be authentic, yet are actually imitations of real data files?
honeynet
What is the term for a network set up with intentional vulnerabilities?
vulnerability
What is another term used for a security weakness?
vulnerability scan
Which scan examines the current security, in a passive method?
penetration test report
What is the end result of a penetration test?
white box
Which tester has an in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications?
Service Level Agreement (SLA)
A service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service, is known as a:
Blanket Purchase Agreement (BPA)
What term below describes a prearranged purchase or sale agreement between a government agency and a business?
Integrity
What security goal do the following common controls address: hashing, digital signatures, certificates, nonrepudiation tools?
On-boarding
What term below describes the start-up relationship between partners?
Vulnerability scanners
____________________ for organizations are intended to identify vulnerabilities and alert network administrators to these problems.
database
Most vulnerability scanners maintain a(n) ____________________ that categorizes and describes the vulnerabilities that it can detect.
social engineering
When using a black box test, many testers use ____________________ tricks to learn about the network infrastructure from inside employees.
gray
A(n) ____________________ box test is one in which some limited information has been provided to the tester.
black box
In a __________ test, the tester has no prior knowledge of the network infrastructure that is being tested.
Architectural design
In software development, the process of defining a collection of hardware and software components along with their interfaces in order to create the framework for software development.
Attack surface
The code that can be executed by unauthorized users in a software program.
Interoperability agreement
An agreement through which parties in a relationship can reach an understanding of their relationships and responsibilities.
Gray box
A penetration test where some limited information has been provided to the tester.
On-boarding
The start-up relationship agreement between parties.
Honeypot
A computer typically located in an area with limited security and loaded with software and data files that appear to be authentic, but are actually imitations of real data files, to trick attackers into revealing their attack techniques.
Baseline reporting
A comparison of the present state of a system to its baseline.
Port security
Disabling unused application/service ports to reduce the number of threat vectors.
Code review
In software development, presenting the code to multiple reviewers in order to reach agreement about its security.
Off-boarding
The termination of an agreement between parties.
End chapter 15
Security+ Network Security Fundamentals Chapter 15