C795- Cybersecurity Management II
UPDATED ACTUAL Questions and
CORRECT Answers
What is a vulnerability? - CORRECT ANSWER- ✔✔a weakness in an information system,
system security procedures, internal controls, or implementation that could be exploited or
triggered by a threat source.
What is a penetration test? - CORRECT ANSWER- ✔✔a simulated cyber attack against your
systems or company
What are the typical steps for a vulnerability test? - CORRECT ANSWER- ✔✔Identify asset
classification list, identify vulnerabilities, test assets against vulnerabilities, and recommend
solutions to either eliminate or mitigate vulnerabilities
What is the first thing an organization should do before defining security requirements? -
CORRECT ANSWER- ✔✔To define security requirements, first an organization must define
its risk appetite.
What is defense in depth? - CORRECT ANSWER- ✔✔defense-in-depth principle; it is by
adding relevant layer of controls (e.g., access control, encryption, and monitoring) that the
expected level of protection is achieved.
What are COTS applications? - CORRECT ANSWER- ✔✔Applications developed by
vendors and installed on the organization's information systems. These applications are
usually purchased outright by organizations with usage based on licensing agreements.
What are SaaS applications? - CORRECT ANSWER- ✔✔Applications developed by service
providers or vendors and installed on the provider or vendor information system.
Organizations typically have an on-demand or pay-per-usage metrics.
What is the goal of a security test? - CORRECT ANSWER- ✔✔Verify that a control is
functioning properly.
,What is a security assessment? - CORRECT ANSWER- ✔✔A comprehensive reviews of the
security of a system, application, or other tested environment
What is the NIST SP 800-53A? - CORRECT ANSWER- ✔✔The National Institute for
Standards and Technology (NIST) offers a special publication that describes best practices in
conducting security and privacy assessments.
What is COBIT? - CORRECT ANSWER- ✔✔the Control Objectives for Information and
related Technologies describes the common requirements that organizations should have in
place surrounding their information systems.
What does ISO 27001 describe? - CORRECT ANSWER- ✔✔A standard approach for setting
up an information security management system
What does ISO 27002 describe? - CORRECT ANSWER- ✔✔It details specifics of
information security controls
What does a vulnerability scan do? - CORRECT ANSWER- ✔✔automatically probe
systems, applications, and networks, looking for weaknesses that may be exploited by an
attacker.
What are the four main categories of vulnerability scans? - CORRECT ANSWER-
✔✔Network discovery scans, network vulnerability scans, web application vulnerability
scans, and database vulnerability scans
What is NMAP? - CORRECT ANSWER- ✔✔The most common tool used for network
discovery scanning
What does a network vulnerability scanner do? - CORRECT ANSWER- ✔✔Probe a targeted
system or network for the presence of known vulnerabilities.
What is a false positive? - CORRECT ANSWER- ✔✔The scanner may not have enough
information to conclusively determine that a vulnerability exists and it reports a vulnerability
when there really is no problem.
, What is a false negative? - CORRECT ANSWER- ✔✔When the vulnerability scanner misses
a vulnerability and fails to alert the administrator to the presence of it
T/F - By default, network vulnerability scanners run unauthenticated scans. - CORRECT
ANSWER- ✔✔True
One way to improve the accuracy of the scanning and reduce false positive and false negative
reports is to perform what kind of scans? - CORRECT ANSWER- ✔✔authenticated scans
What is sqlmap? - CORRECT ANSWER- ✔✔A commonly used open-source database
vulnerability scanner that allows security administrators to probe web applications for
database vulnerabilities
What is Metasploit? - CORRECT ANSWER- ✔✔a tool to automatically execute exploits
against targeted systems
What is a white box penetration test? - CORRECT ANSWER- ✔✔Provides the attackers
with detailed information about the systems they target. This bypasses many of the
reconnaissance steps that normally precede attacks, shortening the time of the attack and
increasing the likelihood that it will find security flaws.
What is a gray box penetration test? - CORRECT ANSWER- ✔✔Also known as partial
knowledge tests, these are sometimes chosen to balance the advantages and disadvantages of
white and black box penetration tests.
What is a black box penetration test? - CORRECT ANSWER- ✔✔Does not provide attackers
with any information prior to the attack. This simulates an external attacker trying to gain
access to information about the business and technical environment before engaging in an
attack.
What is static testing? - CORRECT ANSWER- ✔✔Evaluates the security of software
without running it by analyzing either the source code or the compiled application.
UPDATED ACTUAL Questions and
CORRECT Answers
What is a vulnerability? - CORRECT ANSWER- ✔✔a weakness in an information system,
system security procedures, internal controls, or implementation that could be exploited or
triggered by a threat source.
What is a penetration test? - CORRECT ANSWER- ✔✔a simulated cyber attack against your
systems or company
What are the typical steps for a vulnerability test? - CORRECT ANSWER- ✔✔Identify asset
classification list, identify vulnerabilities, test assets against vulnerabilities, and recommend
solutions to either eliminate or mitigate vulnerabilities
What is the first thing an organization should do before defining security requirements? -
CORRECT ANSWER- ✔✔To define security requirements, first an organization must define
its risk appetite.
What is defense in depth? - CORRECT ANSWER- ✔✔defense-in-depth principle; it is by
adding relevant layer of controls (e.g., access control, encryption, and monitoring) that the
expected level of protection is achieved.
What are COTS applications? - CORRECT ANSWER- ✔✔Applications developed by
vendors and installed on the organization's information systems. These applications are
usually purchased outright by organizations with usage based on licensing agreements.
What are SaaS applications? - CORRECT ANSWER- ✔✔Applications developed by service
providers or vendors and installed on the provider or vendor information system.
Organizations typically have an on-demand or pay-per-usage metrics.
What is the goal of a security test? - CORRECT ANSWER- ✔✔Verify that a control is
functioning properly.
,What is a security assessment? - CORRECT ANSWER- ✔✔A comprehensive reviews of the
security of a system, application, or other tested environment
What is the NIST SP 800-53A? - CORRECT ANSWER- ✔✔The National Institute for
Standards and Technology (NIST) offers a special publication that describes best practices in
conducting security and privacy assessments.
What is COBIT? - CORRECT ANSWER- ✔✔the Control Objectives for Information and
related Technologies describes the common requirements that organizations should have in
place surrounding their information systems.
What does ISO 27001 describe? - CORRECT ANSWER- ✔✔A standard approach for setting
up an information security management system
What does ISO 27002 describe? - CORRECT ANSWER- ✔✔It details specifics of
information security controls
What does a vulnerability scan do? - CORRECT ANSWER- ✔✔automatically probe
systems, applications, and networks, looking for weaknesses that may be exploited by an
attacker.
What are the four main categories of vulnerability scans? - CORRECT ANSWER-
✔✔Network discovery scans, network vulnerability scans, web application vulnerability
scans, and database vulnerability scans
What is NMAP? - CORRECT ANSWER- ✔✔The most common tool used for network
discovery scanning
What does a network vulnerability scanner do? - CORRECT ANSWER- ✔✔Probe a targeted
system or network for the presence of known vulnerabilities.
What is a false positive? - CORRECT ANSWER- ✔✔The scanner may not have enough
information to conclusively determine that a vulnerability exists and it reports a vulnerability
when there really is no problem.
, What is a false negative? - CORRECT ANSWER- ✔✔When the vulnerability scanner misses
a vulnerability and fails to alert the administrator to the presence of it
T/F - By default, network vulnerability scanners run unauthenticated scans. - CORRECT
ANSWER- ✔✔True
One way to improve the accuracy of the scanning and reduce false positive and false negative
reports is to perform what kind of scans? - CORRECT ANSWER- ✔✔authenticated scans
What is sqlmap? - CORRECT ANSWER- ✔✔A commonly used open-source database
vulnerability scanner that allows security administrators to probe web applications for
database vulnerabilities
What is Metasploit? - CORRECT ANSWER- ✔✔a tool to automatically execute exploits
against targeted systems
What is a white box penetration test? - CORRECT ANSWER- ✔✔Provides the attackers
with detailed information about the systems they target. This bypasses many of the
reconnaissance steps that normally precede attacks, shortening the time of the attack and
increasing the likelihood that it will find security flaws.
What is a gray box penetration test? - CORRECT ANSWER- ✔✔Also known as partial
knowledge tests, these are sometimes chosen to balance the advantages and disadvantages of
white and black box penetration tests.
What is a black box penetration test? - CORRECT ANSWER- ✔✔Does not provide attackers
with any information prior to the attack. This simulates an external attacker trying to gain
access to information about the business and technical environment before engaging in an
attack.
What is static testing? - CORRECT ANSWER- ✔✔Evaluates the security of software
without running it by analyzing either the source code or the compiled application.
