Chapter 85 · Quiz

Analyzing Vulnerabilities — Quiz

Six multiple-choice questions and four matching questions. Submit for instant scoring and explanations.

Question 1 of 6
A vulnerability scanner reports that a server is running a version of OpenSSL with a known buffer overflow vulnerability. The security analyst investigates and discovers that the vendor released a hotfix three weeks ago that patched the code path without changing the version number. The scanner cannot detect the hotfix. This finding is best classified as:
Question 2 of 6
A healthcare organization ran its weekly vulnerability scan on Monday. On Wednesday, a critical zero-day was publicly disclosed with active exploitation confirmed. The organization reviews Monday's scan report, finds no mention of the new vulnerability, and concludes no systems are affected. What type of scan error is most likely, and what should the team do next?
Question 3 of 6
An analyst receives two scan reports for the same CVE: one tool reports a CVSS score of 6.5 and another reports 9.1. When the analyst checks the NVD, she finds the CVE has a CVSS 2.0 score of 6.5 and a CVSS 3.x score of 9.1. Which score should drive remediation priority, and why?
Question 4 of 6
A utility company discovers a vulnerability in its power distribution monitoring system. The same CVE affects a comparable software installation at a retail company. The utility rates the finding as Critical and plans to patch within 24 hours; the retail company rates it High and plans to patch within 7 days. Which of the following best explains this difference?
Question 5 of 6
An asset with a value of $400,000 hosts a service with a vulnerability that could completely disable it if exploited. What is the Single Loss Expectancy (SLE) for this vulnerability?
Question 6 of 6
A patch is released for a Critical (CVSS 9.8) vulnerability in an internet-facing web application. Within hours, threat intelligence confirms active exploitation. The organization's standard patch policy requires 72 hours of testing. What does appropriate risk tolerance suggest in this scenario?

Matching

Match each description to the correct term.

1. Scanner reports a vulnerability that does not actually exist on the system
2. A real vulnerability exists on the system but does not appear in the scan report
3. Percentage of asset value or service capacity potentially lost if a vulnerability is exploited
4. The level of risk an organization accepts during the window between vulnerability discovery and completed remediation
A. False positive
B. False negative
C. Exposure factor
D. Risk tolerance