CySa+ Pretest 1: 2/3

Out of all the protocols listed, which one might be used inside of a virtual system to manage and monitor the network?

What is NOT a good source of information to validate scan results?

You have been asked to scan your company’s website using the OWASP ZAP tool. When you perform the scan, you received the following warning:

“The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing password type input. Passwords may be stored in browsers and retrieved.”

You begin to investigate further by reviewing a portion of the HTML code from the website that is listed below:

<form action=authenticate.php”> Enter your username: <BR>

<input type=“text” name=“user” value=“” autofocus><BR> Enter your Password: <BR>

<input type=“password” name=“pass” value=“” maxlength=“32”><BR>

<input type=“submit” value=“submit”> </form>

Based on your analysis, what do you recommend?

When using nmap, what flag do you use in the syntax to conduct operating system identification during the scan?

John is a consultant who wants to sell his services to a new client. He’d like to have a vulnerability scan of their network prior to their initial meeting to show the client, for added security. What is the most significant problem with this approach?

Peter is working with an application team on the remediation of a critical SQL injection vulnerability that exists on a public-facing server. The team is worried that deploying the fix will require several hours of downtime that will also block customer transactions from completing. What is the most reasonable action to take?

What remediation strategies is MOST effective in reducing the risk to an embedded ICS from a network-based compromise?

TRUE or FALSE: Some vulnerability scans require account credentials to log on to scanned servers.

Which of the following is NOT a part of the vulnerability management lifecycle?

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?