SEC+ Ch.8 Review Test

B is correct. The annual loss expectancy (ALE) is $2,400. It is calculated as single loss expectancy (SLE) × annual rate of occurrence (ARO). Each failure has resulted in a 10 percent loss (meaning that it cost 10 percent of the asset value to repair it). The SLE is 10 percent of $4,000 ($400), and the ARO is 6. 6 × $400 is $2400.

C is correct. A risk register lists all known risks for an asset, such as a database server, and it typically includes a risk score (the combination of the likelihood of occurrence and the impact of the risk). Risk assessments (including qualitative and quantitative risk assessments) might use a risk register, but they are not risk registers. Residual risk refers to the remaining risk after applying security controls to mitigate a risk.

D is correct. A supply chain assessment evaluates all the elements used to create, sell, and distribute a product. The National Institute of Standards and

Technology (NIST) Risk Management Framework (RMF) (NIST SP 800-

37 r2) provides steps for reducing supply chain risks. Risk assessments (including both quantitative and qualitative risk assessments) evaluate risks, but don’t evaluate the supply chain required to support an e-commerce website. Threat hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat.

A and C are correct. Intelligence fusion and advisories and bulletins are part of threat hunting. Threat hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat. Vulnerability scans are used as part of a security assessment. Although a history of vulnerability scans and related logs may be part of the intelligence fusion, CompTIA objectives specifically list the following four elements: intelligence fusion, advisories and bulletins, threat feeds, and predictions of how attackers may maneuver though the network. A configuration review verifies that systems are configured correctly.

D is correct. Nmap is a network scanner, and it can detect the protocols and services running on a server. The dnsenum command will enumerate (or list) Domain Name System (DNS) records for domains. An IP scanner detects IPs active on a network but not the services running on the individual hosts. Passive reconnaissance uses open source intelligence (OSINT) instead of active tools.

D is correct. A port scanner identifies open ports on a system and is commonly used to determine what services are running on the system. Vulnerability scanners often include port-scanning capabilities, and they can help identify potential weak configurations. A penetration test attempts to exploit a vulnerability. A protocol analyzer can analyze traffic and discover protocols in use, but this would be much more difficult than using a port scanner. A non-credentialed scan refers to a vulnerability scan, and while a vulnerability scan may reveal services running on a server, it won’t be as specific as a port scan.

A is correct. A false negative occurs if a vulnerability scanner does not report a known vulnerability. A false positive occurs when a vulnerability scanner reports a vulnerability that doesn’t exist. The scenario doesn’t indicate if the scan was run under the context of an account (credentialed) or anonymously (non-credentialed), so these answers aren’t relevant to the question.

D is correct. A vulnerability scan determines if the system has current patches. None of the other answers will detect missing patches. A network scan will discover devices on the network. It might look for and detect vulnerabilities on network devices, but it would not be used to scan a single server for patches. A port scan identifies open ports. A protocol analyzer (sniffer) captures traffic for analysis.

A is correct. Running the scans as credentialed scans (within the context of a valid account) allows the scan to see more information and typically results in fewer false positives. A false positive indicates the scan reported a vulnerability that doesn’t exist. Non-credentialed scans run without any user credentials and can be less accurate. Choosing either passive or active scans won’t reduce false positives.

C is correct. Lateral movement refers to actions taken to move through a network after successfully exploiting a single system. While not available as a possible answer, this could also be described as pivoting, which is the process of accessing other systems through a single compromised system. Partially known environment testing (sometimes called gray box testing) indicates the testers have some knowledge of a system or network before starting, but there is no indication in the scenario about their level of knowledge. Persistence refers to maintaining a presence on the system or network after the initial exploit. Privilege escalation refers to gaining higher privileges after an initial exploit.