Chapter 11 Quiz: Vulnerability Assessment
Test your understanding of vulnerability assessment concepts, CVE/CVSS frameworks, scanning methodology, and vulnerability management. Select the best answer for each question.
Question 1. What is the primary difference between a vulnerability assessment and a penetration test?
A) Vulnerability assessments use automated tools; penetration tests are always manual
B) Vulnerability assessments identify and classify weaknesses; penetration tests attempt to exploit them
C) Vulnerability assessments are performed by junior testers; penetration tests require senior expertise
D) Vulnerability assessments cover only network vulnerabilities; penetration tests include web applications
Question 2. What does CVE stand for, and what organization maintains it?
A) Common Vulnerability Examination, maintained by NIST
B) Common Vulnerabilities and Exposures, maintained by MITRE Corporation
C) Certified Vulnerability Enumeration, maintained by CISA
D) Critical Vulnerability Evaluation, maintained by OWASP
Question 3. A vulnerability has the CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. What does this indicate about the Attack Vector and Privileges Required?
A) Attack Vector is Local; Privileges Required is High
B) Attack Vector is Network; Privileges Required is None
C) Attack Vector is Adjacent Network; Privileges Required is Low
D) Attack Vector is Physical; Privileges Required is None
Question 4. What is the CVSS v3.1 base score range for a "Critical" severity rating?
A) 7.0–8.9
B) 8.0–9.9
C) 9.0–10.0
D) 10.0 only
Question 5. A vulnerability scanner reports that a server is running Apache 2.4.49 and flags CVE-2021-41773. However, the server is running on Red Hat Enterprise Linux and the package version shows the vulnerability has been backport-patched. This scanner finding is an example of:
A) A true positive
B) A false positive
C) A false negative
D) A confirmed vulnerability
Question 6. How does authenticated (credentialed) vulnerability scanning differ from unauthenticated scanning in terms of findings?
A) Authenticated scanning is faster but finds fewer vulnerabilities
B) Authenticated scanning typically finds 5-10x more vulnerabilities, including local patches and configurations
C) There is no significant difference in the number of findings
D) Unauthenticated scanning finds more vulnerabilities because it tests from an attacker's perspective
Question 7. Which of the following best describes the CISA Known Exploited Vulnerabilities (KEV) catalog?
A) A list of all CVEs published in the current year
B) A curated list of vulnerabilities known to be actively exploited in the wild
C) A database of zero-day vulnerabilities not yet publicly disclosed
D) A commercial vulnerability intelligence feed requiring a subscription
Question 8. You are prioritizing vulnerabilities for a healthcare organization. Which finding should be addressed FIRST?
A) CVSS 10.0 Log4Shell on an isolated development server with no patient data
B) CVSS 9.8 SQL injection on an Internet-facing patient portal handling PHI
C) CVSS 9.8 EternalBlue on an internal file server with patient records
D) CVSS 7.5 default credentials on an internal SNMP-enabled switch
Question 9. What does CWE stand for, and how does it relate to CVE?
A) Common Weakness Enumeration; it categorizes the types of weaknesses that lead to specific CVE vulnerabilities
B) Common Weakness Evaluation; it measures the severity of CVE entries
C) Critical Weakness Estimation; it predicts which CVEs will be exploited
D) Common Weakness Exposure; it identifies affected products for each CVE
Question 10. A vulnerability scanner reports 47 instances of "Apache Struts CVE-2017-5638" on your network. Manual validation reveals only 3 servers are actually running Apache Struts. What is the most likely cause of the discrepancy?
A) The scanner is outdated and using old vulnerability definitions
B) The scanner misidentified similar Apache HTTP Server banners as Apache Struts
C) The 44 additional servers have Struts installed but not running
D) Apache Struts was recently patched on 44 servers
Question 11. Which section of a vulnerability assessment report is most important for a non-technical audience like the board of directors?
A) Detailed Findings with CVSS vectors and technical evidence
B) Methodology section describing tools and scan configurations
C) Executive Summary with overall risk posture and business impact
D) Appendices with full scan output files
Question 12. What is the primary purpose of the CVSS Temporal metrics?
A) To measure how long the vulnerability has existed
B) To adjust the base score based on factors that change over time, such as exploit availability and patch status
C) To track when the vulnerability will be patched by the vendor
D) To schedule when remediation should occur
Question 13. You are conducting a vulnerability assessment and your scanner crashes a legacy medical device that was on the same network segment as your in-scope targets. What should you do?
A) Continue scanning and document the incident in your report
B) Immediately stop scanning, notify the client, document the incident, and work to restore the device
C) Ignore it since the device was not in scope
D) Restart the device and continue scanning at a slower rate
Question 14. Which combination of tools would provide the most comprehensive vulnerability assessment of an enterprise network?
A) Nmap only, since it includes the Nmap Scripting Engine
B) A commercial scanner (Nessus) for network/host assessment plus Nuclei or Burp Suite for web applications
C) Nikto for web scanning and SNMP-check for network devices
D) OpenVAS for everything, since it is the most comprehensive open-source option
Question 15. What is the DREAD risk rating model?
A) A vulnerability scoring system that replaced CVSS
B) A risk assessment framework scoring Damage, Reproducibility, Exploitability, Affected users, and Discoverability
C) A compliance framework for healthcare organizations
D) An incident response methodology
Question 16. Why is it important to include a remediation prioritization roadmap in a vulnerability assessment report?
A) It is required by all compliance frameworks
B) It provides specific timelines and priorities that help organizations allocate limited resources to the most impactful fixes first
C) It protects the assessor from liability if vulnerabilities are exploited
D) It replaces the need for a detailed findings section
Question 17. A scanner flags a finding as "SSL/TLS: Server Supports TLS 1.0." You verify this is true. However, the server is internal-only, behind a network firewall, and accessed by only three authorized administrators. How should you rate this finding?
A) Critical — TLS 1.0 is deprecated and always a critical finding
B) The same CVSS score as the NVD assigns, regardless of context
C) Risk-adjusted to Low or Medium — technically valid but low exploitability given the compensating controls and limited exposure
D) Informational — since it is internal, it is not a real vulnerability
Question 18. What is the primary benefit of performing a retest after the client has remediated vulnerabilities?
A) It generates additional revenue for the assessment firm
B) It confirms that remediations were effective and did not introduce new vulnerabilities
C) It is required by law before the assessment is considered complete
D) It provides an opportunity to find new vulnerabilities that were missed initially
Answer Key
1. B — Vulnerability assessments focus on identifying and classifying weaknesses across the attack surface. Penetration tests go further by attempting to exploit vulnerabilities to demonstrate real-world impact. Both may use automated and manual techniques.
2. B — CVE stands for Common Vulnerabilities and Exposures. It is maintained by the MITRE Corporation and funded by CISA.
3. B — AV:N means Attack Vector is Network (remotely exploitable). PR:N means Privileges Required is None (no authentication needed).
4. C — CVSS v3.1 Critical severity is 9.0–10.0. High is 7.0–8.9, Medium is 4.0–6.9, and Low is 0.1–3.9.
5. B — This is a false positive. The scanner detected the version number and flagged a known CVE, but the Linux distribution has backport-patched the vulnerability without changing the version string. The vulnerability does not actually exist on this system.
6. B — Authenticated scanning logs into hosts to examine local configurations, installed software versions, and patch levels that are not visible from the network. This typically reveals 5-10x more vulnerabilities.
7. B — The CISA KEV catalog lists vulnerabilities that are confirmed to be actively exploited by adversaries. Vulnerabilities on this list should be prioritized for immediate remediation.
8. B — While all are serious, the SQL injection on an Internet-facing patient portal handling PHI combines high CVSS with maximum exposure (Internet-facing), sensitive data (PHI with HIPAA implications), and active threat (SQL injection is heavily targeted). The development server (A) has no sensitive data exposure.
9. A — CWE (Common Weakness Enumeration) categorizes types of software weaknesses (e.g., CWE-89 for SQL Injection). Multiple CVEs may map to the same CWE, enabling trend analysis and root-cause identification.
10. B — This is a common false positive pattern where scanners misidentify similar banner patterns. Apache HTTP Server and Apache Struts are different products, but automated scanners may confuse them based on the "Apache" identifier.
11. C — The Executive Summary translates technical findings into business risk, providing the high-level view that non-technical stakeholders need to make resource allocation decisions.
12. B — Temporal metrics adjust the base score for exploit code maturity (is there a public exploit?), remediation level (is there a patch?), and report confidence (how well-validated is the finding?).
13. B — Patient safety comes first. Stop scanning immediately, notify the client so they can restore the device, document the incident thoroughly, and adjust your scanning approach to prevent recurrence.
14. B — A comprehensive assessment combines a dedicated network/host vulnerability scanner (like Nessus with authenticated scanning) with a web application-focused tool. No single tool covers all vulnerability types adequately.
15. B — DREAD is a risk rating model originally from Microsoft that rates vulnerabilities across five dimensions: Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.
16. B — Organizations have limited remediation resources. A prioritized roadmap helps them focus on the highest-risk issues first, ensuring that remediation effort delivers maximum security improvement.
17. C — Risk-adjusted scoring considers the specific environment. While TLS 1.0 support is a valid finding, the risk is significantly reduced by internal-only access, firewall protection, and limited users. It should be reported but rated lower than the same finding on an Internet-facing server.
18. B — Retesting confirms that vulnerabilities were properly remediated, that patches were effective, and that the remediation process did not introduce new issues. It provides assurance that the risk has been genuinely reduced.