08 Vulnerability Management
Mini Quiz Answers

Question 1: A security researcher discovers a critical vulnerability in a widely used web browser that allows attackers to gain Remote Code Execution. The browser vendor is unaware of the flaw, and no patch currently exists. The organization must implement temporary protective measures, such as installing a WAF, while awaiting a vendor-supplied fix. What type of vulnerability is described?

  • A. Known vulnerability. This is incorrect because a known vulnerability has been disclosed to the vendor and typically has a patch or workaround available; the scenario describes a flaw that is unknown to the vendor with no existing fix.
  • B. Zero-day. This is correct because a zero-day vulnerability is one that is unknown to the vendor and for which no patch exists, requiring temporary compensating controls like WAFs until a fix is developed.
  • C. Misconfiguration. This is incorrect because misconfigurations involve improper settings or deployments of systems, not unknown code flaws in software.
  • D. Legacy system vulnerability. This is incorrect because this term refers to vulnerabilities in outdated or end-of-life systems that no longer receive updates, not newly discovered unknown flaws in current software.

Question 2: During a security audit, an assessor finds that a newly deployed network storage appliance still uses the factory default administrator credentials "admin/admin" and has unnecessary Telnet ports open to the internet. Which description BEST explains what caused this situation to occur?

  • A. OS vulnerability. This is incorrect because this refers to flaws in the operating system code itself, not the configuration settings applied by administrators.
  • B. Misconfiguration. This is correct because using factory default credentials and leaving unnecessary ports open are configuration errors rather than software bugs.
  • C. Cryptographic weakness. This is incorrect because this involves flawed encryption implementations or weak algorithms, not default passwords or open ports.
  • D. Buffer overflow. This is incorrect because this is a memory corruption vulnerability, unrelated to default credentials or network service configuration.

Question 3: A threat actor compromises a control panel in a public-facing web server and forces it to reconfigure itself to accept connections using TLS 1.0 and 1.1 instead of TLS 1.3. Which type of action is being described?

  • A. Protocol misconfiguration. This is incorrect because while the end state involves misconfigured protocols, the action described is an active attack forcing the downgrade rather than a static configuration error.
  • B. Misconfigured cipher suites. This is incorrect because this refers to the specific encryption algorithms selected within TLS, not the protocol version downgrade itself.
  • C. Downgrade attack. This is correct because the attacker is actively forcing the system to use older, weaker protocol versions (TLS 1.0/1.1) instead of the secure version (TLS 1.3).
  • D. Race condition. This is incorrect because this involves timing issues between operations, not protocol version manipulation.

Question 4: A legacy application written in C++ processes user input without bounds checking, allowing an attacker to write data beyond the end of the memory buffer allocated for the variable by the host operating system. This leads to the attacker being able to execute arbitrary code. Which type of attack is involved AND which secure development practice would have prevented this vulnerability?

  • A. This is a buffer overflow attack that could be prevented by using memory-safe languages. This is correct because the scenario describes writing beyond buffer boundaries (buffer overflow), and memory-safe languages like Java or Rust enforce bounds checks and manage memory automatically to prevent such violations.
  • B. This is a buffer overflow attack that could be prevented by implementing client-side input validation. This is incorrect because while input validation helps, client-side validation can be bypassed; memory-safe languages are the fundamental solution for buffer overflows, and the attack described is server-side.
  • C. This is a legacy ICS vulnerability that could be prevented by creating a risk register. This is incorrect because the scenario describes a software vulnerability in an application, not an industrial control system, and risk registers document risks rather than prevent technical vulnerabilities.
  • D. This is an SSRF vulnerability that could be prevented using secure libraries. This is incorrect because SSRF (Server-Side Request Forgery) involves forcing servers to make unauthorized requests, not memory corruption via buffer overflow.

Question 5: Following a series of successful cyber attacks on a company's web applications, like SQL injection and directory traversal attacks, the CISO asks for two suggestions to mitigate these attacks in the future. Which TWO solutions are the BEST approaches?

  • A. Using type-safe languages like Java or Rust. This is incorrect because while these prevent memory corruption issues like buffer overflows, they do not specifically prevent SQL injection or directory traversal, which are input validation issues.
  • B. Implement client-side input validation and sanitised error pages. This is incorrect because client-side validation can be bypassed by attackers; server-side validation is required for security.
  • C. Enforce MFA and PAM. This is incorrect because Multi-Factor Authentication and Privileged Access Management strengthen authentication but do not prevent injection attacks or directory traversal vulnerabilities in application code.
  • D. Implement server-side input validation and stored procedures. This is correct because server-side validation ensures malicious input is caught before processing, and stored procedures prevent SQL injection by separating code from data.

Question 6: An attacker who has gained access to the internal network sends a command to the legitimate Windows process lsass.exe to harvest credential hashes from memory. The attacker then uses the stolen NTLM hashes to authenticate to the Windows backend authentication service without knowing the user's plaintext password. Which type of attack is this?

  • A. Pass-the-Hash attack. This is correct because the scenario describes using stolen NTLM hashes from memory (via lsass.exe) to authenticate without knowing the plaintext password, which is the definition of Pass-the-Hash.
  • B. DLL injection. This is incorrect because while the attacker may have used injection to access lsass.exe initially, the specific attack described, using the stolen hashes to authenticate, is Pass-the-Hash, not the injection itself.
  • C. SQL injection. This is incorrect because this involves database query manipulation, not credential theft from Windows memory.
  • D. Lateral movement via named pipes. This is incorrect because while Pass-the-Hash enables lateral movement, the specific technique described is Pass-the-Hash, not the transport mechanism (named pipes).

Question 7: An application checks if a user has write permissions to a configuration file, then opens the file 200 milliseconds later. During that time, an attacker replaces the file with a symlink pointing to a critical system file. Which vulnerability type does this describe?

  • A. Buffer overflow. This is incorrect because this involves writing beyond memory boundaries, not timing issues between permission checks and file access.
  • B. TOCTOU. This is correct because Time-of-Check to Time-of-Use describes the race condition where an attacker changes a file between the permission check and the file opening operation.
  • C. Replay attack. This is incorrect because this involves capturing and retransmitting data packets, not manipulating files between check and use.
  • D. Session hijacking. This is incorrect because this involves stealing session tokens to impersonate users, not file system race conditions.

Question 8: An employee, frustrated by corporate Mobile Device Management restrictions, downloads a productivity app APK from a third-party website instead of the official app store, accidentally installing malware that bypasses the organization's Acceptable Use Policy. Which risk is this?

  • A. Rooting. This is incorrect because rooting refers to gaining root/administrative privileges on a device, not installing applications from unofficial sources.
  • B. Sideloading. This is correct because sideloading is the installation of applications from sources other than the official app store (e.g., downloading APKs from websites), which bypasses organizational vetting.
  • C. Jailbreaking. This is incorrect because this term specifically refers to bypassing iOS restrictions on Apple devices, not Android APK installation.
  • D. Malicious updates. This is incorrect because this refers to compromised vendor update mechanisms, not user-initiated installations from third-party websites.

Question 9: An attacker posts a comment on a public social media page that contains a malicious JavaScript payload. When other users view the comment, their session cookies are sent to the attacker's server. Which type of XSS is this?

  • A. Reflected XSS. This is incorrect because reflected XSS requires the victim to click a malicious link or submit a form, and the payload is not stored on the server.
  • B. Stored XSS (Persistent). This is correct because the malicious JavaScript is stored persistently in the database (as a comment) and executes when other users view the page.
  • C. DOM-based XSS. This is incorrect because this occurs when client-side JavaScript modifies the DOM based on attacker input without server interaction, whereas this payload is stored server-side.
  • D. Blind XSS. This is incorrect because blind XSS occurs when the payload executes in a context the attacker cannot see (like an admin panel), whereas this executes in the attacker's viewable social media page.

Question 10: A web application's search function constructs queries by concatenating user input directly into the query string: query = "SELECT * FROM products WHERE name = '" + userInput + "'";. An attacker inputs ' OR '1'='1 to extract all data without authorisation. Which vulnerability is present?

  • A. Command injection. This is incorrect because this involves executing operating system commands on the server, not database queries.
  • B. SQL injection. This is correct because the attacker is injecting SQL code (' OR '1'='1) into a query constructed via string concatenation to bypass authentication or extract data.
  • C. LDAP injection. This is incorrect because this targets Lightweight Directory Access Protocol queries, not standard SQL databases.
  • D. SAML injection. This is incorrect because this targets Security Assertion Markup Language authentication protocols, not database queries.

Question 11: An attacker captures a valid authentication request containing encrypted credentials from a legacy system that does not use timestamps or session tokens. The attacker retransmits this exact packet a day later and successfully gains access via a legitimate authenticated session. Which attack type is being described?

  • A. Replay attack. This is correct because the attacker is capturing a valid transmission and retransmitting it later to gain unauthorized access, which is the definition of a replay attack.
  • B. Man-in-the-middle. This is incorrect because this involves intercepting and potentially modifying communications between two parties, not simply retransmitting captured packets later.
  • C. Session fixation. This is incorrect because this involves forcing a user to use a specific session ID known to the attacker, not capturing and replaying authentication packets.
  • D. Cross-site request forgery. This is incorrect because this involves tricking a user's browser into performing unwanted actions on a website where they are authenticated, not capturing network traffic.

Question 12: An attacker rents a botnet to flood a company's internet connection with 500 Gbps of UDP traffic, saturating the available bandwidth and preventing legitimate users from accessing the company's website. Which is the most accurate description of this attack?

  • A. SYN flood. This is incorrect because this is a specific protocol attack that exploits the TCP handshake, not a bandwidth saturation attack.
  • B. Layer 7. This is incorrect because this refers to application-layer attacks (like HTTP floods) that exhaust server resources, not raw bandwidth saturation.
  • C. Volumetric attack. This is correct because 500 Gbps of UDP traffic is designed to saturate the available bandwidth, which is the definition of a volumetric DDoS attack.
  • D. Reflection/amplification attack. This is incorrect because while the attack might use reflection techniques, "volumetric" is the most accurate description of the 500 Gbps bandwidth flood described.

Question 13: An employee plugs a personal Wireless Access Point into an Ethernet socket in a conference room to get better Wi-Fi coverage, creating an unsecured entry point into the corporate LAN that bypasses the corporate firewall. Which threat is described?

  • A. Evil twin. This is incorrect because an evil twin impersonates a legitimate SSID wirelessly without physical network access, whereas this involves physically plugging hardware into the corporate LAN.
  • B. Rogue AP. This is correct because a rogue access point is an unauthorized wireless access point physically connected to the corporate network, bypassing security controls.
  • C. Jamming. This is incorrect because this involves RF interference to disrupt wireless signals, not creating an access point.
  • D. Disassociation attack. This is incorrect because this involves sending deauthentication frames to disconnect clients, not creating an unauthorized access point.

Question 14: An attacker sets up a Wireless Access Point named "CompanyGuest" that mimics the legitimate "Company-Guest" SSID and captures credentials through a fake captive portal login page. What is the best description for this attack?

  • A. Rogue AP. This is incorrect because a rogue AP is an unauthorized access point physically connected to the network, not an impersonation of a legitimate SSID via a fake portal.
  • B. Bluejacking. This is incorrect because this involves sending unsolicited messages to Bluetooth devices, not Wi-Fi access point impersonation.
  • C. War driving. This is incorrect because this involves scanning for wireless networks while moving, not setting up fake access points.
  • D. Evil twin. This is correct because an evil twin attack involves creating a fake wireless access point with a name mimicking a legitimate SSID to capture credentials via a captive portal.

Question 15: An attacker attempts to authenticate to thousands of user accounts using the same common password "Summer2026!" to avoid triggering account lockout policies that would occur by trying to brute force a single account. Which attack is taking place?

  • A. Offline attack. This is incorrect because password spraying occurs online against live authentication services, not offline against stolen hash databases.
  • B. Password spraying. This is correct because this attack uses a few common passwords against many accounts to avoid account lockout thresholds that would trigger with brute force against single accounts.
  • C. Credential stuffing. This is incorrect because this involves using username/password combinations from previous data breaches, not trying common passwords across many accounts.
  • D. Pass-the-hash. This is incorrect because this involves using stolen password hashes to authenticate, not guessing plaintext passwords.

Question 16: After breaching a user database, an attacker exfiltrates the stolen password hashes and uses a GPU-powered cracking setup with rainbow tables and Hashcat to determine the plaintext passwords without interacting with the target system. Which is the BEST description for this attack?

  • A. Brute force. This is incorrect because while brute force is a method used, "offline attack" more accurately describes the context of cracking stolen hashes without interacting with the target system.
  • B. Password spraying. This is incorrect because this is an online attack against live systems, not offline hash cracking.
  • C. Kerberoasting. This is incorrect because this specifically targets Kerberos service tickets in Windows domains, not general password hash databases.
  • D. Offline attack. This is correct because the attacker is cracking stolen hashes locally using GPU power and rainbow tables without network interaction with the target system.

Question 17: To get accurate patch levels and check for registry configuration issues, a vulnerability scanner logs into target Windows servers using valid domain administrator authentication to inspect installed software and system settings. Which scan type is this?

  • A. Non-credentialed scan. This is incorrect because this type of scan does not log into systems and would miss patch levels and registry settings that require authentication.
  • B. Credentialed scan. This is correct because this scan type uses valid authentication credentials (like domain admin accounts) to log in and inspect installed software, patches, and configurations.
  • C. Port scan. This is incorrect because this only identifies open network ports and services, not detailed patch levels or registry configurations.
  • D. Network discovery scan. This is incorrect because this only maps network topology and identifies live hosts, not vulnerability details requiring authentication.

Question 18: A security analyst uses publicly available search engines to identify and index webpages belonging to their organization that are exposed to the public internet. Which threat intelligence gathering method is this?

  • A. Dark web monitoring. This is incorrect because this involves monitoring hidden services on Tor or I2P networks, not public search engines.
  • B. OSINT. This is correct because Open Source Intelligence involves gathering information from publicly available sources like search engines, social media, and Shodan.
  • C. ISAC sharing. This is incorrect because Information Sharing and Analysis Centers involve sector-specific threat sharing between organizations, not individual use of public search engines.
  • D. HUMINT. This is incorrect because Human Intelligence involves gathering information from human sources, not technical data mining from public sources.

Question 19: A vulnerability scanner reports that a Linux server is vulnerable to CVE-2019-6572 because the installed OpenSSL version appears to be an old version. However, the organization's security team has manually verified that the vendor applied the correct security patch to the installed version, so the vulnerability does not actually exist. What is this scanner result called?

  • A. False negative. This is incorrect because a false negative occurs when a scanner misses a vulnerability that actually exists (underreporting).
  • B. False positive. This is correct because a false positive occurs when a scanner reports a vulnerability that does not actually exist, such as when backported patches make the system secure despite appearing to have an old version number.
  • C. True positive. This is incorrect because this would mean the vulnerability actually exists and was correctly identified, whereas the scenario states the vulnerability does not exist.
  • D. CVSS misconfiguration. This is incorrect because this would involve incorrect scoring of vulnerability severity, not incorrect detection of existence.

Question 20: An organization's vulnerability scanner is configured to only check for CVEs published before 2023. A critical vulnerability in a web application discovered in 2024 is present but not detected by the scan, leaving the organization unaware of the exposure to risk. What is this type of scanning error?

  • A. False positive. This is incorrect because this refers to incorrectly reporting vulnerabilities that don't exist, not missing real ones.
  • B. False negative. This is correct because a false negative occurs when a scanner fails to detect a vulnerability that is actually present, leaving the organization unaware of the risk.
  • C. Configuration drift. This is incorrect because this refers to systems deviating from secure baselines over time, not scanner detection failures.
  • D. Zero-day exception. This is incorrect because this is not a standard term for scanner errors; zero-day refers to unknown vulnerabilities, not configuration errors in scanning tools.