Assets, Threats and Vulnerabilities: Coursera Weekly Challenge 3 Answers
Test your knowledge: Flaws in the system
1. Which of the following are steps in the vulnerability management process? Select two answers.
- Identify vulnerabilities
- Catalog organizational assets
- Assign a CVE® ID
- Prepare defenses against threats
2. An organization is attacked by a vulnerability that was previously unknown. What is this exploit an example of?
- A cipher
- An asset
- A zero-day
- A perimeter layer
3. Which layer of the defense in depth strategy is a user authentication layer that mainly filters external access?
- Endpoint
- Data
- Network
- Perimeter
4. A security researcher reports a new vulnerability to the CVE® list. Which of the following criteria must the vulnerability meet before it receives a CVE® ID? Select two answers.
- It must affect multiple applications.
- The submission must have supporting evidence.
- The vulnerability must be unknown to the developer.
- It must be independently fixable.
Test your knowledge: Identify system vulnerabilities
5. Fill in the blank: A vulnerability ____ refers to the internal review process of an organization’s security systems.
- assessment
- scoring
- patch
- scanner
6. What are the goals of a vulnerability assessment? Select two answers.
- To reduce overall threat exposure
- To detect network traffic
- To audit regulatory compliance
- To identify existing weaknesses
7. Which of the following remediation examples might be implemented after a vulnerability scan? Select two answers.
- Training employees to follow new security procedures
- Identifying misconfigurations in an application
- Locating vulnerabilities in workstations
- Installing software updates and patches
8. What are two types of vulnerability scans? Select two answers.
- Patch or upgrade
- Authenticated or unauthenticated
- Limited or comprehensive
- Risk or threat
Test your knowledge: Cyber attacker mindset
9. What is the difference between an attack vector and an attack surface?
- An attack surface refers to all the weaknesses of an asset that can be attacked; an attack vector refers to an outdated and vulnerable network.
- An attack vector refers to the pathways attackers use to penetrate security defenses; an attack surface refers to all the vulnerabilities of an asset that can be exploited.
- An attack surface refers to the specific pathway of exploiting a weakness; an attack vector refers to all the weaknesses of an asset that can be exploited.
- An attack surface refers to the specific method of attack; an attack vector refers to an outdated and vulnerable network.
10. What are examples of security hardening? Select three answers.
- Restarting a crashed application
- Hashing all user passwords
- Keeping systems patched and updated
- Disabling inactive network ports
11. Which steps are applied when using an attacker mindset? Select three answers.
- Evaluate a target’s attack vectors
- Identify a target
- Stay in communication with a target
- Determine how a target can be accessed
12. How can businesses reduce the number of attack vectors they must defend? Select three answers.
- By educating users so they can participate in preventing attacks
- By totally restricting information from being shared
- By controlling access and authorization to assets
- By implementing security controls that protect information
Weekly challenge 3
13. Consider the following scenario:
A cloud service provider has misconfigured a cloud drive. They’ve forgotten to change the default sharing permissions. This allows all of their customers to access any data that is stored on the drive.
This misconfigured cloud drive is an example of what?
- A threat
- An exploit
- A security control
- A vulnerability
14. Fill in the blank: The five layers of the defense in depth model are: perimeter, network, endpoint, application, and _____.
- session
- transport
- physical
- data
15. What is the difference between the application and data layers of the defense in depth model?
- The application layer authorizes users who have access to perform a duty. The data layer maintains the integrity of information with controls like encryption and hashing.
- The data layer includes controls like encryption and hashing to secure data at rest. The application layer authorizes users who have access to perform a duty.
- The application layer secures information with controls that are programmed into the application itself. The data layer maintains the integrity of information with controls like encryption and hashing.
- The data layer authenticates users to only allow access to trusted parties. The application layer secures information with controls that are programmed into the application itself.
16. What is the main purpose of the CVE® list?
- To create a dictionary of threats to organizational assets that must be addressed
- To share a standard way of identifying and categorizing known vulnerabilities and exposures
- To keep a record of the coding mistakes of major software developers
- To collect information on vulnerabilities and exposures performed by independent researchers
17. A security team is preparing new workstations that will be installed in an office.
Which vulnerability management steps should they take to prepare these workstations? Select three answers.
- Download the latest patches and updates for each system.
- Install a suite of collaboration tools on each workstation.
- Consider who will be using each computer.
- Configure the company firewall to allow network access.
18. A security team is conducting a periodic vulnerability assessment on their security procedures. Their objective is to review gaps in their current procedures that could lead to a data breach. After identifying and analyzing current procedures, the team conducts a risk assessment.
What is the purpose of performing a risk assessment?
- To adjust current security procedures
- To score vulnerabilities based on their severity and impact
- To simulate attacks that could be performed against each vulnerability
- To fix vulnerabilities that have been identified
19. Fill in the blank: All the potential vulnerabilities that a threat actor could exploit are called an attack _____.
- database
- vector
- surface
- network
20. An online newspaper suffered a data breach. The attackers exploited a vulnerability in the login form of their website. The attackers were able to access the newspaper’s user database, which did not encrypt personally identifiable information (PII).
What attack vectors did the malicious hackers use to steal user information? Select two answers.
- The online login form
- The unencrypted PII
- The newspaper’s website
- The user database
21. A security team is performing a vulnerability assessment on a banking app that is about to be released. Their objective is to identify the tools and methods that an attacker might use.
Which steps of an attacker mindset should the team perform to figure this out? Select three answers.
- Consider potential threat actors.
- Identify a target.
- Evaluate attack vectors that can be exploited.
- Determine how the target can be accessed.
22. Consider the following scenario:
You are working as a security professional for a school district. An application developer with the school district created an app that connects students to educational resources. You’ve been assigned to evaluate the security of the app.
Using an attacker mindset, which of the following steps would you take to evaluate the application? Select two answers.
- Integrate the app with existing educational resources.
- Identify the types of users who will interact with the app.
- Ensure the app’s login form works.
- Evaluate how the app handles user data.
23. An application has broken access controls that fail to restrict any user from creating new accounts. This allows anyone to add new accounts with full admin privileges.
The application’s broken access controls are an example of what?
- A vulnerability
- An exploit
- A threat
- A security control
24. Which of the following layers do not provide protection for information that users provide? Select two answers.
- The perimeter layer
- The network layer
- The data layer
- The application layer
25. Which layer of the defense in depth model is a user authentication layer that can include usernames and passwords?
- Perimeter
- Network
- Endpoint
- Application
26. Which of the following are characteristics of the vulnerability management process? Select two answers.
- Vulnerability management is a way to discover new assets.
- Vulnerability management is a way to limit security risks.
- Vulnerability management should consider various perspectives.
- Vulnerability management should be a one-time process.
27. What are the two types of attack surfaces that security professionals defend? Select two answers.
- Digital
- Physical
- Intellectual property
- Brand reputation
28. A project manager at a utility company receives a suspicious email that contains a file attachment. They open the attachment and it installs malicious software on their laptop.
What are the attack vectors used in this situation? Select two answers.
- The suspicious email
- The infected workstation
- The malicious software
- The file attachment
29. What is not a step of practicing an attacker mindset?
- Evaluate attack vectors that can be exploited.
- Determine how a target can be accessed.
- Identify ways to fix existing vulnerabilities.
- Find the tools and methods of attack.
30. A hotel chain has outdated WiFi routers in their guest rooms. An attacker hacked into the devices and stole sensitive information from several guests.
The outdated WiFi router is an example of what?
- An exploit
- A vulnerability
- A threat
- An access control
31. Which layer of the defense in depth model relates to user devices that have accessed a network?
- Endpoint
- Application
- Perimeter
- Data
32. Which of the following are criteria that a vulnerability must meet to qualify for a CVE® ID? Select all that apply.
- It can only affect one codebase.
- It must be submitted with supporting evidence.
- It must be independent of other issues.
- It must be recognized as a potential security risk.
- It must pose a financial risk.
33. Which of the following are reasons that security teams practice an attacker mindset? Select three answers.
- To identify attack vectors
- To exploit flaws in an application’s codebase
- To uncover vulnerabilities that should be monitored
- To find insights into the best security controls to use
34. Fill in the blank: According to the CVE® list, a vulnerability with a score of _____ or above is considered to be a critical risk to company assets that should be addressed right away.
- 11
- 1
- 9
- 4
35. You are tasked with performing a vulnerability assessment of an onsite server. After scanning the server, you discover that its operating system is missing several new updates.
What are two steps that you might take next to complete the vulnerability assessment? Select two answers.
- Investigate critical system updates that are available.
- Scan the millions of devices that connect to the server.
- Perform a risk assessment of the old operating system.
- Deactivate the server because its operating system is outdated.