11. Which steps are applied when using an attacker mindset? Select three answers.
- Evaluate a target’s attack vectors
- Identify a target
- Stay in communication with a target
- Determine how a target can be accessed
12. How can businesses reduce the number of attack vectors they must defend? Select three answers.
- By educating users so they can participate in preventing attacks
- By totally restricting information from being shared
- By controlling access and authorization to assets
- By implementing security controls that protect information
Weekly challenge 3
13. Consider the following scenario:
A cloud service provider has misconfigured a cloud drive. They’ve forgotten to change the default sharing permissions. This allows all of their customers to access any data that is stored on the drive.
This misconfigured cloud drive is an example of what?
- A threat
- An exploit
- A security control
- A vulnerability
14. Fill in the blank: The five layers of the defense in depth model are: perimeter, network, endpoint, application, and _____.
- session
- transport
- physical
- data
15. What is the difference between the application and data layers of the defense in depth model?
- The application layer authorizes users who have access to perform a duty. The data layer maintains the integrity of information with controls like encryption and hashing.
- The data layer includes controls like encryption and hashing to secure data at rest. The application layer authorizes users who have access to perform a duty.
- The application layer secures information with controls that are programmed into the application itself. The data layer maintains the integrity of information with controls like encryption and hashing.
- The data layer authenticates users to only allow access to trusted parties. The application layer secures information with controls that are programmed into the application itself.
16. What is the main purpose of the CVE® list?
- To create a dictionary of threats to organizational assets that must be addressed
- To share a standard way of identifying and categorizing known vulnerabilities and exposures
- To keep a record of the coding mistakes of major software developers
- To collect information on vulnerabilities and exposures performed by independent researchers
17. A security team is preparing new workstations that will be installed in an office.
Which vulnerability management steps should they take to prepare these workstations? Select three answers.
- Download the latest patches and updates for each system.
- Install a suite of collaboration tools on each workstation.
- Consider who will be using each computer.
- Configure the company firewall to allow network access.
18. A security team is conducting a periodic vulnerability assessment on their security procedures. Their objective is to review gaps in their current procedures that could lead to a data breach. After identifying and analyzing current procedures, the team conducts a risk assessment.
What is the purpose of performing a risk assessment?
- To adjust current security procedures
- To score vulnerabilities based on their severity and impact
- To simulate attacks that could be performed against each vulnerability
- To fix vulnerabilities that have been identified
Shuffle Q/A 2
19. Fill in the blank: All the potential vulnerabilities that a threat actor could exploit is called an attack _____.
- database
- vector
- surface
- network
20. An online newspaper suffered a data breach. The attackers exploited a vulnerability in the login form of their website. The attackers were able to access the newspaper’s user database, which did not encrypt personally identifiable information (PII).
What attack vectors did the malicious hackers use to steal user information? Select two answers.
- The online login form
- The unencrypted PII
- The newspaper’s website
- The user database