Chapter 08 – Using Risk Management Tools

CompTIA Security+ (SY0-701) – Chapter 8

1 / 141

What does the term ’mitigation’ refer to in the context of risk management?

2 / 141

What best describes the approach of testers during an unknown environment test in security testing?

3 / 141

What is the risk associated with ’Software compliance/licensing’ in an organization?

4 / 141

In risk assessment, why is it important to identify the value of an asset?

5 / 141

What is considered an ’external’ risk in relation to CompTIA Security+ understanding?

6 / 141

What does the term ’Control risk’ refer to in the context of risk management?

7 / 141

What is the role of senior management in risk management?

8 / 141

What is the purpose of the Monitor Security Controls step in the Risk Management Framework?

9 / 141

In a qualitative risk assessment, how would experts likely rate the probability and impact of risks associated with a web server selling products on the Internet?

10 / 141

What process do personnel follow during the ’Select security controls’ step of the RMF as defined by NIST SP 800-37?

11 / 141

What different types of methods do penetration testers use during the reconnaissance phase?

12 / 141

What does the Common Vulnerability Scoring System (CVSS) do?

13 / 141

What does Single loss expectancy (SLE) in a quantitative risk assessment represent?

14 / 141

What does the Intellectual Property (IP) theft risk category refer to?

15 / 141

What is the significance of open ports and services in the context of system vulnerabilities?

16 / 141

What is the primary function of the Curl in network reconnaissance and discovery?

17 / 141

What is the primary challenge associated with a qualitative risk assessment?

18 / 141

How are intrusive and non-intrusive scan methods comparable to penetration testing and vulnerability scanning?

19 / 141

What does the SOC 2 Type I report cover in an organization?

20 / 141

Which of the following is NOT typically included in the ’Cleanup’ step of a penetration test?

21 / 141

What is the purpose of a protocol analyzer in respect to packet capture and replay?

22 / 141

What does a supply chain include according to the given text?

23 / 141

What is the primary risk related to legacy systems and platforms?

24 / 141

Which of the following accurately describes Threat Hunting?

25 / 141

What characterizes known environment testing in the context of system and application tests?

26 / 141

What is the primary function of an exploitation framework?

27 / 141

What is the difference between offline and online password crackers?

28 / 141

What is a common technique used by penetration testers and attackers to maintain persistence within a network?

29 / 141

What is the best way to define risk in the context of cybersecurity?

30 / 141

What information does the output of a vulnerability scan typically show?

31 / 141

What is the difference between SOC 2 Type I and SOC 2 Type II report in terms of operational effectiveness?

32 / 141

What step of the Risk Management Framework (RMF) involves determining the adverse impact to operations and assets if there is a loss of confidentiality, integrity, and availability?

33 / 141

What is a cybersecurity framework?

34 / 141

Which of the following correctly explains the function and purpose of the Common Vulnerability Scoring System (CVSS)?

35 / 141

What is the primary difference between a vulnerability scan and a penetration test?

36 / 141

What is the primary focus of ISO 27701 in regards to cybersecurity?

37 / 141

What does a vulnerability scanner detect with relation to weak configurations?

38 / 141

Which of the following best describes the ’Scanless’ tool?

39 / 141

What are the five functions of the ’Framework core’ in the NIST Cybersecurity Framework (CSF)?

40 / 141

Which of the following is NOT considered a risk type based on the given text?

41 / 141

Which of the following is NOT typically included in the high-level steps of a vulnerability assessment?

42 / 141

Which techniques are often used by penetration testers to gain more privileges in a system?

43 / 141

What is Open Source Intelligence (OSINT) and where can it be sourced from?

44 / 141

What does the ’likelihood of occurrence’ refer to in a qualitative risk assessment?

45 / 141

What step does a senior management official authorize information systems in the seven-step process of the Risk Management Framework (RMF)?

46 / 141

What is the purpose of threat intelligence fusion in the process of threat hunting?

47 / 141

What is the main function of the Dnsenum command in network reconnaissance?

48 / 141

Which of the following methods that a network scanner uses involves checking for open ports on a system?

49 / 141

What are the forms of threats discussed in the context of risk management?

50 / 141

What is the primary role of the white team in cybersecurity readiness exercises?

51 / 141

Which of the following describes a Multiparty risk?

52 / 141

Which of the following is an example of a vulnerability due to lack of organizational policies?

53 / 141

What type of tool was discussed in this section that is used to capture network traffic?

54 / 141

What is the definition of a false positive in vulnerability scanning?

55 / 141

Which team in a cybersecurity exercise is responsible for attacking systems, breaking into defenses, and exploiting vulnerabilities?

56 / 141

What is the purpose of a risk register in cybersecurity?

57 / 141

What is a reference architecture in cybersecurity?

58 / 141

What is the main difference between NetFlow and sFlow protocols?

59 / 141

Which risk management strategy involves transferring the risk to an entity?

60 / 141

What is one primary use of the Metasploit Framework?

61 / 141

Which of the following correctly describes partially known environment testing?

62 / 141

What happens if root accounts, such as the Administrator account on Windows systems or the Root account on Linux systems, are not protected with strong passwords?

63 / 141

What would be the best practice when configuring a Windows system for increased security?

64 / 141

What is the purpose of Framework profiles as a part of the NIST Cybersecurity Framework?

65 / 141

What does a risk matrix do?

66 / 141

Which risk management strategy does an organization use when it decides not to provide a service or participate in an activity it deems too risky?

67 / 141

What does it mean when a system is not ’hardened’?

68 / 141

What is the Common Vulnerability Scoring System (CVSS)?

69 / 141

What is the main purpose of ISO 27002 standard?

70 / 141

What is a reason for not using Secure Sockets Layer (SSL) as per the text?

71 / 141

What does vulnerability scanner include to discover weak passwords and verify the strength of the passwords?

72 / 141

What could potentially happen if a system lacks malware protection or updated definitions?

73 / 141

What is the primary function of Nessus in security testing?

74 / 141

What is one of the primary benefits of bug bounty programs for companies?

75 / 141

Which standard provides organizations with best practices guidance in complement to ISO 27001?

76 / 141

What is the purpose of a configuration compliance scanner in the configuration review process?

77 / 141

Why are open permissions considered a potential vulnerability on systems?

78 / 141

What does ARO stand for in quantitative risk assessment, and what does it signify?

79 / 141

What does the term ’Risk awareness’ in the context of risk management represent?

80 / 141

What is a Risk Register in the context of cybersecurity risk analysis?

81 / 141

Which of the following is a true statement about Nmap based on the passage?

82 / 141

What is one purpose of threat feeds in relation to threat hunting?

83 / 141

What is an ARP ping scan used for in network scanning?

84 / 141

What is the primary function of the ’Red team’ in a cybersecurity exercise?

85 / 141

What does ’Lateral Movement’ refer to in the context of cyber security?

86 / 141

What does the Annual Loss Expectancy (ALE) represent in a quantitative risk assessment?

87 / 141

What is the purpose of OS detection as used by a network scanner?

88 / 141

What are Internal risks in the context of risk categories?

89 / 141

What is the purpose or function of a Syn stealth scan when used by a network scanner?

90 / 141

How does a credentialed scan differ from a non-credentialed scan in terms of results and impacts on the system?

91 / 141

What is the main difference between vulnerability scanners and penetration tests?

92 / 141

What differentiates a service scan from a port scan?

93 / 141

What is the term for the scenario when an organization decides to tolerate the risk because the cost of implementing controls exceeds the risk?

94 / 141

What is the main functionality of the Sn1per tool during the network reconnaissance and discovery phase?

95 / 141

Which network reconnaissance tool uses plug-ins to perform various scans against both Windows and Unix systems and is often used for configuration reviews?

96 / 141

What is the main differentiation between passive and active reconnaissance based on the given passage?

97 / 141

What is one of the vulnerabilities associated with a system’s default configurations?

98 / 141

What does ’True negative’ mean in the context of a vulnerability scanner?

99 / 141

What does a Port Scan in network scanning signify?

100 / 141

What is the main purpose of conducting ’Initial Exploitation’ as part of a penetration testing process?

101 / 141

What is the role of the Blue team in cybersecurity exercises?

102 / 141

What is the primary purpose of the Netcat tool?

103 / 141

Which command, as discussed in Chapter 1, can be used to send pings using TCP, UDP, or ICMP and also scan systems for open ports on remote systems?

104 / 141

What are some examples of unsecure protocols mentioned in the text?

105 / 141

What is the purpose of changing many default settings as mentioned in system security?

106 / 141

What is a primary use of a protocol analyzer?

107 / 141

What is the role of the ’Assess security controls’ step in the Risk Management Framework (RMF)?

108 / 141

What is the focus of BeEF (Browser Exploitation Framework)?

109 / 141

What is the primary purpose of ISO 27001 in the context of cybersecurity?

110 / 141

What is the correct formula for calculating Annual Loss Expectancy (ALE) in a quantitative risk assessment?

111 / 141

What does the term ’Risk appetite’ refer to in the context of risk management?

112 / 141

What is the purpose of the ’Categorize information systems’ step in the Risk Management Framework (RMF) as described in the NIST SP 800-37?

113 / 141

What differentiates the three types of testing environments – Unknown, Known, and Partially Known?

114 / 141

What is the primary purpose of the Common Vulnerability Scoring System (CVSS)?

115 / 141

What is a ’True Positive’ as referenced in scanning a system for vulnerabilities?

116 / 141

Which among these is not a function of the tcpdump command?

117 / 141

What are the three main categories of threats discussed in the section ’Environmental threats’?

118 / 141

What is the purpose of the ’Prepare’ step in the Risk Management Framework (RMF) outlined in NIST SP 800-37?

119 / 141

What is the role of the Purple team in cybersecurity readiness exercises?

120 / 141

What is the purpose of the final phase of a risk assessment?

121 / 141

In a qualitative risk assessment, how was the risk of a library computer categorized?

122 / 141

What are Adversary tactics, techniques, and procedures (TTPs) as defined by The National Institute of Standards and Technology (NIST)?

123 / 141

What are the four tiers in the Framework implementation component of the NIST Cybersecurity Framework (CSF)?

124 / 141

What is the process of footprinting in the context of penetration testing?

125 / 141

What is a false positive in context of vulnerability scanning?

126 / 141

What does fingerprinting technique in a penetration test typically identify?

127 / 141

What does the ISO 31000 family of standards provide?

128 / 141

Which of the following best describes an accidental human threat as mentioned in the context of risk management?

129 / 141

What actions are commonly included in a vulnerability scan?

130 / 141

What are the two methods of reconnaissance used by penetration testers?

131 / 141

What is the stated goal of the w3af (Web Application Attack and Audit Framework)?

132 / 141

What is the result of improper or weak patch management?

133 / 141

What is an example of an accidental human threat within a system?

134 / 141

What is the primary advantage of performing a penetration test on test systems rather than the live production systems?

135 / 141

Which of the following is NOT a risk management strategy employed by organizations?

136 / 141

What is residual risk in the context of risk management?

137 / 141

Why is obtaining authorization before beginning any vulnerability or penetration testing important?

138 / 141

What does impact refer to in the context of a qualitative risk assessment?

139 / 141

What is a false negative in the context of vulnerability scanning?

140 / 141

What are the seven steps in the Risk Management Framework (RMF) according to NIST SP 800-37?

141 / 141

What does the process of ’Pivoting’ refer to in the context of a penetration test?

Your score is

Boost Your Skills with Free Anki Flashcards

Click the download button to get the CompTIA Security+ Anki deck.

Anki deck of CompTIA A+ Practice Questions images

Boost your IT skills with our free CompTIA Security+ practice test focusing on Chapter 08: Using Risk Management Tools. Whether you’re entering the IT industry or advancing in cyber security, our resources are here to help you succeed in the CompTIA Exam.

Why Choose Our CompTIA Security+ Practice Test?

  • Skill Enhancement:

Covers essential techniques for using risk management tools crucial for the CompTIA Exam.

  • Career Advancement:

Passing the CompTIA Security+ exam can open doors to new job opportunities and significant career changes in the IT industry.

  • Vulnerability Management:

Master the art of using risk management tools, a key skill in cyber security.

Free Anki Deck Download

Download our free Anki Deck, reviewed by industry expert Josh Madakor, who has extensive experience in IT and cyber security, including work with Microsoft and government sectors. Learn more about Anki on the official site.

 

Get Started with Your IT Career Change Today!

Visit the CompTIA Security+ official site and the CompTIA Network+ official site for more information.

Explore our other free practice tests:
Share the Post:

Related Posts

RSS  
  • Discover How to Work Remotely and Travel!
    Have you ever dreamed about working from beautiful places like Thailand or Japan, but weren’t sure if it’s possible? I’m here to share my adventures and some tips on how to make working remotely while exploring the world a reality.  Who Am I? My name is Josh, and I’m all about creating helpful content on […]
  • Why Contract Work in IT Can Be a Good Start for Your Career
    Hey buddies! Are you curious about what it’s like to work in IT and cyber security? Well, you’re in luck because today we’re diving into the world of contract work and how it might just be the jumpstart your career needed! Getting Into the World of Contract Work in IT Josh, an expert in IT […]
  • Is Cyber Security a Career That Will Last Forever?
    Hey everyone! Have you ever wondered if choosing a career in cyber security is a good idea for the long haul? Well, let’s dive into this topic with the help of Josh Maor’s insights, and find out why cyber security might just be one of the smartest career choices out there. What Is Cyber Security? […]
IT Course

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

Ready to get started your journey?
Cyber Course

The Affordable, Hands-On Cyber Security that gets Results!

Ready to get started your journey?

JOIN OUR

NEWSLETTER

Sign up for our free newsletters.

by joining 8000+ others in my weekly newsletter 

where you’ll get a dose of my thoughts on self-improvement, career,

and life!