PrepAway - Latest Free Exam Questions & Answers

Which of the following should the consultant do in order to produce more accurate results?

An outside security consultant produces a report of several vulnerabilities for a particular server.
Upon further investigation, it is determined that the vulnerability reported does not apply to the
platform the server is running on. Which of the following should the consultant do in order to
produce more accurate results?


A. A black box test should be used to increase the validity of the scan

B. Perform a penetration test in addition to a vulnerability scan

C. Use banner grabbing to identify the target platform

D. Use baseline reporting to determine the actual configuration

One Comment on “Which of the following should the consultant do in order to produce more accurate results?”

  1. meac says:

    Another vague question open to many an interpretation. The answer would depend on which interpretation to use.
    In here we have a “security Consultant” clearly not worth its salt which is tasked to provide a REPORT of possible vulnerabilities for a particular server.
    Yet he bases all his findings using the “wrong platform”. What is meant by that?
    To my mind it means that he could have done a report on a server supposedly using a Windows Operating System, as opposed to Linux (or the other way around).
    Since the report was based on the wrong platform, it has no value whatsoever, and it was both a waste of time and money.
    So what does the “security Consultant” do now? He must go back to the drawing board ensuring that he “produce more accurate results.” In short he must write a new report, and
    i- Determine the correct platform of the server
    ii- Then re-write his report based on any vulnerabilities known to be present on that particular platform

    So to my mind, the FIRST thing he must do is to:
    C. Use banner grabbing to identify the target platform. This is the starting point

    Then he could do:
    D. Use baseline reporting to determine the actual configuration

    I would eliminate the following two from the onset:

    ** A. A black box test should be used to increase the validity of the scan.
    We already know that the “reported vulnerabilities do not apply to the platform the server is running on” so no amount of Black box testing (or white box for that matter) will change that. Also, the “security Consultant” is tasked to provide a REPORT, and not to conduct testing.

    ** B. Perform a penetration test in addition to a vulnerability scan. To perform a penetration test sounds rather dramatic and a bit of an overkill. We do not even know at this stage what platform is being used, nor what the vulnerabilities are if any.
    It is necessary to know what platform is being used, so that we perform the correct tests. And again the “security Consultant” is tasked to provide a REPORT, and not to conduct testing.

    So I stick with C. Use banner grabbing to identify the target platform.




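The check the question turns on, as an added example (not part of the original page or the comment above): scanner findings are triaged against the platform inferred from the service banners a server presented. The banner strings, finding IDs and the `platform` field are constructed for illustration; because banners can be altered or suppressed, conflicting or missing hints send findings to manual review instead of being discarded.

```python
import re

# Constructed banner patterns -> platform family (illustrative, not exhaustive).
PLATFORM_HINTS = [
    (re.compile(r"Microsoft-IIS|Microsoft-HTTPAPI|Windows", re.I), "windows"),
    (re.compile(r"Ubuntu|Debian|CentOS|Red Hat|Linux", re.I), "linux"),
    (re.compile(r"FreeBSD|OpenBSD|NetBSD", re.I), "bsd"),
]

def platform_from_banners(banners):
    """Return the single platform family the banners agree on, else None."""
    seen = set()
    for banner in banners:
        for pattern, family in PLATFORM_HINTS:
            if pattern.search(banner):
                seen.add(family)
                break
    # Conflicting or absent hints: banners can be edited or suppressed,
    # so refuse to guess rather than pick one.
    return seen.pop() if len(seen) == 1 else None

def triage(findings, banners):
    """Split scanner findings into (applicable, mismatched, needs_review)."""
    platform = platform_from_banners(banners)
    applicable, mismatched, review = [], [], []
    for f in findings:
        target = f.get("platform")  # platform the scanner check was written for
        if platform is None or target is None:
            review.append(f["id"])
        elif target in ("any", platform):
            applicable.append(f["id"])
        else:
            mismatched.append(f["id"])
    return applicable, mismatched, review

# Constructed sample data: banners from one server and a scanner's findings.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "Server: Apache/2.4.52 (Ubuntu)",
]
SAMPLE_FINDINGS = [
    {"id": "FINDING-1", "title": "IIS misconfiguration", "platform": "windows"},
    {"id": "FINDING-2", "title": "Outdated OpenSSH package", "platform": "linux"},
    {"id": "FINDING-3", "title": "Weak TLS cipher suites", "platform": "any"},
    {"id": "FINDING-4", "title": "Unclassified plugin output", "platform": None},
]

if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS, SAMPLE_BANNERS))
```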