Ann, a security analyst, is preparing for an upcoming security audit. To ensure that she identifies unapplied security controls and patches without attacking or compromising the system, Ann would use which of the following?
A. Vulnerability scanning
B. SQL injection
C. Penetration testing
D. Antivirus update
Correct Answer: A
Section: Threats and Vulnerabilities
A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk
assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.
A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be
exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat
agents, such as malicious hackers.
Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of
the findings that an individual or an enterprise can use to tighten the network’s security.
B: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the
database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string
literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites
but can be used to attack any type of SQL database.
SQL injection is not a method used to test for unapplied security controls and patches.
C: Penetration testing evaluates an organization’s ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain
unauthorized or privileged access to protected assets.
The difference between a vulnerability scan and a penetration test is that by performing a penetration test, you are actually trying to access a system by exploiting a weakness in the
system. This question states that you need to test for unapplied security controls and patches without attacking or compromising the system.
D: An antivirus update is the process of updating the virus definition files used by antivirus software. It is not used to test for unapplied security controls and patches.