This practice test covers Domain 3 (System Hacking Phases and Attack Techniques) Subdomain 1 (Vulnerability Analysis) from the CEH v13 (312-50v13) exam blueprint (v5).

These questions are inspired by the EC-Council CEH exam and are designed to help you test your knowledge of ethical hacking tools, techniques, and methodologies. Some questions require multiple correct answers.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the skills and knowledge tested in the CEH exam.

Note: CEH and Certified Ethical Hacker are registered trademarks of EC-Council. This content is not affiliated with or endorsed by EC-Council.

CEH v13 Domain 3.1 Practice Test 002
10 questions • 8 single-answer, 2 multi-select

Question 1
Elijah, a security engineer contracted by a mid-sized healthcare provider, is tasked with conducting a comprehensive vulnerability assessment across all Windows servers in the environment. The organization has strict compliance requirements under HIPAA and needs a thorough inventory of software vulnerabilities, missing patches, and configuration weaknesses. Elijah configures his Nessus scanner with local administrator credentials for each target system rather than running an unauthenticated scan. The credentialed assessment returns 312 findings, while a prior unauthenticated scan of the same targets returned only 47 findings. Why does the credentialed scan return significantly more vulnerability findings than the unauthenticated scan?

Question 2
A security analyst is reviewing the output of a Qualys vulnerability scan performed against a production web server. She notices a critical finding flagged with a CVSS v3.1 base score of 9.8, calculated with an attack vector of Network, attack complexity of Low, privileges required of None, and user interaction of None. She must prioritize remediation and explain the severity to the development team in a team briefing. Which CVSS v3.1 qualitative severity rating corresponds to a base score of 9.8, and what does the 'Attack Vector: Network' metric indicate about exploitability?

Question 3
A security team at an enterprise financial institution is designing their annual vulnerability assessment strategy. The CISO has expressed concerns about potential disruption to legacy systems running critical transaction-processing applications during scanning. The team is evaluating active versus passive vulnerability assessment approaches to minimize operational risk. A junior analyst recommends passive assessment for initial baseline discovery. Which of the following best describes a defining characteristic of passive vulnerability assessment that distinguishes it from active vulnerability assessment?

Question 4
Select all that apply
A cloud security analyst at a SaaS company is establishing a vulnerability management program across a hybrid environment consisting of AWS EC2 instances, on-premises Windows and Linux servers, and containerized microservices. She needs to select dedicated vulnerability assessment tools that can perform authenticated network scans, generate risk-prioritized reports tied to CVE data, and integrate with ticketing systems for remediation workflows. The tools must specialize in vulnerability detection and reporting rather than exploitation. The organization's procurement team has shortlisted five tools for evaluation. Which of the following tools are primarily designed for vulnerability assessment and scanning? (Choose two)

Question 5
Kevin, a junior security analyst at a managed security service provider, is reviewing a vulnerability report generated by a Nessus scan. The report references identifiers including CVE-2021-44228, CWE-502, and supplemental data pulled from the NVD. His senior colleague asks him to explain the purpose of each identifier during a team knowledge-sharing session. Kevin must correctly distinguish the roles of CVE, CWE, and NVD in the vulnerability classification ecosystem. Which of the following correctly describes the relationship between CVE, CWE, and NVD?

Question 6
A web application security assessor is engaged by a regional e-commerce company to perform an external vulnerability assessment of their customer-facing Apache web server. The assessor needs a tool specifically designed to detect common web server misconfigurations, outdated server software versions, dangerous HTTP methods such as PUT and DELETE, default files and scripts left on the server, and known CGI vulnerabilities. The target is running Apache 2.4.29 on Ubuntu 18.04 and is externally accessible over HTTPS on port 443. Which tool is best suited for this web server vulnerability assessment?

Question 7
A vulnerability management team at a large hospital network is designing their assessment strategy to comply with HIPAA Security Rule requirements. They must conduct both internal and external vulnerability assessments quarterly. The security architect briefs the CISO on the difference between the two assessment types, explaining that they simulate completely different threat perspectives and should not be used interchangeably. The CISO asks for a clear explanation of what distinguishes an external vulnerability assessment from an internal one in terms of scope, attacker perspective, and targets evaluated. Which of the following best describes the primary distinction between external and internal vulnerability assessments?

Question 8
Select all that apply
Jane, a security consultant, is performing a vulnerability assessment of an industrial control system (ICS) environment at a power generation facility. After completing the scan using a specialized OT-aware scanner, she must classify the discovered vulnerabilities into categories for the executive risk report. Her methodology requires alignment with recognized vulnerability classification frameworks used in professional vulnerability assessments. The facility's compliance officer asks Jane to confirm which categories are valid, industry-recognized vulnerability types used to classify findings. Which of the following represent valid, recognized vulnerability classification categories used in vulnerability assessment methodologies? (Choose two)

Question 9
A penetration testing firm has just completed a comprehensive vulnerability assessment for a large retail organization covering over 500 hosts across three geographic locations. The engagement generated thousands of raw findings that must now be compiled into a formal deliverable. The lead assessor explains that the report must serve two distinct audiences simultaneously: the executive leadership team, who need to understand business risk, compliance exposure, and strategic recommendations without deep technical jargon; and the IT security operations team, who need specific CVE numbers, affected host IPs, tool output, and step-by-step remediation guidance. Which of the following correctly identifies the two primary structural components of a standard vulnerability assessment report?

Question 10
An enterprise IT security team is implementing a formal vulnerability management program for the first time across a 2,000-node corporate network. The program manager wants to ensure the team follows a structured, repeatable lifecycle to continuously discover, evaluate, prioritize, and remediate vulnerabilities rather than performing ad-hoc scans in response to incidents. She describes the lifecycle as a continuous loop that starts with understanding what assets exist in the environment and ends with confirming that identified vulnerabilities have been successfully resolved before moving on. Which of the following best represents the correct sequence of phases in a standard vulnerability management lifecycle?
