
Exam SY0-501 topic 1 question 457 discussion

Actual exam question from CompTIA's SY0-501
Question #: 457
Topic #: 1

A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed.
Which of the following would BEST provide the needed information?

  • A. Penetration test
  • B. Vulnerability scan
  • C. Active reconnaissance
  • D. Patching assessment report
Suggested Answer: A

Comments

Jenkins3mol
Highly Voted 5 years, 8 months ago
"a specific version of a technology the company uses to support many critical application." Let's do a penetration test! You gotta be kidding me...
upvoted 17 times
who__cares123456789___
4 years, 5 months ago
Not real sure why you wouldn't just patch it if it was out... and surely if it's on the news then a patch is in the works! SO I guess you replicate the crit sys on a VM and attack that? Else you do what the attacker MIGHT do!! Surely they just want to see if you know the difference in scanning and testing... if that is the case, PENTEST, since they want to know the extent that actual attacks can affect the system... This test SUCKS!!
upvoted 1 times
Stefanvangent
Highly Voted 5 years, 8 months ago
"to what extent the company could be harmed." It seems like this is the key part of the question. With a pen test they can see how much damage can be done to their critical system.
upvoted 13 times
ZiggyZach
5 years ago
But it also says he wants to see if it exists. Wouldn't you do a vulnerability scan first to see if it exists in his network?
upvoted 4 times
choboanon
4 years, 10 months ago
A vuln scan would show there's a vuln; it wouldn't show how much damage could be done. A pen test would show how much damage could be done, which is what the question is asking.
upvoted 1 times
Teza
4 years, 9 months ago
A pen test will check for the vulnerability and then exploit it.
upvoted 1 times
prntscrn23
Most Recent 3 years, 10 months ago
"The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed." I am assuming things based on the question... I think the vuln scan is done already. Now he wants to take the matter further, and by that he means do a pentest to see the possible damage it can do. From there the CIO will get a clear view to further protect his org by reviewing the results of the pentest.
upvoted 1 times
fonka
3 years, 11 months ago
The CIO already knows the importance of a vulnerability scan, but he wants to go further and know if these known vulnerabilities can be exploited, meaning if the identified problem can give access to strangers or let them access information from the server using back doors. This requires pen testers, because a vulnerability scan does not tell the detail. Here's a good analogy: A vulnerability scan is like walking up to a door, checking to see if it is unlocked, and stopping there. A penetration test goes a bit further; it not only checks to see if the door is unlocked, but it also opens the door and walks right in.
upvoted 2 times
Irv_NewJersey
4 years, 6 months ago
It's on the news that it exists with the same version that the company uses, so there is no need to do a vulnerability scan, which would only confirm it. The CIO wants to know "to what extent the company could be harmed". A penetration test will answer that. Since it's recent and probably no patch is available yet, the scanner won't have this vulnerability stored in the scanner's database. Remember, these scanners use a database or dictionary of known vulnerabilities to test systems/networks against. Once you know what harm it does, they can work on implementing a patch if needed.
upvoted 1 times
Irv_NewJersey
4 years, 6 months ago
So the answer is A.
upvoted 1 times
jinjection
4 years, 7 months ago
CORRECT PENTEST
upvoted 1 times
Hanzero
4 years, 8 months ago
Since the technology has some security flaws already, a vulnerability scan won't do much other than confirming that it exists. We already know there is a flaw, so a scan would just show it exists. I think A is correct to measure to what extent the company could be harmed. How will a vulnerability scan accomplish this? It won't. A IS CORRECT!!
upvoted 2 times
Hunter_007
4 years, 9 months ago
I mean, it's really straightforward. To know if the vulnerability exists, you'll need to do a vulnerability scan; to determine how much harm can be done, you'll need a penetration test. And if my memory serves me right, a vulnerability scan is one of the penetration testing stages! We really need to quit overthinking things.
upvoted 1 times
spoonieg
4 years, 9 months ago
It's a trick question. There's an "if/then" premise: if you have technology "x", then you have the significant security flaw. Since you know from the first sentence that your company does have this software, then you know that you already have the vulnerability. What you don't know is "the extent to which the company could be harmed". So that's why you need the penetration test.
upvoted 1 times
maxjak
4 years, 9 months ago
Shouldn't it be B, vulnerability scan?!
upvoted 1 times
CoRell
4 years, 9 months ago
Vulnerability scan.
upvoted 1 times
Borislone
4 years, 10 months ago
I will go with B.
upvoted 1 times
Toyeeb
4 years, 11 months ago
I think you all forgot about the risk score, which is available after a vulnerability scan is done. With that you know the risk the vulnerability entails.
upvoted 1 times
MagicianRecon
4 years, 11 months ago
So penetration testing does not include vulnerability scanning/reconnaissance, active or passive? All need to hit the books again!!!
upvoted 2 times
babypoo
4 years, 11 months ago
A vulnerability scan only shows an exploit exists, but a penetration test will show the extent of damage done to the system, so the answer is correct: penetration test.
upvoted 1 times
SimonR2
5 years ago
The question asks, in this order: does the vulnerability exist? = vulnerability scan; to what extent the company could be harmed = pen test. Therefore, perform the vulnerability scan first.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other