Exam SY0-701 topic 1 question 101 discussion

False Positive: A false positive occurs when a vulnerability scanner incorrectly identifies a vulnerability that doesn’t actually exist. In this case, the initial vulnerability report flagged the use of an insecure network protocol (Telnet) on the server at 192.168.14.6. However, the follow-up test using Nmap with the telnet-encryption script revealed that the Telnet server supports encryption. Since encryption enhances security, the initial report was incorrect. Therefore, the conclusion is that the initial report was a false positive.

Why This Is a False Positive: 1. Understanding Telnet: General Security Issues: Telnet typically transmits data in plaintext, making it susceptible to eavesdropping and other security vulnerabilities. This is why it is often flagged in security scans. 2. Encryption Support: Security Enhancement: The presence of encryption changes the security profile of Telnet. If encryption is supported and properly implemented, the transmission of data is secure, counteracting the usual vulnerabilities associated with Telnet. 3. Initial Assessment: Misinterpretation: The initial report indicated a vulnerability due to a general assumption that Telnet is insecure, without verifying the specific configuration that includes encryption. 4. Conclusion: False Positive: Since the Telnet server supports encryption, the assumption of insecurity was incorrect. The vulnerability scanner flagged an issue based on typical characteristics rather than the actual configuration of this specific Telnet implementation.

The vulnerability scanning report initially flags the Telnet service as using an insecure protocol. Traditionally, Telnet sends data, including credentials, in cleartext, which makes it inherently insecure when compared to encrypted protocols like SSH. However, the security analyst's follow-up test using Nmap with the --script telnet-encryption option reveals that the Telnet server actually supports encryption. This means that the Telnet service in question is not transmitting data in cleartext as a standard Telnet service would. So clearly it is false positive.

I thought D at first but now I believe it is A and here is why. The scan just picks up on Telnet which is not secure. The command ...telnet-encryption, was ran to see if encryption was enabled. It is enabled so therefore it is secure. The analyst didn't enable it or change anything but is now aware that it is safe and therefore a false positive.

I think Compensating Control exist might acrually be the right answear, the Vulnerability scan has correctly identified the vulnerability in this case, port 23 is open, the fact that there is a compensating control doesn't make it a false positive. What do you think?

Yes, compensating controls probably do exist here, however, the end result is that it IS a false positive.

I think D may be the better answer. The presence of a Telnet server, even with support for encryption, indicates a vulnerability due to the potential risks associated with using Telnet in general. While the encryption feature provides a compensating control, it does not negate the fact that using Telnet is inherently less secure compared to alternatives like SSH.

The security analyst would most likely conclude: A. It is a false positive. Explanation: The vulnerability report flagged the Telnet service as insecure because Telnet traditionally uses unencrypted communication, which is considered insecure. However, the analyst performed a manual test using Nmap and discovered that the Telnet server supports encryption, which contradicts the original report. Since the service supports encryption, the vulnerability related to insecure communication (typically associated with Telnet) is not valid, meaning the original finding in the report is incorrect. Thus, this situation represents a false positive.

A) It's a false positive Here's why: The vulnerability report initially flagged the use of an insecure network protocol, Telnet, which by default does not support encryption. However, the analyst performed an Nmap scan using the telnet-encryption script, which showed that the Telnet server does support encryption. Thus, since encryption is supported, the vulnerability flagged as "insecure" can be considered a false positive because the Telnet server is using secure practices.

Another garbage question. It's technically a false positive BECAUSE compensating controls exist.

It is not a false positive because it correctly identified a vulnerability. However, compensating controls exist to mitigate this vulnerability.

B. Rescan is required In pointing out that the nmap scan result shows that the Telnet server "supports encryption," but it does not confirm that encryption is actively being used. It simply indicates that the server has the capability to support encryption, but whether or not it's actually enforced during connections is another matter. Given this clarification, the best course of action for the security analyst would likely be B. A rescan is required. Explanation: Since the scan result only shows that the Telnet server supports encryption, but does not confirm that encryption is enforced, a rescan or further testing should be conducted to determine whether: Encryption is actually being used for all Telnet sessions. There is a configuration issue where encryption is supported but not enforced. The rescan should focus on verifying if encryption is mandatory for Telnet connections. If it's not, the vulnerability remains valid and should be addressed.

"supports encryption"

I am going to change my answer to A. False positive, because the initial report flagged Telnet as insecure, but the subsequent test showed that encryption which addresses the vulnerability is being used. This indicates the vulnerability was incorrectly reported. So, that makes it a false positive.

The answer is D: Disable port 23 Telnet (unencrypted) and enable SSH port 22 (encrypted connection)

Telnet supports encryption but its currently not encrypted, which means there's a vulnerability. Hence there needs to be compensating controls. D is the answer

A. It is a false positive. The initial vulnerability scan reported that the use of Telnet (an insecure network protocol) is a high severity issue. However, the follow-up nmap scan with the `telnet-encryption` script shows that the Telnet server supports encryption. Given that Telnet is typically insecure due to lack of encryption, the presence of encryption support indicates that the reported vulnerability might not be accurate. Therefore, the security analyst would conclude that the reported vulnerability is a false positive.