After reviewing the following vulnerability scanning report: A security analyst performs the following test: Which of the following would the security analyst conclude for this reported vulnerability?
False Positive:
A false positive occurs when a vulnerability scanner incorrectly identifies a vulnerability that doesn’t actually exist. In this case, the initial vulnerability report flagged the use of an insecure network protocol (Telnet) on the server at 192.168.14.6.
However, the follow-up test using Nmap with the telnet-encryption script revealed that the Telnet server supports encryption. Since encryption enhances security, the initial report was incorrect.
Therefore, the conclusion is that the initial report was a false positive.
Telnet itself is inherently insecure, and it transmits data, including passwords, in plaintext, making it vulnerable to interception and eavesdropping. Using encryption with Telnet is not typical, but it is possible; however, there are other secure alternatives out there like SSH. So while it is true that Telnet is an insecure protocol, having encryption is just a compensating control here. So the answer is D.
Option D is the more reasonable.
Compensating controls: a secondary/supporting security control that prevents the vulnerability from being exploited.
(encryption in this case)
False Positive: believes that there's a vulnerability but when physically checked is not there.
(Telnet is being used, the vulnerability of plain text is there.)
False positive
https://youtu.be/EJL0h4u871w?list=PL7XJSuT7Dq_UDJgYoQGIW9viwM5hc4C7n&t=6652
Objective (4.3 Explain various activities associated with vulnerability management)
https://youtu.be/EJL0h4u871w?list=PL7XJSuT7Dq_UDJgYoQGIW9viwM5hc4C7n&t=7199
Why This Is a False Positive:
1. Understanding Telnet:
General Security Issues: Telnet typically transmits data in plaintext, making it susceptible to eavesdropping and other security vulnerabilities. This is why it is often flagged in security scans.
2. Encryption Support:
Security Enhancement: The presence of encryption changes the security profile of Telnet. If encryption is supported and properly implemented, the transmission of data is secure, counteracting the usual vulnerabilities associated with Telnet.
3. Initial Assessment:
Misinterpretation: The initial report indicated a vulnerability due to a general assumption that Telnet is insecure, without verifying the specific configuration that includes encryption.
4. Conclusion:
False Positive: Since the Telnet server supports encryption, the assumption of insecurity was incorrect. The vulnerability scanner flagged an issue based on typical characteristics rather than the actual configuration of this specific Telnet implementation.
Horrible question. Telnet is an insecure protocol by design, encryption or no encryption, period.
Nmap scan only confirms that it supports encryption, means nothing really, should look to implement something more secure like SSH or jumpbox.. if that's what is meant by D. that would be the answer however the "Theory question" answer here is probably A.
D. Compensating controls exist.
My explanation:
Vulnerability detected is: Use of an insecure network protocol
Having an encryption doesn't change the fact that Telnet is an insecure protocol
The answer would be False Positive if the vulnerability detected was lack of encryption
In the end CompTIA decides the ultimate truth in this exam so
According to ChatGPT, the original report is "Use of an insecure network protocol", but when using nmap to test, it discovers "Telnet server supports encryption", so this contradicts the original report, so this is a false positive.
False positive (A) would mean Telnet was incorrectly flagged as insecure—but Telnet is still a risk by default.
Compensating controls (D) is correct because encryption helps mitigate the risk, but the risk still exists.
Adding encryption to telnet does not make it as secure as SSH which the scanner would not pick up as a vulnerability. Sure you have encryption, but what about authentication?
The vulnerability scanner flagged the use of Telnet as an insecure network protocol, which is typically true because Telnet is unencrypted. However, the security analyst ran a test using Nmap and found that the Telnet server supports encryption. This suggests that the reported vulnerability was a false positive. Since the server supports encryption, the actual risk is mitigated, and the vulnerability scanning report is inaccurate in this context.
The question is asking "what can be concluded". We know that telnet is unsafe by default. We also know that there is an option for encryption as said by the last line "telnet server supports encryption". Thus the answer must be that we can conclude Compensating Controls Exist. answer is D
The correct answer is:
A. It is a false positive.
Explanation:
The vulnerability scan initially flagged the use of Telnet as insecure because Telnet traditionally sends data, including credentials, in plaintext. However, the nmap test with the --script telnet-encryption option shows that the Telnet server supports encryption, which mitigates the reported risk.
This means the vulnerability scanner flagged the issue without accounting for the encryption capability, leading to a false positive.
Why the other options are incorrect:
B. A rescan is required: The manual test using nmap already confirmed that encryption is supported, so a rescan is unnecessary.
C. It is considered noise: Noise refers to irrelevant or unimportant alerts. This finding was important to verify but is ultimately a false positive, not noise.
D. Compensating controls exist: The encryption supported by the Telnet server is not a compensating control but a direct mitigation of the issue.
The scan only reports that the Telnet server SUPPORTS encryption, but there's no information that states that a client is required to use encryption. A client that doesn't know the server supports encryption will most likely use default settings without it, unlike SSH, which is always encrypted by default. Telnet itself is inherently insecure, just like FTP is. With this in mind the only choice that makes sense is D.
By the way, this is a better use case of compensating controls: An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system.
The Answer is A: If the only issue that makes Telnet unsafe is because Telnet traditionally uses unencrypted communication, because it now clearly shows that it has been taken care of.
The Answer is D: If there are other reasons not to use telnet besides it being unencrypted. If you can mention any other reasons or vulnerabilities then D will be the answer as encrypting it will just be a compensating solution.
The security scan shows telnet port as open and so did the NMAP scan.
It is not a false positive
A rescan is not required
It is not noise
D. Compensating Controls is the only correct answer.
Impossible to be A, here is why:
Telnet itself is ALWAYS unencrypted. So, the vulnerability identified is TRUE.
However, there are techniques to support Telnet security and data encryption (like VPN).
Most vulnerability scanners (e.g., Nessus, Qualys, OpenVAS) flag Telnet as a vulnerability by default because it is inherently insecure, transmitting data in plaintext. Even with encryption enabled, Telnet remains risky compared to alternatives like SSH due to:
Lack of MFA and Kerberos support,
No data integrity checks,
Susceptibility to brute-force attacks,
Absence of session protection.
If encryption exists:
Modern scanners may detect it and lower the severity but will still warn about Telnet use since the protocol itself is outdated and insecure.
Conclusion: Security professionals consider Telnet deprecated and risky, regardless of encryption. Thus, it is not a false positive, and D (compensating controls exist) is correct here.
The command nmap -p 23 192.168.14.6 --script telnet-encryption performs the following actions:
scans the specified IP address for an open Telnet port (port 23) and then uses the telnet-encryption script to determine if the Telnet server supports encryption, which could indicate whether the server might be vulnerable to certain types of attacks if the encryption is not properly implemented. Since Telnet is now encrypted, a compensating control exists (D).
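Several comments turn on the difference between a Telnet server that supports the ENCRYPT option and a session that actually uses it. The following is an added example, not part of any commenter's post, that classifies one direction of a captured Telnet byte stream accordingly. The function name and the capture bytes are constructed for illustration; option number 38 and the START command value 3 are taken from RFC 2946.

```python
# Added example; the capture bytes below are constructed, not real traffic.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ENCRYPT = 38    # Telnet Data Encryption Option number (RFC 2946)
ENC_START = 3   # ENCRYPT subnegotiation command START (RFC 2946)

def telnet_encryption_state(stream: bytes) -> str:
    """Classify one direction of a captured Telnet byte stream as
    'not-offered', 'offered-only' or 'started'."""
    offered = False
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1                      # ordinary data byte
            continue
        cmd = stream[i + 1]
        if cmd in (WILL, DO, WONT, DONT):
            if i + 2 >= n:
                break                   # truncated capture
            if cmd in (WILL, DO) and stream[i + 2] == ENCRYPT:
                offered = True          # peer is only willing to encrypt
            i += 3
        elif cmd == SB:
            j = i + 2                   # find IAC SE, skipping escaped IAC IAC
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1
            if j + 1 >= n:
                break                   # unterminated subnegotiation
            body = stream[i + 2:j]
            if body[:2] == bytes([ENCRYPT, ENC_START]):
                return "started"        # bytes after this are ciphertext
            i = j + 2
        else:
            i += 2                      # IAC IAC (literal 0xFF) or 2-byte command
    return "offered-only" if offered else "not-offered"

# Constructed samples: plain login, option negotiated only, encryption started.
PLAIN = bytes([IAC, DO, 1, IAC, WILL, 3]) + b"login: "
OFFERED = bytes([IAC, WILL, ENCRYPT, IAC, DO, ENCRYPT,
                 IAC, SB, ENCRYPT, 1, 1, IAC, SE]) + b"login: "
STARTED = OFFERED[:13] + bytes([IAC, SB, ENCRYPT, ENC_START, 0, IAC, SE]) + b"\x8f\x12\xa7"

if __name__ == "__main__":
    for name, data in (("PLAIN", PLAIN), ("OFFERED", OFFERED), ("STARTED", STARTED)):
        print(name, telnet_encryption_state(data))
```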
SY0-701 Exam Questions