False Positive:
A false positive occurs when a vulnerability scanner incorrectly identifies a vulnerability that doesn’t actually exist. In this case, the initial vulnerability report flagged the use of an insecure network protocol (Telnet) on the server at 192.168.14.6.
However, the follow-up test using Nmap with the telnet-encryption script revealed that the Telnet server supports encryption. Since encryption enhances security, the initial report was incorrect.
Therefore, the conclusion is that the initial report was a false positive.
Telnet itself is inherently insecure: it transmits data, including passwords, in plaintext, making it vulnerable to interception and eavesdropping. While using encryption with Telnet is not typical, it is possible; however, there are other secure alternatives out there like SSH. So while it is true that Telnet is an insecure protocol, having encryption is just a compensating control here. So the answer is D.
Option D is the more reasonable.
A compensating control is a secondary/supporting security control that prevents the vulnerability from being exploited (encryption in this case).
False Positive: believes that there's a vulnerability but when physically checked is not there.
(Telnet is being used, the vulnerability of plain text is there.)
False positive
https://youtu.be/EJL0h4u871w?list=PL7XJSuT7Dq_UDJgYoQGIW9viwM5hc4C7n&t=6652
Objective (4.3 Explain various activities associated with vulnerability management)
https://youtu.be/EJL0h4u871w?list=PL7XJSuT7Dq_UDJgYoQGIW9viwM5hc4C7n&t=7199
Why This Is a False Positive:
1. Understanding Telnet:
General Security Issues: Telnet typically transmits data in plaintext, making it susceptible to eavesdropping and other security vulnerabilities. This is why it is often flagged in security scans.
2. Encryption Support:
Security Enhancement: The presence of encryption changes the security profile of Telnet. If encryption is supported and properly implemented, the transmission of data is secure, counteracting the usual vulnerabilities associated with Telnet.
3. Initial Assessment:
Misinterpretation: The initial report indicated a vulnerability due to a general assumption that Telnet is insecure, without verifying the specific configuration that includes encryption.
4. Conclusion:
False Positive: Since the Telnet server supports encryption, the assumption of insecurity was incorrect. The vulnerability scanner flagged an issue based on typical characteristics rather than the actual configuration of this specific Telnet implementation.
The security scan shows the Telnet port as open, and so did the Nmap scan.
It is not a false positive
A rescan is not required
It is not noise
D. Compensating Controls is the only correct answer.
Impossible to be A, here is why:
Telnet itself is ALWAYS unencrypted. So, the vulnerability identified is TRUE.
However, there are techniques to support Telnet security and data encryption (like VPN).
Most vulnerability scanners (e.g., Nessus, Qualys, OpenVAS) flag Telnet as a vulnerability by default because it is inherently insecure, transmitting data in plaintext. Even with encryption enabled, Telnet remains risky compared to alternatives like SSH due to:
Lack of MFA and Kerberos support,
No data integrity checks,
Susceptibility to brute-force attacks,
Absence of session protection.
If encryption exists:
Modern scanners may detect it and lower the severity but will still warn about Telnet use since the protocol itself is outdated and insecure.
Conclusion: Security professionals consider Telnet deprecated and risky, regardless of encryption. Thus, it is not a false positive, and D (compensating controls exist) is correct here.
The command nmap -p 23 192.168.14.6 --script telnet-encryption performs the following actions:
it scans the specified IP address for an open Telnet port (port 23) and then uses the telnet-encryption script to determine if the Telnet server supports encryption, which could indicate whether the server might be vulnerable to certain types of attacks if the encryption is not properly implemented. Since Telnet is now encrypted, a compensating control exists (D).
The vulnerability scanning report initially flags the Telnet service as using an insecure protocol. Traditionally, Telnet sends data, including credentials, in cleartext, which makes it inherently insecure when compared to encrypted protocols like SSH.
However, the security analyst's follow-up test using Nmap with the --script telnet-encryption option reveals that the Telnet server actually supports encryption. This means that the Telnet service in question is not transmitting data in cleartext as a standard Telnet service would.
So clearly it is false positive.
I thought D at first but now I believe it is A and here is why.
The scan just picks up on Telnet which is not secure.
The command ...telnet-encryption was run to see if encryption was enabled.
It is enabled so therefore it is secure.
The analyst didn't enable it or change anything but is now aware that it is safe and therefore a false positive.
I think "Compensating controls exist" might actually be the right answer. The vulnerability scan has correctly identified the vulnerability in this case: port 23 is open. The fact that there is a compensating control doesn't make it a false positive. What do you think?
I think D may be the better answer. The presence of a Telnet server, even with support for encryption, indicates a vulnerability due to the potential risks associated with using Telnet in general. While the encryption feature provides a compensating control, it does not negate the fact that using Telnet is inherently less secure compared to alternatives like SSH.
The security analyst would most likely conclude:
A. It is a false positive.
Explanation:
The vulnerability report flagged the Telnet service as insecure because Telnet traditionally uses unencrypted communication, which is considered insecure.
However, the analyst performed a manual test using Nmap and discovered that the Telnet server supports encryption, which contradicts the original report.
Since the service supports encryption, the vulnerability related to insecure communication (typically associated with Telnet) is not valid, meaning the original finding in the report is incorrect.
Thus, this situation represents a false positive.
A) It's a false positive
Here's why:
The vulnerability report initially flagged the use of an insecure network protocol, Telnet, which by default does not support encryption.
However, the analyst performed an Nmap scan using the telnet-encryption script, which showed that the Telnet server does support encryption.
Thus, since encryption is supported, the vulnerability flagged as "insecure" can be considered a false positive because the Telnet server is using secure practices.
B. Rescan is required
It is worth pointing out that the Nmap scan result shows that the Telnet server "supports encryption," but it does not confirm that encryption is actively being used. It simply indicates that the server has the capability to support encryption, but whether or not it's actually enforced during connections is another matter.
Given this clarification, the best course of action for the security analyst would likely be
B. A rescan is required.
Explanation:
Since the scan result only shows that the Telnet server supports encryption, but does not confirm that encryption is enforced, a rescan or further testing should be conducted to determine whether:
Encryption is actually being used for all Telnet sessions.
There is a configuration issue where encryption is supported but not enforced.
The rescan should focus on verifying if encryption is mandatory for Telnet connections. If it's not, the vulnerability remains valid and should be addressed.
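The triage logic debated across the comments above (port 23 open means the finding stands; "supports encryption" is a compensating control that still needs enforcement verified; a closed port is the true false-positive case), as an added Python example that is not part of the original thread. The sample Nmap output is constructed for the example and follows the one-line result format the telnet-encryption NSE script prints.

```python
import re

# Constructed Nmap normal-output samples for:
#   nmap -p 23 192.168.14.6 --script telnet-encryption
# They are illustrative, not captured from a real host.
SAMPLE_SUPPORTED = """\
Nmap scan report for 192.168.14.6
PORT   STATE SERVICE
23/tcp open  telnet
| telnet-encryption:
|_  Telnet server supports encryption
"""

SAMPLE_PLAINTEXT = """\
Nmap scan report for 192.168.14.6
PORT   STATE SERVICE
23/tcp open  telnet
| telnet-encryption:
|_  Telnet server does not support encryption
"""

SAMPLE_CLOSED = """\
Nmap scan report for 192.168.14.6
PORT   STATE  SERVICE
23/tcp closed telnet
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)", re.M)
ENC_RE = re.compile(r"Telnet server (supports|does not support) encryption")


def triage_telnet(nmap_output: str) -> dict:
    """Map the follow-up scan onto a decision for the scanner finding
    'insecure protocol (Telnet) in use on port 23'."""
    port = PORT_RE.search(nmap_output)
    if port is None or port.group(1) != "23" or port.group(2) != "open":
        # Nothing listening on 23: the scanner reported a service that is not there.
        return {"finding_valid": False, "verdict": "false positive",
                "action": "close the finding"}
    enc = ENC_RE.search(nmap_output)
    if enc and enc.group(1) == "supports":
        # Telnet really is in use, so the finding stands. Encryption support is a
        # compensating control, and the script only proves capability, not enforcement.
        return {"finding_valid": True, "verdict": "compensating control",
                "action": "verify encryption is enforced on every session; plan migration to SSH"}
    # Plaintext Telnet confirmed: the original finding is fully valid.
    return {"finding_valid": True, "verdict": "confirmed",
            "action": "remediate: disable Telnet and use SSH"}
```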