
Exam PT0-001 topic 1 question 6 discussion

Actual exam question from CompTIA's PT0-001
Question #: 6
Topic #: 1

A security analyst was provided with a detailed penetration report, which was performed against the organization's DMZ environment. It was noted on the report that a finding has a CVSS base score of 10.0. Which of the following levels of difficulty would be required to exploit this vulnerability?

  • A. Very difficult; perimeter systems are usually behind a firewall.
  • B. Somewhat difficult; would require significant processing power to exploit.
  • C. Trivial; little effort is required to exploit this finding.
  • D. Impossible; external hosts are hardened to protect against attacks.
Suggested Answer: C
Reference:
https://nvd.nist.gov/vuln-metrics/cvss

Comments

mr_robot
Highly Voted 5 years ago
Tricky one. The question below is taken from the PenTest+ Practice Tests Book - SYBEX:

A detailed penetration report was given to a security analyst. The penetration was conducted against the target organization's DMZ environment. The report had a finding that the Common Vulnerability Scoring System (CVSS) had a base score of 1.0. To exploit this vulnerability, which level of difficulty would be required?
  • A. Very difficult, because the perimeter systems are usually behind a firewall
  • B. Somewhat difficult, because it would require powerful processing to exploit
  • C. Trivial, because little effort would be required to exploit the findings
  • D. Impossible, because the external hosts are hardened to protect against attacks

The CVSS score in every copy of this question I found on the Internet is 10.0, but in the book it is 1.0. Here is their explanation: C. - The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score. It must be just a typo, but it is a small detail I detected in this question.
upvoted 7 times
ufovictim
4 years, 2 months ago
IDK if there’s a typo or not, but since a CVSS score of 10.0 designates it as an incredibly critical vulnerability, it only stands to reason that it would be trivial to exploit. A score of 1.0 would be next to impossible to exploit. C is the correct answer in this case but I’d watch for this question on the exam.
upvoted 2 times
bigwilly69
Highly Voted 4 years, 4 months ago
I think C. I did a lot of my own research and came to the conclusion that C. - The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.
upvoted 5 times
kloug
Most Recent 2 years, 2 months ago
cccccccccccc
upvoted 1 times
miabe
2 years, 9 months ago
Selected Answer: C
looks good to me
upvoted 1 times
Mediocrity
3 years, 10 months ago
C. A good way to think of this is that in order to achieve a score of 10 it has to have all the CVSS flags set to the highest severity. The easier it is for the attacker, the higher the severity rating will be.
upvoted 2 times
xMilkyMan123
4 years, 3 months ago
How can a CVSS of 10 be trivial?
upvoted 2 times
who__cares123456789___
4 years, 3 months ago
Trivial to exploit, they are saying... but how do we know that? See my link above and a c/p from my WGU class... I believe if you read into how the scoring is done, you can infer that it would be trivial... at least for one who knows what they are doing!!
upvoted 2 times
MDGuy
4 years, 3 months ago
It's a typo in this question. It should be a 1.0. If it was truly a 10.0 it would obvs not be trivial.
upvoted 1 times
RTFM
3 years, 2 months ago
A CVSS base score of 10.0 would mean that this vulnerability is given the most critical rating a vulnerability could achieve, which basically means there is an open door from the Internet to a company's most restricted data on a server. An attacker could basically just connect and, voila, has everything he/she ever wanted. The answer is C because it would be trivial for the attacker to execute a successful attack on the target.
upvoted 1 times
boyladdudeman
4 years, 1 month ago
They're saying that the exploit is trivial (super easy) to action, therefore the issue is significant; a low barrier to entry means every skiddy can do it.
upvoted 2 times
Oduro
4 years, 10 months ago
C is the correct answer
upvoted 3 times
boblee
4 years, 10 months ago
The answer is C.
upvoted 2 times
who__cares123456789___
4 years, 3 months ago
The score for the base group is between 0 and 10, where 0 is the least severe and 10 is assigned to highly critical vulnerabilities. For example, a highly critical vulnerability could allow an attacker to remotely compromise a system and get full control. In addition, the score comes in the form of a vector string that identifies each of the components used to make up the score. The vector is used to record or transfer CVSS metric information in a concise form. The vector string starts with the label CVSS: and a numeric representation of the CVSS version, followed, for each metric, by a metric name in abbreviated form, a colon, :, and the associated metric value in abbreviated form. The following is an example of a CVSS 3.0 vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
upvoted 1 times
who__cares123456789___
4 years, 3 months ago
Attack Vector (AV) represents the context in which a vulnerability can be exploited. It can assume four values:
  • Network (N)
  • Adjacent (A)
  • Local (L)
  • Physical (P)
Attack Complexity (AC) represents the conditions beyond the attacker's control that must exist in order to exploit the vulnerability:
  • Low (L)
  • High (H)
Privileges Required (PR) represents the level of privileges an attacker must have to exploit the vulnerability:
  • None (N)
  • Low (L)
  • High (H)
User Interaction (UI) captures whether a user interaction is needed to perform an attack:
  • None (N)
  • Required (R)
Scope (S) captures the impact on systems other than the system being attacked:
  • Unchanged (U)
  • Changed (C)
The Impact metrics include the following:
Confidentiality (C) measures the degree of impact to the confidentiality of the system:
  • Low (L)
  • Medium (M)
  • High (H)
Integrity (I) measures the degree of impact to the integrity of the system:
  • Low (L)
  • Medium (M)
  • High (H)
Availability (A) measures the degree of impact to the availability of the system. It can assume the following values:
  • Low (L)
  • Medium (M)
  • High (H)
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other