1. Once an organization has identified a known vulnerability, what recourse does the company have?
The company has two courses of action: it can accept the vulnerability and hope that nobody finds it, or it can take steps, using its own IT department or a contractor, to harden the system against attacks.
2. If an application has a known vulnerability that is reported, how should a company proceed?
The company should first check whether the application has any new patches that close this vulnerability. If the vendor that created the application has no patch, either work with the vendor to see whether it can create one, or check whether other programs offer the same capability without the vulnerability.
4. What types of authentication and authorization requirements should be audited in a vulnerability assessment?
The authentication and authorization requirements that should be audited are the access points that require user names and passwords, tested against different types of attacks such as brute-force attacks or SQL injection attacks.
7. If an organization is identified as not using any password policies for any of its applications, what would be two suggestions to note in the assessments?
Two recommendations would be the creation of a password policy for the company and the adoption of change management, meaning a defined approach to handling changes.
8. Should newly-released patches for a known vulnerability be applied to production systems once released?
No; they should be bench-tested first on an independent machine that contains the application but is not connected to the network.
9. What is the importance of having a security incident response plan in an organization?
It ensures there is a series of steps and procedures that the organization is to follow in the event of a security incident.
10. What would an auditor be trying to verify if he/she is asking to view logs for certain dates?