Certified Ethical Hacker (CEH v13) — Question 145

In the process of implementing a network vulnerability assessment strategy for a tech company, the security analyst is confronted with the following scenarios:
1) A legacy application is discovered on the network, which no longer receives updates from the vendor.
2) Several systems in the network are found running outdated versions of web browsers prone to distributed attacks.
3) The network firewall has been configured using default settings and passwords.
4) Certain TCP/IP protocols used in the organization are inherently insecure.
The security analyst decides to use vulnerability scanning software. Which of the following limitations of vulnerability assessment should the analyst be most cautious about in this context?

Answer options

• A. Vulnerability scanning software cannot define the impact of an identified vulnerability on different business operations
• B. Vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed
• C. Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time
• D. Vulnerability scanning software is limited in its ability to perform live tests on web applications to detect errors or unexpected behavior

Correct answer: A

Explanation

The correct answer is A because vulnerability scanning software typically identifies vulnerabilities but does not assess how these vulnerabilities might affect different business operations, which is crucial for prioritizing remediation. Options B and C are also valid concerns but do not directly relate to the specific context of business impact. Option D addresses a limitation but is not as critical as understanding the business implications of vulnerabilities.