nerdexam
EC-Council

312-50V11 · Question #493

If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?

The correct answer is A. Running a network scan to detect network services in the corporate DMZ. The attack surface of an organization is defined by all externally reachable entry points, and a network scan of the DMZ directly enumerates the exposed services that attackers could target.

Vulnerability Analysis

Question

If you are to determine the attack surface of an organization, which of the following is the BEST thing to do?

Options

  • ARunning a network scan to detect network services in the corporate DMZ
  • BReviewing the need for a security clearance for each employee
  • CUsing configuration management to determine when and where to apply security patches
  • DTraining employees on the security policy regarding social engineering

How the community answered

(65 responses)
  • A
    85% (55)
  • B
    5% (3)
  • C
    9% (6)
  • D
    2% (1)

Why each option

The attack surface of an organization is defined by all externally reachable entry points, and a network scan of the DMZ directly enumerates the exposed services that attackers could target.

ARunning a network scan to detect network services in the corporate DMZCorrect

Running a network scan against the corporate DMZ identifies all live hosts, open ports, and running services that are reachable from external networks, which is the technical definition of the attack surface. This approach provides concrete, actionable data about what an attacker can directly interact with, making it the most direct method to assess exposure.

BReviewing the need for a security clearance for each employee

Reviewing security clearance requirements is an administrative HR control and does not identify technical attack vectors or network-level exposure.

CUsing configuration management to determine when and where to apply security patches

Configuration management and patch management reduce vulnerabilities but do not enumerate or define the organization's attack surface.

DTraining employees on the security policy regarding social engineering

Security awareness training for social engineering mitigates the human attack vector but does not map or quantify the technical attack surface.

Concept tested: Attack surface identification via network scanning

Source: https://csrc.nist.gov/glossary/term/attack_surface

Topics

#attack surface#network scanning#DMZ#vulnerability assessment

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice