6.2 Key Concepts Conduct Security Controls Test Flashcards

Domain 6 (53 cards)

1
Q

includes routine vulnerability scans and periodic vulnerability
assessments, but encompasses a larger set of processes that support the risk management
process. This is the overarching process/practice for identifying, tracking, and remediating vulnerabilities on an ongoing basis.

A

Vulnerability Management

2
Q

extend beyond just technical scans and can include configuration
and process reviews and audits to detect vulnerabilities. This is the process of human assessment of vulnerability scans and the organization’s security posture.

A

Vulnerability Assessments

3
Q

involves confirming the individual vulnerability, prioritizing it using
CVSS and CVE, and considering organization-specific factors.

A

Vulnerability Analysis

4
Q

can detect known security vulnerabilities and weaknesses, such as missing patches or weak passwords.
These scanners are used in performing vulnerability scans, which serve as inputs to the assessment process.

A

Vulnerability Scanning

5
Q

1. Identification: Vulnerability identification can come from scans, penetration tests, responsible disclosure, bug bounty programs, and audit results.
2. Analysis: Vulnerability analysis involves confirming the vulnerability, prioritizing it using CVSS and CVE, and considering organization-specific factors.
3. Responses: Vulnerability responses include applying patches, isolating affected systems, implementing compensating controls, transferring risk through insurance, or formally accepting the risk.
4. Validation: ensures the vulnerability is no longer present.
5. Reporting: informs stakeholders about the findings, actions, trends, and recommendations for improvement.

A

Vulnerability Lifecycle

6
Q

is simply a list of all publicly disclosed vulnerabilities that includes the CVE ID, a description, dates, and comments.

A

Common Vulnerabilities and Exposures (CVE)

7
Q

is the overall score assigned to a vulnerability.
It indicates severity and is used by many vulnerability scanning tools.

A

Common Vulnerability Scoring System (CVSS)

8
Q

includes user credentials to authenticate against
targets. It is a more powerful version of the vulnerability scan because it has higher
privileges than a non-credentialed scan.

A

Credentialed Scan

9
Q

will identify vulnerabilities that an
attacker would easily find anonymously. It has lower privileges than a credentialed scan.

A

Non-Credentialed Scan

10
Q

These are passive and merely report vulnerabilities. They do not
cause damage to your system.

A

Non-Intrusive Scans

11
Q

Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.

A

Intrusive Scans

12
Q

Configuration compliance scanners and desired state configuration
in PowerShell ensure that no deviations are made to the security configuration of a
system.

A

Configuration Review

13
Q

These scans look at computers and devices on your network and help
identify weaknesses in their security.

A

Network Scans

14
Q

Before applications are released, coding experts perform regression
testing that will check code for deficiencies.

A

Application Scans

15
Q

Crawl through a website as if they are a search engine looking
for vulnerabilities.

A

Web Application Scans

16
Q

A technique that scans a range of IP addresses to identify
systems and open network ports, providing a report of detected systems and exposed
ports without probing for vulnerabilities.

A

Network discovery scanning

17
Q

A method that sends a single packet with the SYN flag set to each
scanned port, indicating a request to open a new connection; also known as “half-open”
scanning.

A

TCP SYN Scanning

18
Q

A scan type used when the user lacks permissions to run a half-open
scan, completing the full TCP handshake.

A

TCP Connect Scanning

19
Q

A technique that sends a packet with the ACK flag set, attempting to
determine firewall rules and methodology.

A

TCP ACK Scanning

20
Q

A method that checks for active UDP services on a remote system using the connectionless UDP protocol.

A

UDP Scanning

21
Q

A scanning technique that sends a packet with the FIN, PSH, and URG
flags set, named for its “lit up” appearance resembling a Christmas tree.

A

Xmas Scanning

22
Q

is a reconnaissance technique used in network security and penetration testing to
identify the specific version and type of software running on a networked system
or server. It is commonly used for fingerprinting web servers, revealing type and
version, enabling the attacker to focus on the known vulnerabilities of that platform
and version.

A

Banner grabbing

23
Q

is an active test that attempts to exploit discovered vulnerabilities.

A

penetration test

24
Q

This is the initial information gathering stage. Testers collect data about the target system or network using both passive and active methods. This may include:
* Open-source intelligence (OSINT) gathering
* Social engineering
* Network scanning
* Public records searches
GOAL: to build a comprehensive picture of the target environment.

A

Reconnaissance

25
Q

where the tester is not interacting directly with the target and as such, the target has no way of knowing, recording, or logging activity.

A

Passive reconnaissance

26
Q

interacts directly with the target in some way and as such, the target may discover, record, or log these activities.

A

Active reconnaissance

27
Q

In this phase, testers conduct a more detailed, systematic examination of the target systems. This involves:
* Identifying active systems
* Discovering open ports and services
* Determining operating systems and software versions
* Mapping the network architecture
GOAL: provides a more granular understanding of the tar

A

Enumeration

28
Q

Here, testers analyze the information gathered during reconnaissance and enumeration to identify potential security weaknesses. This typically involves:
* Using automated vulnerability scanning tools
* Manual analysis of systems and applications
* Researching known vulnerabilities for identified software versions
GOAL: to create a list of potential vulnerabilities that could be exploited.

A

Vulnerability Analysis

29
Q

In this phase, testers attempt to actively exploit the vulnerabilities identified earlier. Activities may include:
* Using existing exploit code
* Developing custom exploits
* Chaining multiple vulnerabilities together
Within this phase we also see execution, also known as “post-exploitation”. It involves actions taken after successful exploitation and may include:
– Maintaining persistent access
– Escalating privileges
– Pivoting to other systems in the network
– Data exfiltration (simulated)
GOAL: to demonstrate the real-world impact of the discovered vulnerabilities by gaining unauthorized access or elevating privileges, and to simulate what an attacker might do after gaining initial access.

A

Exploitation

30
Q

The final phase involves documenting all findings and activities from the previous phases. A comprehensive report typically includes:
* Executive summary
* Detailed technical findings
* Risk assessments for each vulnerability
* Proof-of-concept evidence
* Recommendations for remediation
* Methodology used during the test
GOAL: helps organizations understand their security posture and prioritize their efforts to improve their defenses.

A

Reporting

31
Q

are internal or external entities dedicated to testing the effectiveness of a security program by emulating the tools and techniques of likely attackers in the most realistic way possible. Their goal is to assess the effectiveness of the organization’s defenses and provide insights for improvement.

A

Red Team (offense)

32
Q

the internal security team that defends against both real attackers and Red teams. Their objective is to minimize the impact of any successful attack and ensure the organization’s resilience.

A

Blue Team (defense)

33
Q

is implemented to ensure and maximize the effectiveness of the Red and Blue teams. The focus is on improving the overall security posture through continuous feedback, joint exercises, and lessons learned.

A

Purple Team (process improvement)

34
Q

In this situation, the penetration tester is given a map of target systems and networks. They go into the test with substantial/full information of the target systems and networks.

A

Known environment (white box test)

35
Q

In this scenario, the penetration tester knows nothing about target systems and networks. They go into the test completely blind and build out the database of everything they find as they go.

A

Unknown environment (black box test)

36
Q

A test in which limited information is shared with the tester, sometimes in the form of login credentials. Simulates the level of knowledge that a hacker with long-term access to a system would achieve through research and system footprinting.

A

Partially known environment (gray box test)

37
Q

involve the systematic analysis of logs to detect security incidents, unusual patterns, or potential weaknesses, and should focus primarily on anomalies and errors.

A

Log reviews

38
Q

uses simulated (recorded or scripted) user interactions or processes designed to exercise specific system functions or components with a specific expected response or output. Advantages include the ability to test under specific, repeatable conditions and proactive detection of issues, such as server performance problems or broken links, before they impact real users.

A

Synthetic monitoring, also called active monitoring

39
Q

involves tracking how actual users interact with a website or application in real time. The purpose is to provide insights into the real-world performance of your site, capturing how different users experience it under various conditions like different devices, browsers, or network speeds. This technique can provide accurate, real-time data on user experiences, including page load times, user session times, and error rates, which can inform design and content improvements based on actual user behavior.

A

Real User Monitoring (RUM), also called passive monitoring

40
Q

define a standard expected performance level for a system or process. The definition of “expected performance” may include metrics like response time, resource consumption, data/transaction throughput, error levels, etc.

A

Benchmarks

41
Q

is the manual and/or automated examination of source code to find errors, vulnerabilities, and deviations from secure coding practices.

A

Code review

42
Q

involves executing the code in various scenarios to validate its functionality and robustness.

A

Code testing

43
Q

It involves re-running existing tests after making changes to software to ensure that previously working functionality hasn’t been broken by the new changes. It helps catch unintended side effects of code changes and verifies that new features don’t disrupt existing functionality.

A

Regression testing

44
Q

consider how an attacker could manipulate or exploit system functions for malicious purposes. Test scenarios are developed based on these misuse cases (sometimes called abuse cases).

A

Misuse case

45
Q

measures how thoroughly your security testing exercises the security controls, system components, and attack scenarios. It identifies gaps in your testing procedures.

A

Coverage analysis

46
Q

examines the interactions among software components, systems, and users to ensure the application and its supporting systems function as expected.

A

Interface testing

47
Q

This type focuses on testing the interfaces between software components or systems. It verifies that APIs function correctly, handle various inputs, and return expected outputs while checking for proper data exchange, error handling, and adherence to API documentation.

A

Application Programming Interface (API) Testing

48
Q

testing evaluates the graphical user interface and how users interact with the application. It ensures that UI elements like buttons, forms, menus, and navigation work as expected, verifying proper layout, design consistency, and responsiveness across different devices and screen sizes.

A

User Interface (UI) Testing

49
Q

This testing examines the communication between different network components or systems. It verifies proper data transmission, network protocols, and connectivity while testing for issues like packet loss, latency, and bandwidth limitations.

A

Network Interface Testing

50
Q

assesses the interaction between hardware components and the software. It verifies proper communication through physical connections, tests compatibility with various hardware configurations and peripherals, and ensures correct data transfer and functionality across different physical interfaces.

A

Physical Interface Testing

51
Q

Intentional simulated attacks by ethical hackers or dedicated ‘red teams’ to imitate real-world adversary tactics and discover weaknesses before a threat actor finds them. IMPORTANCE: These simulations assess your ability to detect, respond to, and remediate real attacks. They provide hands-on training to your security teams in the best ways to counter threats.

A

Breach attack simulations

52
Q

are the crucial validation step within security control testing, verifying that implemented safeguards adhere to documented requirements like regulations, internal policies, and standards (e.g., NIST SP 800-53, ISO 27001, CIS). This ongoing process ensures controls are effective and operating as intended.

A

Compliance Checks

53
Q

* Systematic Verification: Reviewing control configurations and outputs against security baselines and policies using methods like audits, gap assessments, and technical testing (including automated scans, computer-assisted audit techniques, breach/attack simulations, red teaming).
* Continuous Validation: Employing ongoing monitoring and testing techniques to detect deviations in real time and ensure sustained adherence against evolving threats (using frameworks like MITRE ATT&CK for targeted validation).
* Evidence & Accountability: Analyzing documentation (control outputs, incident responses, remediation tracking) to demonstrate adherence, ensure accountability, validate training, and maintain audit readiness.

A

Key activities of Compliance Checks