Domain 6 -- Security Assessment and Testing Flashcards

1
Q

What are the 8 steps to the Information System Security Audit Process?

A
  1. Determine goals
  2. Involve the right business unit leaders
  3. Determine the scope
  4. Choose the audit team
  5. Plan the audit
  6. Conduct the audit
  7. Document the results
  8. Communicate the results
2
Q

What’s the difference between internal audits, external audits and third party audits?

A
  • Internal audits – self evident. An organization audits itself
  • External audit (aka second party audit) – an organization audits a business partner (Target and Fazio Mechanical Services)
  • Third Party audit – Bring in an outside company to conduct the audit
3
Q

What is a technical control?

A

It’s a security control implemented through the use of an IT asset.

4
Q

What are three types of vulnerability testing?

A
  1. Personnel testing – people, procedures, training
  2. Physical testing – review the facility and perimeter protection
  3. System and network testing
5
Q

What’s the difference between Black Box, white box and grey box testing?

A
  • Black box testing - Tester has no a priori knowledge of the internal design or features of the system. All knowledge comes from the testing itself.
  • White Box testing — auditor is given complete knowledge of the inner workings of the system before testing begins
    • Better for insider threat
    • Not as good for outsider threats
  • Grey box testing – somewhere between black and white box testing. The tester has some knowledge, but not all of the inner workings
6
Q

What is penetration testing?

A

Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner or senior management.

Pen tests are not restricted to information technology. They can be technical, physical or administrative.

7
Q

What are the capabilities of Vulnerability scanners?

A
  • identify active hosts on the network
  • identify active/vulnerable services (ports) on hosts
  • identify applications and banner grabbing
  • identify operating systems
  • identify vulnerabilities associated with discovered operating systems and apps
  • Identify misconfigured settings
  • Test for compliance with host applications usage/security policies
  • The establishment of a foundation for penetration testing
8
Q

What is the 5-step process used during penetration testing?

A
  1. Discovery – gathering info about target
  2. Enumeration - performing port scans and resource identification methods
  3. Vulnerability mapping - identifying vulnerabilities in identified systems and resources
  4. Exploitation – attempt to gain unauthorized access
  5. Report to management
9
Q

What’s the difference between a blind, double blind or targeted pen test?

A
  • Blind test – assessors only have publicly available data to work with
    • network security staff is aware that this type of test will take place
  • Double Blind (aka stealth assessment) – blind to assessors and the security staff is not notified
    • Better for evaluating how good the security team is at identifying and responding to an attack
  • Targeted Tests - can be internal and/or external consultants carrying out focused tests on specific areas of interests
    • Example is if a new application or web site is being rolled out
10
Q

What’s the difference between a vulnerability test and a penetration test?

A
  • Vulnerability test has a goal of identifying potential vulnerabilities
  • Penetration test has a goal of exploiting one or more vulnerabilities to prove that a hacker actually can gain access to company resources
11
Q

What is War Dialing?

A
  • War dialing allows attackers and administrators to dial large blocks of phone numbers in search of available modems
12
Q

What’s a kernel flaw and how do you protect against it?

A
  • kernel flaws are problems that occur below the level of the UI, deep in the OS
  • You protect against them by keeping patches up to date (after sufficient testing)
13
Q

What are buffer overflows and how do you protect against them?

A
  • Good programming practices
  • Developer education
  • automated source code scanners
  • enhanced programming libraries
  • strongly typed languages
14
Q

What’s a symbolic link vulnerability and how do you protect against it?

A
  • The vulnerability is that a program may follow a symbolic link and the attacker may be able to compromise that symbolic link to gain unauthorized access
  • Countermeasures:
    • Don’t use symbolic links. Use the full path name
15
Q

What are file descriptor attacks and how do you protect against them?

A
  • File descriptors are numbers many OS’s use to represent open files in a process.
  • Certain file descriptors are universal – same to all programs
  • If a program makes unsafe use of a file descriptor, an attacker may be able to insert unexpected input into the program or cause output to go to an unexpected place with the privileges of the executing program
  • Countermeasures:
    • Good programming practices
    • Developer education
    • Source code scanners
    • Application security testing
16
Q

What’s a race condition and how do you protect against it?

A

Race conditions exist when the design of a program puts it in a vulnerable condition before ensuring that those vulnerable conditions are mitigated.

Countermeasures

  • Good programming practices
  • Developer education
  • automated source code scanners
  • app security testing
17
Q

What are file and directory permission vulnerabilities and how do you protect against them?

A

Many attacks rely on inappropriate file or directory permissions

Countermeasures

  • File integrity checkers
  • These should also check expected file and directory permissions
18
Q

What’s the Postmortem?

A

After the testing is complete – you should review the results, close gaps where possible and decide priorities moving forward.

19
Q

What are Log Reviews?

A
  • A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls
  • It’s important to have time synchronized in order for log analysis across multiple systems to be meaningful.
20
Q

What is NTP?

A

NTP stands for Network Time Protocol

  • It’s really important for keeping systems in sync and providing the ability to correlate log entries made by different systems
21
Q

What are ways to prevent log tampering?

A
  • Remote logging – putting log files on a separate box makes the attackers have to compromise that box, too.
  • Simplex Communication – only have a one-way path to the log repository
    • You can sever the receive pairs on an Ethernet cable
    • known as a data diode
  • Replication – replicate log files someplace not on the network (e.g. removable device)
  • Write Once Media
  • Cryptographic hash chaining – each event is appended to the cryptographic hash – ensures completeness and integrity of every event in the chain
22
Q

What does SIEM stand for and how is it used?

A
  • SIEM stands for Security Information and Event Manager
  • They are systems that enable:
    • Centralization
    • Correlation
    • Analysis
    • Retention of event data
    • Purpose is to generate automated alerts
    • Typically, they provide a dashboard
23
Q

What is a synthetic transaction and how are they useful in security?

A
  • A synthetic transaction is a transaction that is generated by a script
  • They allow us to systematically test the behavior and performance of critical services.
24
Q

What’s the difference between real user monitoring and synthetic Transactions?

A
  • Real User Monitoring is a passive way to monitor the interactions of real users with a web application system
  • It uses agents to capture metrics such as delay, jitter and errors from a user’s perspective
  • Can require more backend analysis to understand when a user may have changed his mind or lost mobile connectivity, rather than something to be concerned about
  • Synthetic transactions are more consistent.
  • Neither is better all the time
25
Q

What is misuse case testing?

A

A misuse case is a use case that includes threat actors and the tasks they want to perform on the system.

26
Q

What are the steps in the code review process?

A
  1. Identify the code to be reviewed
  2. Team leader organizes the inspection and makes sure everyone has access to it
  3. Everyone prepares by reading through the code and making notes
  4. All obvious errors are collated off-line so they don’t need to be discussed
  5. If all agree that code is ready for inspection, proceed with the meeting
  6. Team leader displays code and team discusses it. Scribe writes notes down
  7. Team decides on a disposition:
    • Good to go
    • Passed with rework
    • Reinspect following fix of issues
  8. Following meeting author fixes (if needed)
  9. Re-review if needed
27
Q

What is defensive coding?

A
  • It means that during development or code review, you are constantly looking for opportunities for things to go badly
28
Q

What is interface testing?

A
  • Interface testing is the systematic evaluation of a given set of the “exchange points” that comprise the interface
  • Interface testing is a special case of Integration Testing
29
Q

What are 3 ways for attackers to become “normal, privileged users” of the systems they intend to compromise?

A
  1. Compromise an existing privileged account
  2. Create a new privileged account
  3. Elevate the privileges of a regular user account
30
Q

What command do you use to switch to a different user in Windows, Linux and MacOS?

A
  • Windows – use the runas command
  • Linux – sudo command
  • macOS - sudo
31
Q

What are some points to keep in mind regarding testing Data Backups?

A
  • Develop scenarios
  • Develop a plan
  • Leverage automation
  • Minimize the impact on business processes
  • Ensure coverage
  • Document the results
  • Fix or improve any issues you documented
32
Q

What is a checklist test as it relates to DR/BCP? What is another name for it?

A
  • Copies of the DRP or BCP are distributed to the different departments and functional areas for review.
    • They make comments which are then incorporated back into the master copy.
  • The checklist test is also called a desk check test
33
Q

What is a Structured Walk-through test with regard to DR/BCP?

A
  • People come together to review the plan for accuracy
34
Q

What is a tabletop exercise with respect to DR/BCP?

A
  • TTX’s do NOT involve a technical control infra
  • Can happen at the executive level or team level
  • Goal is to test out procedures and ensure that they actually do what they are supposed to do
  • Ensures that everyone knows their role
  • Goal is to ensure that the team is able to respond to the likeliest/most dangerous scenario

TTX’s are only as good as the people who show up to play.

35
Q

What is a simulation test with respect to DR/BCP

A
  • Takes a lot of planning and a lot of people
  • Takes place up to the point of actual relocation to an offsite facility and actual shipment of replacement equipment
36
Q

What is a Parallel test with respect to DR/BCP?

A
  • In a parallel test, some systems are moved to the alternate site and processing takes place.
  • Results are compared with regular processing done at the main site.
  • Ensures that specific systems can perform adequately at the alternate offsite facility
  • Will flush out any tweaking or reconfiguration that is needed.
37
Q

What is a full interruption test with respect to DR/BCP?

A
  • Most intrusive to regular operations
  • The original site is actually shut down
  • All processing takes place at the alternate site
  • Full-blown drill that takes a lot of planning and coordination, but it can reveal the most holes in the plan
38
Q

What other types of training are needed with respect to DR/BCP?

A
  • cardiopulmonary resuscitation (CPR)
  • how to use a fire extinguisher
  • emergency communication procedures
  • how to shut down equipment when disasters strike
39
Q

What are the main reasons DR/BCP plans become outdated?

A
  • BC process not integrated into change management process
  • Changes occur in the infra and environment
  • Reorganization of the company, layoffs, mergers
  • Changes in HW, SW and applications
  • After the plan is constructed, people think their job is done
  • Personnel turnover
  • Large plans take a lot of work to maintain
  • Plans do not have a direct line to profitability
40
Q

What are steps a company can do to ensure that the plan stays updated?

A
  • Make BC part of every business decision
  • Insert maintenance responsibilities into job descriptions
  • Include maintenance in personnel evaluations
  • Perform internal audits that include DR/BCP
  • Perform regular drills that use the plan
  • Integrate BCP into the current change management process
  • Incorporate lessons learned from actual incidents into the plan
41
Q

What’s the difference between security training and Security awareness training?

A

Security training is teaching the skill or skills that will allow people to perform specific functions better

Security awareness training is the process of exposing people to security issues so that they can recognize them and better respond to them

42
Q

What is social engineering?

A

Social engineering, in the context of Info Security, is the process of manipulating individuals so that they perform actions that violate security protocols.

43
Q

What is a drive-by download?

A

A drive-by download occurs when a legitimate site has been compromised and invisibly redirects the user to a malware distribution server.

44
Q

What is ISO 27004?

A

It’s the Information Security Metrics Implementation Standard

45
Q

Define the following terms with respect to key performance indicators (KPI’s)

  • Factor
  • Measurement
  • Baseline
  • Metric
A
  • Factor – attribute of the ISMS that is a value that can change over time
    • e.g. number of alerts generated by IDS
    • Number of events investigated by Incident Response teams
  • Measurement – The value of a factor at a particular time
    • e.g. 356 IDS alerts in the last 24 hours
    • e.g. 42 verified events investigated by IR teams in the month of Jan
  • Baseline - what you think it means
  • Metric – a derived value that is generated by comparing multiple measurements against each other or against a baseline
    • e.g. ratio of verified incidents to IDS alerts over a 30-day period
  • Indicator – An interpretation of one or more metrics that describes an element of the effectiveness of the ISMS
    • e.g. green traffic light indicates a threshold ratio of no more than 30% false or undetected by IDS events has been met for a reporting period
46
Q

Give the process a team should follow to select and implement KPI’s

A
  • Choose factors that can show the state of security
  • Define baselines for some or all factors under consideration
  • Develop plan for periodically capturing the values of these factors and fix the sampling period
  • Analyze and interpret the data
  • Communicate the indicators to all stakeholders
47
Q

What’s a KRI and what’s the difference between a KPI and a KRI?

A
  • KRI stands for Key Risk Indicators
  • KRI’s tell us where we are today in relation to our risk appetite
  • KRI’s measure how risky an activity is so that the leadership can make informed decisions about that activity
  • Designed to work like mine canaries – tell us when something bad is likely to happen
  • It’s best to relate KRI’s to Single Loss Expectancy equations
48
Q

What are the 3 “what’s” of analyzing data from a security assessment?

A
  • What
  • So What?
  • Now What?
49
Q

What are the elements of a good technical audit report?

A
  • Exec Summary
  • Background
  • Methodology
  • Findings
  • Recommendations
  • Appendices
50
Q

Know Stratum 0 - Stratum 3 of NTP

A
51
Q

With respect to auditing, know the difference between a test and an assessment.

A

Test – A procedure that records some set of properties of behaviours in a system being tested and compares them against predetermined standards.

Assessment – A series of planned tests that are somehow related to each other.

52
Q

Which of the following components of a TableTop exercise represents a branch?

A

See graphic

53
Q

Which of the following components of a tabletop exercise indicates a sequel?

A

See graphic

54
Q

The Network Time Protocol uses which transport layer protocol and which port?

A
55
Q

In the context of BCP, what is the difference between a structured walkthrough and a checklist test?

A
56
Q

Alice needs to hire a third party to conduct a test of her company’s security posture. If she needs an independent comparison against statutory requirements, which of the following services should she select?

A

Regulatory audit

57
Q

Which of the following best describes the most critical problem with “running as root”?

A

If an administrator is tricked by attackers into executing malicious software, that software will run with the administrative level of privilege, which is commonly system level.

58
Q

Alice has been tasked with assessing her company’s security awareness program. Her company has hired a third party to perform social engineering testing as part of a broader penetration testing regime once per quarter. The contractor provides quantitative details as to the percentage of employees who click a potentially malicious link in an e-mail designed to attempt to deceive them. Tracking and comparing this performance indicator over time is best described by which of the following terms?

A

Security metric

59
Q

Which of the following is not a result of a penetration test?

A

Modify access control permissions

60
Q

Which of the following sections of a technical security report is the most critical to include?

A

Recommended actions

61
Q

What services run on TCP and UDP ports 137 - 139?

What service runs on TCP port 445?

What service runs on TCP port 1433?

A

What services run on TCP and UDP ports 137 - 139?

  • NetBIOS Services

What service runs on TCP port 445?

  • Active Directory

What service runs on TCP port 1433?

  • Microsoft SQL Server
62
Q

What is mutation testing?

A

Mutation testing modifies a program in small ways and then tests that mutant to determine if it behaves as it should or if it fails.

63
Q

What are the following tools used for?

  • zzuf
  • Nikto
  • Metasploit
  • sqlmap
A
  • Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server.
  • Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning.
  • zzuf is a fuzzing tool and isn’t relevant for vulnerability scans.
  • sqlmap is a SQL injection testing tool.
64
Q

What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?

A

Syslog is a widely used protocol for event and message logging

65
Q

What is a fuzzer and why would you use one?

A

Fuzzers are tools that are designed to provide invalid or unexpected input to applications

Fuzzers are used for testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems.

66
Q

What are the following tools used for?

  • Nmap
  • OpenVAS
  • MBSA
  • Nessus
A
  • Nmap is an open source port scanner.
  • OpenVAS is an open source vulnerability scanning tool that provides a report of the vulnerabilities that it can identify from a remote, network-based scan.
  • MBSA stands for Microsoft Baseline Security Analyzer. It is a vulnerability scanning tool (closed source)
  • Nessus is a vulnerability scanning tool (closed source)
67
Q

Within the context of nmap, what do the following mean?

  • Open
  • Closed
  • Filtered
A
  • Open - The port is accessible on the remote system and an application is accepting connections on that port.
  • Closed - The port is accessible on the remote system, but no application is accepting connections on that port.
  • Filtered - The port is not accessible on the remote system.
68
Q

What does SSAE stand for and what is the difference between a SSAE 18 SOC 1 Type I report and a Type II report?

A

SSAE stands for Statement on Standards for Attestation Engagements, which is overseen by The American Institute of Certified Public Accountants.

  • Type I audits only cover a single point in time and are based upon management descriptions of controls. They do not include an assessment of operating effectiveness.
  • Type II audits cover a period of time and do include an assessment of operating effectiveness.

69
Q

Why is WPA2 Enterprise Edition better than WPA2 against password attacks?

A
  • WPA2 enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail as password attempts for a given user may result in account lock-out.
  • WPA2 encryption will not stop a password attack, and WPA2’s preshared key mode is specifically targeted by password attacks that attempt to find the key.
70
Q

What does CVE stand for and what is a CVE database good for?

A

CVE stands for Common Vulnerabilities and Exposures.

CVE is a dictionary of common names for publicly known cybersecurity vulnerabilities maintained by the US Dept of Homeland Security

It is useful once vulnerabilities are well understood.

Unfortunately, the CVE database won’t help you with a zero-day attack

71
Q

What sorts of threats do IDS and IPS systems protect against?

How do vulnerability scanners help?

A

IDS and IPS systems protect against attacks. They won’t identify if

Vulnerability scanners help by identifying whether any parts of an organization are vulnerable to known threats

72
Q

What kinds of issues could be expected with active wireless scanning and which ones are considered problems?

A
  • Accidentally scanning apparent rogue devices that actually belong to guests (this is a problem)
  • Causing alarms on the organization’s wireless IPS (this is not necessarily a problem because it can test an org’s responses to a possible attack)
  • Scanning devices that belong to nearby organizations (Problem)
  • Misidentifying rogue device (Problem)

Moral of the story is that you have to be careful when conducting a wireless scan

73
Q

What’s the difference between a Generational fuzzing tool and a Mutation based fuzzing tool?

A
  • Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information.
  • Mutation based fuzzers are sometimes called “dumb” fuzzers because they simply mutate or modify existing data samples to create new test samples.
74
Q

What’s the difference between the following types of logging in routers?

  • Audit logging
  • Flow logging
  • Trace logging
  • Route logging
A
  • Audit logging - provides information about events on the routers
  • Flow logging - Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management.
  • Trace logging - Trace logs are used in troubleshooting specific software packages as they perform their functions
  • Route logging - route logging is not a common network logging function
75
Q

RFC 1918 non-routable IP addresses are things like 192.168.X.X

There are class A, B and C versions (see Flash card in Domain 4).

What problem will happen if a person tries to scan these address ranges from off-site?

A

Since the addresses used are RFC 1918 non-routable addresses, it is not possible to scan them from off-site

76
Q

What are three valid ways to verify that backups are working properly?

A
  1. Log review
  2. Hashing logs to ensure that they are intact
  3. Periodic testing
77
Q

What is the best way to ensure that all Windows systems provide identical logging information to the SIEM?

A

Group Policy enforced by Active Directory can ensure consistent logging settings and can provide regular enforcement of policy on systems.

78
Q

Do windows desktop systems support syslog?

A

No. Only things like the following support syslog

  • Enterprise wireless access points
  • Linux web servers
  • Enterprise firewall devices
79
Q

The National Institute for Standards and Technology (NIST) offers a special publication that describes best practices in conducting security and privacy assessments. What is it called?

A

NIST Special Publication 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations

80
Q

What does PCI DSS stand for?

A

Payment Card Industry Data Security Standard (PCI DSS)

81
Q

What is a common tool used for penetration testing?

A

Metasploit

82
Q

How do CIDR address ranges work?

For example 10.0.0.0/16

A
83
Q

The Fagan inspection process is related to what?

A

Code reviews

84
Q

During a penetration test, Danielle needs to identify systems, but she hasn’t gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services?

A

When a tester does not have raw packet creation privileges, such as when they have not escalated privileges on a compromised host, a TCP connect scan can be used.

TCP SYN scans require elevated privileges on most Linux systems due to the need to write raw packets.

A UDP scan will miss most services that are provided via TCP.

An ICMP scan is merely a ping sweep of systems that respond to pings and won’t identify services at all.

85
Q

What is Real User Monitoring (RUM)?

A

Real user monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. RUM is often used as part of a predeployment process using the actual user interface.

86
Q

What does STRIDE stand for and in what part of application test modeling is it useful?

A
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

It’s useful in the threat categorization portion of threat modeling

87
Q

What can bluetooth scanning do, and what are its limitations?

A

What it can do:

  • Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in.

Limitations

  • Unfortunately, Bluetooth scans can be challenging due to the limited range of Bluetooth and the prevalence of personally owned Bluetooth enabled devices.
  • Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.
88
Q

Compare these tools with respect to OS fingerprinting.

  • Nmap
  • Nessus
  • Nikto
  • sqlmap
A

The tools that begin with N can all do OS fingerprinting:

  • Nmap
  • Nessus
  • Nikto

sqlmap does not do OS fingerprinting

89
Q

Is there such a thing as Key Risk Indicators or only Key Performance Indicators?

A

Key Risk Indicators exist.

Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their life cycle.

90
Q

What major difference separates synthetic and passive monitoring?

A
  • Passive monitoring only works after issues have occurred because it requires actual traffic.
  • Synthetic monitoring uses simulated or recorded traffic and thus can be used to proactively identify problems.
  • Both synthetic and passive monitoring can be used to detect functionality issues.
91
Q

What is a key concern with respect to reporting on the results of a pen test?

A

Penetration test reports often include information that could result in additional exposure if they were accidentally released or stolen. Therefore, determining how vulnerability data should be stored and sent is critical.

92
Q

What four types of coverage criteria are commonly used when validating the work of a code testing suite?

A

Function, statement, branch, and condition coverage

93
Q

What are the components of the Security Content Automation Protocol (SCAP) and what are they used for?

A
  • CVE - Common Vulnerabilities and Exposures (CVE) database provides a consistent reference for identifying security vulnerabilities.
  • OVAL Open Vulnerability and Assessment Language (OVAL) is used to describe the security condition of a system.
  • XCCDF - Extensible Configuration Checklist Description Format is used to create security checklists in a standardized fashion.
  • SCE - Script Check Engine is designed to make scripts interoperable with security policy definitions.
94
Q

What hazards of penetration testing are expected?

A
  • Application crashes
  • Denial of service
  • Data corruption
95
Q

Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?

A

A measure of the rate of defect recurrence

96
Q

When testing in a non-Prod environment, which types of code issues are most likely to be missed during testing?

A

A race condition

97
Q

Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, and how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?

A

The Common Vulnerability Scoring System (CVSS) includes metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, as well as a means to score vulnerabilities against users’ unique requirements.

98
Q

Nikto, Burp Suite, and Wapiti are all examples of what type of tool?

A

Nikto, Burp Suite, and Wapiti are all web application vulnerability scanners, tools designed specifically to scan web servers and applications. While they share some functionality with broader vulnerability scanners and port scanning tools, they have a narrower focus and typically have deeper capabilities than vulnerability scanners.

99
Q

Ken is having difficulty correlating information from different security teams in his organization. Specifically, he would like to find a way to describe operating systems in a consistent fashion. What SCAP component can assist him?

A

The Common Platform Enumeration (CPE) component of SCAP provides a consistent way to refer to operating systems and other system components.

100
Q

When a Windows system is rebooted, what type of log is generated?

A

Information

101
Q

During a pen test, after an initial nmap scan with default settings, what should be the next step?

A

Identify interesting ports for further scanning.

102
Q

If a port scan reveals that X11 is running, what type of system is it most likely?

A

A Linux system

103
Q

What’s the problem with using Nmap with the default settings?

A

Nmap only scans 1000 TCP and UDP ports by default, including ports outside of the 0–1024 range of “well-known” ports. By using the defaults for nmap, Ben missed 64,535 ports.

104
Q

NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?

A

Once additional tools have been installed, penetration testers will typically use them to gain additional access. From there they can further escalate privileges, search for new targets or data, and once again, install more tools to allow them to pivot further into infrastructure or systems.

105
Q
A