CISSP Domain 6

Question 1

Security Assessment and Testing

Answer 1

Internal and Third Party Audits
Vulnerability testing
Penetration testing
Log reviews
Synthetic transactions
Code reviews
Misuse case testing
Interface testing
Account management

Question 2

Audit

Answer 2

a systematic assessment of security controls of an information system

Question 3

Audit drivers

Answer 3

Regulatory or compliance requirements
Significant change to the architecture
New threat developments

Question 4

Scope of Assessments

Answer 4

Which subsets and systems
User artifacts like passwords, files, log entries
Privacy implications
Process evaluation

Question 5

Audit scope

Answer 5

should be determined in coordination with business unit managers

Business managers should be included early and throughout the exercise

Never forget business cases

Question 6

Information System Security Audit Process

Answer 6

Determine goals
Involve the right business unit leaders
Determine the scope
Choose the Audit Team
Plan the Audit
Conduct the audit
Document the results
Communicate the results

Question 7

Audit plan must be

Answer 7

repeatable

Question 8

American Institute of Certified Public Accountants AICPA

Statement on Auditing Standards No 70
SAS 70

Answer 8

defined audits carried out by third parties to assess internal controls of a service organization

Third party ensuring best interests of the client corporation

Question 9

AICPA new framework of auditing standards on

Answer 9

Service Organization Controls SOC

Question 10

3 Service Organization Controls (SOC

Answer 10

SOC 1 Pertains to financial Controls

SOC 2 Pertains to trust services ( Security, Availability, Confidentiality, Process Integrity, Privacy

SOC 3 Also pertains to trust services

Question 11

Difference between Service Organization Controls (SOC) 2 and 3

Answer 11

SOC 2 is very detailed

SOC 3 is less detailed and for general purpose

Question 12

Technical Control

Answer 12

Security control implemented through the use of an IT asset.

Question 13

Linkage between controls and risks to mitigate

Answer 13

to understand the context in which specific controls were implemented.

Why was the fence put up?

Question 14

Goals of vulnerability assessments

Answer 14

Evaluate the true security posture of an environment
Identify as many vulnerabilities as possible
Test how systems react to certain circumstances and attacks
Consider testing ramifications. Could be knocked offline, production could be negatively affected

Question 15

Black Box testing

Answer 15

no prior knowledge

knowledge comes from the assessment itself

Question 16

White Box testing

Answer 16

complete knowledge of the inner workings of the system

Targets specific internal controls and features

Question 17

Gray Box testing

Answer 17

somewhere between black and white

Question 18

Penetration testing

Answer 18

process of simulating attacks on a network and its systems at the request of the owner

Goal is to measure an organization’s level of resistance to attack and uncover weaknesses within the environment.

Question 19

Vulnerability Scanning

Answer 19

Identification of active hosts on a network
Identification of active and vulnerable services (ports) on hosts
Identification of applications and banner grabbing
identification of operating systems
Identification of vulnerabilities
Misconfigured settings
Establish foundation for penetration testing

Question 20

Five steps of a penetration test

Answer 20

1. Discovery
2. Enumeration
3. Vulnerability mapping
4. Exploitation
5. Report to management

Question 21

Penetration testing degrees of knowledge

Answer 21

Zero Knowledge
Partial Knowledge
Full Knowledge

Question 22

Blind test

Answer 22

assessors only have publicly available data to work with. Network staff is aware

Question 23

Double blind test

Answer 23

Network staff is unaware

Question 24

Targeted

Answer 24

Focused test on specific areas of interest

Question 25

Vulnerability vs Penetration testing

Answer 25

Vulnerability assessment identifies a wide range of vulnerabilities in the environment. Often uses a scanning tool

Penetration test exploits one or more vulnerabilities

Question 26

Use Cases

Answer 26

Structured scenarios used to describe required functionality. Describes the sequence of interaction

Question 27

Fraggle Attack

Answer 27

Similar to Smurf. Instead of using ICMP, It uses datagrams Attacker broadcasts a spoofed UDP packet to the amplifying network

Question 28

Misuse cases

Answer 28

a use case that includes threat actors and tasks they want to perform on a system

Normally depicted as stick figures with shaded heads

UML diagram

Question 29

Code Reviews

Answer 29

systematic examination of instructions that comprise software.

Question 30

Preferred technique of attackers

Answer 30

become normal “privileged users” in one of 3 ways

create a new privileged account
compromise an existing privileged account
elevate privileges of an normal account

Question 31

Checklist test

Answer 31

DRP or BCP distributed to different departments and functional areas for review

Question 32

Structured walkthrough test

Answer 32

Each department or functional area reviews objectives, scope, and assumptions of the plan

Walks through different scenarios from beginning to end to make sure nothing was left behind.

Question 33

Simulation Test

Answer 33

takes more planning and people All employees who participate come together to practice

Only uses materials that will be available in an actual disaster

Continues up to the point of actual relocation to an offsite facility and shipment of replacement equipment

Question 34

Parallel Test

Answer 34

some systems are move to the alternate site and processing takes place. Results are compared to the regular site

Question 35

Full interruption test

Answer 35

Most intrusive to regular operations and business productivity

Original site is shut down, processing takes place at the alternate site.

Question 36

Security training is

Answer 36

process of teaching a skill or set of skills that will allow people to perform specific functions better

Question 37

Security Awareness training is

Answer 37

process of exposing people to security issues that they may be able to recognize

Question 38

Social engineering

Answer 38

Process of manipulating individuals so they perform actions that violate security protocols

Question 39

Phishing

Answer 39

social engineering conducted through a digital communication

Question 40

Spear phishing

Answer 40

target specific individuals or groups

Question 41

Whale phishing or whaling

Answer 41

target is a senior executive

Question 42

Drive by download

Answer 42

site will invisibly redirect the user to a malware distribution server

Question 43

Pretexting

Answer 43

form of social engineering practiced in person or over the phone persuades target to violate a security policy

Question 44

Telephone Records and Privacy Protection Act of 2006

Answer 44

Imposes stiff criminal penalties on anyone who uses pretexting to obtain confidential information

Instituted after HP scandal to identify leaks

Question 45

Key performance indicators

Answer 45

Metrics for ISMS

1. Choose factors the can show the state of our security
2. Define baselines for some or all of the factors under consideration
3. Develop a plan for periodically capturing the values of these factors
4. Analyse and interpret the data
5. Communicate the indicators to all stakeholders

Question 46

Key Risk Indicators

Answer 46

tell us where we are today in relation to our risk appetite.

Question 47

SUS

Answer 47

System Under Study

Question 48

Key Elements of a good technical audit

Answer 48

Threats
Vulnerabilities
probability of exploitation
Impact of exploitation
Recommended actions

Question 49

Fuzzing

Answer 49

Technique for detecting flaws in the code by bombarding it with massive amounts of random data.