Domain 6 - Security Assessment and Testing Flashcards

1
Q

Sec assessment and testing programs

A

mechanism for validating the ongoing effectiveness of security controls, using a variety of tools to validate those controls, i.e. vulnerability assessments, pentests, software testing, audits, and security management tasks; every org should have a security assessment and testing program defined and operational

2
Q

Vulnerability assessments

A
  • use automated tools to search for known vulnerabilities in systems, apps, and networks; flaws may include missing patches, misconfigurations, or faulty code; findings will often call out the CVE
3
Q

Penetration tests

A
  • assessor attempts to exploit vulnerabilities and gain access to the system; done by external companies
4
Q

Pentest strategies

A
  • war dialing (bank of modems, legacy), sniffing (monitoring the network), eavesdropping (listening), dumpster diving, social engineering (human manipulation); tests that involve human interaction and analysis increase cost but are more thorough
5
Q

Security process data

A
  • employment policies and practices (termination process and background checks), roles and responsibilities (management sets the standard and verbalizes policy), security awareness training (prevents social engineering, helps with phishing); WRITE, COMMUNICATE, TRAIN
6
Q

Software testing

A
  • validates code before moving to production; verifies it functions as designed and doesn't contain security flaws; tests APIs, UIs, and physical interfaces
7
Q

Code review

A
  • peer review process to validate code before deploying to production
8
Q

Interface testing

A
  • assesses interactions between components and users through API testing, user interface testing, and physical interface testing, e.g. how an interface interacts with a database or an API; can be automated; sometimes includes user experience testing
9
Q

Static software testing

A
  • evaluates the security of software without running it, e.g. code review; analyzes the source code or the compiled application
10
Q

Dynamic software testing

A
  • evaluates the security of software in a runtime environment; often the option available to orgs deploying apps written by someone else
11
Q

Fuzzing

A
  • uses modified inputs to test software under unexpected circumstances, i.e. varying the input to see how the application responds; can flush out things like SQL injection vulns; modifies known inputs to generate synthetic inputs that may trigger unexpected behavior; generational fuzzing instead develops inputs BASED ON models of expected inputs to perform the same task
12
Q

Log reviews

A
  • particularly for admin/privileged activities; ensures that systems are not misused
13
Q

Account management reviews

A
  • ensures that only authorized users retain access to information systems; typically uses a RANDOM SAMPLING of accounts
14
Q

Backup verification

A
  • ensures that the organization's data protection process is functioning properly; VERY IMPORTANT
15
Q

Key performance and risk indicators

A
  • high-level review of security program EFFECTIVENESS; used to evolve security controls over time
16
Q

Security audit

A
  • a 3rd party performs an assessment of the security controls protecting an org's information assets
17
Q

Internal audits

A
  • performed by an organization's internal staff and intended for management use; make sure we are ready for 3rd party audits and that controls are effective
18
Q

Chief Audit Executive (CAE)

A

reports to the most senior possible leader to avoid conflicts of interest

19
Q

SSAE 18

A

Type 1 = auditor's opinion on the description of controls provided by management and on the design of the controls

Type 2 = goes further than Type 1 by providing the auditor's opinion on the operating effectiveness of the controls over an extended period of time

ONLY 2 TYPES

20
Q

branch coverage

A

evaluates whether every if statement has been executed under all if and else conditions

21
Q

condition coverage

A

tests whether every logical test in the code has been executed under all sets of input

22
Q

function coverage

A

verifies that every function in the code has been called and returned results

23
Q

loop coverage

A

verifies that every loop in the code has been executed under conditions that cause the loop body to run multiple times, only once, and not at all