Domain 6. Security Assessment and Testing Flashcards

1
Q

BAS

A

Breach Attack Simulation

A BAS simulates a penetration test. Programs such as Infection Monkey are open-source and well suited to this.

2
Q

Real User Monitoring AKA Passive monitoring

A

AKA Passive Monitoring

Real user monitoring (RUM) analyzes the traffic and transaction status generated by real users. This is also known as passive monitoring. RUM provides real-time updates on the status of user interactions for a given service.

3
Q

Synthetic Monitoring

A

Same as Active Monitoring

Synthetic monitoring actively makes transactions against a website to evaluate performance.

4
Q

Active Monitoring

A

Same as Synthetic Monitoring

Synthetic monitoring actively makes transactions against a website to evaluate performance.

5
Q

Key Risk Indicator

A

KRIs measure the organization’s risk and how its risk profile changes. This provides the ability to assess the likelihood of a negative event, as well as the risk level of an activity or situation. The risks, if realized, typically have a profound impact on the organization. Therefore, KRIs can strongly influence decision-making by senior-level executives.

Examples:
Vulnerability Metrics
Policy Exception Rates
Malware Infection Rates

6
Q

Misuse Case Testing

A

Misuse case testing is used to help identify potential security flaws in a software’s design by examining how software could be abused or manipulated into doing something malicious.

7
Q

SSAE 18 and ISAE 3402

A

The Statement on Standards for Attestation Engagements (SSAE 18) and the International Standard for Attestation Engagements (ISAE 3402) are service organization controls (SOC) audits.

SSAE 18 is an American national auditing system, while the ISAE 3402 is a very similar system used internationally. Both are standards used by companies to audit other companies in their jurisdiction.

8
Q

DRP vs BCP

A

Disaster Recovery Plan, Business Continuity Plan

DRP = The business has ceased operating and needs to be recovered.

BCP = Plans to operate THROUGH a disaster, NOT to recover from one. Answers the question “How do we continue operating before the DRP has been fully realized?”

9
Q

KPI

A

Key Performance Indicator

Helps to evaluate a process’s health.

10
Q

Fuzz Testing

A

Fuzz testing is a technique used to find flaws or vulnerabilities by sending randomly generated or specially crafted inputs into the software. There are two types of fuzzers: mutation (dumb) fuzzers and generational (intelligent) fuzzers. Mutation fuzzers modify existing input to create fuzzed input. Generational fuzzers create fuzzed input based on what type of program is being fuzzed.

Fuzz testing may not cover all of the code to be tested.

11
Q

Synthetic Transactions

A

Synthetic transactions verify that the expected text is returned when a request is made. This is excellent practice for testing code and validating input, especially against potential attacks.

12
Q

Exposure Factor

A

Amount of asset that is at risk.

13
Q

NIST SP 800-53A

A

“Assessing Security and Privacy Controls in Federal Information Systems and Organizations.”

Covers methods for assessing and measuring security controls.

14
Q

NIST 800-12

A

Introduction to Computer Security

15
Q

NIST 800-34

A

Covers contingency planning.

16
Q

NIST 800-86

A

Guide to integrating forensic techniques into incident response.

17
Q

What is an Interface (in context of security assessment)?

A

The logical or physical point where two systems, or a system and a user, interact with each other.

18
Q

SQLMap

A

Tool designed to identify database vulnerabilities in web applications.

19
Q

Nikto

A

Web application scanner.

20
Q

Security Test

A

Tool or process to verify that a control is functioning properly. Includes automated scans, tool-assisted pen tests, and manual attempts to undermine security.

21
Q

COBIT

A

Control Objectives for Information Technologies

The COBIT framework specifically manages control variables within IT and how they align with business practices. COBIT is a healthy approach to balancing IT responsibilities and tailoring them to business needs.

22
Q

Automated integrity checking

A

Automated integrity checking can determine whether files have been changed. If files have been altered, automated integrity checks can also be run against the backup drives when integrating them into production.

23
Q

Fagan Testing

A

Six-step software inspection process.

The following are the six steps of a Fagan inspection:

Planning
Overview
Preparation
Inspection
Rework
Follow-up

24
Q

Business Impact Analysis steps

A
  1. Identification of Priorities
  2. Risk identification
  3. Resource Prioritization