Domain 6: Security Assessment and Testing Flashcards

Study terminology used in evaluating, testing, and validating security controls.

1
# Define: Abuse Case Testing
A security testing approach where hypothetical scenarios of system misuse or hostile actions are examined to identify and address potential security weaknesses.
## Footnote
A testing methodology where scenarios are developed to anticipate and examine potential misuse or malicious behavior against a system. It aims to uncover potential vulnerabilities or flaws that might not be detected through traditional use case testing, which typically focuses on expected and correct usage. By considering the system from an adversary’s perspective, it’s possible to enhance the system’s defenses against illegitimate usage or attacks. In practice, abuse cases are written alongside the use cases they invert (a customer buys an item with a negative quantity, a coupon is replayed, a client-supplied price is trusted) and turned into automated tests so that each misuse scenario is re-checked on every build.
*For more information, view this lecture on What is Abuse Case Testing?.*
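The following is an added example, not code from the course or its flashcards, showing what abuse-case testing looks like when the scenarios are executable. The checkout routine, catalogue, coupon table and every abuse case are constructed for illustration; each case records the outcome the threat model expects, and the run compares what actually happened.

```python
"""Abuse-case tests for a checkout routine (constructed example)."""
from dataclasses import dataclass

# Server-side price list and coupon table, the only source of truth (constructed data).
CATALOGUE = {"sku-100": 1999, "sku-200": 500}   # prices in cents
COUPONS = {"WELCOME10": 10}                      # percent off, one redemption per customer
MAX_QTY_PER_LINE = 100


class AbuseRejected(Exception):
    """Raised when a request matches a known abuse case."""


@dataclass(frozen=True)
class LineItem:
    sku: str
    quantity: int
    client_price: int   # what the client claims the item costs; never trusted


def checkout(items, coupon=None, redeemed=frozenset()):
    """Return the amount to charge in cents, or raise AbuseRejected."""
    if not items:
        raise AbuseRejected("empty order")
    total = 0
    for item in items:
        if item.sku not in CATALOGUE:
            raise AbuseRejected(f"unknown sku {item.sku!r}")
        # Abuse case: negative or zero quantity turning a charge into a credit.
        # type() rather than isinstance() so a smuggled bool is not accepted as 1.
        if type(item.quantity) is not int or item.quantity <= 0:
            raise AbuseRejected("quantity must be a positive integer")
        # Abuse case: absurd quantity to drain stock or break downstream systems.
        if item.quantity > MAX_QTY_PER_LINE:
            raise AbuseRejected("quantity exceeds per-line limit")
        # Abuse case: price tampering. The client price is ignored, not validated.
        total += CATALOGUE[item.sku] * item.quantity
    if coupon is not None:
        if coupon not in COUPONS:
            raise AbuseRejected("invalid coupon")
        # Abuse case: replaying a single-use coupon.
        if coupon in redeemed:
            raise AbuseRejected("coupon already redeemed")
        total -= total * COUPONS[coupon] // 100
    return total


# Abuse cases written from the attacker's point of view: (scenario, request, expected outcome).
ABUSE_CASES = [
    ("negative quantity to receive a refund",
     dict(items=[LineItem("sku-100", -3, 1999)]), "rejected"),
    ("zero quantity to get an item for free",
     dict(items=[LineItem("sku-100", 0, 1999)]), "rejected"),
    ("boolean smuggled in as a quantity",
     dict(items=[LineItem("sku-100", True, 1999)]), "rejected"),
    ("client-side price of one cent",
     dict(items=[LineItem("sku-100", 1, 1)]), "charged 1999"),
    ("coupon replayed after redemption",
     dict(items=[LineItem("sku-200", 1, 500)], coupon="WELCOME10",
          redeemed=frozenset({"WELCOME10"})), "rejected"),
    ("quantity far beyond any legitimate order",
     dict(items=[LineItem("sku-200", 10**9, 500)]), "rejected"),
]


def run_abuse_cases(cases=ABUSE_CASES):
    """Execute every abuse case and return {scenario: outcome}."""
    outcomes = {}
    for scenario, request, _expected in cases:
        try:
            outcomes[scenario] = f"charged {checkout(**request)}"
        except AbuseRejected:
            outcomes[scenario] = "rejected"
    return outcomes


def abuse_cases_pass(cases=ABUSE_CASES):
    """True when every abuse case produced the outcome the threat model expects."""
    outcomes = run_abuse_cases(cases)
    return all(outcomes[scenario] == expected for scenario, _req, expected in cases)
```

Note the price-tampering case: it is not rejected, it is rendered harmless, and the test records that as the expected outcome. Both "must be refused" and "must be ignored" are legitimate resolutions of an abuse case; what matters is that the decision is written down and re-verified.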
2
# Define: Attack Surface Management
Attack Surface Management identifies, monitors, and reduces all possible entry points for cyberattacks, ensuring organizations stay aware of changing assets and vulnerabilities across networks, endpoints, and cloud services.
## Footnote
Attack Surface Management is a continuous process of cataloging digital assets, such as servers, applications, domains, and exposed services, to detect vulnerabilities or misconfigurations that attackers might exploit. This approach involves automated discovery, risk scoring, and remediation prioritization, enabling security teams to address issues quickly. By analyzing external and internal facing systems, organizations gain real-time visibility into evolving threats, prevent unauthorized access, and maintain compliance. Effectively managing the attack surface enhances overall cybersecurity posture and reduces the potential impact of breaches.
*For more information, view this lecture on What is Attack Surface Management?.*
3
# Define: Audit
A systematic and documented evaluation process to determine if agreed-upon criteria are met, assessing control effectiveness and system integrity in security.
## Footnote
A systematic, independent, and documented process for obtaining and evaluating objectively verifiable evidence to determine the extent to which agreed-upon criteria are met. In a security context, this might involve assessing the effectiveness of controls, compliance with security policies and regulations, or the accuracy of system logging. Audits are essential for identifying vulnerabilities, ensuring accountability, and enhancing overall security posture.
*For more information, view this lecture on Security Audits. Or visit this Wikipedia page.*
4
# Define: Audit Accountability
Ensuring individuals or entities conducting audits are responsible for their findings, with all audit activities and decisions documented for transparency.
## Footnote
The principle that ensures individuals or entities tasked with conducting audits are held responsible for their findings and actions. It requires that all audit activities, results, and decisions be properly documented, enabling transparency and traceability of the auditing process.
*For more information, view this lecture on Security Audit Logs.*
5
# Define: Audit Authority
The right granted to conduct audits, usually by a regulatory agency, allowing access to records and interviews to validate compliance and recommend improvements.
## Footnote
The power or right granted to an individual or organization to conduct an audit. This authority is typically granted by a governing body or regulatory agency and may include the ability to access records, interview individuals, and make recommendations for improvement. Examples of organizations with audit authority include the Internal Revenue Service and the Securities and Exchange Commission.
*For more information, view this lecture on Security Audits.*
6
# Define: Audit Charter
A document defining the audit’s purpose, authority, and responsibility, providing a framework for the audit’s scope, standards, and reporting process.
## Footnote
A formal document that outlines the purpose, authority, and responsibility of an audit activity. It provides a clear framework for the audit, including the scope of work to be performed, the standards to be adhered to, and the reporting process. An audit charter is essential for setting expectations, ensuring transparency, and fostering a cooperative relationship between the auditors and those being audited.
*For more information, view this lecture on What is an Audit Charter?.*
7
# Define: Audit Evidence
Information gathered during an audit to support findings and conclusions, including documentation and interviews to validate compliance and control effectiveness.
## Footnote
The information collected during an audit process to support the auditor’s conclusions. This could involve documentation, data analysis, physical checks, interviews, and other information sources. The evidence should be sufficient (enough of it) and appropriate (relevant and reliable, with evidence the auditor obtains directly, such as a configuration export pulled during the engagement, weighing more than an assertion by the auditee), and it aids in identifying anomalies, validating compliance, and assessing the effectiveness of controls in place.
*For more information, view this lecture on Security Audit Logs. Or visit this Wikipedia page.*
8
# Define: Audit Expert Systems
Computer systems that assist auditors by using specialized knowledge and databases to analyze complex data and improve audit quality and efficiency.
## Footnote
Computer-based systems that utilize specialized knowledge and databases to assist auditors in the decision-making process during an audit. These systems enable the processing and analysis of complex data sets to enhance the quality and efficiency of audits.
9
# Define: Audit Objective
The goal of an audit, which could be to assess regulatory compliance, control effectiveness, or financial statement accuracy, guiding the audit process.
## Footnote
A clear, concise statement of what the audit is intended to achieve. It might involve assessing compliance with specific regulations, determining the effectiveness of certain controls, or evaluating the accuracy of financial reporting. The audit objective provides a guide for planning the audit, conducting the audit work, and assessing the results.
*For more information, view this lecture on Security Audits. Or visit this Wikipedia page.*
10
# Define: Audit Plan
A strategy outlining audit steps, methods, and resources, detailing the schedule, scope, objectives, and procedures for a systematic and structured audit.
## Footnote
A comprehensive strategy outlining the specific steps, methods, and resources to be used in an audit. It includes a schedule, a defined scope, the objectives, and procedures to achieve those objectives. This plan serves as a roadmap, guiding auditors in their tasks and ensuring a structured, systematic approach to the audit process.
*For more information, view this lecture on Security Audits. Or visit this Wikipedia page.*
11
# Define: Audit Program
A set of detailed actions and procedures to achieve audit objectives, tailored to each unique audit, factoring in the entity’s nature and complexity.
## Footnote
A set of procedures and steps designed to achieve the audit objectives. It is a detailed plan of action specifying the techniques to be used, the areas to be reviewed, and the chronological order of tasks. The program may be tailored to the unique needs of each audit, taking into consideration the nature, complexity, and size of the entity being audited.
*For more information, view this lecture on Security Audits.*
12
# Define: Audit Responsibility
The auditor’s duty to perform with professional care, maintaining objectivity, ensuring accurate reporting, and following relevant standards.
## Footnote
The accountability of the auditor in conducting an audit. It encompasses the duty to perform the audit with due professional care, maintain objectivity and independence, ensure accuracy in reporting, and comply with relevant standards and regulations. The auditor is also responsible for communicating the audit results in a clear, timely, and truthful manner.
13
# Define: Audit Risk
The chance that an auditor reaches an incorrect conclusion because material misstatements, errors, or control failures went undetected, comprising inherent, control, and detection risks.
## Footnote
The risk that an auditor may issue an incorrect opinion because material misstatements or errors were not detected. It is usually modeled as the product of inherent risk (the subject matter’s exposure before any controls), control risk (the chance the entity’s controls fail to prevent or detect the problem), and detection risk (the chance the auditor’s own procedures miss it). The same model applies to IT and security audits, where the failure mode is concluding that a control operates effectively when it does not. Effectively managing audit risk is crucial for the credibility of the audit report.
*For more information, view this lecture on What is Audit Risk?.*
14
# Define: Audit Sampling
Selecting a representative subset of data for review to provide assurance about data accuracy and reliability without examining every single data point.
## Footnote
The process of selecting a subset of data or transactions for review during an audit. It is used to reduce the amount of information that needs to be examined in order to provide reasonable assurance of the accuracy and reliability of the data. For example, an auditor may select a random sample of transactions from a company’s sales records to test for accuracy and completeness. Sampling gives reasonable, not absolute, assurance; where a population can be tested in full by automated means (every firewall rule, every privileged account), full-population testing removes sampling risk altogether.
*For more information, view this lecture on What is Audit Sampling?.*
15
# Define: Audit Subject Matter Risk
The risk associated with the specific area being audited, affecting the auditor’s ability to obtain accurate and complete information.
## Footnote
The risk related to the specific area or aspect being audited, which may affect the auditor’s ability to obtain accurate and complete information. Factors like the complexity of the subject matter, susceptibility to misstatement or fraud, and changes in the operational environment can influence the level of this risk.
16
# Define: Audit Trails
A chronological record that allows events to be reconstructed: in auditing, the documentation of the steps taken and evidence collected; in systems security, the protected log of who did what, and when.
## Footnote
In an audit, the documentation of the steps taken, including the evidence gathered and the conclusions reached. It is used to provide a record of the audit process and to support the auditor’s findings and recommendations. For example, an audit trail may include a list of the documents reviewed, the questions asked, and the observations made during the audit. In systems security, the term also denotes the chronological record of system activity (logons, privilege use, configuration changes, access to sensitive objects) kept in logs so that an event can be reconstructed and attributed to an account. Such logs only serve as evidence if they are complete, time-synchronized, and protected from modification by the people whose actions they record.
*For more information, view this lecture on Security Audit Logs. Or visit this Wikipedia page.*
17
# Define: Audit Universe
All possible areas within an organization that could be audited, including systems, departments, and processes, guiding audit planning and resource allocation.
## Footnote
This encompasses all the potential areas, functions, processes, or units within an organization that could be subjected to audit. It is a comprehensive list of auditable entities and can include systems, departments, business units, or physical locations, among others. The audit universe serves as the basis for developing the audit plan and deciding where to allocate audit resources.
*For more information, view this lecture on Security Audits.*
18
# Define: Auditing
The examination of data, records, and performances within an organization to ensure accuracy, integrity, and compliance with established standards.
## Footnote
The systematic and independent examination of data, statements, records, operations, and performances (financial or otherwise) of an organization for a stated purpose. In the context of systems and networks, it involves reviewing and checking system logs, configurations, and data to ensure system integrity, performance, and reliability and to detect any signs of unauthorized access or potential security risks.
*For more information, view this lecture on Security Audits. Or visit this Wikipedia page.*
19
# Define: Auditors
Professionals who assess systems and processes for compliance and accuracy.
## Footnote
Auditors are specialists who review and evaluate financial records, IT systems, and internal controls to ensure compliance with relevant regulations. They identify potential discrepancies and vulnerabilities, helping organizations maintain integrity and improve operational efficiency through systematic assessments.
*For more information, view this lecture on Mission, Data, System Owners, and Data Custodians. Or visit this Wikipedia page.*
20
# Define: Auditor’s Opinion
The outcome of an audit, expressing the auditor’s level of assurance on the audited subject matter; it can be unqualified, qualified, adverse, or a disclaimer of opinion.
## Footnote
The result of an audit that communicates the auditor’s level of assurance in the subject matter being audited. The opinion generally takes the form of a written statement included in the audit report. It is “unqualified” (clean) when the auditor finds the information fairly presented, free of material misstatements, and in compliance with applicable standards or laws; “qualified” when that holds except for specific, stated matters; “adverse” when it does not hold; and a “disclaimer of opinion” when the auditor could not obtain enough evidence to reach a conclusion.
*For more information, view this lecture on Security Audits. Or visit this Wikipedia page.*
21
# Define: Banner Grabbing
Gathering system information by connecting to services and recording the response banners that name the software and version running, used for network reconnaissance.
## Footnote
A technique used to gather information about hosts on a network by connecting to a service and recording the response (the banner) it sends, which often names the software and version, such as an SSH greeting or an HTTP Server header. It is often an initial step in reconnaissance for both legitimate purposes, such as network inventory and vulnerability assessment, and malicious ones, such as picking targets that run a known-vulnerable version. Banners are self-reported and easily suppressed or faked, so they are a lead to verify, not proof of what is running; conversely, hiding banners reduces an attacker’s convenience but is not a substitute for patching.
*For more information, view this lecture on What is Banner Grabbing?.*
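As an added example, not code from the course or its flashcards, the following Python grabs a banner over TCP and parses the formats named in the card (SSH, SMTP, FTP, and the HTTP Server header) into product and version. The sample banners in the test are constructed strings, and the parser deliberately returns None for whatever a banner does not state rather than guessing.

```python
"""Banner grabbing: a small TCP grabber plus a parser for common service banners (constructed example)."""
import re
import socket

# Recognized banner shapes. Versions are optional because many services omit them.
SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[^_\s]+)(?:_(?P<version>\S+))?")
SMTP_RE = re.compile(r"^220[ -](?P<host>\S+)\s+E?SMTP(?:\s+(?P<product>\S+))?", re.I)
FTP_RE = re.compile(r"^220[ -]\(?(?P<product>[A-Za-z][\w-]*)\s+(?P<version>\d[\w.]*)")
HTTP_SERVER_RE = re.compile(r"^Server:[ \t]*(?P<product>[^/\r\n]+)(?:/(?P<version>\S+))?", re.I | re.M)

# HTTP says nothing until asked; this probe elicits the response headers.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Connect to host:port, send an optional probe, and return what the service sends back.
    Reads until the peer closes, 4 KiB arrive, or the timeout expires."""
    chunks, received = [], 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while received < 4096:
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
                received += len(data)
        except socket.timeout:
            pass  # partial banner is still useful
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_banner(banner):
    """Map a raw banner to {service, product, version}; None wherever the banner does not say."""
    text = banner.strip()
    if m := SSH_RE.match(text):
        return {"service": "ssh", "product": m["product"], "version": m["version"]}
    if text.startswith("HTTP/"):
        m = HTTP_SERVER_RE.search(text)
        return {"service": "http",
                "product": m["product"].strip() if m else None,
                "version": m["version"] if m else None}
    # SMTP and FTP both greet with 220; SMTP is tried first because it names its protocol.
    if m := SMTP_RE.match(text):
        return {"service": "smtp", "product": m["product"], "version": None}
    if m := FTP_RE.match(text):
        return {"service": "ftp", "product": m["product"], "version": m["version"]}
    return {"service": "unknown", "product": None, "version": None}


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    raw = grab_banner(host, port, probe=HTTP_PROBE if port in (80, 8080) else b"")
    print(parse_banner(raw))
```

Run it as `python banner.py host port` against a system you are authorized to test. Because the product and version fields come straight from the peer, treat the parsed result as the hypothesis to confirm with a protocol-level check, not as the finding itself.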
22
# Define: Baseline Reporting
The process of documenting the normal state or performance of a system for future comparative analysis and identifying deviations that may indicate security issues.
## Footnote
The process of documenting the standard state or performance level of a system, typically done for comparative analysis over time. In a security context, this can be valuable for identifying abnormalities or potential threats, as significant deviations from the established baseline may indicate an issue. Such reports could include information on normal network traffic patterns, typical user behavior, system performance metrics, and required configuration settings, among others.
*For more information, view this lecture on Information Security Governance: Policies, Procedures, Guideline, and Frameworks.*
23
# Define: Batch Control
Controls applied to a group of records processed together, chiefly control totals (record counts, financial totals, hash totals) compared before and after processing to prove the batch was processed completely and accurately.
## Footnote
A method of managing and coordinating tasks that are processed as a group, or “batch”, rather than individually. This approach is common in environments where large volumes of records are processed and strict control over the processing run is needed. The classic batch controls are control totals computed on the input and recomputed on the output: the record count, a financial total (such as the sum of payment amounts), and a hash total (the sum of a non-financial field such as account numbers, meaningful only as a change detector). A mismatch indicates records lost, duplicated, or altered in transit or processing. Batch control also covers restricting who may submit or alter a batch, logging each run, and error handling that rejects or quarantines a failed batch rather than posting it partially, which together protect the integrity and confidentiality of the data.
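The following added example, not code from the course, shows the control-total technique on a constructed payment batch. Three simulated processing runs are reconciled against the input: one correct, one that drops a record, and one that transposes two digits in an account number, which only the hash total catches because the record count and the financial total are unchanged.

```python
"""Batch control totals: reconcile a processed batch against its input (constructed example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Payment:
    record_id: int
    account: str        # 10-digit account number, a non-financial field
    amount_cents: int


def control_totals(batch):
    """The three classic totals. The hash total is a meaningless sum of a non-financial
    field; it exists only so that an altered account number changes it."""
    return {
        "record_count": len(batch),
        "financial_total": sum(p.amount_cents for p in batch),
        "hash_total": sum(int(p.account) for p in batch),
    }


def reconcile(input_batch, output_batch):
    """Return {total_name: (input_value, output_value, matches)}; any False means reject the batch."""
    before, after = control_totals(input_batch), control_totals(output_batch)
    return {name: (before[name], after[name], before[name] == after[name]) for name in before}


def batch_accepted(input_batch, output_batch):
    return all(match for _, _, match in reconcile(input_batch, output_batch).values())


# Constructed input batch.
INPUT_BATCH = [
    Payment(1, "1234567890", 10_000),
    Payment(2, "2345678901", 2_550),
    Payment(3, "3456789012", 99_999),
    Payment(4, "4567890123", 100),
]


def process_correctly(batch):
    return list(batch)


def process_dropping_last(batch):
    """A job that silently loses the last record, as a truncated transfer would."""
    return list(batch[:-1])


def process_transposing_digits(batch):
    """A job that swaps two digits in one account number. Count and amount still agree;
    only the hash total reveals the corruption."""
    out = list(batch)
    acct = out[1].account
    out[1] = replace(out[1], account=acct[:3] + acct[4] + acct[3] + acct[5:])
    return out
```

Control totals are posted with the batch header so the receiving job can verify them before anything is committed; a failed reconciliation should stop the whole batch, not skip the offending record.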
24
# Define: Batch Processing
The execution of multiple jobs on a computer without manual intervention, requiring secure handling to maintain the confidentiality and integrity of processed sensitive data.
## Footnote
The execution of a series of jobs on a computer without manual intervention. In cybersecurity, batch processing must be handled securely, ensuring that sensitive data processed in batches maintains confidentiality and integrity and that access to batch processes is appropriately restricted and logged.
*For more information, view this lecture on What is Batch Processing?.*
25
# Define: Black Box Testing
Evaluating system functionality without internal knowledge, focusing on input and output to identify vulnerabilities, especially in penetration testing by simulating external attacks.
## Footnote
A method of evaluating system functionality without any knowledge of its internal workings or structure. This approach views the system as a "black box," focusing solely on input and output without concerning itself with internal behavior. It can be applied in various scenarios, including functional testing, integration testing, and system testing. In a security context, it is used in penetration testing to identify vulnerabilities or potential entry points for attacks, mimicking the approach of a potential external attacker.
*For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Black-box_testing).*
26
# Define: Blind Test In Penetration Testing
A pentest method with limited prior target information, simulating real-world attacker tactics to realistically assess security vulnerabilities and response mechanisms.
## Footnote
A pentest method in which security professionals simulate an actual attack on a system, with limited information provided about the target beforehand. This approach is designed to mimic the real-world tactics and techniques of potential attackers, who typically have no inside information. It allows organizations to get a realistic understanding of their security vulnerabilities and how well their detection and response mechanisms perform under such conditions. In a blind test the testers are kept in the dark but the target's defenders know the test is taking place; in a double-blind test neither the testers nor the defenders are briefed, which also exercises detection and incident response realistically.
*For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Penetration_test).*
27
# Define: Blue Team
A group of security professionals focused on defensive measures to safeguard information systems from cyber-attacks and prevent breaches through audits and protocols.
## Footnote
A team of security professionals who focus on defensive measures to protect an organization's information systems. It is used in cybersecurity to defend against cyber-attacks and prevent data breaches. Examples include regular security audits, implementing security protocols, and monitoring network traffic.
*For more information, view this lecture on [Risk- Attackers and Types of Attacks Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/18588139-risk-attackers-and-types-of-attacks-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Blue_team_(computer_security)).*
28
# Define: Breach and Attack Simulation | (BAS)
Controlled tests mimicking real-world attacks to evaluate an organization's security posture, identifying vulnerabilities, and testing response procedures.
## Footnote
Controlled tests carried out to mimic the tactics and techniques of real-world attackers to assess the effectiveness of an organization's security posture. By emulating the actions of potential threats in a safe environment, BAS allows organizations to identify potential vulnerabilities, test their response procedures, and understand where improvements might be needed before an actual attack occurs. Unlike a one-off penetration test, BAS tooling is typically run continuously and automatically, so a control that silently stops detecting a technique is noticed. This proactive approach is a key part of maintaining a robust defense against increasingly sophisticated threats.
*Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Breach_and_attack_simulation).*
29
# Define: Breach Reporting
The process of notifying individuals and authorities about a security breach or potential threat, commonly following a data compromise, to alert stakeholders and prevent further issues.
## Footnote
The process of informing individuals and authorities about a security breach or potential security threat. It is used in the event of a data breach to alert affected individuals and organizations and to determine the cause and prevent further incidents. Many regimes impose deadlines; the GDPR, for example, requires notification of the supervisory authority within 72 hours of becoming aware of a personal-data breach where feasible. Examples: a healthcare organization reporting a breach to patients and the government; a financial institution reporting a breach to customers and regulatory bodies.
*Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_breach_notification_laws).*
30
# Define: Browsing
The act of navigating through information resources on the Internet, a potential vulnerability for encountering malicious sites or unsafe downloads, requiring secure browsing practices.
## Footnote
The act of navigating through information resources in a network such as the Internet. This involves accessing and reading websites, downloading files, or using online applications. Browsing can be a vulnerable point for data breaches or malware infections, as users might encounter malicious sites, phishing attempts, or unsafe downloads. Effective measures to ensure secure browsing include the use of up-to-date, secure browsers, enabling automatic updates, utilizing browser security settings, and practicing careful navigation habits such as avoiding unfamiliar websites.
*For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing).*
31
# Define: Bug Bounties
Programs that reward individuals for reporting software bugs, especially those related to security exploits, encouraging ethical hacking and system security enhancement.
## Footnote
Incentive programs offered by organizations where individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities within software systems. These programs encourage ethical hackers to contribute to the security of software by lawfully reporting potential issues.
*Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Bug_bounty_program).*
32
# Define: Chaos Engineering
A testing approach that introduces failures into systems intentionally to assess their resilience and robustness, helping to identify and address potential weaknesses.
## Footnote
A method of testing the resilience and robustness of systems by intentionally introducing failures or disruptions into a system in a controlled manner. It is used to identify and address potential weaknesses or vulnerabilities in a system and to ensure that it can withstand unexpected failures or events. Examples of chaos engineering include testing the ability of a system to recover from a database failure or simulating a network outage.
*Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chaos_engineering).*
33
# Define: Checklist
A list of required items, actions to be taken, or points to consider, acting as a reminder to ensure security procedures and controls are covered.
## Footnote
A structured list of items required, things to be done, or points to be considered, used as a reminder. From a security perspective, a checklist can help ensure that all necessary procedures have been followed, security controls are in place, and potential vulnerabilities are addressed. This might include tasks to perform, security controls to implement, or guidelines to follow when developing or managing a system. Checklists can help reduce human error and ensure a consistent approach to managing security.
*For more information, view this lecture on [Testing the Plans - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180552-testing-the-plans-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Checklist).*
34
# Define: Checklist Test
A methodical testing process that follows a pre-defined checklist of steps or tasks; in business continuity and disaster recovery, the simplest plan test, in which each functional area reviews its copy of the plan against a checklist for accuracy and completeness.
## Footnote
A test that is conducted by following a checklist of specific steps or tasks. It is commonly used in quality assurance or compliance testing to ensure that all necessary steps are followed and all relevant criteria are met. In BCP/DRP testing, the checklist (or read-through) test is the least disruptive level: copies of the plan are distributed to the managers of each functional area, who review them for missing steps, outdated contacts, and incorrect assumptions without exercising any recovery procedure. It is normally followed by progressively more realistic tests, such as structured walk-throughs, simulations, parallel tests, and full-interruption tests. Other examples include a checklist for testing the functionality of a software application or a checklist for conducting a security audit.
*For more information, view this lecture on [Testing the Plans - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180552-testing-the-plans-part-1).*
35
# Define: Cloud Auditing and Compliance
The process of evaluating cloud systems and services to ensure they comply with regulatory standards and organizational security policies, involving both automated and manual reviews.
## Footnote
The systematic evaluation of cloud-based systems and services to ensure that they meet regulatory and organizational security policies. This process helps verify that data is being handled in a manner that meets various compliance standards, such as GDPR, HIPAA, or SOC 2, and can involve both automated scans and manual reviews. These audits are critical in mitigating risk, identifying vulnerabilities, and ensuring the integrity and confidentiality of data in the cloud.
*For more information, view this lecture on [Audit strategies for cloud and hybrid environments - part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/54399189-new-2024-audit-strategies-for-cloud-and-hybrid-environments-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cloud_computing_security#Compliance).*
36
# Define: Common Vulnerabilities And Exposures | (CVE)
A public list of vulnerabilities in software and firmware, providing a standardized method for sharing information about known issues.
## Footnote
A publicly available, free-to-use list of reported vulnerabilities in software and firmware. Each CVE entry includes an identification number, a description, and at least one public reference. Identifiers take the form CVE-YYYY-NNNNN (the year the ID was assigned followed by a sequence number of at least four digits) and are assigned by CVE Numbering Authorities (CNAs) such as vendors and coordination centers. Maintained by the MITRE Corporation, CVE provides a standardized method for sharing information about vulnerabilities, allowing organizations to better protect their systems against known issues. A CVE record identifies a vulnerability; it does not itself rate severity, which is what CVSS adds.
*For more information, view this lecture on [Vulnerability scanners](https://courses.thorteaches.com/courses/take/cissp/lessons/19180017-vulnerability-scanners). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures).*
37
# Define: Common Vulnerability Scoring System | (CVSS)
A system for rating IT vulnerabilities that helps prioritize responses by calculating a score based on the exploitability and impact of the vulnerability.
## Footnote
An open and standardized method for rating IT vulnerabilities, maintained by FIRST. CVSS helps organizations prioritize their responses to system vulnerabilities by offering a calculated score between 0 and 10 based on factors such as how the flaw is reached (network, adjacent, local, physical), the complexity of exploiting it, the privileges and user interaction required, and the confidentiality, integrity, and availability impact if it is exploited. Scores map to qualitative bands: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). The widely published base score measures the intrinsic severity of a flaw, not the risk it poses to a particular organization; the temporal and environmental metric groups, and in practice evidence of active exploitation, should inform prioritization. CVSS v3.1 is the version most vendors publish; CVSS v4.0 was released in 2023.
*For more information, view this lecture on [Vulnerability scanners](https://courses.thorteaches.com/courses/take/cissp/lessons/19180017-vulnerability-scanners). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System).*
38
# Define: Common Weakness Enumeration | (CWE)
A list of software security weaknesses that represent conditions leading to vulnerabilities, aiding developers in creating secure systems.
## Footnote
A community-driven project that maintains a list of software and hardware security weaknesses. These weaknesses, identified by common terms and definitions, represent the conditions that lead to software vulnerabilities. Where a CVE record describes one specific vulnerability in one product, a CWE entry describes the class of mistake behind many such vulnerabilities (for example, CWE-79 for cross-site scripting or CWE-89 for SQL injection), and CVE records are commonly tagged with the CWE they instantiate. By understanding and identifying these weaknesses, organizations and developers can create more secure software systems and address issues before they lead to exploitable vulnerabilities.
*For more information, view this lecture on [Vulnerability scanners](https://courses.thorteaches.com/courses/take/cissp/lessons/19180017-vulnerability-scanners). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Common_Weakness_Enumeration).*
39
# Define: Common Weakness Scoring System | (CWSS)
A framework for scoring the severity of software weaknesses based on impact and software environment context.
## Footnote
A framework for scoring the severity of software weaknesses listed in CWE based on various factors, including the potential impact of the weakness and the context of the software environment. It helps organizations prioritize software weaknesses to address the most significant risks first.
*Or visit this [MITRE CWSS page](https://cwe.mitre.org/cwss/cwss_v1.0.1.html).*
40
# Define: Compliance Testing or Compliance Checking
Verifying that systems, processes, and practices meet regulations, standards, and policies, critical for legal and operational adherence.
## Footnote
The process of verifying whether systems, processes, and practices conform to established regulations, standards, and policies. Compliance testing is critical for ensuring that organizations meet legal requirements and industry standards, which can include data protection laws and security frameworks.
*Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Conformance_testing).*
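Baseline reporting (card 22), the checklist test (card 34), and compliance checking (this card) meet in the everyday task of comparing a captured configuration against a documented baseline. The following is an added Python example, not code from the course, that parses a constructed sshd_config capture the way sshd reads it (first occurrence of a keyword wins, Match blocks are conditional) and reports each baseline directive as PASS or FAIL together with whether the effective value came from the file or from the daemon's documented default. The baseline values are illustrative; the defaults are those documented in sshd_config(5).

```python
"""Baseline compliance check for an sshd_config capture (constructed example)."""
import re

# Defaults documented in sshd_config(5); a directive absent from the file takes its default.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# The baseline (constructed, illustrative): directive -> required value.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

# sshd accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return (global directives as {lowercase keyword: value}, Include patterns).
    sshd uses the first value it sees for a keyword, so later duplicates are ignored.
    Directives inside Match blocks are conditional and skipped here; Include files are
    recorded but not read, because the capture is a single file."""
    directives, includes, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
        elif in_match:
            continue
        elif key == "include":
            includes.append(value)
        else:
            directives.setdefault(key, value)
    return directives, includes


def check_baseline(config_text, baseline=BASELINE, defaults=SSHD_DEFAULTS):
    """Compare the effective value of every baseline directive against the required value."""
    directives, includes = parse_sshd_config(config_text)
    findings = []
    for key, required in baseline.items():
        if key in directives:
            actual, source = directives[key], "explicit"
        else:
            actual, source = defaults.get(key), "default"
        ok = actual is not None and actual.lower() == required.lower()
        findings.append({"directive": key, "required": required, "actual": actual,
                         "source": source, "status": "PASS" if ok else "FAIL"})
    return findings, includes


def failures(findings):
    return [f["directive"] for f in findings if f["status"] == "FAIL"]


# Constructed capture of a host's sshd_config (not from a real system).
SAMPLE_CONFIG = """\
# Constructed sample
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""
```

Two things the report makes visible that a grep would not: the second `PermitRootLogin no` line changes nothing because sshd honours the first, and the commented-out `PasswordAuthentication` leaves the insecure default in force. The recorded Include pattern is a reminder that a real check must resolve included files before it can claim the effective configuration.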
41
# Define: Comprehensive Audit
An exhaustive examination of all organizational aspects to verify compliance, assess risk management, and identify improvement areas.
## Footnote
A comprehensive audit is an in-depth review and examination of all aspects of an organization's operations, systems, and processes to ensure adherence to regulations, policies, and standards. It aims to verify compliance, evaluate risk management effectiveness, and identify areas for improvement.
*Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_audit#Web_presence_audits).*
42
# Define: Configuration Item | (CI)
An identifiable and manageable component of a system subject to configuration management and change tracking.
## Footnote
A component of a system that is subject to configuration management. This could be a piece of hardware, a software module, a network configuration, or any other part of a system that requires monitoring and management for changes. CIs are individually identifiable and manageable, and their status is maintained and updated throughout their lifecycle.
*For more information, view this lecture on [Configuration Management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180328-configuration-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Configuration_item).*
43
# Define: Configuration Management Database | (CMDB)
A database that holds information on system components and their relationships, used to track configurations in IT service management.
## Footnote
A database that holds information about the components of an information system and the relationships between those components. Used in IT service management, a CMDB helps organizations understand the relationships between these components and track their configuration. It is a fundamental part of the ITIL framework for managing IT services.
*For more information, view this lecture on [Configuration Management](https://courses.thorteaches.com/courses/take/cissp/lessons/19180328-configuration-management). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Configuration_management_database).*
44
# Define: Continuous Auditing Approach
An ongoing process of evaluating an organization's activities for compliance and operational risks, involving real-time monitoring. ## Footnote A systematic and ongoing process of evaluating and monitoring an organization's financial and operational activities. This approach allows for regular and frequent assessments of internal controls, processes, and risks. Examples of continuous auditing include real-time monitoring of financial transactions, regular audits of key business processes, and ongoing risk assessments. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Continuous_audit).*
45
# Define: Continuous Full-Cycle Testing
Testing software throughout its development lifecycle, from design to release, to catch issues early and ensure quality. ## Footnote A testing practice that continually evaluates software throughout its development life cycle, from initial design to final release. This approach helps catch and address issues early, reduce the risk of software failures, and ensure that the final product meets quality and security standards.
46
# Define: Credentialed Analysis
Using authorized access to perform in-depth system analysis, offering a comprehensive assessment of security controls. ## Footnote In cybersecurity, this refers to a scanning or analysis process where the security tools are provided with authorized access credentials to perform a more thorough examination of the system. By using credentials to log in, the tools can evaluate the system as an authenticated user, allowing for a deeper and more accurate assessment of configurations, software, permissions, and other security controls that may not be visible or accessible to non-credentialed scanning. This can provide a comprehensive picture of system vulnerabilities, compliance with policies, and potential security risks.
47
# Define: Crime Prevention Through Environmental Design | (CPTED)
A strategy using design elements to deter criminal activity, extendable to digital environments. ## Footnote A multi-disciplinary approach to deter criminal behavior through environmental design. It posits that the proper design and effective use of a physical environment can reduce the incidence and fear of crime, thereby improving the quality of life. This concept can be extended to digital environments as well, where careful design can prevent unauthorized access and deter cybercrimes. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Crime_prevention_through_environmental_design).*
48
# Define: Deployment Control
An aspect of change management that integrates changes into a live environment, ensuring accurate and safe deployments. ## Footnote A critical phase in change management where changes are integrated into the live environment following rigorous testing and approval. This involves ensuring that changes are deployed accurately, efficiently, and safely and that they do not disrupt operations. Effective deployment control is essential to ensuring that vulnerabilities are not introduced during the deployment of changes and that the system remains secure and functional throughout the process.
49
# Define: Discovery Sampling
Selecting a subset of data for analysis to estimate a larger population's characteristics, used in statistics, auditing, and research. ## Footnote The process of selecting a subset of data for analysis in order to estimate the characteristics of a larger population. It involves selecting a representative sample from a larger population and using it to draw conclusions about the population as a whole. It is used in various fields, such as statistics, auditing, and research. Examples include selecting a sample of transactions for testing, selecting a sample of records for review, or selecting a sample of customers for a survey.
50
# Define: Double-Blind Test in Penetration Testing
A realistic security assessment where the defense team is unaware of the simulated attack being tested, similar to a real attack. ## Footnote This form of assessment simulates a real-world attack on a system, network, or application, where the defenders are unaware of the simulated attack just as they would be in an actual attack. It provides an organization with the most realistic indication of its security posture and readiness without providing prior knowledge of the testing scenario to its security personnel. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Penetration_test).*
51
# Define: Dumpster Diving
Searching through physical or digital trash to find valuable or sensitive information that can be exploited. ## Footnote A practice where individuals sift through trash (physical or digital) in an attempt to uncover valuable information that could be used for unscrupulous purposes. While traditionally associated with searching through physical refuse for discarded documents, in a more modern sense, it can also refer to searching through discarded digital data. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Dumpster_diving).*
52
# Define: Dynamic Application Security Testing | (DAST)
Testing that inspects a running application from the outside to identify security vulnerabilities. ## Footnote A type of security testing method that inspects a running application from the outside in the testing environment, attempting to exploit potential vulnerabilities much like an external attacker might do. It focuses on identifying security vulnerabilities related to incorrect configurations, software flaws, and other weaknesses that can be exploited by malicious entities. *For more information, view this lecture on [SCA - Software Composition Analysis](https://courses.thorteaches.com/courses/take/cissp/lessons/54399265-new-2024-sca-software-composition-analysis). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Dynamic_application_security_testing).*
53
# Define: Enumeration
Interacting with a system to gather useful information potentially for future exploitation or attacks. ## Footnote A process used in the reconnaissance or pre-attack phase where a potential attacker interacts with a system to gather information that could be useful for exploiting it. This may involve determining a user's valid email address, network resources, shared directories, IP addresses in use, or even detailed user account information in certain circumstances. *For more information, view this lecture on [Penetration Testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Network_enumeration).*
54
# Define: External Audit - Audit Execution
The investigation phase of external audits, examining organization compliance with laws and standards. ## Footnote The audit execution stage of an external audit involves the systematic investigation of processes, procedures, and systems by independent auditors. The goal is to determine whether they comply with relevant laws, regulations, standards, and policies. This stage involves data collection, interviewing staff, observing operations, and performing tests to verify information and identify any areas of risk or non-compliance. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security_audit#Who_performs_audits).*
55
# Define: External Audit - Audit Reporting
The phase in external audits where findings, including issues and recommendations, are communicated. ## Footnote The audit reporting stage of an external audit involves presenting these findings, which may include identified issues, recommendations for improvements, and an overall assessment of the entity's compliance status. This report is typically presented to senior management or a governance body such as a board of directors. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security_audit#Who_performs_audits).*
56
# Define: External Audit - Chartering
The phase in external audits where scope and objectives are established, and a detailed audit plan is developed. ## Footnote The chartering stage of an external audit involves the establishment of the scope, objectives, and protocols for the audit. It often includes defining what areas or processes will be audited, what standards or regulations will be used as a basis for the audit, and what the expected deliverables are (such as an audit report). The charter is agreed upon by both the auditors and the organization being audited. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security_audit#Who_performs_audits).*
57
# Define: External Audit - Pre-audit Planning
The initial phase of an external audit, defining scope, objectives, and audit methodologies. ## Footnote Pre-audit planning is the initial phase of an external audit, where the audit's scope and objectives are established, and a detailed audit plan is developed. This phase involves identifying the key processes, systems, or areas to be audited, gathering information about them, and deciding on the methodologies to be used during the audit. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security_audit#Who_performs_audits).*
58
# Define: External Audits
Assessments by third-party auditors verifying an organization's financial records, compliance, or internal controls. ## Footnote Independent assessments conducted by third-party auditors to verify the accuracy of an organization's financial records, compliance with regulatory standards, or the effectiveness of its internal controls. External audits serve to provide assurance to stakeholders, such as investors, creditors, and regulators, that an organization's financial statements present a true and fair view of its financial performance and position. They can also assess an organization's adherence to industry standards, laws, and regulations, particularly in specialized areas like cybersecurity, environmental compliance, and quality management. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_security_audit#Who_performs_audits).*
59
# Define: Familiarity
The state of being well-known or easily recognized, affecting trust and behavior. ## Footnote Familiarity involves the degree to which people recognize or understand an element, system, or process. In security settings, familiarity can enhance trust or, conversely, lead to complacency if over-relied upon without sufficient vigilance. Familiar interfaces and procedures often improve user efficiency, yet they also need rigorous oversight to ensure that perceived comfort does not lead to overlooked vulnerabilities. *For more information, view this lecture on [Social Engineering Attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks).*
60
# Define: Formal Assessment
Structured evaluation of operations or systems against standards to ensure they are effective and compliant. ## Footnote A structured evaluation process used to measure the efficiency, effectiveness, and compliance of certain operations or systems. In the context of data management and protection, this could involve a systematic review of controls, procedures, and policies to ensure they meet prescribed standards and guidelines, help mitigate risks, and contribute to the overall security posture of an organization. *For more information, view this lecture on [Security Assessments](https://courses.thorteaches.com/courses/take/cissp/lessons/19179927-security-assessments). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO_22301).*
61
# Define: Functional Testing
Software testing that checks the system against functional requirements to ensure it behaves as intended. ## Footnote A type of software testing that validates the software system against its functional requirements and specifications. The purpose of functional tests is to test each function of the software application by providing appropriate input and verifying the output against the functional requirements. This testing mainly involves black box testing and is not concerned with the source code of the application. It includes testing of user commands, data manipulation, searches, business processes, user screens, and integrations. Functional testing ensures that the application is behaving according to the intended functionality. *For more information, view this lecture on [Software testing - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180056-software-testing-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Functional_testing).*
62
# Define: Fuzzing or Fuzz Testing
Providing random or unexpected data as input to a program to find errors or security vulnerabilities. ## Footnote A software testing technique that involves providing invalid, unexpected, or random data as input to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. A fuzzer is a tool used to carry out fuzz testing. Fuzzing is often automated and is used to discover coding errors and security loopholes within software, operating systems, or networks. It is particularly useful for finding security concerns that might be exploited by malicious users. *For more information, view this lecture on [Software testing - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33748175-software-testing-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Fuzzing).*
63
# Define: Gap Analysis
Gap analysis identifies discrepancies between an organization's current security posture and its target state, providing actionable insights to prioritize improvements and close potential security holes. ## Footnote Gap analysis is a systematic approach to pinpoint the differences between an organization’s existing security measures and the desired risk management objectives. By identifying these shortcomings, security teams can allocate resources effectively, define clear responsibilities, and implement targeted controls. This process not only highlights areas needing immediate attention but also provides a roadmap for future enhancements. Through regular updates, gap analysis helps maintain strong defenses, demonstrating compliance with standards and sustaining trust with stakeholders. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Gap_analysis).*
64
# Define: Gray Box
A testing method with partial knowledge of a system, combining black box and white box approaches for effective analysis. ## Footnote Gray box testing is a hybrid approach to software testing that combines elements of both black box and white box testing methodologies. Testers have partial knowledge of the internal workings of the application, which allows them to design test cases with more efficiency. Gray box testing is ideal for situations where understanding the context is essential, such as security penetration testing, where knowledge of system architecture enhances testing effectiveness. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Grey_box_testing).*
65
# Define: Hoax
A deception or false claim, often online, that can lure victims into harmful actions or scams. ## Footnote A deliberate deception or fabrication, often intended to trick or deceive others. It is commonly used in internet scams or fraudulent emails to lure victims into providing sensitive information or money. Examples include receiving an email claiming to be from a Nigerian prince offering a large sum of money in exchange for a small upfront investment or seeing a social media post claiming that a celebrity has died when they are actually alive and well. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Hoax).*
66
# Define: Impersonation
Pretending to be another entity to deceive and gain unauthorized access, posing a threat in various attack scenarios. ## Footnote This involves an entity pretending to be another with the intent to deceive. It's often used as a technique in deceptive attacks, where an attacker may impersonate a legitimate user, system, or device to gain unauthorized access or provoke actions that compromise security. Countermeasures against impersonation include robust authentication protocols, awareness training, and anomaly detection systems. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Impersonator).*
67
# Define: Incremental Testing
Testing a system piece by piece to isolate and fix issues, beneficial for early defect detection and easier troubleshooting. ## Footnote A testing strategy that involves breaking down a complex system into smaller, manageable pieces and testing each piece individually. This can help to identify defects early on and make it easier to isolate and fix problems. An example of incremental testing might be a software development team that tests individual components of the system before integrating them into the final product. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Integration_testing#Incremental_integration_testing).*
68
# Define: Informal Assessment
A preliminary or less structured evaluation, often used to identify areas for improvement prior to formal assessments. ## Footnote A less structured evaluation, or one conducted without a set of predetermined criteria or standards. It is often used as a preliminary step or to identify areas for improvement before a formal assessment is conducted. Examples of informal assessments include a quick check of security controls or a casual review of business processes. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Informal_assessment).*
69
# Define: Information Gathering
Collecting data for insights, decision-making, or problem resolution, key across business, research, and law enforcement fields. ## Footnote The process of collecting data and information from various sources in order to gain insights, make decisions, or solve a problem. This may include activities such as research, interviews, and surveys. Information gathering is used in a variety of contexts, including business, research, and law enforcement. Examples of information gathering include market research, competitive intelligence, and criminal investigations. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_gathering).*
70
# Define: Information Systems Audit
A systematic review of an organization's information systems, ensuring compliance and security of operations and controls. ## Footnote An information systems audit is a systematic review and evaluation of an organization's information systems, practices, operations, and related controls. Conducted by internal or external auditors, these audits aim to verify the reliability and integrity of IT systems, ensure compliance with policies and regulations, and detect any breaches or security risks. Audits can cover areas such as network security, system integrity, and data management. *For more information, view this lecture on [Security Assessments](https://courses.thorteaches.com/courses/take/cissp/lessons/19179927-security-assessments). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_audit).*
71
# Define: Information Technology Security Evaluation Criteria | (ITSEC)
Standards for evaluating the security of IT products and systems, ensuring compliance with infosec standards. ## Footnote A set of standards and guidelines used to evaluate the security of information technology products and systems. It is used in organizations to ensure that the information technology they use is secure and compliant with information security standards. Examples of its elements include functional and assurance requirements, security targets, and evaluator qualifications. *For more information, view this lecture on [Security evaluation models](https://courses.thorteaches.com/courses/take/cissp/lessons/18591287-security-evaluation-models). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_Technology_Security_Evaluation_Criteria).*
72
# Define: Input Control
The process of validating input to ensure it meets necessary criteria, preventing errors and unauthorized system interactions. ## Footnote The process of validating and verifying user input to prevent errors and unauthorized access. It is used in computer programming and system administration to ensure that only valid and authorized input is accepted by a system or application. Examples include password authentication, CAPTCHA verification, and permission checks. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Input_control).*
73
# Define: Integrated Audit
An audit that evaluates an organization's financial statements and the effectiveness of its internal controls. ## Footnote An integrated audit is an auditing process that simultaneously evaluates the financial statements' accuracy and the effectiveness of an organization's internal controls over financial reporting. It is particularly relevant in contexts where financial and IT systems are closely intertwined and provide stakeholders with comprehensive insights into an organization's operations. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Integrated_audit).*
74
# Define: Integrated Test Facilities | (ITF)
Testing environments combining system components to verify compatibility and functionality. ## Footnote A testing environment that combines multiple components and systems to test their compatibility and functionality. It is used in software testing and development to simulate real-world conditions and ensure that a system or application works as intended. Examples include network test labs, simulation environments, and development sandboxes. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Integrated_Test_Facilities).*
75
# Define: Intellectual Property | (IP)
Creative works and inventions legally protected, granting exclusive rights to creators. ## Footnote A legal concept that refers to creations of the mind, such as inventions, literary and artistic works, and symbols, names, and images used in commerce. It is used in the protection of intellectual property rights, such as patents, trademarks, and copyrights. Examples of intellectual property include a software application, a brand logo, and a musical composition. *For more information, view this lecture on [Intellectual property](https://courses.thorteaches.com/courses/take/cissp/lessons/18552326-intellectual-property). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Intellectual_property).*
76
# Define: Interface Testing
Validating the interactions and connections between different components of a software system. ## Footnote A process that verifies the functionality, reliability, and efficiency of the interfaces in a software application. This type of testing is crucial in ensuring smooth interaction between different components of a system, such as user interfaces, APIs, databases, servers, and network interfaces. It focuses on detecting issues such as incorrect data transfers, communication gaps, and unhandled error conditions that can occur while interacting with a system's multiple interconnected parts. *For more information, view this lecture on [Software testing - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33748175-software-testing-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Software_testing#Black-box_testing).*
77
# Define: Internal Audit - Chartering
Establishing the scope and guidelines for internal audits, ensuring effective evaluation. ## Footnote Chartering for an internal audit is a formal document that outlines the purpose, authority, and responsibility of the audit function within an organization. This charter acts as a guideline for internal auditors to conduct reviews on the organization's processes, controls, and risk management practices. By adhering to this charter, auditors can help organizations ensure the adequacy and effectiveness of their operational and control systems and maintain regulatory compliance. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_audit).*
78
# Define: Internal Audit - Remediation
Actions taken to resolve identified weaknesses in an organization's processes and controls. ## Footnote Remediation in the context of internal auditing refers to the actions taken to rectify identified deficiencies or vulnerabilities in an organization's processes, systems, or controls. This involves implementing solutions that eliminate the root causes of identified problems or risks. The remediation process often includes creating and following a remediation plan, which maps out the necessary steps for resolution, such as improving procedures, modifying systems, enhancing controls, or training staff members. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_audit).*
79
# Define: Internal Audit - Reporting
Delivering findings and recommendations from internal audits to management or stakeholders. ## Footnote Reporting is a critical stage in the internal auditing process where auditors present their findings, conclusions, and recommendations to management or relevant stakeholders. These reports typically detail the scope and objectives of the audit, the methodology employed, and an analysis of the reviewed systems or processes. Reporting aims to communicate the state of the organization's risk management, control, and governance processes, as well as to provide insights for improving these processes. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_audit).*
80
# Define: Internal Audit - Testing
Examining an organization's systems and controls to evaluate effectiveness and compliance. ## Footnote In the context of an internal audit, testing is the process of examining the organization's processes, systems, and controls to ensure they are functioning as intended and are in line with established guidelines, regulations, and best practices. Testing may involve various methods, such as reviewing documentation, interviewing personnel, observing operations, and performing sample tests on transactions. The purpose of testing is to gather evidence that helps auditors evaluate the effectiveness of controls and identify any areas of risk or non-compliance. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_audit).*
81
# Define: Internal Audits
Reviews of an organization's operations and activities to ensure effectiveness and compliance. ## Footnote A systematic, objective appraisal of an organization's operations and activities. They aim to evaluate the effectiveness of an organization's internal controls, risk management processes, and governance structures. In doing so, they help to ensure that the organization is compliant with laws, regulations, and its own policies, as well as identifying areas for process improvement and efficiency gains. Audits may be conducted by the organization's own internal audit staff or by external specialists. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_audit).*
82
# Define: Intimidation
The act of applying pressure or threats to force compliance or disclosure. ## Footnote Intimidation involves using coercion, threats, or aggressive behaviors to compel individuals to act against their interests or divulge confidential information. In security and social engineering contexts, attackers rely on intimidation to bypass standard protocols, exploiting human psychology to gain unauthorized access. This method underscores the need for robust training and policies to recognize and counteract coercive tactics. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks).*
83
# Define: ISO/IEC 15408
Part of the Common Criteria for IT Security Evaluation, providing a framework for security functional and assurance requirements. ## Footnote Part of the Common Criteria for Information Technology Security Evaluation, this international standard provides a framework for specifying security functional and assurance requirements in IT products and systems. It details the general model for evaluation, ensuring that evaluated products meet certain trusted security properties. *For more information, view this lecture on [Security evaluation models](https://courses.thorteaches.com/courses/take/cissp/lessons/18591287-security-evaluation-models). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/ISO/IEC_15408).*
84
# Define: IT Audits
IT Audits systematically review an organization’s technological infrastructure, ensuring compliance with policies, standards, and regulatory requirements while identifying potential security or operational gaps. ## Footnote In an IT audit, a qualified examiner evaluates hardware, software, data management, and processes, verifying adherence to established benchmarks. By examining controls, risk management procedures, and incident response capabilities, auditors reveal issues like misconfigurations, outdated patches, or policy violations. Post-audit, thorough remediation plans address critical findings to strengthen overall IT governance, assure stakeholders of data integrity, and maintain compliance with relevant regulations. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Information_technology_audit).*
85
# Define: Kali Linux
Kali Linux is a Debian-based distribution tailored for digital forensics and penetration testing, offering a vast collection of preinstalled security tools. ## Footnote Maintained by Offensive Security, Kali Linux centralizes frameworks like Metasploit, Nmap, and Wireshark, streamlining ethical hacking workflows. It includes specialized utilities for password cracking, network probing, and vulnerability assessment. With a rolling release model, Kali stays updated with the latest tools and patches. Its environment is designed for professionals and students alike, simplifying research, practice, and simulation of various attack vectors, thereby supporting robust security assessments. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Kali_Linux).*
86
# Define: Known-Good Data (Testing)
A testing method using verified input data to ensure system outputs are functioning as expected. ## Footnote A testing methodology that utilizes a set of input data for which the expected output is already known. This known-good data set, which should be representative of the normal range of input data, allows for verification of system performance and functionality. In security contexts, it's used to ensure that systems are functioning as intended and that they are correctly identifying and handling malicious inputs.
87
# Define: Lateral Movement
Lateral movement describes an attacker’s actions after breaching a network, as they traverse systems and escalate privileges to access critical data or resources. ## Footnote Common tactics include reusing stolen credentials, exploiting misconfigurations, or scanning for unpatched vulnerabilities. Once inside, adversaries aim to blend in with normal user activity, evading detection. Strong network segmentation, privileged access monitoring, and continuous threat hunting help contain lateral movement. Early identification of unusual behaviors—like anomalous logins—significantly limits damage from internal propagation and data exfiltration.
88
# Define: Limit Check
A control that sets maximum parameters for data or operations to prevent unauthorized access or mitigate breaches. ## Footnote A security measure that sets a limit on the amount of data that can be accessed or processed in a given time period. It is used to prevent unauthorized access to sensitive information and to limit the impact of security breaches. Examples include limit checks on the number of login attempts and the amount of data that can be transferred in a single transaction.
89
# Define: Log
A record of computer system events that can include security breaches, system errors, and user activities. ## Footnote A log is a record of events that occur within a computer system or network, documenting actions such as user logins, system errors, and configuration changes. Logs are critical for monitoring, troubleshooting, and conducting security audits within an IT environment. *For more information, view this lecture on [Security Audit Logs](https://courses.thorteaches.com/courses/take/cissp/lessons/19180008-security-audit-logs). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Logging_(computing)).*
90
# Define: Log Analysis
Examining logs to identify patterns and anomalies, crucial for troubleshooting and detecting security incidents. ## Footnote The process of examining log files to identify patterns, detect anomalies, and discover useful information about activities within a system, network, or application. It's often used for troubleshooting, performance monitoring, and security incident detection. With the help of log analysis tools, organizations can detect unusual behavior, identify security incidents, and respond to threats more effectively. *For more information, view this lecture on [Security Audit Logs](https://courses.thorteaches.com/courses/take/cissp/lessons/19180008-security-audit-logs). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Log_analysis).*
91
# Define: Log Management
Collecting, storing, and analyzing log data to provide insights into network activities and potential threats. ## Footnote The process of collecting, storing, and analyzing logs generated by various devices and systems on a network. It is used to monitor network activity, detect security threats, and troubleshoot technical issues. Examples include firewall logs, intrusion detection system logs, and system logs. *For more information, view this lecture on [Security Audit Logs](https://courses.thorteaches.com/courses/take/cissp/lessons/19180008-security-audit-logs). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Log_management).*
92
# Define: Log Reviews
Regular examination of logs to identify potential threats and anomalies, aiding in proactive security monitoring. ## Footnote The process of regularly reviewing logs to identify potential security threats and anomalies. It is used to monitor network activity and identify trends and patterns that may indicate a security breach. Examples include reviewing firewall logs for suspicious traffic patterns and system logs for unauthorized access attempts. *For more information, view this lecture on [Security Audit Logs](https://courses.thorteaches.com/courses/take/cissp/lessons/19180008-security-audit-logs).*
93
# Define: Logging
Capturing and recording event data within a system to create a detailed account of activities. ## Footnote The process of recording events or messages in a log. It is used to monitor system activities, track user actions, and identify security threats. Examples include enabling logging for system events, recording user login attempts, and monitoring network traffic. *For more information, view this lecture on [Security Audit Logs](https://courses.thorteaches.com/courses/take/cissp/lessons/19180008-security-audit-logs). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Logging_(computing)).*
94
# Define: Logs/Log File
Records of events within a computer system, providing a detailed history of activities. ## Footnote A record of events happening in a system, whether that be a computer system, an application, or a network. Log files track and record user activities, system warnings, and error messages, which are essential for system debugging, performance monitoring, auditing, and incident response. These files are critical in the realm of security, as they provide an audit trail that can be analyzed for signs of malicious activity or intrusion attempts. *For more information, view this lecture on [Security Audit Logs](https://courses.thorteaches.com/courses/take/cissp/lessons/19180008-security-audit-logs). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Log_file).*
95
# Define: Manipulative Communications
Deceptive techniques used to coax individuals into revealing sensitive information or influencing their actions. ## Footnote The deceptive methods used to trick individuals into revealing sensitive information or to influence their actions, often for malicious purposes. Techniques could include phishing, spear-phishing, or social engineering tactics, which are designed to exploit human vulnerabilities and bypass conventional security measures. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks).*
96
# Define: Metasploit
Metasploit is a popular penetration testing framework used to find, exploit, and validate security vulnerabilities, providing tools for reconnaissance, payload creation, and post-exploitation. ## Footnote Metasploit, maintained by Rapid7, offers an extensive library of exploits, allowing security professionals to simulate attacker techniques. Through its modular architecture, testers can efficiently develop or integrate new payloads, backdoors, and automated scripts. Its features include vulnerability scanning, reporting, and collaboration tools that facilitate in-depth security assessments. By reflecting real-world threats, Metasploit helps organizations pinpoint weaknesses and refine defensive measures. *Or visit the [Metasploit website](https://metasploit.com/).*
97
# Define: Misuse Case Testing
Testing based on how an application should not be used, focusing on identifying vulnerabilities from potential misuse. ## Footnote Misuse case testing is an approach in software testing that involves analyzing and creating test cases based on how an application should not be used. It anticipates malicious behaviors or scenarios and tests the application's response to such misuse, like input validation errors or unauthorized attempts to access data, aiming to identify and mitigate vulnerabilities. *For more information, view this lecture on [Software testing - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33748175-software-testing-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Misuse_case).*
98
# Define: Misuse Detection
Identifying unauthorized activities within a system, vital for preventing and responding to security threats. ## Footnote The process of identifying unauthorized or malicious activity within a system. It is used in security systems to prevent and respond to cyber threats. Examples include using an intrusion detection system to monitor network traffic for unusual behavior, implementing access controls to prevent unauthorized users from accessing sensitive information, and conducting regular security audits to identify potential vulnerabilities. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Misuse_detection).*
99
# Define: Nessus - Vulnerability Scan Reports
Detailed reports from Nessus scans identifying security vulnerabilities within a network. ## Footnote Nessus Vulnerability Scan Reports are generated by the Nessus security tool, which scans systems and networks to identify potential vulnerabilities. These reports provide detailed assessments, risk ratings, and remediation recommendations, enabling security professionals to prioritize fixes, improve system resilience, and ensure adherence to regulatory standards. *For more information, view this lecture on [Vulnerability scanners](https://courses.thorteaches.com/courses/take/cissp/lessons/19180017-vulnerability-scanners). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Nessus).*
100
# Define: Netflix Chaos Monkey
A tool used by Netflix to randomly terminate services to test system resilience and ensure high availability during failures. ## Footnote A tool used by the streaming company Netflix to test the resilience of its systems by randomly shutting down individual services and components. This helps to ensure that the system can continue to operate even in the face of failures and disruptions. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chaos_engineering).*
101
# Define: NIST SP 800-53 Rev 4
Procedures for assessing security controls in federal information systems, ensuring effectiveness. ## Footnote NIST Special Publication 800-53A Revision 4 is the previous version of the guidelines for assessing the security controls in federal information systems and organizations. It provides a set of procedures for conducting assessments of security controls and techniques for ensuring those controls are effectively implemented. *Or visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/53/r4/upd3/final).*
102
# Define: NIST SP 800-55
Guidelines for measuring information security performance within federal systems. ## Footnote NIST Special Publication 800-55 provides guidelines for measuring the performance of information security policies and technologies within federal information systems. These guidelines help organizations to develop, select, and implement metrics to improve the efficiency and effectiveness of security control measures. *Or visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/55/v1/final).*
103
# Define: NIST SP 800-92
Guidance on managing computer security logs to support incident detection and information security. ## Footnote A publication by the National Institute of Standards and Technology providing guidelines for Computer Security Log Management. It explains the importance of log management in security incident identification and outlines best practices for log generation, analysis, storage, and disposal. *For more information, view this lecture on [Security Audit Logs](https://courses.thorteaches.com/courses/take/cissp/lessons/19180008-security-audit-logs). Or visit this [NIST CSRC page](https://csrc.nist.gov/pubs/sp/800/92/final).*
104
# Define: Nmap (Zenmap GUI)
A network scanning tool with a graphical interface for mapping and securing networks. ## Footnote Nmap, along with its Zenmap GUI, is a powerful network exploration and security auditing tool used to discover hosts, open ports, and services on a network. Its intuitive graphical interface simplifies complex scans, allowing both novices and experts to visualize network topologies, assess security vulnerabilities, and optimize network defenses effectively. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Nmap).*
105
# Define: No Notice Assessment
Unannounced evaluations testing an organization's security readiness and response capabilities. ## Footnote No notice assessments are unannounced evaluations or tests performed to assess the effectiveness of an organization's security posture. By simulating a realistic scenario without forewarning, these assessments can provide a more accurate representation of how an organization would respond to an actual incident or threat.
106
# Define: Non-Statistical Sampling
Selecting samples based on non-statistical criteria, used when representativeness is not the priority. ## Footnote Non-statistical sampling refers to selecting a sample based on criteria other than statistical methods, often used when a high degree of confidence in the representativeness of the sample isn't required or when other practical considerations drive the selection. Examples include judgmental or purposive sampling.
107
# Define: Numeric Check
A validation technique ensuring numerical data conforms to specific formats or ranges. ## Footnote A numeric check is a data validation technique used to ensure that numerical input or data conforms to specified formats, ranges, or values. It is essential for maintaining data integrity and can prevent errors related to incorrect data entry. Examples include validating that a phone number contains only digits or that an age field is within a reasonable range.
108
# Define: Operational Audit
An in-depth review of an organization's operations to assess effectiveness, efficiency, and compliance. ## Footnote A detailed analysis conducted to assess an organization's internal operations in terms of effectiveness, efficiency, and adherence to policies and procedures. It involves reviewing day-to-day activities and processes to identify potential areas of improvement or detect any misconduct. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Performance_audit).*
109
# Define: Paper Test
An exercise evaluating security procedures through discussion and scenario analysis without active technical deployment. ## Footnote A paper test, often referred to as a tabletop exercise, involves evaluating the effectiveness of security controls and incident response procedures through discussion-based scenarios. Participants walk through various hypothetical situations to analyze the response strategies and decision-making processes without the need for active technical intervention. This approach is widely used for training purposes and to gauge the preparedness of an organization's security team. *For more information, view this lecture on [Testing the Plans - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180552-testing-the-plans-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Performance_audit).*
110
# Define: Parallel Simulation
Simultaneously running multiple processes or operations for testing, to evaluate outcomes in a shared environment. ## Footnote The process of simulating multiple processes or operations simultaneously to evaluate outcomes in a shared environment. This is often used in performance testing or security testing to assess how well systems can handle multiple transactions or tasks at the same time. It helps to identify bottlenecks, points of failure, or potential security vulnerabilities that may not be visible under normal conditions. *For more information, view this lecture on [Testing the Plans - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180552-testing-the-plans-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Performance_audit).*
111
# Define: Parallel Test
Running systems side-by-side to compare performance and outputs, ensuring reliability and accuracy. ## Footnote A method of testing where multiple copies of a system are run simultaneously, and their outputs are compared to ensure that they produce the same results. It is used to validate the integrity and reliability of a system by comparing its performance in different environments. Examples include disaster recovery testing and redundant systems. *For more information, view this lecture on [Testing the Plans - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180552-testing-the-plans-part-1) and this lecture on [Testing the Plans - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/36454606-testing-the-plans-part-2).*
112
# Define: Penetration Test
A security exercise that simulates an attack on a computer system to find vulnerabilities and test defenses. ## Footnote A type of security assessment that simulates a real-world attack on a computer or network system to test its vulnerabilities and defenses. It is used in cyber security to identify weaknesses and improve security measures. Examples include vulnerability assessments and red team exercises. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Penetration_test).*
113
# Define: Penetration Testing - Chartering
Establishing the scope and agreement for a penetration test, including objectives, methods, and legal aspects. ## Footnote Chartering in the context of penetration testing involves establishing clear guidelines and agreements between the tester and the client regarding the scope, objectives, methods, legal considerations, and expected outcomes of the penetration test. It ensures ethical boundaries are observed, testing is aligned with the client's needs, and sensitive systems are handled with care. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Penetration_test#Penetration_testing_phases).*
114
# Define: Penetration Testing - Discovery
The initial phase of penetration testing, gathering information about the target to identify vulnerabilities. ## Footnote The process of gathering as much information as possible about the target system, network, or application. This could include data about IP addresses, domain details, user inputs, network mapping, and more. The intention here is to identify potential vulnerabilities or weak spots that can be targeted during the test, often utilizing techniques like port scanning, vulnerability scanning, and network sniffing. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Penetration_test#Penetration_testing_phases).*
115
# Define: Penetration Testing - Exploitation
The phase in penetration testing where identified vulnerabilities are actively exploited to assess impact. ## Footnote A phase of a penetration test where identified vulnerabilities are actually attacked. The tester attempts to exploit these vulnerabilities in a controlled manner to emulate potential attacks an actual hacker could perform. The goal of this phase is not to cause damage but rather to understand the depth of access an attacker could potentially achieve and what kind of data or control they might be able to obtain. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Penetration_test#Penetration_testing_phases).*
116
# Define: Penetration Testing - Reporting
The final phase in penetration testing, providing detailed findings and recommendations for security improvements. ## Footnote The final phase of penetration testing. After the discovery and exploitation phases, all findings, including vulnerabilities, data breaches, and successful exploits, are compiled into a comprehensive report. This report provides an overview of the test's findings and offers suggestions for improving the system's security. It's a crucial document for understanding the current security posture and planning the necessary steps for enhancement. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Penetration_test#Penetration_testing_phases).*
117
# Define: Penetration Testing - Scanning
Analyzing the target for specific vulnerabilities that can be exploited during penetration testing. ## Footnote The process of analyzing the target system, network, or application for specific vulnerabilities that can be exploited. Tools such as vulnerability scanners and port scanners are used to identify open ports and detect live systems, services used by hosts, and other potential points of entry. This process provides valuable data, which is used to devise an effective approach for the exploitation phase of the test. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Penetration_test#Penetration_testing_phases).*
118
# Define: Phishing
A scam involving fraudulent messages designed to trick individuals into revealing sensitive information or credentials. ## Footnote A type of cyber-attack that involves tricking individuals into revealing sensitive information, such as passwords or financial data, through fraudulent emails or websites. It is often used by hackers to gain access to accounts or steal personal information. Three examples of phishing attacks are fake emails from banks asking for account information, fake online shopping websites requesting credit card details, and fake social media messages asking for login credentials. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Phishing).*
119
# Define: Port Scan/Scanner
A method for detecting open ports and services on a network host to identify potential vulnerabilities. ## Footnote A method that is used to detect open ports and services available on a network host. Sending client requests to server port addresses helps to identify vulnerabilities or confirm that security policies are functioning as expected. While it can be a valuable tool for network administrators in securing their own systems, port scanning can also be used maliciously to find weak points to exploit in unauthorized systems. *For more information, view this lecture on [Penetration testing tools](https://courses.thorteaches.com/courses/take/cissp/lessons/19180049-penetration-testing-tools). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Port_scanner).*
120
# Define: Pretexting
A social engineering technique creating a false scenario to deceive individuals into divulging sensitive information. ## Footnote A social engineering technique in which an individual creates a false scenario or pretext to trick someone into disclosing sensitive information. The attacker usually pretends to be a legitimate entity, such as a bank, tech support, or another trusted person, to deceive the target into divulging confidential data, like passwords, social security numbers, or financial details. Pretexting underscores the importance of awareness and cautious behavior when handling personal or confidential data. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Pretexting).*
121
# Define: Privilege Escalation Attacks
Privilege escalation attacks exploit software flaws, misconfigurations, or credential reuse to gain higher-level permissions within a system than initially assigned. ## Footnote Malicious actors may pivot from a low-privilege user account to full administrator rights, allowing them unrestricted access. Common tactics involve exploiting unpatched vulnerabilities, intercepting passwords, or deploying malware. Mitigations include regularly patching systems, applying the principle of least privilege, and monitoring logs for anomalies. Timely detection and containment prevent attackers from establishing deep footholds or exfiltrating sensitive data. *For more information, view this lecture on [Software vulnerabilities and Attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19182134-software-vulnerabilities-and-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privilege_escalation).*
122
# Define: Probabilistic Method
A mathematical approach using probability to solve problems and predict outcomes. ## Footnote A mathematical approach to solving problems by calculating the likelihood of different outcomes based on probability. It is used in data analysis, machine learning, and other fields to predict and analyze trends and patterns. Examples include Bayesian analysis, Markov chain models, and Monte Carlo simulations.
123
# Define: Probe
Investigating a network or system for vulnerabilities in preparation for a cyber attack. ## Footnote In cybersecurity, probing refers to the methodical examination of a network or system for vulnerabilities that could be exploited. It is often a preliminary step in an attack, allowing threat actors to gather information and plan their infiltration; the same technique is also used by security professionals for defensive vulnerability assessments.
124
# Define: Purple Team
A Purple Team blends offensive (Red Team) and defensive (Blue Team) security activities to enhance collaboration, knowledge sharing, and the continuous improvement of an organization’s security posture. ## Footnote In a traditional security exercise, Red Teams simulate attacks, while Blue Teams defend. A Purple Team approach integrates these efforts, fostering real-time interaction to identify vulnerabilities and fine-tune detection mechanisms. Both sides jointly develop threat scenarios and refine mitigation strategies. This iterative, cooperative model accelerates learning, closes communication gaps, and ensures security measures stay aligned with evolving threats. The result is a more robust, unified security program. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Red_team#Cybersecurity).*
125
# Define: Range Check
A validation technique ensuring a value falls within a predefined range, used in data integrity checks. ## Footnote A validation process used to ensure that a given value is within a specified range. It is used in programming and data entry to prevent out-of-range values from being accepted. Examples of range checking include ensuring that a password meets minimum length requirements or that a user-entered age falls within a certain age range. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_validation#Validation_types).*
126
# Define: Regression Testing
Testing conducted after code changes to ensure new bugs have not been introduced and existing functionality remains unaffected. ## Footnote The process of testing a software application after changes have been made to ensure that the changes have not introduced new defects or broken existing functionality. It is commonly used in software development to verify the stability and reliability of a system. Examples include running a suite of automated test cases after a code update or manually testing specific features after a bug fix. *For more information, view this lecture on [Software testing - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33748175-software-testing-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Regression_testing).*
127
# Define: Relevant Audit Evidence
Information that supports or refutes audit findings and is necessary for drawing audit conclusions. ## Footnote The information collected during an audit process to support the conclusions drawn by the auditor. This can include financial records, transaction logs, and operational procedures, among other things. It is 'relevant' in that it directly influences or validates the audit findings, helping to ensure that the audit conclusions are accurate, reliable, and defensible.
128
# Define: Reliable Audit Evidence
Information from trustworthy sources that supports audit findings and conclusions. ## Footnote The quality and credibility of the information gathered during an audit. The reliability of audit evidence is determined by its source and nature, and it is often higher when it is obtained from independent sources outside the entity being audited. Reliable audit evidence is trustworthy and verifiable, providing a solid basis for forming an audit opinion.
129
# Define: Reporting on Security Controls
The process of evaluating and documenting the effectiveness of security controls, crucial for compliance and improvement. ## Footnote The process of documenting and communicating the effectiveness of security controls to relevant stakeholders. This is used in organizations to ensure compliance with security regulations and standards and to identify areas for improvement. For example, an annual security audit may include a report on security controls, and a security team may provide regular updates on control effectiveness to management.
130
# Define: Rules of Engagement (ROE) in Audit
Guidelines outlining the scope, objectives, and conduct of an audit, crucial for its effectiveness and fairness. ## Footnote A set of guidelines that outline the scope, objectives, and limitations of an audit. They are typically used to ensure that the audit is conducted in a consistent and objective manner and to protect the interests of the organization being audited. Examples of rules of engagement in audit include requirements for documentation, confidentiality, and independence.
131
# Define: Sampling Risk
The risk that a chosen sample is not representative of the overall population, potentially leading to inaccurate conclusions. ## Footnote The risk that a sample of data used for analysis may not be representative of the population from which it was drawn. It is often used in statistical analysis to evaluate the potential for bias in data samples. Examples of sampling risk include using a sample that is too small to accurately represent the population or using a sample that is not randomly selected. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Sampling_risk).*
132
# Define: SAST (Static Application Security Testing)
A form of security testing that examines source code or binaries for vulnerabilities without executing the code. ## Footnote A type of security testing that analyzes an application's source code or binaries without executing the application. It is used in software development to identify security vulnerabilities early in the development process before the application is deployed. Examples include code reviews, automated vulnerability scanning, and manual testing. *For more information, view this lecture on [Software testing - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180056-software-testing-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Static_application_security_testing).*
133
# Define: Scarcity
A principle where limited availability increases perceived value and demand. ## Footnote Scarcity refers to a situation where resources, information, or opportunities are in limited supply, which can drive up their perceived value or urgency. In economic and marketing contexts, scarcity can stimulate faster decision-making and competitive behaviors. In security, scarcity may also describe the rarity of certain vulnerabilities or keys that become prime targets for attackers when discovered. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Scarcity_(social_psychology)).*
134
# Define: Security Scores
Quantitative measures of an organization's security performance or risk level, often provided by third-party services.

## Footnote

The quantitative measures of an organization's security performance or risk level. These scores are typically generated by third-party security rating services and are based on the analysis of various data points, such as an organization's public-facing security configurations, past incidents, and other relevant factors. Security scores can serve as a valuable benchmark for organizations to understand their security posture, compare against industry peers, and identify areas for improvement.
135
# Define: Security Testing
Evaluating a system's resilience against potential threats and vulnerabilities to ensure data privacy and business continuity.

## Footnote

The evaluation of a system or network's resilience against potential security threats and vulnerabilities. It assesses the system's ability to resist unauthorized access, handle unexpected inputs without failing, maintain data privacy, and ensure business continuity. Examples include penetration testing, vulnerability scanning, and security auditing, with the goal of identifying weak spots that could be exploited by malicious actors. *For more information, view this lecture on [Penetration testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_testing).*
136
# Define: Sequence Check
A control ensuring data is processed in the correct order by using unique sequential identifiers.

## Footnote

A procedural control used to ensure that data is being processed in the intended order, usually by assigning a unique sequential identifier to each data item. In the context of data transmissions, it can be used to detect errors, duplicates, or missing data packets by verifying that the received data is in the correct sequence. If a data item arrives out of order or an identifier is skipped, it triggers an error that indicates a potential issue with the transmission. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Frame_check_sequence).*
137
# Define: Shoulder Surfing
Observing closely to gain sensitive information like passwords and security codes.

## Footnote

The act of obtaining sensitive information such as passwords, PINs, or security codes by directly observing someone as they enter the information into a device. This could be done at close range (literally looking over someone's shoulder) or from a distance using binoculars or cameras. In the digital context, shoulder surfing is a serious security threat that can lead to unauthorized access to systems, identity theft, and other forms of cybercrime. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)).*
138
# Define: Simian Army
A suite of tools developed by Netflix to test the resilience of cloud-based systems by simulating failures and challenges.

## Footnote

A collection of open-source tools developed by Netflix to test the resilience and reliability of cloud-based systems. The Simian Army includes tools for simulating failures and other challenges, such as network outages or high levels of traffic. For example, a company might use the Simian Army to test its cloud-based e-commerce platform for peak holiday shopping seasons. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Chaos_engineering).*
139
# Define: Sniffer
A network tool used to capture and analyze traffic, providing insights into network operations and potential security threats.

## Footnote

A type of network monitoring tool that captures and analyzes network traffic to identify patterns and anomalies. It is commonly used by network administrators and security professionals to monitor network activity, troubleshoot network issues, and detect security threats. Examples of sniffers include Wireshark, tcpdump, and NetWitness. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Packet_analyzer).*
140
# Define: Snooping
The act of observing or intercepting private communications without consent, often to access confidential information.

## Footnote

An invasive activity where an unauthorized person observes or intercepts private communication in a network, often to gain access to confidential information. While similar to sniffing, snooping is more commonly used to refer to passive listening and is considered a security risk. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/DHCP_snooping).*
141
# Define: SOC 1 | (Service Organization Control 1)
An audit standard evaluating internal controls over financial reporting in service organizations.

## Footnote

SOC 1 is an audit framework designed to assess the effectiveness of internal controls related to financial reporting processes within service organizations. It provides assurance to clients regarding the reliability and security of outsourced financial operations. Organizations undergo SOC 1 audits to demonstrate compliance, enhance transparency, and build trust with stakeholders about their control environments. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/System_and_Organization_Controls#Types).*
142
# Define: SOC 2 | (Service Organization Control 2)
Standards for assessing a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy.

## Footnote

A set of standards for evaluating the security, availability, processing integrity, confidentiality, and privacy of a service organization's controls. It is used to assess the internal controls of a service organization. Examples of organizations that may undergo a SOC 2 audit include cloud service providers and managed IT service providers. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/System_and_Organization_Controls).*
143
# Define: SOC 3 | (Service Organization Control 3)
A report providing a public overview of a service organization's controls and their effectiveness based on a SOC 2 audit.

## Footnote

A report on the service organization's controls that is intended for public use and includes a summary of the organization's controls and the independent auditor's opinion on the effectiveness of the controls. It is used to provide transparency to customers and stakeholders about the service organization's controls. Examples of organizations that may issue a SOC 3 report include cloud service providers and managed IT service providers. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/System_and_Organization_Controls).*
144
# Define: Social Engineering
Deceptive tactics to manipulate individuals into divulging confidential information or performing unauthorized actions.

## Footnote

The use of psychological manipulation and deception to trick individuals into revealing sensitive information or performing actions that compromise the security of a network or system. It is commonly used by hackers to gain access to sensitive data or systems. Examples of social engineering include phishing scams, pretexting, and baiting. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Social_engineering_(security)).*
145
# Define: Social Networks
Online platforms allowing users to connect, communicate, and share content with others.

## Footnote

Online platforms that enable users to connect with each other and share content, such as text, images, and videos. They are commonly used for socializing and networking, as well as for marketing and advertising. Examples of social networks include Facebook, Twitter, and LinkedIn. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Social_network).*
146
# Define: Spear Phishing
A targeted email scam where attackers use personalized information to trick victims into revealing sensitive data.

## Footnote

A targeted form of phishing where attackers use specific information about the victim to make their emails more convincing. It is used in cyber-attacks to gain sensitive information from individuals or organizations. Examples include using an individual's name and job title in the email or tailoring the email to match the victim's company's branding. *For more information, view this lecture on [Social Engineering attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Spear_phishing).*
147
# Define: Spim | (Spam Over Instant Messaging)
Unsolicited messages sent over instant messaging platforms, often containing spam or phishing attacks.

## Footnote

Unsolicited messages sent over instant messaging platforms, similar to email spam. These messages may contain advertisements, phishing attempts, or links to malware. The term "spim" is less commonly used today as generalized terms like spam or phishing often encompass this activity. *For more information, view this lecture on [Social Engineering Attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Instant_messaging_spam).*
148
# Define: Spoofing
A fraudulent practice where an attacker disguises themselves as another user or device to gain unauthorized access to information.

## Footnote

Impersonating another entity, either to gain unauthorized access to a system or to trick users into revealing sensitive information. Network security controls aim to prevent attackers from disguising their true identities in this way. Examples include using a fake email address to send phishing emails or using a fake IP address to access a network. *For more information, view this lecture on [Secure Design Principles](https://courses.thorteaches.com/courses/take/cissp/lessons/25340659-secure-design-principles). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Spoofing_attack).*
149
# Define: SSAE | (Statement On Standards For Attestation Engagements)
Professional standards for attestation engagements such as audits and reviews.

## Footnote

A set of professional standards for performing attestation engagements, such as audits or reviews of financial statements. This concept is used in the field of accounting to provide guidance for practitioners and ensure the quality of attestation services. For example, an auditor might use the SSAE standards to evaluate the accuracy of a company's financial statements. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/SSAE_No._18).*
150
# Define: Static Analysis
Evaluating software code without executing it to identify potential vulnerabilities or adherence to coding standards.

## Footnote

This involves reviewing the code of an application without executing it, aiming to discover potential vulnerabilities, bugs, or breaches of coding standards. This method focuses on the source code, byte code, or binary code, using a set of predefined rules or patterns to identify possible issues. It's particularly useful in identifying non-obvious errors, and unlike dynamic analysis, it can be conducted early in the development process. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Static_program_analysis).*
151
# Define: Static Application Security Testing | (SAST)
A security testing method that analyzes an application's source code to identify vulnerabilities.

## Footnote

A method of software testing in which the code is analyzed without executing it, with a focus on identifying potential security vulnerabilities. It is commonly used in software development. Examples include a static analysis tool that scans the code for potential security vulnerabilities or a static analysis tool that checks the code for adherence to security best practices. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Static_application_security_testing).*
152
# Define: Statistical Approach
Using numerical data analysis to draw conclusions, predict outcomes, and inform decision-making processes.

## Footnote

A method of analyzing data by collecting, organizing, and interpreting numerical data in order to draw conclusions and make predictions. It is used in a wide variety of fields, including economics, psychology, and healthcare, to understand and analyze trends and patterns in data. Examples include regression analysis, t-tests, and chi-square tests.
153
# Define: Substantive Test
An audit procedure evaluating the accuracy and completeness of financial information.

## Footnote

An audit procedure that is designed to assess the accuracy and completeness of financial statements. It involves reviewing and testing transactions and account balances to determine if they are properly recorded and presented. Examples of substantive tests include reviewing supporting documentation for transactions and testing the accuracy of calculations in financial statements.
154
# Define: Substantive Testing
Testing focused on data accuracy and completeness, unrelated to technical functionality.

## Footnote

A type of testing that focuses on the accuracy and completeness of data rather than the technical functionality of a system. It is used in auditing and quality assurance to verify the integrity of financial records and other important data. Examples include testing the accuracy of financial statements, testing the completeness of inventory records, and testing the reliability of voter registration records.
155
# Define: System Development
The creation of new computer systems or applications, encompassing stages from design to deployment.

## Footnote

The process of designing, creating, and implementing a new computer system or software application. This can involve requirements gathering, design, coding, testing, and deployment. Examples of system development projects include a new CRM system or a mobile app. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Systems_development_life_cycle).*
156
# Define: System Scanning
Using specialized software to search for vulnerabilities or issues in a computer system's security.

## Footnote

The process of using specialized software to search a computer system for vulnerabilities, security threats, or other issues. This can involve scanning a network for open ports, running a virus scan, or checking for outdated software. Examples of system scanning tools include Nmap, McAfee VirusScan, and Qualys Vulnerability Management. *For more information, view this lecture on [Vulnerability Scanners](https://courses.thorteaches.com/courses/take/cissp/lessons/19180017-vulnerability-scanners).*
157
# Define: System Testing
Verifying that a system meets its designed requirements, an integral phase in the software development lifecycle.

## Footnote

The process of verifying that a system meets its specified requirements. It is used in the development and implementation of software and hardware systems. Examples include testing the functionality of a new computer program, the compatibility of a hardware component with existing systems, and the security of a network system. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/System_testing).*
158
# Define: Test Coverage Analysis
The evaluation of the extent and effectiveness of testing performed on a software system.

## Footnote

The method used to evaluate the extent to which a system or software application has been tested. It helps to identify gaps in testing, areas that have not been tested, or areas where testing may be too dense. From a security perspective, ensuring adequate test coverage is crucial to uncovering and fixing potential vulnerabilities and flaws, thereby minimizing the risk of security breaches and strengthening the overall robustness of the system. *For more information, view this lecture on [Software Testing - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33748175-software-testing-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Code_coverage).*
159
# Define: Test Data
Data used in testing that should be representative of production data but de-identified to maintain security.

## Footnote

Test data should mimic the characteristics of production data to validate system behavior accurately. However, it must be anonymized or de-identified to protect sensitive information and comply with data privacy standards, ensuring the data's integrity without compromising security. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Test_data).*
160
# Define: Test Types
Various methods used to validate different aspects of software, such as functionality and security.

## Footnote

The various approaches used in software testing to validate functionality, performance, security, and compatibility of applications or systems. Test types include unit, integration, system, acceptance, and security testing, each addressing specific aspects of software quality. *For more information, view this lecture on [Software Testing - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33748175-software-testing-part-2).*
161
# Define: Testing
The process of evaluating a system or application to ensure it meets requirements and operates as intended.

## Footnote

The process of evaluating a system or application to ensure it meets specified requirements and performs as expected. It is used to identify defects, vulnerabilities, and other issues before a system is put into production. Examples include unit testing, integration testing, and acceptance testing. *For more information, view this lecture on [Software Testing - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19180056-software-testing-part-1). Or view this lecture on [Penetration Testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Software_testing).*
162
# Define: Third-Party Audits
Independent reviews assessing an organization's compliance with standards or regulations.

## Footnote

Independent assessments of an organization's compliance with regulations, standards, or policies. These audits are typically performed by external organizations and can provide assurance to stakeholders that the organization is following appropriate practices and procedures. Examples include using third-party audits to verify the security of a financial system, to confirm the accuracy of a company's financial statements, or to assess the quality of a healthcare provider's services. *For more information, view this lecture on [Security Audits](https://courses.thorteaches.com/courses/take/cissp/lessons/19180000-security-audits). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Audit).*
163
# Define: Third-Party Review
An independent assessment conducted by external experts on an organization's processes or products.

## Footnote

An objective examination and assessment conducted by external experts of an organization's processes, systems, or products. Third-party reviews offer independent verification of compliance, security, and performance, providing credibility and assurance to stakeholders.
164
# Define: Transaction Log
A record of all transactions processed by a database system, aiding in recovery and data replication.

## Footnote

A record of all transactions that have been executed in a database system. It is used to recover from system failures and to replicate data across multiple systems. Examples include the transaction log file in Microsoft SQL Server, transaction log entries in MySQL, and transaction log entries in Oracle Database. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Transaction_log).*
165
# Define: Trike
A risk-based security auditing framework analyzing systems from a threat perspective to identify security risks.

## Footnote

A risk-based security auditing framework that focuses on modeling systems from a threat perspective. It aims to identify security risks by analyzing the intended behavior of the system and comparing it against potential security threats, thereby informing the development of security measures and controls. *For more information, view this lecture on [Secure Design Principles](https://courses.thorteaches.com/courses/take/cissp/lessons/25340659-secure-design-principles).*
166
# Define: Unit Test
A testing approach that evaluates the smallest testable parts of an application to ensure each operates as designed.

## Footnote

A method of testing individual components of a system to ensure that they are functioning correctly. It verifies that each component, such as a function or a method in a codebase, behaves as expected when given a specific input. *For more information, view this lecture on [Software Testing - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33748175-software-testing-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Unit_testing).*
167
# Define: Unit Testing
Testing individual components of software in isolation to ensure they function correctly.

## Footnote

The process of conducting unit tests. This type of testing is usually performed by developers during the development phase to identify and rectify bugs early in the development cycle. It helps ensure that modifications or additions to a system do not cause unexpected behavior or failures. *For more information, view this lecture on [Software Testing - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33748175-software-testing-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Unit_testing).*
168
# Define: Urgency
A condition that compels immediate action due to time constraints or imminent risk.

## Footnote

Urgency denotes the perception of a critical need to act promptly, often driven by time constraints or looming risks. This sense of immediacy can influence decision-making and is frequently exploited in social engineering and marketing tactics to bypass rational evaluation. In critical security incidents, urgency is vital, but it must be managed carefully to avoid hasty, insecure decisions. *For more information, view this lecture on [Social Engineering Attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks).*
169
# Define: Validity Check
A verification process confirming that data entered into a system adheres to predefined rules and formats.

## Footnote

A process that verifies if data entered into a system adheres to specified rules and formats. These checks are typically performed to maintain data integrity and reduce the likelihood of errors or inconsistencies. For example, a validity check might ensure that an email address entered into a system is in the correct format. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_validation).*
170
# Define: Variable Sampling
A statistical method analyzing a subset of data to draw conclusions about a larger set, often used in security auditing.

## Footnote

A statistical analysis method where a subset of data from a larger population is examined to draw conclusions about the larger set. In the context of system auditing and security, variable sampling might be used to analyze patterns of behavior, detect anomalies, and identify potential threats or vulnerabilities. The goal is to uncover insights that can help improve system security without the need to analyze every single piece of data.
171
# Define: Vishing
A fraudulent activity where perpetrators use the telephone system to deceive individuals into exposing confidential information.

## Footnote

A fraudulent practice where perpetrators use a telephone system to deceive individuals into revealing sensitive information. Often, these attackers pretend to represent legitimate organizations, using social engineering techniques to manipulate victims, gain their trust, and access their personal, financial, or security data. *For more information, view this lecture on [Social Engineering Attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or view this lecture on [Risk- Attackers and Types of Attacks Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588146-risk-attackers-and-types-of-attacks-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Voice_phishing).*
172
# Define: Vulnerability Analysis
Identifying and assessing weaknesses in a system that could be exploited by threats.

## Footnote

The process of identifying and evaluating weaknesses in a system. This process involves a detailed examination of the system's components, configurations, and security measures to identify potential vulnerabilities that could be exploited by threat actors. It provides insights into the system's security posture and guides the development of remediation strategies to strengthen the system's defenses. *For more information, view this lecture on [Security Assessments](https://courses.thorteaches.com/courses/take/cissp/lessons/19179927-security-assessments). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Vulnerability_assessment).*
173
# Define: Vulnerability Assessment
A systematic examination of a system for security flaws to understand the risks and improve defenses.

## Footnote

A systematic examination of a system's security flaws. It involves identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system to provide a comprehensive understanding of the system's security weaknesses, which can then be addressed to improve overall security. *For more information, view this lecture on [Security Assessments](https://courses.thorteaches.com/courses/take/cissp/lessons/19179927-security-assessments). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Vulnerability_assessment).*
174
# Define: Vulnerability Scan
A process that examines networks or systems using automated tools to identify and address security holes.

## Footnote

A methodical process used to inspect a network or system for security holes. It employs automated tools to discover weaknesses, such as outdated software or improper configurations, which could be exploited by attackers, with the ultimate aim to reinforce the defenses by addressing these discovered vulnerabilities. *For more information, view this lecture on [Vulnerability Scanners](https://courses.thorteaches.com/courses/take/cissp/lessons/19180017-vulnerability-scanners). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Vulnerability_scanner).*
175
# Define: Vulnerability Scanner
A software tool that assesses systems for known vulnerabilities to improve cybersecurity.

## Footnote

A software tool that assesses computers, networks, or applications for known weaknesses, generating a list of vulnerabilities that could be exploited by an attacker. It is an essential part of an organization's cybersecurity strategy to proactively identify and mitigate potential security risks. *For more information, view this lecture on [Vulnerability Scanners](https://courses.thorteaches.com/courses/take/cissp/lessons/19180017-vulnerability-scanners). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Vulnerability_scanner).*
176
# Define: War Chalking
Outdated marking of physical locations to indicate open wireless networks, now superseded by modern technology.

## Footnote

The practice of marking physical locations with symbols to indicate the presence of wireless networks, particularly those that are open for public use. This practice has become largely obsolete with the widespread use of mobile internet and security improvements in wireless technology. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Warchalking).*
177
# Define: War Dialer
A program that automatically dials phone numbers to identify those connected to modems, now largely obsolete.

## Footnote

A computer program used to identify phone numbers that can successfully make a connection with a computer modem. Originally, this was done to discover potential points of unauthorized network access, but these days it's largely obsolete due to the prevalence of broadband internet connections. *For more information, view this lecture on [Penetration Testing Tools](https://courses.thorteaches.com/courses/take/cissp/lessons/19180049-penetration-testing-tools). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/War_dialing).*
178
# Define: War Dialing
Automated phone number dialing to identify vulnerabilities, now less common due to the decline of modems.

## Footnote

The practice of using a war dialer to automatically dial a range of phone numbers to identify potential targets for phone attacks. It is used by hackers to identify vulnerabilities in phone systems and gain unauthorized access. Examples of such phone attacks include voicemail hacking, PBX hacking, and caller ID spoofing. *For more information, view this lecture on [Penetration Testing Tools](https://courses.thorteaches.com/courses/take/cissp/lessons/19180049-penetration-testing-tools). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/War_dialing).*
179
# Define: War Driving
The practice of searching for wireless networks by moving around a location, often with malicious intent.

## Footnote

The practice of driving around with a wireless-enabled device to identify and map wireless networks. It is used by hackers to identify potential targets for wireless attacks. Examples include using a laptop with a wireless card and an antenna, using a smartphone with a wireless scanner app, and using a GPS device with a wireless scanner. *For more information, view this lecture on [Penetration Testing Tools](https://courses.thorteaches.com/courses/take/cissp/lessons/19180049-penetration-testing-tools). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Wardriving).*
180
# Define: Watering Hole Attack
An attack strategy where criminals compromise websites frequented by the target group to distribute malware or gather data.

## Footnote

An attack where attackers seek to compromise a specific group of individuals by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the targeted user's place of employment. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Watering_hole_attack).*
181
# Define: Whaling
A social engineering technique targeting high-profile individuals with tailored phishing attacks.

## Footnote

A type of social engineering attack that targets high-level executives or other important individuals within an organization. It is used to gain access to sensitive information or to manipulate decisions within the organization. Techniques used include spear phishing, pretexting, and baiting. *For more information, view this lecture on [Social Engineering Attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19180035-social-engineering-attacks). Or view this lecture on [Risk- Attackers and Types of Attacks Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/18588146-risk-attackers-and-types-of-attacks-part-2).*
182
# Define: White Box Testing
Software testing with full knowledge of the internal structures, focusing on the code and system architecture.

## Footnote

Also referred to as crystal-box testing or clear-box testing, this is a method of software testing where the tester has full visibility of the internal workings of the software, including the code structure, algorithms, and logic. The tests are based on coverage of code statements, branches, paths, and conditions and are used to ensure that all the pathways through the code are tested. This approach requires a deep understanding of the system's internals and is often used to validate complex logical flows and security vulnerabilities. *For more information, view this lecture on [Penetration Testing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180029-penetration-testing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/White-box_testing).*