Domain 6: Security Assessment and Testing

Question 1

Audit

Answer 1

An audit is a systematic assessment of the security controls of an information system.

Question 2

What is the most important step in planning a security audit?

Answer 2

Setting a clear set of goals

Question 3

Pros and cons of internal audits

Answer 3

Internal audits benefit from the auditors’ familiarity with the systems.

They may be hindered by a lack of exposure to how others attack and defend systems.

Question 4

External audits

Answer 4

External audits happen when organizations have a contract in place that includes security provisions.

The contracting party can demand to audit the contractor to ensure those provisions are being met.

Question 5

Pros and cons of third-party audits

Answer 5

Third-party audits typically bring a much broader background of experience that can provide fresh insights.

They can be expensive.

Question 6

Test coverage

Answer 6

Test coverage is a measure of how much of a system is examined by a specific test (or group of tests).

Question 7

Vulnerability test

Answer 7

A vulnerability test is an examination of a system for the purpose of identifying defining and ranking its vulnerabilities.

Question 8

Black box testing

Answer 8

Black box testing treats the system being tested as completely opaque.

Question 9

White box testing

Answer 9

White box testing affords the auditor complete knowledge of the inner workings of the system even before the first scan is performed.

Question 10

Gray box testing

Answer 10

Gray box testing gives the auditor some but not all information about the internal workings of the system.

Question 11

Penetration testing

Answer 11

Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner.

Question 12

Blind test

Answer 12

A blind test is one in which the assessors only have publicly available data to work with and the network security staff is aware that the testing will occur.

Question 13

Double-blind test

Answer 13

A double-blind test (stealth assessment) is a blind test in which the network security staff is not notified that testing will occur.

Question 14

War dialing

Answer 14

War dialing allows attackers and administrators to dial large blocks of phone numbers in search of available modems.

Question 15

Log review

Answer 15

A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls.

Question 16

Synthetic transactions

Answer 16

Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services.

Question 17

Misuse case

Answer 17

A misuse case is a use case that includes threat actors and the tasks they want to perform on the system.

Question 18

Code Review

Answer 18

A code review is a systematic examination of the instructions that comprise a piece of software performed by someone other than the author of that code.

Question 19

Interface testing

Answer 19

Interface testing is the systematic evaluation of a given set of exchange points for data between systems and/or users.

Question 20

How are administrative controls implemented?

Answer 20

Administrative controls are implemented primarily through policies or procedures.

Question 21

BCP

Answer 21

A business continuity plan (BCP) ensures that the critical business processes of an organization remain uninterrupted or are quickly restored after a serious event.

Question 22

DRP

Answer 22

A disaster recovery plan (DRP) ensures that the information systems supporting critical business processes remain operational or are quickly restored in the event of a disaster.

Question 23

Security training

Answer 23

Security training is the process of teaching a skill or set of skills that will allow people to better perform specific functions.

Question 24

Security awareness training

Answer 24

Security awareness training is the process of exposing people to security issues so that they may be able to recognize them and better respond to them.

Question 25

Social Engineering

Answer 25

Social engineering in the context of information security is the process of manipulating individuals so that they perform actions that violate security protocols.

Question 26

Phishing

Answer 26

Phishing is social engineering conducted through a digital communication.

Question 27

Drive-by download

Answer 27

A drive-by download is an automatic attack that is triggered simply by visiting a malicious website.

Question 28

KPI

Answer 28

Key performance indicators (KPIs) measure the effectiveness of an organization in performing a given task at a given point in time.

Question 29

KRI

Answer 29

Key risk indicators (KRIs) measure the risk inherent in performing a given action or set of actions.

Question 30

Management review

Answer 30

A management review is a formal meeting in which senior organizational leaders determine whether the information security management systems are effectively accomplishing their goals.

Question 31

What kind of testing is used to determine if program changes have introduced new errors?

Answer 31

Regression testing

Regression testing is the verification that what is being changed and installed does not affect any portion of the system already installed.

Regression testing is software testing that seeks to uncover software errors by partially retesting a modified program. The intent of regression testing is to provide a general assurance that no additional errors were introduced in the process of fixing other problems.

Question 32

When a system development project is in the middle of the programming coding phase, what is the MOST frequent type of test?

Answer 32

Unit testing

Unit tests are used to ensure that individual programs are working correctly.

This type of test should occur during the programming phase. The development team should have mechanisms in place for the running of unit tests. The other alternatives happen later in the development and testing phases.

Question 33

True or False - Logging both successful and unsuccessful events is not necessarily important because logging unsuccessful attempts may not reveal unauthorized access attempts.

Answer 33

False

Logging successful and unsuccessful events are equally important because they may reveal unauthorized access or an unauthorized escalation of access rights.

Question 34

True or False - Known and unknown vulnerabilities can be identified on a host through the use of a vulnerability scanner.

Answer 34

False

A vulnerability scanner is software intended to explore and map known security weaknesses in applications, systems, and networks.

Question 35

When an organization has a large number of privileged users is it necessary to periodically re-certify them?

Answer 35

Yes. Privileged users should always be re-certified as a way of securing the environment and identifying any fraudulent activity.

It is never a good idea to set systems and user access levels to a privileged default level.

Question 36

What is Real User Monitoring?

Answer 36

Testing that tests every transaction of every user on a web site.

Question 37

What are the general types of penetration tests?

Answer 37

• Internal
• External
• Wireless

Question 38

Are logs reviewed as part of a Physical Security Assessment?

Answer 38

Yes. Access logs of physical controls should be assessed as part of a Physical audit.

Question 39

To what does the term “footprinting” refer?

Answer 39

Footprinting (also called reconnaissance) is a method used by an attacker to learn information about a victim before actually carrying out scanning and probing activity.

Question 40

What is Synthetic Performance Monitoring?

Answer 40

Monitoring system performance using automated scripts rather than real users.

Question 41

Collecting data so a system can be monitored is known as:

Answer 41

Logging

Logs can be used for audit, troubleshooting, and research.

Question 42

What is the difference between a penetration test and a vulnerability test?

Answer 42

Vulnerability scanners are comprehensive tests that check for numerous potential security weaknesses in the system and reports them.

Penetration testing are specific tests that demonstrate how the existence of vulnerabilities can be exploited using attacker processes.

Penetration testing can be used in conjunction with vulnerability scanning. But neither can replace the other.

Question 43

What tasks should be carried out before a vulnerability assessment or penetration test is started?

Answer 43

• Have management’s approval
• Understand the goals of the operation
• Be able to identify the resources being tested

Question 44

What is a Key Performance Indicator?

Answer 44

An interpretation of one or more metrics that describes an element of an Information Security Management System.