Domain 6 -- Security Assessment and Testing Flashcards
(105 cards)
1
Q
What are the 8 steps to the Information System Security Audit Process?
A
- Determine goals
- Involve the right business unit leaders
- Determine the scope
- Choose the audit team
- Plan the audit
- Conduct the audit
- Document the results
- Communicate the results
2
Q
What’s the difference between internal audits, external audits and third party audits?
A
- Internal audits – self evident. An organization audits itself
- External audit (aka second party audit) – an organization audits a business partner (Target and Fazio Mechanical services)
- Third Party audit – Bring in an outside company to conduct the audit
3
Q
What is a technical control?
A
It’s a security control implemented through the use of an IT asset.
4
Q
What are three types of vulnerability testing?
A
- Personnel testing – people, procedures, training
- Physical tesing – review the facility and perimeter protection
- System and network testing
5
Q
What’s the difference between Black Box, white box and grey box testing?
A
- Black box testing - Tester has no a priori knowledge of the internal design or features of the system. All knowledge comes from the testing itself.
- White Box testing — auditor is given complete knowledge of the inner workings of the system before testing begins
- Better for insider threat
- Not as good for outsider threats
- Somewhere between Black and white box testing. The tester has some knowledge, but not all of the inner workings
6
Q
What is penetration testing?
A
Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner, senior management.
Pen tests are not restricted to information technology. Could be technical, physical or administrative
7
Q
What are the capabilities of Vulnerability scanners?
A
- identify active hosts on the network
- identify active/vulnerable services (ports) on hosts
- identify applications and banner grabbing
- identify operating systems
- identify vulnerabiliites associated with discovered operating systems and apps
- Identify misconfigured settings
- Test for compliance with host applications usage/security policies
- The establishment of a foundation for penetration testing
8
Q
What is the 5-step process used during penetration testing?
A
- Discovery – gathering info about target
- Enumeration - performing port scans and resource identification methods
- Vulnerability mapping - identifying vulnerabilities in identified systems and resources
- Exploitation – attempt to gain unauthorized access
- Report to management
9
Q
What’s the difference between a blind, double blind or targeted pen test?
A
-
Blind test – assessors only have publicly available data to work with
- network security staff is aware that this type of test will take place
-
Double Blind (aka stealth assessment) – blind to assessors and the security staff is not notified
- Better for evaluting how good the security team is to identifying and responding to an attack
-
Targeted Tests - can be internal and/or external consultants carrying out focused tests on specific areas of interests
- Example is if a new application or web site is being rolled out
10
Q
What’s the difference between a vulnerability test and a penetration test?
A
- Vulnerability test has a goal of identifying potential vulnerabilities
- Penetration test has a goal of exploiting one or more vulnerabilities to prove that a hacker actually can gain access to company resources
11
Q
What is War Dialing?
A
- War dialing allows attackers and administrators to dial large blocks of phone numbers in search of available modems
12
Q
What’s a kernel flaw and how do you protect against it?
A
- kernel flaws are problems that occur below the level of the UI, deep in the OS
- You protect against them by keeping patches up to date (after sufficient testing)
13
Q
What are buffer overflows and how do you protect against them?
A
- Good programming practices
- Developer education
- automated source code scanners
- enhanced programming libraries
- strongly typed languages
14
Q
What’s a symbolic link vulnerability and how do you protect against it?
A
- The vulnerability is that a program may follow a symbolic link and the attacker may be able to compromise that symbolic link to gain unauthorized access
- Countermeasures:
- Don’t use symbolic links. Use the full path name
15
Q
What are file descriptor attacks and how do you protect against them?
A
- File descriptors are numbers many OS’s use to represent open files in a process.
- Certain file descriptors are universal – same to all programs
- If a program makes unsafe use of a file descriptor, an attacker may be ale to insert unexpected input into the program or cause output to go to an unexpected place with the privileges of the executing program
- Countermeasures:
- Good programming practices
- Developer education
- Source code scanners
- Application security testing
16
Q
What’s a race condition and how do you protect against it?
A
Race conditions exist when the design of a program puts it in a vulnerable condition before ensuring that those vulnerable conditions are mitigated.
Countermeasures
- Good programming practices
- Developer education
- automated source code scanners
- app security testing
17
Q
What are file and directory permission vulnerabilities and how do you protect against them?
A
Many attacks rely on inappropriate file or directory permissions
Countermeasures
- File integrity checkers
- These shoulda lso check expected file and directory permissions
18
Q
What’s the Postmortem?
A
After the testing is complete – you should review the results, close gaps where possible and decide priorities moving forward.
19
Q
What are Log Reviews?
A
- A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls
- It’s important to have time synchronized in order for log analysis across multiple systems to be meaningful.
20
Q
What is NTP?
A
NTP stands for Network Time Protocol
- It’s really important for keeping systems in synch and providing the ability to correlate log entries made by differrent systems
21
Q
What are ways to prevent log tampering?
A
- Remote logging – putting log files on a separate box makes the attackers have to compromise that box, too.
-
Simplex Communication – only have a one-way path to the log repository
- You can sever the receive pairs on an Ethernet cable
- known as a data diode
- Replication – replicate log files someplace not on the network (e.g. removable device)
- Write Once Media
- Crytographic hash chaining – each event is appended to the cryptographic hash – ensures completeness and integrity of every event in the chain
22
Q
What does SIEM stand for and how is it used?
A
- SIEM stands for Security Information and Event Manager
- They are systems that enable:
- Centralization
- Correlation
- Analysis
- Retention of event data
- Purpose is to generate automated alerts
- Typically, they provide a dashboard
23
Q
What is a synthetic transaction and how are they useful in security?
A
- A synthetic transaction is a transaction that is generated by a script
- They allow us to systematically test the behavior and performance of citical services.
24
Q
What’s the difference between real user monitoring and synthetic Transactions?
A
- Real User Monitoring is a passive way to monitor the interactions of real users with a web application system
- It uses agents to capture metrics such as delay, jitter and errors from a user’s perspective
- Can require more backend analysis to understand when a user may have changed his mind or lost mobile connectivity, rather than something to be concerned about
- Synthetic transactions are more consistent.
- Neither is better all the time
25
What is misuse case testing?
A misuse case is a use case that includes threat actors and the tasks they want to perform on the system.
26
What are the steps in the code review process?
1. Identify the code to be reviewed
2. Team leader organizes the inspection and makes sure everyone has access to it
3. Everyone prepares by reading through the code and making notes
4. All obvious errors are collated off-line so they don't need to be discussed
5. If all agree that code is ready for inspection, procedd with the meeting
6. Team leader displays code and team discusses it. Scribe writes notes down
7. Team decides on a disposition:
* Good to go
* Passed with rework
* Reinspect following fix of issues
8. Following meeting author fixes (if needed)
9. Re-review if needed
27
What is defensive coding?
* It means that during development or code review, you are constantly looking for opportunities for things to go badly
28
What is interface testing?
* Interface testing is the systematic evaluation of a given set of the "exchange points" that comprise the interface
* Interface testing is a special case of Integration Testing
29
What are 3 ways for attackers to become "normal, privileged users" of the systems they intend to compromise?
1. Compromise an existing privileged account
2. Create a new privileged account
3. Elevate the privileges of a regular user account
30
What command do you use to switch to a different user in Windows, Linux and MacOS?
* Windows -- use the runas command
* Linux -- sudo command
* macOS - sudo
31
What are some points to keep in mind regarding testing Data Backups?
* Develop scenarios
* Develop a plan
* Leverage automation
* Minimize the impact on business processes
* Ensure coverage
* Document the results
* Fix or improve any issues you documented
32
What is a checklist test as it relates to DR/BCP? What is another name for it?
* Copies of the DRP or BCP are distributed to the different departments and functional areas for review.
* They make comments which are then incorporated back into the master copy.
* The checklist test is also called a desk check test
33
What is a Structured Walk-through test with regard to DR/BCP?
* People come together to review the plan for accuracy
34
What is a tabletop exercise with respect to DR/BCP?
* TTX's do NOT involve a technical control infra
* Can happen at the executive level or team level
* Goal is to test out procedures and ensure that they actually do what they are supposed to do
* Ensures that everyone knows their role
* Goal is to ensure that the team is able to respond to the likeliest/most dangerous scenario
TTX's are only as good as the people who show up to play.
35
What is a simulation test with respect to DR/BCP
* Takes a lot of planning and a lot of people
* Takes place up to the point of actual relocation to an offsite facility and actual shipment of replacement equipment
36
What is a Parallel test with respect to DR/BCP?
* In a parellel test, some systems are moved to the alternate site and processing takes place.
* Results are compared with regular processing done at the main site.
* Ensures that specific systems can perform adequately at the alternate offsite facility
* Will flush out any tweaking ro reconfiguration that is needed.
37
What is a full interruption test with respect to DR/BCP?
* Most intrusive to regular operations
* The original site is actually shut down
* All processing takes place at the alternate site
* Full-blown drill that takes a lot of planning and coordination, but it can reveal the most holes in the plan
38
What other types of training are needed withr respect to DR/BCP?
* cardiac pulmonary resuscitation (CPR)
* how to use a fire extinguisher
* emergency communication procedures
* how to shut down equipment when disasters strike
39
What are the main reasons DR/BCP plans become outdated?
* BC process not integrated into change management process
* Changes occur in the infra and environment
* Reorganization of the company, layoffs, mergers
* Changes in HW, SW and applications
* After the plan is constructed, people think their job is done
* Personnel turnover
* Large plans take a lot of work to maintain
* Plans do not have a direct line to profitability
40
What are steps a company can do to ensure that the plan stays updated?
* Make BC part of every business decision
* Insert maintenance responsibilities into job descriptions
* Include maintenance in personnel evaluations
* Perform internal audits that include DR/BCP
* Perform regular drills that use the plan
* Integrate BCP into the current change management process
* Incorporate lessons learned from actual incidents into the plan
41
What's the difference between security training and Security awareness training?
**Security training** is teaching the skill or skills that will allow people to perform specific functions better
**Security awareness training** is the process of exposing people to security issues so that they can recognize them and better respond to them
42
What is social engineering?
Social engineering, in the context of Info Security, is the process of manipulating individuals so that they perform actions that violate security protocols.
43
What is a drive-by download?
A driveby download is where a legitimate site has been compromised, the site will invisibly redirect the user to a malware distribution server.
44
What is ISO 27004?
It's the Information Security Metrics Implementation Standard
45
# Define the following terms with respect to key performance indicators (KPI's)
* Factor
* Measurement
* Baseline
* Metric
* **Factor** -- atttribute of the ISMS that is a value that can change over time
* e.g.number of alerts generated by IDS
* Number of events investigated by Incident Response teams
* **Measurement** -- The value of a factor at a particular time
* e.g. 356 IDS alerts in the last 24 hours
* e.g. 42 verified events investigated by IR teams in the month of Jan
* **Baseline** - what you think it means
* **Metric** -- a derived value that is generated by comparing multiple measurements against each other or against a baseline
* e.g. ratio of verified incidents to IDS alerts over a 30-day period
* **Indicator** -- An interpretation of one or more metrics that describes an element of the effectiveness of the ISMS
* e.g. green traffic light indicates a threshold ratio of no more than 30% false or undetected by IDS evnets has been met for a reporting period
46
Give the process a team should follow to select and implement KPI's
* Choose factors that can show the state of security
* Define baselines for some or all factors under consideration
* Develop plan for periodically capturing the values of these factors and fix the sampling period
* Analyze and interpret the data
* Communicate the indicators to all stakeholders
47
What's a KRI and what's the difference between a KPI and a KRI?
* KRI stands for Key Risk Indicators
* KRI's tell us where we are today in relation to our risk appetite
* KRI's measure how risky an activity is so that the leadership can make informed decisions about that activity
* Designed to work like mine canaries -- tell us when something bad is likely to happen
* It's best to relate KRI's to Single Loss Expectancy equations
48
What are the 3 "what's" of analyzing data from a security assessment?
* What
* So What?
* Now What?
49
What are the elements of a good technical audit report?
* Exec Summary
* Background
* Methodology
* Findings
* Recommendations
* Appendices
50
Know Stratum 0 - Stratum 3 of NTP
51
With respect to auditing, know the difference between a test and an assessment.
**Test** -- A procedure that records some set of properties of behaviours in a system being tested and compares them against predetermined standards.
**Assessment** -- A series of planned tests that are somehow related to each other.
52
Which of the following components of a TableTop exercise represents a branch?
See graphic
53
Which of the following components of a tabletop exercise indicates a sequel?
See graphic
54
The Network Time Protocol uses which transport layer protocol and which port?
55
In the context of BCP, what is the difference between a structured walkthrough and a checklist test?
56
Alice needs to hire a third party to conduct a test of her company’s security posture. If she needs an independent comparison against statutory requirements, which of the following services should she select?
Regulatory audit
57
Which of the following best describes the most critical problem with “running as root”?
If an administrator is tricked by attackers into executing malicious software, that software will run with the administrative level of privilege, which is commonly system level.
58
Alice has been tasked with assessing her company’s security awareness program. Her company has hired a third party to perform social engineering testing as part of a broader penetration testing regime once per quarter. The contractor provides quantitative details as to the percentage of employees who click a potentially malicious link in an e-mail designed to attempt to deceive them. Tracking and comparing this performance indicator over time is best described by which of the following terms?
Security metric
59
Which of the following is not a result of a penetration test?
Modify access control permissions
60
Which of the following sections of a technical security report is the most critical to include?
Recommended actions
61
What services run on TCP and UDP ports 137 - 139?
What service runs on TCP port 445?
What service runs on TCP port 1433?
**What services run on TCP and UDP ports 137 - 139?**
* NetBios Services
**What service runs on TCP port 445?**
* Active Directory
**What service runs on TCP port 1433?**
* Microsoft SQL Server
62
What is mutation testing?
Mutation testing modifies a program in small ways and then tests that mutant to determine if it behaves as it should or if it fails.
63
What are the following tools used for?
* zzuf
* Nikto
* Metasploit
* sqlmap
* **Nikto** is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server.
* **Metasploit** includes some scanning functionality but is not a purpose-built tool for vulnerability scanning.
* **zzuf** is a fuzzing tool and isn’t relevant for vulnerability scans,
* **sqlmap** is a SQL injection testing tool.
64
What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
Syslog is a widely used protocol for event and message logging
65
What is a fuzzer and why would you use one?
Fuzzers are tools that are designed to provide invalid or unexpected input to applications
Fuzzers are used for testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems.
66
What are the following tools used for?
* Nmap
* OpenVAS
* MBSA
* Nessus
* Nmap is an open source port scanner.
* OpenVAS is an open source vulnerability scanning tool that provides a report of the vulnerabilities that it can identify from a remote, network-based scan.
* MBSA stands for Microsoft Baseline Security Analyzer (MBSA). It is a vulnerability scanning tool (closed source)
* Nessus is a vulnerabulity scanning tool (closed source)
67
Within the context of nmap, what do the following mean?
* Open
* Closed
* Filtered
* **Open** - The port is accessible on the remote system and an application is accepting connections on that port.
* **Closed** - The port is accessible on the remote system, but no application is accepting connections on that port.
* **Filtered** - The port is not accessible on the remote system.
68
What does SSAE stand for and what is the difference between a SSAE 18 SOC 1 Type I report and a Type II report?
* **Type I audits** only cover a single point in time and are based upon management descriptions of controls. They do not include an assessment of operating effectiveness.
* **Type II audits** cover a period of time and do include an assessment of operating effectiveness.
SSAE stands for Statement on Standards for Attestation Engagements, which is overseen by The American Institute of Certified Public Accountants.
69
Why is WPA2 Enterprise Edition better than WPA2 against password attacks?
* **WPA2 enterprise** uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail as password attempts for a given user may result in account lock-out.
* **WPA2 encryption** will not stop a password attack, and WPA2’s preshared key mode is specifically targeted by password attacks that attempt to find the key.
70
What does CVE stand for and what is a CVE database good for?
CVE stands for Common Vulnerabilities and Exposures.
CVE is a dictionary of common names for publicly known cybersecurity vulnerabilities maintained by the US Dept of Homeland Security
It is useful once vulnerabilities are well understood.
Unfortunately, the CVE database won't help you with a zero-day attack
71
What sorts of threats do IDS and IPS systems protect against?
How do vulnerability scanners help?
IDS and IPS systems protect against attacks. They won't identify if
Vulnerability scanners help by identifying whether any parts of an organization are vulnerable to known threats
72
What kinds of issues could be expected with active wireless scanning and which ones are considered problems?
* Accidently scanning apparent rogue devices that actually belong to guests (this is a problem)
* Causing alarms on the organization’s wireless IPS (this is not necessarily a problem because it can test an org's responses to a possible attack
* Scanning devices that belong to nearby organizations (Problem)
* Misidentifying rogue device (Problem)
Moral of the story is that you have to be careful when conducting a wireless scan
73
What's the difference between a Generational fuzzing tool and a Mutation based fuzzing tool?
* **Generational fuzzing** relies on models for application input and conducts fuzzing attacks based on that information.
* **Mutation based fuzzers** are sometimes called “dumb” fuzzers because they simply mutate or modify existing data samples to create new test samples.
74
What's the difference between the following types of logging in routers?
* Audit logging
* Flow logging
* Trace logging
* Route logging
* **Audit logging** - provides information about events on the routers
* **Flow logging** - Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management.
* **Trace logging** - Trace logs are used in troubleshooting specific software packages as they perform their functions
* **Route logging** - route logging is not a common network logging function
75
RFC 1918 non-routeable IP addesses are things like 192.168.X.X
There are class A, B and C versions (see Flash card in Domain 4).
What problem will happen if a person tries to scan these address ranges from off-site?
Since the addresses used are RFC 1918 non-routable addresses, it is not possible to scan them from off-site
76
What are three valid ways to verify that backups are working properly?
1. Log review
2. Hashing logs to ensure that they are intact
3. Periodic testing
77
What is the best way to ensure that all Windows systems provide identical logging information to the SIEM?
Group Policy enforced by Active Directory can ensure consistent logging settings and can provide regular enforcement of policy on systems.
78
Do windows desktop systems support syslog?
No. Only things like the following support syslog
* Enterprise wireless access points
* Linux web servers
* Enterprise firewall devices
79
The National Institute for Standards and Technology (NIST) offers a special publication that describes best practices in conducting security and privacy assessments. What is it called?
NIST Special Publication 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations
80
What does PCI DSS stand for?
Payment Card Industry Data Security Standard (PCI DSS)
81
What is a common tool used for penetration testing?
Metasploit
82
How do CIDR address ranges work.
For example 10.0.0.0/16
83
The Fagan inspection process is related to what?
Code reviews
84
During a penetration test, Danielle needs to identify systems, but she hasn’t gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services?
When a tester does not have raw packet creation privileges, such as when they have not escalated privileges on a compromised host, a TCP connect scan can be used.
TCP SYN scans require elevated privileges on most Linux systems due to the need to write raw packets.
A UDP scan will miss most services that are provided via TCP,
An ICMP is merely a ping sweep of systems that respond to pings and won’t identify services at all.
85
What is Real User Monitoring (RUM)?
Real user monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. RUM is often used as part of a predeployment process using the actual user interface.
86
What does STRIDE stand for and in what part of application test modeling is it useful?
* Spoofing
* Tampering
* Repudiation
* Information Disclosure
* Denial of Service
* Elevation of Privilege
It's useful in the threat categorization portion of threat modeling
87
What can bluetooth scanning do, and what are its limitations?
**_What it can do:_**
* Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in.
**_Limitations_**
* Unfortunately, Bluetooth scans can be challenging due to the limited range of Bluetooth and the prevalence of personally owned Bluetooth enabled devices.
* Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.
88
Compare these tools with respect to OS finger printing.
* Nmap
* Nessus
* Nikto
* sqlmap
The tools that begin with N can all do OS fingerprinting:
* Nmap
* Nessus
* Nikto
SQLmap does not do OS fingerprinting
89
Is there such a thing as Key Risk Indicators or only Key Performance Indicators?
Key Risk Indicators exist.
Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their life cycle.
90
What major difference separates synthetic and passive monitoring?
* Passive monitoring only works after issues have occurred because it requires actual traffic.
* Synthetic monitoring uses simulated or recorded traffic and thus can be used to proactively identify problems.
* Both synthetic and passive monitoring can be used to detect functionality issues.
91
What is a key concern with respect to reporting on the results of a pen test?
Penetration test reports often include information that could result in additional exposure if they were accidently released or stolen. Therefore, determining how vulnerability data should be stored and sent is critical.
92
What four types of coverage criteria are commonly used when validating the work of a code testing suite?
Function, statement, branch, and condition coverage
93
What are the components of the Security Content Automation Protocol (SCAP) and what are they used for?
* **CVE** - Common Vulnerabilities and Exposures (CVE) database provides a consistent reference for identifying security vulnerabilities.
* **OVAL** Open Vulnerability and Assessment Language (OVAL) is used to describe the security condition of a system.
* **XCCDF** - Extensible Configuration Checklist Description Format is used to create security checklists in a standardized fashion.
* **SCE** - Script Check Engine is designed to make scripts interoperable with security policy definitions.
94
What are hazards of Penetration Testing, which are expected?
* Application crashes
* Denial of service
* Data corruption
95
Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?
A measure of the rate of defect recurrence
96
When testing in a non-Prod environment, which types of code issues are most likely to be missed during testing?
A race condition
97
Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, and how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?
The Common Vulnerability Scoring System (CVSS) includes metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, as well as a means to score vulnerabilities against users’ unique requirements.
98
Nikto, Burp Suite, and Wapiti are all examples of what type of tool?
Nikto, Burp Suite, and Wapiti are all web application vulnerability scanners, tools designed specifically to scan web servers and applications. While they share some functionality with broader vulnerability scanners and port scanning tools, they have a narrower focus and typically have deeper capabilities than vulnerability scanners.
99
Ken is having difficulty correlating information from different security teams in his organization. Specifically, he would like to find a way to describe operating systems in a consistent fashion. What SCAP component can assist him?
The Common Platform Enumeration (CPE) component of SCAP provides a consistent way to refer to operating systems and other system components.
100
When a Windows system is rebooted, what type of log is generated?
Information
101
During a pen test, after an initial nmap scan with default settings, what should be the next step?
Identify interesting ports for further scanning.
102
If a port scan reveals that X11 is running, what type of system is it most likely?
A Linux system
103
What's the problem with using Nmap with the default settings?
Nmap only scans 1000 TCP and UDP ports by default, including ports outside of the 0–1024 range of “well-known” ports. By using the defaults for nmap, Ben missed 64,535 ports.
104
NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?
Once additional tools have been installed, penetration testers will typically use them to gain additional access. From there they can further escalate privileges, search for new targets or data, and once again, install more tools to allow them to pivot further into infrastructure or systems.
105
