Flashcards in IS3230 CHAPTER 14 Deck (38):
The use of software to control the execution of a test suite is called ___.
A hole in system or network security placed deliberately either by system designers or attackers and also a way of quickly bypassing normal security measures is called ___.
In a penetration test, the ___ consists of IT staff who defend against the penetration testers. They are generally aware that a penetration test is happening but do not know what methods the penetration testers will use.
The outermost extremes of test conditions are called ___.
An industry mailing list provided by Symantec that reports new vulnerabilities as they are discovered is called ___.
An attack in which malicious code is introduced into an application. This type of attack is possible because of lax input validation in the target application and is called ___.
A document that defines every data element and database table in a piece of software is called ___.
The process of identifying the difference between reality--the current state of an organization's IT infrastructure--and the organization's security goals is called ___.
The authorization memo, signed by a member of upper management, that states that a penetration test has been authorized and exactly what methods the test will include. Every member of a penetration testing team should carry a copy of this memo at all times to avoid misunderstandings with security and law enforcement. It is called ___.
GET OUT OF JAIL FREE CARD
The process by which vulnerabilities are addressed to create a secure system is called ___.
The process of scanning the network to find out which Internet Protocol (IP) addresses are attached to interesting resources is called ___.
The process of testing how individual components function together as a complete system is called ___.
Security testing methods that exploit possible vulnerabilities in order to prove their existence and potential impact are called ___.
INTRUSIVE TESTING METHODS
A way of measuring how software will perform with an average number of users, as well as how it will perform under extreme load conditions, is called ___.
A proprietary security scanner developed by Tenable Network Security. It is network-centric, with Web-based consoles and a central server, and is called ___.
An open source port scanning and host detection utility is called ___.
Security testing methods that do not exploit possible vulnerabilities are called ___.
NONINTRUSIVE TESTING METHODS
The act of simulating an attack on an organization's resources to assess an infrastructure's true vulnerability. This is an actual attack where testers use a variety of methods including social engineering, software hacking, and physical intrusion and is called ___.
A technique designed to probe a network's open ports looking for a weakness is called ___.
A high level abstraction of code used to outline the steps in an algorithm is called ___.
In a penetration test, the team consisting of penetration testers who have been given some background knowledge of the infrastructure is called ___.
A graphically intensive vulnerability scanner is called ___.
In a penetration test, the team comprised of testers who are given no knowledge of the infrastructure, and who are attacking a target that is unaware of their existence until the attack is made, is called ___.
A method of testing that ensures that a specific function or module works as designed is called ___.
1. It is necessary to consider security issues during every phase of the software development life cycle.
TRUE OR FALSE
2. What occurs during the sunset phase of a security system's life cycle?
1. Electronic media is wiped clean
2. Paper documentation is shredded or archived
3. Old equipment is destroyed or disposed of in a secure manner.
4. All the above
Electronic media is wiped clean
Paper documentation is shredded or archived
Old equipment is destroyed or disposed of in a secure manner.
3. Which of the following are primary activities for an information security team? (Select two)
1. Researching new exploits
2. Monitoring/incident handling
4. Upgrading security systems
4. Port scanning is an example of ___ testing.
5. Penetration testing is an example of ___ testing.
6. Which of the following tests is the most accurate way to test security incident response?
7. Gap analysis in which domain focuses primarily on the effectiveness of an organization's training program?
4. LAN to WAN
7. Remote access
8. A Web application security scanner is a good tool to use when testing which domain?
4. LAN to WAN
6. Remote access
9. Penetration testing is a risky operation for both the organization and the testers.
TRUE OR FALSE
10. Which penetration testing team may be comprised of systems administrators in other departments or within an organization?
11. Which penetration testing team is comprised of systems administrators who defend the network and respond to the activities of the penetration testers?
12. Which penetration testing team is given no prior knowledge of the IT infrastructure and uses the same tools and strategies that an actual attacker would use?
13. The clean-up phase of a penetration test is the responsibility of which individual or group?
1. Systems administrator
2. Upper management
3. Penetration testing team
4. Help desk
Penetration testing team