IS3230 CHAPTER 14 Flashcards Preview


Flashcards in IS3230 CHAPTER 14 Deck (38):
1

The use of software to control the execution of a test suite is called ___.

AUTOMATED TESTING

2

A hole in system or network security placed deliberately either by system designers or attackers and also a way of quickly bypassing normal security measures is called ___.

BACKDOOR

3

In a penetration test, the ___ consists of IT staff who defend against the penetration testers. They are generally aware that a penetration test is happening but do not know what methods the penetration testers will use.

BLUE TEAM

4

The outermost extremes of test conditions are called ___.

BOUNDARY CONDITIONS

5

An industry mailing list provided by Symantec that reports new vulnerabilities as they are discovered is called ___.

BUGTRAQ

6

An attack in which malicious code is introduced into an application, made possible by lax input validation in the target application, is called ___.

CODE INJECTIONS

7

A document that defines every data element and database table in a piece of software is called ___.

DATA DICTIONARY

8

The process of identifying the difference between reality (the current state of an organization's IT infrastructure) and the organization's security goals is called ___.

GAP ANALYSIS

9

The authorization memo, signed by a member of upper management, that states that a penetration test has been authorized and exactly what methods the test will include, is called ___. Every member of a penetration testing team should carry a copy of this memo at all times to avoid misunderstandings with security and law enforcement.

GET OUT OF JAIL FREE CARD

10

The process by which vulnerabilities are addressed to create a secure system is called ___.

HARDENING

11

The process of scanning the network to find out which Internet Protocol (IP) addresses are attached to interesting resources is called ___.

HOST DISCOVERY

12

The process of testing how individual components function together as a complete system is called ___.

INTEGRATION TESTING

13

Security testing methods that exploit possible vulnerabilities in order to prove their existence and potential impact are called ___.

INTRUSIVE TESTING METHODS

14

A way of measuring how software will perform with an average number of users, as well as how it will perform under extreme load conditions, is called ___.

LOAD TESTING

15

A proprietary security scanner developed by Tenable Network Security that is network-centric, with Web-based consoles and a central server, is called ___.

NESSUS

16

An open source port scanning and host detection utility is called ___.

NMAP

17

Security testing methods that do not exploit possible vulnerabilities are called ___.

NONINTRUSIVE TESTING METHODS

18

The act of simulating an attack on an organization's resources to assess an infrastructure's true vulnerability is called ___. This is an actual attack in which testers use a variety of methods, including social engineering, software hacking, and physical intrusion.

PENETRATION TESTING

19

A technique designed to probe a network's open ports looking for a weakness is called ___.

PORT SCANNING

20

A high level abstraction of code used to outline the steps in an algorithm is called ___.

PSEUDOCODE

21

In a penetration test, the team of penetration testers who have been given some background knowledge of the infrastructure is called ___.

RED TEAM

22

A graphically intensive vulnerability scanner is called ___.

RETINA

23

In a penetration test, the team of testers who are given no knowledge of the infrastructure, and who attack a target that is unaware of their existence until the attack is made, is called ___.

TIGER TEAM

24

A method of testing that ensures that a specific function or module works as designed is called ___.

UNIT TESTING

25

1. It is necessary to consider security issues during every phase of the software development life cycle.
TRUE OR FALSE

TRUE

26

2. What occurs during the sunset phase of a security system's life cycle?
1. Electronic media is wiped clean
2. Paper documentation is shredded or archived
3. Old equipment is destroyed or disposed of in a secure manner.
4. All the above

Electronic media is wiped clean
Paper documentation is shredded or archived
Old equipment is destroyed or disposed of in a secure manner.

27

3. Which of the following are primary activities for an information security team? (Select two)
1. Researching new exploits
2. Monitoring/incident handling
3. Testing
4. Upgrading security systems

Monitoring/incident handling
Testing

28

4. Port scanning is an example of ___ testing.

Nonintrusive

29

5. Penetration testing is an example of ___ testing.

Intrusive

30

6. Which of the following tests is the most accurate way to test security incident response?
1. Open
2. Blind
3. Double-blind
4. Automated

Double-blind

31

7. Gap analysis in which domain focuses primarily on the effectiveness of an organization's training program?
1. User
2. Workstation
3. LAN
4. LAN to WAN
5. WAN
6. System/Application
7. Remote access

User

32

8. A Web application security scanner is a good tool to use when testing which domain?
1. User
2. Workstation
3. LAN
4. LAN to WAN
5. WAN
6. Remote access

WAN

33

9. Penetration testing is a risky operation for both the organization and the testers.
TRUE OR FALSE

TRUE

34

10. Which penetration testing team may be comprised of systems administrators in other departments within an organization?
1. Red
2. Blue
3. Tiger
4. Orange

Red

35

11. Which penetration testing team is comprised of systems administrators who defend the network and respond to the activities of the penetration testers?
1. Red
2. Blue
3. Tiger
4. Orange

Blue

36

12. Which penetration testing team is given no prior knowledge of the IT infrastructure and uses the same tools and strategies that an actual attacker would use?
1. Red
2. Blue
3. Tiger
4. Orange

Tiger

37

13. The clean-up phase of a penetration test is the responsibility of which individual or group?
1. Systems administrator
2. Upper management
3. Penetration testing team
4. Help desk

Penetration testing team

38

14. A penetration test report should include which of the following? (Select three)
1. Description of gaps and risk exposures found during the test
2. List of passwords uncovered by the penetration testing team
3. Remediation plans for closing security gaps
4. Cost analysis and solution prioritization based on risk exposure

Description of gaps and risk exposures found during the test

Remediation plans for closing security gaps

Cost analysis and solution prioritization based on risk exposure