Security Assessment and testing Flashcards
Internal audits are the preferred approach when which of the following is true?
A. The organization lacks the organic expertise to conduct them.
B. Regulatory requirements dictate the use of a third-party auditor.
C. The budget for security testing is limited or nonexistent.
D. There is concern over the spillage of proprietary or confidential information
C. Third-party auditors are almost always fairly expensive, so if the organization’s budget does not support their use, it may be necessary to use internal assets to conduct the audit
All of the following are steps in the security audit process except
A. Document the results.
B. Convene a management review.
C. Involve the right business unit leaders.
D. Determine the scope.
B. The management review is not a part of any audit. Instead, this review typically uses the results of one or more audits in order to make strategic decisions.
Which of the following is an advantage of using third-party auditors?
A. They may have knowledge that an organization wouldn’t otherwise be able to leverage.
B. Their cost.
C. The requirement for NDAs and supervision.
D. Their use of automated scanners and reports
A. Because they perform audits in multiple other organizations, and since their knowledge is constantly refreshed, third-party auditors almost always have knowledge and insights that would otherwise be unavailable to the organization.
Choose the term that describes an audit performed to demonstrate that an organization is complying with its contractual obligations to another organization. A. Internal audit B. Third-party audit C. External audit D. Compliance audit
C. External audits are used to ensure that contractors are meeting their contractual obligations, so that is the best answer. A compliance audit would apply to regulatory or industry standards and would almost certainly be a third-party audit, which makes answer D a poor fit in most cases.
Which of the following is true of a vulnerability assessment?
A. The aim is to identify as many vulnerabilities as possible.
B. It is not concerned with the effects of the assessment on other systems.
C. It is a predictive test aimed at assessing the future performance of a system.
D. Ideally the assessment is fully automated with no human involvement.
A. One of the principal goals of a vulnerability assessment is to identify as many security flaws as possible within a given system, while being careful not to disrupt other systems.
An assessment whose goal is to assess the susceptibility of an organization to social engineering attacks is best classified as A. Physical testing B. Personnel testing C. Vulnerability testing D. Network testing
B. Social engineering is focused on people, so personnel testing is the best answer.
Which of the following is an assessment that affords the auditor detailed knowledge of the
system’s architecture before conducting the test?
A. White box testing
B. Gray box testing
C. Black box testing
D. Zero knowledge testing
A. White box testing gives the tester detailed information about the internal workings of the system under study. Gray box testing provides some information, so it is not the best answer to this question.
Vulnerability scans normally involve all of the following except
A. The identification of active hosts on the network
B. The identification of malware on all hosts
C. The identification of misconfigured settings
D. The identification of operating systems
B. Vulnerability testing does not normally include scanning hosts for malware. Instead, it focuses on finding flaws that malware could potentially exploit
Security event logs can best be protected from tampering by which of the following?
A. Encrypting the contents using asymmetric key encryption
B. Ensuring every user has administrative rights on their own workstations
C. Using remote logging over simplex communications media
D. Storing the event logs on DVD-RW
C. Using a remote logging host raises the bar for attackers because if they are able to compromise one host, they would have to compromise the remote logger in order to tamper with the logs. The use of a simplex channel further hinders the attackers
Code reviews include all of the following except
A. Ensuring the code conforms to applicable coding standards
B. Discussing bugs, design issues, and anything else that comes up about the code
C. Agreeing on a “disposition” for the code
D. Fuzzing the code
D. Fuzzing is a technique for detecting flaws in the code by bombarding it with massive amounts of random data. This is not part of a code review, which focuses on analyzing the source code, not its response to random data.
One of the actions that attackers typically attempt after compromising a system is to acquire the ability to mimic a normal privileged user. What is one way in which they may accomplish this?
A. Rebooting the compromised host
B. Exporting the password hash table
C. Pivoting from the compromised host to another target
D. Adding a privileged user account
D. After compromising a host, attackers may attempt a number of actions, but will typically attempt to blend in by acquiring administrative privileges. They can do this by either compromising a privileged account, adding a privileged account, or elevating the privileges of the account they compromised.
All of the following are normally legitimate reasons to suspend rather than delete user accounts except
A. Regulatory compliance
B. Protection of the user’s privacy
C. Investigation of a subsequently discovered event
D. Data retention policy
B. If the organization was intentionally attempting to protect the privacy of its users, suspension of the account would be a poor privacy measure compared to outright deletion.
Why would an organization need to periodically test disaster recovery and business continuity plans if they’ve already been shown to work?
A. Environmental changes may render them ineffective over time.
B. It has low confidence in the abilities of the testers.
C. To appease senior leadership.
D. Resources may not be available in the future to test again.
A. The best reason to periodically test DRPs and BCPs is to assess the effects of internal or external environment changes on them. Changes to these plans are inevitable and often frequently required, which puts an organization at risk of unacceptably long system outages
if it doesn’t periodically test its DRPs/BCPs.
All of the following are types of tests for disaster recovery and business continuity plans except A. Structured walk-through test B. Simulation test C. Null hypothesis test D. Full-interruption test
C. The null hypothesis test is used in statistical analysis. Though it could conceivably be
used to analyze the results of a DRP/BCP test, it would not be in and of itself a feasible
way to test these plans
What is the difference between security training and security awareness training?
A. Security training is focused on skills, while security awareness training is focused on
recognizing and responding to issues.
B. Security training must be performed, while security awareness training is an aspirational
goal.
C. Security awareness training is focused on security personnel, while security training is
geared toward all users.
D. There is no difference. These terms refer to the same process.
A. Security training is the process of teaching a skill or set of skills that will allow people to better perform specific functions. Security awareness training, on the other hand, is the process of exposing people to security issues so that they may be able to recognize them and better respond to them. Security training is typically provided to security personnel, while security awareness training should be provided to every member of the organization
