Chap 15: Security Assessment and Testing Flashcards

1
Q

Understand the importance of security assessment and testing programs.

A

Security assessment and testing programs provide an important mechanism for validating the ongoing effectiveness of security controls. They include a variety of tools, such as vulnerability assessments, penetration tests, software testing, audits, and security management tasks designed to validate controls. Every organization should have a security assessment and testing program defined and operational.

2
Q

Conduct vulnerability assessments and penetration tests.

A

Vulnerability assessments use automated tools to search for known vulnerabilities in systems, applications, and networks. These flaws may include missing patches, misconfigurations, or faulty code that expose the organization to security risks. Penetration tests also use these same tools but supplement them with attack techniques where an assessor attempts to exploit vulnerabilities and gain access to the system. Vulnerability management programs take the results of these tests as inputs and then implement a risk management process for identified vulnerabilities.

3
Q

Perform software testing to validate code moving into production.

A

Software testing techniques verify that code functions as designed and does not contain security flaws. Code review uses a peer review process to formally or informally validate code before deploying it in production. Interface testing assesses the interactions between components and users with API testing, user interface testing, and physical interface testing.

4
Q

Understand the difference between static and dynamic software testing.

A

Static software testing techniques, such as code reviews, evaluate the security of software without running it by analyzing either the source code or the compiled application. Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.

5
Q

Explain the concept of fuzzing.

A

Fuzzing uses modified inputs to test software performance under unexpected circumstances. Mutation fuzzing modifies known inputs to generate synthetic inputs that may trigger unexpected behavior. Generational fuzzing develops inputs based on models of expected inputs to perform the same task.

6
Q

Perform security management tasks to provide oversight to the information security program.

A

Security managers must perform a variety of activities to retain proper oversight of the information security program. Log reviews, particularly for administrator activities, ensure that systems are not misused. Account management reviews ensure that only authorized users retain access to information systems. Backup verification ensures that the organization’s data protection process is functioning properly. Key performance and risk indicators provide a high-level view of security program effectiveness.

7
Q

Conduct or facilitate internal and third-party audits.

A

Security audits occur when a third party performs an assessment of the security controls protecting an organization’s information assets. Internal audits are performed by an organization’s internal staff and are intended for management use. External audits are performed by a third-party audit firm and are generally intended for the organization’s governing body.

8
Q

Collect security process data.

A

Many components of the information security program generate data that is crucial to security assessment processes. These components include the account management process, management review and approval, key performance and risk indicators, backup verification data, training and awareness metrics, and the data generated by disaster recovery and business continuity programs.
