chap 7 - security assessment and testing Flashcards

1
Q

main types of security assessment, audit, test or other activities

A
  1. Formal - evaluation against a compliance standard that may be a legal, regulatory or contractual requirement.
    performed by individuals who are outside the management structure of the organization
  2. Informal - conducted to provide insight/observations about the systems being evaluated, but not for the direct purpose of meeting a compliance requirement
    performed by individuals either in-house or from outside the organization.
2
Q

what is an audit

A

structured review of information, observations and other data to measure/determine compliance.

information products are ARTIFACTS, which are considered evidence of the level of compliance

3
Q

how are audits reported

A

reported formally to the organization as a series of FINDINGS.

The FINDINGS format includes:
- condition
- criteria
- cause
- effect
- recommendation

4
Q

what is an assessment

A

an assessment is an evaluation of controls to determine whether they meet management expectations

5
Q

what are Service Organization Control reports (SOC reports)

A

AICPA framework for evaluating internal controls over financial reporting, best known as the Service Organization Control (SOC) report, that EVALUATES ORGANIZATION CONTROLS AGAINST A SET OF 5 TRUST SERVICE PRINCIPLES

5 Trust Service Principles:
1. Security
2. availability
3. confidentiality
4. processing integrity
5. privacy

6
Q

what is the structure of SOC reports

A

SOC 1 - attests to the condition of controls over financial reporting
- SOC 1 type I: audit performance at a particular point in time
- SOC 1 type II: audit performance over a specific period

SOC 2 - Trust Services Criteria reports (TSC reports)
along 5 criteria: security / availability / confidentiality / processing integrity / privacy
- SOC 2 type I: verify the design of controls at the time of the report
- SOC 2 type II: assess control effectiveness over a specific period

SOC 3 - summary of the findings and attestation of the SOC 2 report, in a less technical form -> designed for public release

SOC for cybersecurity - report focused on the cybersecurity plan, programs, processes, procedures, services or functions used to meet cybersecurity requirements

7
Q

type I vs. type II SOC reports

A

both type I and type II consider:
- fairness of the presentation of management's description of the service organization's system
- suitability of the design of the controls to achieve the related control objectives
- all of these as of a specific date

SOC 2 reports add: evaluation of the operating effectiveness of controls

SOC 1 is similar to due care
SOC 2 is similar to due diligence

8
Q

what are the main steps in an internal audit/assessment

A
  1. Chartering - management commitment starts the assessment process; scoping the assessment.
    Risk assessment must be conducted throughout the assessment to ensure risk is managed
  2. Testing - a vulnerability assessment suggests areas of vulnerability; a PenTest evaluates system security from the attacker's perspective
  3. Reporting - as specified by management; disclosure of the results is management's responsibility
  4. Remediating - Plan of Action and Milestones (POA&M)
9
Q

what are the most common types of external audit/assessment

A
  • Compliance audit: test specific controls to determine whether they comply with a standard
  • Financial audits: evaluate the accuracy of financial reporting
  • Operational audits: test internal control processes
  • Information system audits: evaluate control performance of information systems
  • Integrated audit: combine elements of operational & financial system controls
  • Forensic audit: discovering, investigating and reporting fraud/crimes
10
Q

what is the structure of a SOC 2 report and a SOC 3 report

A

SOC 3 report (per ISAE, SSAE) includes:
- section 1: auditor's opinion
- section 2: attestation/assertion of controls
- section 3: description of internal controls & objectives

SOC 2 report (per ISAE, SSAE) includes:
- section 1: auditor's opinion
- section 2: attestation/assertion of controls
- section 3: description of internal controls & objectives
- section 4: tests of the operating effectiveness of controls
- section 5: additional information

11
Q

what is tailoring an assessment of controls

A
  • tailored to the controls that need to be assessed
  • the depth and breadth of the assessment
  • sampling of the system

sampling of the system can be either:
- statistical sampling
- judgmental sampling

12
Q

what is logging best practice

A

event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed

13
Q

how is log management prioritized

A

prioritization of log entries is driven by organizational policies, regulatory standards and key business requirements

14
Q

what are the four best practices in logging

A
  1. prioritize log management appropriately throughout the organization
  2. establish policies and procedures for log management
  3. create and maintain a secure log management infrastructure -> “integrity of logs for evidence”
  4. provide adequate support for all staff with log management responsibilities

15
Q

what is a key requirement for log security (ISO)

A

logging facilities and log information should be protected against tampering and unauthorized access

16
Q

what is a testing exercise

A

testing is the process of comparing the actual behavior of a system, process or activity under defined conditions with its expected behavior

17
Q

what are the 2 types of tests

A
  1. compliance test: determines whether the control exists and is operating properly
  2. substantive test: evaluates the proper operation of the process. It provides a higher degree of assurance that the process is performing as expected, but takes time & resources
18
Q

what does a code review/test include

A
  1. all required functions exist
  2. no foreign code is present
  3. no dead-end or unreachable code is present
  4. no backdoors or trapdoors are present
  5. coding standards have been met
  6. all code is of trustworthy provenance
19
Q

What are the key steps of code review during the planning & design phase

A

Architecture security review:
- prerequisite: model
- benefits: detecting architectural violations of security standards

threat modeling review:
- prerequisite: business case/scenario
- benefits: identify threats, impact and countermeasures

20
Q

what are the 2 types of code review during the application development phase

A
  • static application security testing (SAST)
  • static binary code analysis and manual binary review
21
Q

what is “misuse case” testing

A

a test considering the set of actions that could lead to system integrity failures, malfunctions or other security compromises and that may be undertaken by a human actor

22
Q

what is negative testing

A

designed to provide evidence of the application's behavior when it receives unexpected or invalid data

23
Q

what are examples of test coverage analysis types

A
  • statement coverage
  • decision coverage
  • condition coverage
  • multi-condition coverage
  • loop coverage
  • path coverage
  • data flow coverage
  • populating required fields
  • correspondence between data and field types
  • allowed number of characters
  • allowed data bounds and limits
24
Q

what is interface testing

A

tests the quality of software products

evaluates whether systems or components pass data and control correctly to one another

25
Q

what is ethical PenTesting

A

simulates the actions of a threat actor using information the threat actor is likely to have available.

must be clearly defined by RULES OF ENGAGEMENT (RoE) that detail the circumstances under which the PenTest is conducted

26
Q

what are the basic PenTesting methodology steps

A
  1. Chartering: define Rules of Engagement (RoE)
  2. Discovery: identify the potential breadth of the environment
  3. Scanning: once the scope of the system is defined, the system is scanned to identify any potential weaknesses
  4. Exploitation: the exploit is delivered and the tester documents the results of the compromise
  5. Reporting: incl. executive summary, recommendations, and all materials related to the test (incl. credentials etc.)
27
Q

what is continuous full-cycle testing

A

breach and attack simulation tools automate the testing activities so that they can be performed continuously against the organization’s infrastructure

28
Q

what is “chaos engineering”

A

an alternative approach to vulnerability assessment and ethical PenTest: force the production system to fail, so that the organization's incident detection, response and recovery capabilities can be evaluated

29
Q

what is the difference between training and awareness

A

training: seeks to teach skills, which allow a person to perform a specific function

awareness seeks to focus an individual’s attention on an issue or set of issues

30
Q

what are the minimum set of roles that should undergo specific training

A
  • executive management
  • security personnel
  • system owners
  • system admin & IT support personnel
  • operational managers and system users
31
Q

what are the types of business continuity and business recovery training

A
  • desk check: review documentation
  • walk-through: DR team explains roles & activities
  • tabletop exercise: leaders are given a scenario & discuss the response
  • simulation: event simulated outside of the production environment
  • Parallel: event simulated while production is ongoing
  • Full cutover: event that will affect the production environment
32
Q

what is the difference between KPIs and KRIs

A

KPIs: look at past performance and measure it

KRIs: anticipated levels for risk indicators, as a prediction of events yet to occur

33
Q

what are some examples of KRIs

A

Risk -> Indicator

audit non-compliance -> increase in # of assessment findings
compromise by ransomware -> increase in # of attacks on comparable companies

34
Q

what are the steps of a continual process improvement cycle (also called PDCA cycle)

A
  1. Plan: what needs to be done
  2. Do: execute the plan
  3. Check: evaluate results
  4. Act (adjust): enhance to remedy where needed
35
Q

what is ethical disclosure (auditor)

A

the auditor is legally obligated to report to the proper authorities regardless of the actions or desires of the audited organization

36
Q

What is a method used to design new software tests and to ensure the quality of tests?

A

Mutation testing

Mutation testing modifies a program in small ways, and then tests that mutant to determine whether it behaves as it should or fails

37
Q

During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?

A

Nikto

Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server.

38
Q

Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?

A

A fuzzer

Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems.

39
Q

Which type of SOC report is best suited to provide assurance to users about an organization’s security, availability, and the integrity of their service operations?

A

A SOC 3 report

SOC 3 reports are intended to be shared with a broad community, often with a website seal, and support the organization’s claims about their ability to provide integrity, availability, and confidentiality.

40
Q

What is not a potential problem with active wireless scanning?

A

Causing alarms on the organization’s wireless IPS

41
Q

Ben uses a fuzzing tool that develops data models and creates fuzzed data based on information about how the application uses data to test the application. What type of fuzzing is Ben doing?

A

Generational

Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information.

Mutation-based fuzzers are sometimes called “dumb” fuzzers because they simply mutate or modify existing data samples to create new test samples.

42
Q

During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry:
21/open
23/open

A

FTP and Telnet

43
Q

What method is commonly used to assess how well software testing covered the potential uses of an application?

A

A test coverage analysis

44
Q

What type of monitoring uses simulated traffic to a website to monitor performance?

A

Synthetic monitoring

Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance measures.

45
Q

What vulnerability is unlikely to be found by a web vulnerability scanner?

A

Race condition

Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues

46
Q

Jim uses a tool that scans a system for available services, then connects to them to collect banner information to determine what version of the service is running. It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE information. What type of tool is Jim using?

A

A vulnerability scanner

47
Q

Earlier this year, the information security team at Jim’s employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to flag the system as vulnerable even though Jim is sure the patch is installed. Which of the following options is Jim’s best choice to deal with the issue?

A

Ask the information security team to flag the system as patched and not vulnerable

48
Q

Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?

A

It can help identify rogue devices.

Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections

49
Q

During a penetration test, Lauren is asked to test the organization’s Bluetooth security. Which of the following is not a concern she should explain to her employers?

A

Bluetooth active scans can’t evaluate the security mode of Bluetooth devices.

50
Q

What major difference separates synthetic and passive monitoring?

A

Passive monitoring only works after problems have occurred.

51
Q

Which of these concerns is the most important to address during planning to ensure the reporting phase does not cause problems?

A

How the vulnerability data will be stored and sent

52
Q

What four types of coverage criteria are commonly used when validating the work of a code testing suite?

A

Function, statement, branch, and condition coverage

53
Q

Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what type of issue?

A

Security vulnerabilities

54
Q

What is not a hazard associated with penetration testing?

A

Exploitation of vulnerabilities

55
Q

Lauren is performing a review of a third-party service organization and wants to determine if the organization’s policies and procedures are effectively enforced over a period of time. What type of industry standard assessment report should she request?

A

SSAE 16 SOC 1 Type II

56
Q

Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?

A

measure of the rate of defect recurrence

57
Q

What type of code review is not typically performed by a human?

A

Static program analysis

Static program reviews are typically performed by an automated tool.

58
Q

Susan’s team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?

A

White box

In order to fully test code, a white box test is required.

59
Q

As part of the continued testing of their new application, Susan’s quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?

A

A test coverage report

60
Q

As part of their code coverage testing, Susan’s team runs the analysis in a nonproduction environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?

A

A race condition

The differences between a testing environment with instrumentation inserted into the code and the production environment for the code can mask timing-related issues like race conditions.

61
Q

What step should occur after a vulnerability scan finds a critical vulnerability on a system?

A

Validation

Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can then be conducted.

62
Q

Susan needs to ensure that the interactions between the components of her ecommerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?

A

Interface testing

Interface testing involves testing system or application components to ensure that they work properly together.

63
Q

What term describes an evaluation of the effectiveness of security controls performed by a third party?

A

A security audit

Security audits are security assessments performed by third parties and are intended to evaluate the effectiveness of security controls.

64
Q

Saria needs to write a request for proposal for code review and wants to ensure that the reviewers take the business logic behind her organization’s applications into account. What type of code review should she specify in the RFP?

A

Manual

Manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code.

65
Q

A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob’s role as an information security analyst, he needs to quickly scan his network to determine which servers are vulnerable to the issue. What is Jacob’s best route to quickly identify vulnerable systems?

A

Identify affected versions and check systems for that version number using an automated scanner

66
Q

Which of the following is not a typical part of a penetration test report?

A

All sensitive data that was gathered during the test

Penetration testing reports often do not include the specific data captured during the assessment, as the readers of the report may not be authorized to access all of the data, and exposure of the report could result in additional problems for the organization.