Chapter 15 Flashcards

1
Q

What provides an important mechanism for validating the ongoing effectiveness of security controls?

A

Security Assessment and Testing Program

2
Q

What uses automated tools to search for known vulnerabilities in systems, applications, and networks?

A

Vulnerability Assessments

3
Q

What takes the results of penetration testing and vulnerability assessments as inputs and implements a risk management process?

A

Vulnerability Management

4
Q

What uses a peer review process to formally or informally validate code before deploying it in production?

A

Code Review

5
Q

What evaluates the security of software without running it, by analyzing either the source code or the compiled application?

A

Static Software Testing

6
Q

What evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else?

A

Dynamic Software Testing

7
Q

What uses modified inputs to test software performance under unexpected circumstances?

A

Fuzzing

8
Q

What modifies known inputs to generate synthetic inputs that may trigger unexpected behavior?

A

Mutation Fuzzing

9
Q

What develops inputs based on models of expected inputs to perform the same task?

A

Generational Fuzzing

10
Q

What occurs when a third party performs an assessment of the security controls protecting an organization's information assets?

A

Security Audits

11
Q

What audits are performed by an organization's internal staff and are intended for management use?

A

Internal Audits

12
Q

Which SOC engagement assesses the organization's controls that might impact the accuracy of financial reporting?

A

SOC 1 Engagement

13
Q

Which SOC engagement assesses the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system?

A

SOC 2 Engagements

14
Q

Which SOC engagement assesses the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system, but with audit results intended for public disclosure?

A

SOC 3 Engagement

15
Q

What report type focuses on the auditor's opinion based on the description provided by management and the suitability of the design of the controls, and covers only a specific point in time?

A

Type I

16
Q

What report type focuses on the auditor's opinion on the operating effectiveness of the controls, and also covers an extended period of time, such as 6 months?

A

Type II

17
Q

What describes a standard approach for setting up an information security management system and goes into more detail on the specifics of information security controls?

A

ISO 27002

18
Q

What is a common framework for conducting audits and assessments?

A

COBIT

19
Q

What are the components of SCAP most directly related to vulnerability assessment?

A

CVE
CVSS
CCE
CPE
XCCDF
OVAL

20
Q

What provides a naming system for describing security vulnerabilities?

A

CVE

21
Q

What provides a standardized scoring system for describing the severity of security vulnerabilities?

22
Q

What provides a naming system for system configuration issues?

23
Q

What provides a naming system for operating systems, applications, and devices?

24
Q

What provides a language for specifying security checklists?

25
Q

What provides a language for describing security testing procedures?

A

OVAL

26
Q

What provides a common language for describing and evaluating vulnerabilities and facilitates the automation of interactions between different security systems?

A

SCAP

27
Q

What automatically probes systems, applications, and networks, looking for weaknesses that may be exploited by an attacker?

A

Vulnerability Scans

28
Q

What are the four main categories of vulnerability scans?

A

Network discovery scans
Network vulnerability scans
Web application vulnerability scans
Database vulnerability scans

29
Q

What uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports?

A

Network discovery scans

30
Q

What scanners do not actually probe systems for vulnerabilities, but provide a report showing the systems detected on a network and the list of ports that are exposed through the network and server firewalls?

A

Network discovery scans

31
Q

What are some common network discovery scan techniques?

A

TCP SYN Scanning
TCP Connect Scanning
TCP ACK Scanning
UDP Scanning
Xmas Scanning

32
Q

What scanning technique sends a packet with the FIN, PSH, and URG flags set?

A

Xmas

33
Q

What scanning technique performs a scan of the remote system using the UDP protocol, checking for active UDP services?

A

UDP Scan

34
Q

What scanning technique sends a packet with the ACK flag set, indicating that it is part of an open connection?

A

TCP ACK

35
Q

What scanning technique may be done in an attempt to determine the rules enforced by a firewall and the firewall methodology?

A

TCP ACK

36
Q

What scanning technique is used when the user running the scan does not have the necessary permissions to run a half-open scan?

A

TCP Connect

37
Q

What scanning technique sends a single packet to each scanned port with the SYN flag set?

A

TCP SYN

38
Q

What tool, when it scans a system, identifies the current state of each network port on the system and, for ports where it detects a result, provides the current status of that port?

A

Nmap

39
Q

What command lists all active network connections on a system as well as those ports that are open and awaiting new connections?

A

Netstat

40
Q

What scanning approach is in use when a vulnerability scanner has read-only access to the servers being scanned and can use this access to read configuration information from the target system and use that information when analyzing vulnerability testing results?

A

Authenticated scans

41
Q

What is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities?

A

sqlmap

42
Q

What are the four phases of penetration testing described by NIST?

A

Planning
Information Gathering and Discovery
Attack
Reporting

43
Q

What uses a scripting language to allow the automatic execution of common attacks, saving testers (and hackers!) quite a bit of time by eliminating many of the tedious, routine steps involved in executing an attack?

A

Metasploit Framework

44
Q

What are the six steps of the Fagan inspection?

A

Planning
Overview
Preparation
Inspection
Rework
Follow-up

45
Q

What evaluates the security of software without running it, by analyzing either the source code or the compiled application?

A

SAST

46
Q

What represents the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications?

A

DAST

47
Q

What tool automates the process of mutation fuzzing by manipulating input according to user specifications?

A

zzuf

48
Q

What is used to estimate the degree of testing conducted against new software?

A

Test coverage analysis

49
Q

What logs provide records of the connections between systems and the amount of data transferred?

A

NetFlow

50
Q

What are key performance and risk indicators that managers should check for in the organization?

A

Number of open vulnerabilities
Time to resolve vulnerabilities
Vulnerability/defect recurrence
Number of compromised accounts
Number of software flaws detected in preproduction scanning
Repeat audit findings
User attempts to visit known malicious sites