Chapter 15: Security Assessment and Testing Flashcards
_____ assessment and testing programs perform regular checks to ensure that adequate security controls are in place and that they effectively perform their assigned functions.
Security
Security ___ verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security.
tests
Security ____ are comprehensive reviews of the security of a system, application, or other tested environment. They also include a thoughtful review of the threat environment, current and future risks, and the value of the targeted environment.
assessments
Security ____ use many of the same techniques followed during security assessments but must be performed by independent auditors.
audits
_____ audits are performed by an organization’s internal audit staff and are typically intended for internal audiences.
Internal
______ audits are performed by an outside auditing firm.
External
______ audits are conducted by, or on behalf of, another organization. For example, a regulatory body might have the authority to initiate an audit of a regulated firm under contract or law.
Third-party
SOC ____ engagements assess the organization’s controls that might impact the accuracy of financial reporting.
1
SOC __ engagements assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system.
2
SOC __ engagements assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system.
3
Type __ reports provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls.
I
Type __ reports go further and also provide the auditor’s opinion on the operating effectiveness of the controls.
II
_____ scans and penetration tests provide security professionals with a perspective on the weaknesses in a system or application’s technical controls by identifying technical vulnerabilities that they contain.
Vulnerability
The security community depends on a common set of standards to provide a common language for describing and evaluating vulnerabilities. NIST provides the community with the ____ to meet this need.
Security Content Automation Protocol (SCAP)
____ provides a naming system for describing security vulnerabilities.
Common Vulnerabilities and Exposures (CVE)
______ provides a standardized scoring system for describing the severity of security vulnerabilities.
Common Vulnerability Scoring System (CVSS)
____ provides a naming system for system configuration issues.
Common Configuration Enumeration (CCE)
_____ provides a naming system for operating systems, applications, and devices.
Common Platform Enumeration (CPE)
_____ provides a language for specifying security checklists.
Extensible Configuration Checklist Description Format (XCCDF)
______ provides a language for describing security testing procedures.
Open Vulnerability and Assessment Language (OVAL)
_____ scans automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker.
Vulnerability
____ scanning uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports.
Network discovery
_____ scanning performs a scan of the remote system using the UDP protocol, checking for active UDP services.
UDP
_____ scanning sends a packet with the FIN, PSH, and URG flags set.
Xmas