Chapter 15: Security Assessment and Testing Flashcards
_____ assessment and testing programs perform regular checks to ensure that adequate security controls are in place and that they effectively perform their assigned functions.
Security
Security ___ verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security.
tests
Security ____ are comprehensive reviews of the security of a system, application, or other tested environment. They also include a thoughtful review of the threat environment, current and future risks, and the value of the targeted environment.
assessments
Security ____ use many of the same techniques followed during security assessments but must be performed by independent auditors.
audits
_____ audits are performed by an organization’s internal audit staff and are typically intended for internal audiences.
Internal
______ audits are performed by an outside auditing firm.
External
______ audits are conducted by, or on behalf of, another organization. For example, a regulatory body might have the authority to initiate an audit of a regulated firm under contract or law.
Third-party
SOC ____ Engagements: Assess the organization's controls that might impact the accuracy of financial reporting.
1
SOC __ Engagements: Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system.
2
SOC __ Engagements: Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system.
3
Type __ Reports: These reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls.
I
Type __ Reports: These reports go further and also provide the auditor's opinion on the operating effectiveness of the controls.
II
_____ scans and penetration tests provide security professionals with a perspective on the weaknesses in a system or application’s technical controls by identifying technical vulnerabilities that they contain.
Vulnerability
The security community depends on a common set of standards to provide a common language for describing and evaluating vulnerabilities. NIST provides the community with the ____ to meet this need.
Security Content Automation Protocol (SCAP)
____ provides a naming system for describing security vulnerabilities.
Common Vulnerabilities and Exposures (CVE)
______ provides a standardized scoring system for describing the severity of security vulnerabilities.
Common Vulnerability Scoring System (CVSS)
____ provides a naming system for system configuration issues.
Common Configuration Enumeration (CCE)
_____ provides a naming system for operating systems, applications, and devices.
Common Platform Enumeration (CPE)
_____ provides a language for specifying security checklists.
Extensible Configuration Checklist Description Format (XCCDF)
______ provides a language for describing security testing procedures.
Open Vulnerability and Assessment Language (OVAL)
_____ scans automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker.
Vulnerability
____ scanning uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports.
Network discovery
_____ Scanning: Performs a scan of the remote system using the UDP protocol, checking for active UDP services.
UDP
_____ Scanning: Sends a packet with the FIN, PSH, and URG flags set.
Xmas
True or False
Traditional vulnerability scans are able to detect zero-day vulnerabilities that have not yet been identified by the scanner vendor.
False; unable
______ scanners are special-purpose tools that scour web applications for known vulnerabilities.
Web vulnerability
What are the 3 steps of vulnerability management workflow?
- Detection
- Validation
- Remediation
The _____ test goes beyond vulnerability testing techniques because it actually attempts to exploit systems.
penetration
NIST defines the penetration testing process as consisting of four phases:
Planning
Information gathering and discovery
Attack
Reporting
These tests are sometimes called “known environment” tests.
White-Box Penetration Test
These tests are sometimes called “partially known environment” tests.
Gray-Box Penetration Test
These tests are sometimes called “unknown environment” tests.
Black-Box Penetration Test
These checks verify that all of the controls listed in a compliance plan are functioning properly and are effectively meeting regulatory requirements.
Compliance checks
This process of handling unexpected activity is known as ____ handling.
exception
These procedures provide third-party reviews of the work performed by developers before moving code into a production environment.
Code Review
The most formal code review processes, known as Fagan inspections, follow a rigorous review and testing process with six steps:
Planning
Overview
Preparation
Inspection
Rework
Follow-up
_____ evaluates the security of software without running it by analyzing either the source code or the compiled application.
Static application security testing (SAST)
_____ evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.
Dynamic application security testing (DAST)
___ testing is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
Fuzz
____ Fuzzing: Takes previous input values from actual operation of the software and manipulates (or mutates) them to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
Mutation (Dumb)
____ Fuzzing: Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
Generational (Intelligent)
True or False
Fuzz testing typically doesn't result in full coverage of the code and is commonly limited to detecting simple vulnerabilities that do not require complex manipulation of business logic. For this reason, fuzz testing should be considered only one tool in a suite of tests performed.
True
In ____ case testing, testers first enumerate the known misuse cases. They then attempt to exploit those use cases with manual and/or automated attack techniques.
misuse
Software testing professionals often conduct a ____ analysis to estimate the degree of testing conducted against the new software.
test coverage
What is the test coverage analysis formula?
test coverage = (number of use cases tested)/(total number of use cases)
_____ monitoring analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server.
Passive