CISSP ch 15

Question 1

Security tests

Answer 1

verify that a control is functioning properly

Question 2

Security assessments

Answer 2

comprehensive reviews of the security of a system, application or other tested environment

Identifies vulnerabilities in the tested environment. does not usually include actual mitigation of those vulnerabilities

Thoughtful review of the threat environment, current and future risks, and the value of the targeted environment

hould be addressed to the organization’s management

Question 3

NIST SP 800-53A

Answer 3

Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans = best practices in conduct security and privacy assessments

Question 4

Specifications (NIST SP 800-53A)

Answer 4

documents associated with the system being audited (e.g., policies, procedures, requirements and designs)

Question 5

Mechanisms (NIST SP 800-53A)

Answer 5

controls used within an information system to meet the specifications

Question 6

Activities (NIST SP 800-53A)

Answer 6

actions carried out by people within an information system

Question 7

Individuals (NIST SP 800-53A)

Answer 7

people who implement specifications, mechanisms and activities

Question 8

Security audits

Answer 8

use many of the same techniques followed during security assessments but must be performed by independent auditors

Less routine than tests or assessments

Purpose of demonstrating the effectiveness of controls to a third party (as opposed to purely internal distribution)

Question 9

Internal audits

Answer 9

performed by an organization’s internal audit staff and are typically intended for internal audiences

Reporting line that is completely independent of the functions they evaluate

Question 10

CAE

Answer 10

Chief Auditing Executive = may have reporting responsibility directly to the organization’s governing board

Question 11

SSAE 18

Answer 11

Statement on Standards for Attestation Engagements, document 18 ‘Reporting on Controls’ (produced by the American Institute of Certified Public Accountants / AICPA)

Provides a common standard to be used by auditors performing assessments of service organizations with the intent of allowing the organization to conduct an external assessment instead of multiple third-party assessments and then sharing the resulting report with cutomers and potential customers

Question 12

ISAE 3402

Answer 12

International Standard for Attestation Engagements 3402 ‘Assurance Reports on Controls at a Service Organization’ = SSAE 18 equivalent used outside of U.S.

Question 13

SOC aduits

Answer 13

Service organization controls audit = SSAE 18 and ISAE 3402

Question 14

SOC 1 engagements

Answer 14

asses the organization’s controls that might impact the accuracy of financial reporting

Question 15

SOC 2 engagements

Answer 15

Assess the organization’s controls that affect the security (confidentiality, integrity and availability) and privacy of information stored in a system

SOC 2 audit results are confidential and normally are only shared outside the organization under and NDA

Question 16

SOC 3 Engagements

Answer 16

Assess the organization’s controls that affect the security (confidentiality, integrity and availability) and privacy of information stored in a system

SOC 3 audit results are intended for public disclosure

Question 17

Type I Reports

Answer 17

provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls

Cover only a specific point in time, rather than an extended period

More of a documentation review

Question 18

Type II reports

Answer 18

provide the auditor’s opinion on the operating effectiveness of the controls

The auditor actually confirms that the controls are functioning properly

Covers an extended period of time, at least six months of operation

Question 19

COBIT

Answer 19

Control Objectives for Information and Related Technologies, maintained by ISACA

Common framework for conducting audits and assessments

Describes the common requirements that organizations should have in place surrounding their information systems

Question 20

ISO 27001

Answer 20

standard approach for setting up an information security management system

Question 21

ISO 27002

Answer 21

goes into more detail on the specifics of information security controls

Question 22

SCAP

Answer 22

NIST’s Security Content Automation Protocol = common framework for describing and evaluating vulnerabilities, and facilitates the automation of interactions between different security systems

Question 23

CVE (SCAP)

Answer 23

Common Vulnerabilities and Exposures = naming system for describing security vulnerabilities

Question 24

CVSS (SCAP)

Answer 24

Common Vulnerability Scoring System = standardized scoring system for describing the severity of security vulnerabilities

Question 25

CCE (SCAP)

Answer 25

Common Configuration Enumeration = naming system for systems configuration issues

Question 26

CPE (SCAP)

Answer 26

Common Platform Enumeration = naming system for operating systems, applications and devices

Question 27

XCCDF (SCAP)

Answer 27

Extensible Configuration Checklist Description Format = language for specifying security checklists

Question 28

OVAL (SCAP)

Answer 28

Open Vulnerability and Assessment Language = language for describing security testing procedures

Question 29

Vulnerability scans

Answer 29

automatically probe systems, applications and networks looking for weaknesses that may be exploited by an attacker

Question 30

Network discovery scanning

Answer 30

variety of techniques to scan a range of IP addresses, searching for systems with open network ports

Question 31

TCP SYN Scanning = half-open scanning (network discovery)

Answer 31

Sends a single packet to each scanned port with the SYN flag set, indicating a request to open a new connection

If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open

Question 32

TCP Connect Scanning (network discovery)

Answer 32

Opens a full connection to the remote system on the specified port

Used when the user running the scan does not have the necessary permissions to run a half-open scan (i.e., user cannot send hand-crafted packets)

Question 33

TCP ACK Scanning (network discovery)

Answer 33

Sends a packet with the ACK flag set, indicating that it is part of an open connection

May be done in an attempt to determine the rules enforced by a firewall and the firewall methodology

Question 34

UDP scanning (network discovery)

Answer 34

Performs a scan of the remote system using the UDP protocol, checking for active UDP services

Does not use the three way handshake, because UDP is a connectionless protocol

Question 35

Xmas scanning (network discovery)

Answer 35

Sends a packet with the FIN, PSH and URG flags set

A packet with so many flags is said to be ‘lit up like a Christmas tree’

Question 36

nmap

Answer 36

most common tool used for network discovery scanning = provides the current status of ports

Question 37

Open (nmap)

Answer 37

the port is open on the remote system and there is an application that is actively accepting connections on that port

Question 38

Closed (nmap)

Answer 38

the port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port

Question 39

Filtered (nmap)

Answer 39

Nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt

Question 40

Banner grabbing

Answer 40

technique used by port scanners, network vulnerability scanners and web vulnerability scanners to identify the variant and version of a service running on a service

Opens a connection to the service and reads the details provided on the welcome screen or banner to assist with version fingerprinting

Question 41

netstat command

Answer 41

useful tool for examining the active ports on a system = lists all active network connections on a system as well as those ports that are open and awaiting new connections

Question 42

network vulnerability scans

Answer 42

go deeper than discovery scans, don’t stop at detecting open ports but continue to probe a targeted system or network for the presence of known vulnerabilities

These tools contain databases of thousands of known vulnerabilities along with tests they can perform to identify whether a system is susceptible to each vulnerability in the system’s database

Question 43

Authenticated scans

Answer 43

scanner has read-only access to the servers being scanned and can use this access to read configuration information from the target system and use that information when analyzing vulnerability testing results

Question 44

TCP Port 20

Answer 44

FTP file transfer protocol

Question 45

TCP Port 22

Answer 45

SSH secure shell

Question 46

TCP Port 23

Answer 46

Telnet (remote access)

Question 47

TCP Port 25

Answer 47

SMTP (unencrypted mail)

Question 48

TCP Port 53

Answer 48

DNS domain name system (domain name to IP address)

Question 49

TCP Port 80

Answer 49

HTTP (unencrypted)

Question 50

TCP Port 110

Answer 50

POP3 (email retrieval)

Question 51

TCP Port 123

Answer 51

NTP network time protocol, time synchronization

Question 52

TCP Port 21

Answer 52

FTP file transfer protocol

Question 53

TCP Port 135

Answer 53

Windows File Sharing

Question 54

TCP port 137

Answer 54

Windows File Sharing

Question 55

TCP port 138

Answer 55

Windows File Sharing

Question 56

TCP port 139

Answer 56

Windows File Sharing

Question 57

TCP port 445

Answer 57

Windows File Sharing

Question 58

TCP port 443

Answer 58

HTTPS

Question 59

TCP port 515

Answer 59

LPR/LPD (printing)

Question 60

TCP port 1433

Answer 60

Microsoft SQL Server

Question 61

TCP port 1434

Answer 61

Microsoft SQL Server

Question 62

TCP port 1521

Answer 62

Oracle

Question 63

TCP port 1720

Answer 63

H.323 (VoIP)

Question 64

TCP port 1723

Answer 64

PPTP (point to point tunneling, VPN)

Question 65

TCP port 3389

Answer 65

RDP remote desktop protocol

Question 66

TCP port 9100

Answer 66

HP JetDirect printing

Question 67

OpenVAS

Answer 67

open source vulnerability scanner

Question 68

Sqlmap

Answer 68

a commonly used open source database vulnerability scanner

Question 69

Penetration testing

Answer 69

goes beyond vulnerability testing techniques and actually attempts to exploit systems = Try to defeat security controls and break into a targeted system or application to demonstrate the flaw

Question 70

Metasploit framework

Answer 70

tool commonly used by penetration testers to automatically execute exploits against targeted systems

Question 71

White-box penetration test

Answer 71

known environment tests

provides the attackers with detailed information about the systems they target, bypassing many of the reconnaissance steps, shortening the time of the attack and increasing the likelihood of finding security flaws

Question 72

gray-box penetration test

Answer 72

partial knowledge tests = partially known environment tests

particularly common when black-box results are desired but costs or time constraints mean that some knowledge is needed to complete the testing

Question 73

black-box penetration test

Answer 73

unknown environment tests

does not provide attackers with any information prior to the attack

simulates an external attacker trying to gain access to information about the business and technical environment before engaging in an attack

Question 74

BAS platforms

Answer 74

breach and attack simulation platforms = seek to automate some aspects of penetration testing

Question 75

NIST 800-115

Answer 75

industry standard penetrating testing methodology

Question 76

OSSTMM

Answer 76

Open Source Security Testing Methodology Manual

industry standard penetrating testing methodology

Question 77

compliance checks

Answer 77

verify that all of the controls listed in a compliance plan are functioning properly and are effectively meeting regulatory requirements

Question 78

exception handling

Answer 78

process of handling unexpected activity (e.g., invalid input, improperly sequenced activity)

Question 79

code review / peer review

Answer 79

where developers other than the one who wrote the code review it for defects

Question 80

Fagan inspections

Answer 80

most formal code review processes

Planning

Overview

Preparation

Inspection

Rework

Follow-up

Question 81

SAST

Answer 81

static application security testing = evaluates the security of software without running it by analyzing either the source code or the compiled application

Involves the use of au

Question 82

DAST

Answer 82

dynamic application security testing = evaluated the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else

Testers often do not have access to the underlying source code

E.g., use of web application scanning tools to detect the presence of cross-site scripting, SQL injection or other flaws in web applications

May include the use of synthetic transactions (i.e., scripted transactions with known expected results); testers run synthetic transactions against the tested code and then compare the output of the transactions to the expected state

Question 83

IAST

Answer 83

Interactive application security testing = performs real-time analysis of runtime behavior, application performance, HTTP/HTTPS traffic, frameworks, components and background connections

Question 84

RASP

Answer 84

Runtime Application Self-Protection = a tool that runs on a server and intercepts calls to and from an application and validates data requests

Question 85

fuzz testing

Answer 85

a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws = Supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities

Question 86

Mutation (dumb) fuzzing

Answer 86

Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input

Might alter the characters of the content, append strings to the end of the content or perform other data manipulation techniques

Question 87

generational (intelligent) fuzzing

Answer 87

Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program

Question 88

zzuf tool

Answer 88

automates the process of mutation fuzzing by manipulating input according to user specifications

Question 89

bit flipping

Answer 89

changing text so that it is almost identical to the original text, but with a modified bit (1 changed to 0)

Question 90

interface testing

Answer 90

assesses the performance of separately developed modules against the interface specifications to ensure that they will work together properly when all the development efforts are complete

Question 91

APIs

Answer 91

Application Programming Interfaces

Offer a standardized way for code modules to interact and may be exposed to the outside world through web services

Must be tested to ensure that they enforce all security requirements

Question 92

UIs

Answer 92

User Interfaces

E.g., GUIs (graphic user interfaces) and command-line interfaces

Provide end users with the ability to interact with the software

Question 93

test coverage analysis

Answer 93

used to estimate the degree of testing conducted against the new software

test coverage = number of use cases tested / total number of uses cases

A highly subjective calculation

Question 94

branch coverage (test coverage analysis)

Answer 94

Has every ‘if’ statement been executed under all ‘if’ and ‘else’ conditions?

Question 95

condition coverage (test coverage analysis)

Answer 95

Has every logical test in the code been executed under all sets of inputs?

Question 96

function coverage (test coverage analysis)

Answer 96

Has every function in the code been called and returned results?

Question 97

loop coverage (test coverage analysis)

Answer 97

Has every loop in the code been executed under conditions that cause code execution multiple times, only once, and not at all?

Question 98

statement coverage (test coverage analysis)

Answer 98

Has every line of code been executed during the test?

Question 99

passive website monitoring

Answer 99

Analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server

Provides real-world monitoring data that gives administrators insight into what is actually happening on a network

Question 100

RUM (website monitoring)

Answer 100

real user monitoring = a variant of passive monitoring where the monitoring tool reassembles the activity of individual users to track their interaction with a website

Question 101

active website monitoring / synthetic monitoring

Answer 101

Performs artificial transactions against a website to assess performance

Question 102

SIEM packages

Answer 102

security information and event management packages = automate much of the routine work of log review

Question 103

syslog functionality

Answer 103

present in many devices, operating systems and applications = used by SIEM packages to collect information

Question 104

Windows’ GPOs

Answer 104

Group Policy Objects = mechanism that can deploy and enforce standard policies through the organization = can deploy a logging policy

Question 105

NetFlow logs

Answer 105

network flow logs that provide records of the connections between systems and the amount of data transferred = particularly useful when investigating security incidents