CISSP Domain 6

Question 1

Security audit types

Answer 1

Internal: Org performs
External: big4
Third party: EY auditing your third party behalf of another organization

Question 2

Soc1 , SoC 2 and SoC 3

Answer 2

Finance

Trust security - CIAP, nda to be signed

Trust security- can be shared public disclosure

Question 3

Type 1 and Type 2 reports

Answer 3

Type 1: documentation review by auditor

Type 2: Effectiveness of controls over period of time , at least 6 months

Question 4

4 types of vulnerability scans

Answer 4

Scan to be done on IP ranges and open ports

Network discovery scan

Network vulnerability scans

Web application scans

Database vulnerability scans

Question 5

Network discovery scan techniques

Answer 5

TCP SYN scan- half open scanning

TCP connect scan- open a full connection in specified port

TCP ack scan- Determine rules enforced by the firewall technology

UDP scanning- remote system using UDP protocol and checking UDP services

X mas scanning- FIN, PSH and URG flags set “ lit up like a Christmas tree”

Question 6

Network vulnerability scans

Answer 6

Database of known vulnerability instead of detection of open ports

Question 7

Authenticated scans

Answer 7

improve scanning and accuracy to reduce false positives
Scanner has read only access to servers getting scanned and can read config info from the targeted system when analysis testing results

Question 8

Vulnerability management flow

Answer 8

Detection

Validation

Remediation

Question 9

Pen test process

Answer 9

Planning: Rules of engagement

Info gathering and discovery

Attack

Reporting

Question 10

White box test

Answer 10

Known environment test

By-pass reconciance test

Question 11

Testing your software principle

Answer 11

Never depend on users behaving properly. Software to expect the unexpected. This is known as exception handling

Question 12

Code Review

Answer 12

Planning
Overview
Preparation
Inspection
Re-work
Follow-up

Question 13

Code Review - Fagan

Answer 13

Peer review- manual walkthrough
Senior developer review
Automated review of tools

Question 14

Static review

Answer 14

Without running and analysing source code

Question 15

Dynamic testing

Answer 15

Software in runtime testing and can include *synthetic transactions**

Scripted transaction with known results

Question 16

Fuzz testing and Categories

Answer 16

Different types of inputs to software to stress it’s limits and find previously undetected flaws

1. Mutation (Dumb) fuzzing: Previous input from app
2. Generational (Intelligent) fuzzing:
   Develop data model and creates new fuzzed input

Question 17

Interface testing

Answer 17

API

GUI

Physical interface

Question 18

Misuse case testing

Answer 18

Ways that software users might attempt to misuse the application

Question 19

Test coverage analysis

Answer 19

Estimate degree of testing conducted against New software

Test coverage= number of use cases tested / total number of use cases

Question 20

Test coverage analysis - 5 common criteria

Answer 20

Branch coverage - If else conditions
Condition coverage - Logical based on inputs ?
Function coverage - returned results
Loop coverage - All loop
Statement coverage- every line of code executed ?

Question 21

Website monitoring

Answer 21

Passive monitoring - real user monitoring

Synthetic monitoring - Artificial transaction WAF ?

Question 22

Log reviews

Answer 22

Logging policy from gpo

Ntp sync

Siem

Question 23

Need to know, least prevlige and SoD

Answer 23

Security clearance

Permission+ rights

Question 24

Two persons control

Answer 24

Approval of two individuals for critical tasks

PAM solutions can create split password

Question 25

Split knowledge

Answer 25

Segregation of duties+ Two persons control into a Single solution

Question 26

PAM and MS PAM

Answer 26

Restrict access to privilege accounts or detect when accounts use elevated privilege

Ms pam is based on JIT ticket expires after 15 minutes of elevation of prevlige

Question 27

SaaS

Answer 27

Gmail - everything handled by csp

Question 28

PaaS

Answer 28

Customer will manage -App, data CSP provides platform like windows

Question 29

IaaS

Answer 29

Basic computing resources to customers. Servers, storage and network resources

Customer install os and apps, performs maintenance on OS and apps

Question 30

Public, private, community and hybrid

Answer 30

Private - SaaS, PaaS or IaaS

Community - Two or more org that have shared concern

Hybrid - two or more cloud bound together by a tech that provides data and app probability

Question 31

Scalability Vs Elasticity

Answer 31

Scalability - Computing resources
Handle work load

Requires shutting down the system

Elasticity - Computing resources can be created and destroyed when needed

Doesn’t require shutting down

Question 32

Configuration management

Answer 32

System deployed in secure, consistent state and stay secure, consistent throughout lifetime

Question 33

Provisioning

Answer 33

Install and configure OS and needed apps

Harden it based on its use

Question 34

Baselining

Answer 34

Starting point, In context of CM list of settings

Using images for baseline- steps

1. Baseline system
2. Image server deployed image

Question 35

Change management and primary goal

Answer 35

Changes do not cause outages by unauthorised changes

It affects A of CIA

Question 36

Change management steps

Answer 36

Request for change

Review the change

Approve / reject change

Test change

Schedule and implement change

Document change

Question 37

Patch management steps

Answer 37

Evaluates
Test patch
Approve patch
Deploy patch
Verify that patches are deployed - Vulnerability scan