CISSP Practice Test Chapter 6 Security Assessment and Testing (Sybex) Flashcards
During a port scan, Susan discovers a system running services on TCP and UDP 137–139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
A. A Linux email server
B. A Windows SQL server
C. A Linux file server
D. A Windows workstation
B. A Windows SQL server
Explanation:
B. TCP and UDP ports 137–139 are used for NetBIOS services, and TCP 445 is SMB over TCP (Microsoft-DS), the transport for Windows file sharing and much Active Directory traffic. TCP 1433 is the default port for Microsoft SQL Server, so this is probably a Windows server providing SQL services. Port-based identification is only a heuristic: confirm it with service fingerprinting or a banner grab before acting on it.
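The reasoning behind this question, applied to actual scanner output, as an added example (this is not code from the Sybex book; the nmap -oG text below is a constructed sample, not a real scan). It parses nmap's grepable output format and classifies each host from its open-port profile, treating UDP "open|filtered" as inconclusive rather than open:

```python
"""Parse nmap grepable (-oG) output and classify hosts by open-port profile
(NetBIOS/SMB on 137-139 and 445 plus TCP 1433 suggests a Windows SQL server)."""
from dataclasses import dataclass, field

# Constructed sample of nmap -oG output; not real scan data.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sS -sU -oG - 10.10.10.0/24
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 137/open/udp//netbios-ns///, 138/open|filtered/udp//netbios-dgm///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (995)
Host: 10.10.10.7 ()\tStatus: Up
Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.10.10.9 ()\tStatus: Up
Host: 10.10.10.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)
# Nmap done at Mon Jan  1 09:02:00 2024 -- 256 IP addresses (3 hosts up) scanned
"""


@dataclass
class HostResult:
    ip: str
    ports: dict = field(default_factory=dict)  # (port, proto) -> nmap state string

    def is_open(self, port, proto="tcp"):
        # UDP "open|filtered" is inconclusive, so only an unambiguous "open" counts.
        return self.ports.get((port, proto)) == "open"


def parse_grepable(text):
    """Return {ip: HostResult}; comment lines and Status-only lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        host = hosts.setdefault(ip, HostResult(ip))
        for f in fields[1:]:
            if not f.startswith("Ports:"):
                continue
            for entry in f[len("Ports:"):].split(","):
                # Each entry: port/state/protocol/owner/service/rpc info/version/
                parts = entry.strip().split("/")
                if len(parts) < 3 or not parts[0].isdigit():
                    continue
                host.ports[(int(parts[0]), parts[2])] = parts[1]
    return hosts


SMB_PORTS = ((137, "udp"), (138, "udp"), (139, "tcp"), (445, "tcp"))


def classify(host):
    """Heuristic OS/role guess from open ports; confirm with service fingerprinting."""
    smb = any(host.is_open(p, proto) for p, proto in SMB_PORTS)
    if smb and host.is_open(1433):
        return "windows-mssql"
    if smb or host.is_open(3389):
        return "windows"
    if host.is_open(22):
        return "likely-unix"
    return "unknown"


def report(text):
    return {ip: classify(h) for ip, h in parse_grepable(text).items()}


if __name__ == "__main__":
    for ip, guess in report(SAMPLE_OG).items():
        print(ip, guess)
```

Run it against `nmap -sS -sU -oG scan.gnmap <target>` output to get the same classification for a real range; the guesses are still only a starting point for a version scan (`-sV`).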
Which of the following is a method used to automatically design new software tests and to ensure the quality of tests?
A. Code auditing
B. Static code analysis
C. Regression testing
D. Mutation testing
D. Mutation testing
Explanation:
D. Mutation testing modifies a program in small ways and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.
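Mutation testing as a working harness, added here as an example (not code from the Sybex book; the password-policy function and its tests are constructed). Each mutant swaps one operator in the function's AST, the test suite is re-run against it, and a mutant that passes every test has "survived", which exposes a gap in the tests rather than a bug in the code:

```python
"""Minimal mutation-testing harness: mutate one operator at a time, re-run the
tests against each mutant, and report which mutants survived."""
import ast
import copy

# Constructed code under test (not from the page): a password-policy check.
SOURCE = '''
def meets_policy(password, min_length=12):
    if len(password) < min_length:
        return False
    has_digit = any(c.isdigit() for c in password)
    has_upper = any(c.isupper() for c in password)
    return has_digit and has_upper
'''


def run_tests(meets_policy):
    """Test suite; a mutant is 'killed' if any assertion fails."""
    try:
        assert meets_policy("Correct1Horse2Battery") is True
        assert meets_policy("short1A") is False            # too short
        assert meets_policy("alllowercase1234") is False   # no uppercase
        assert meets_policy("NoDigitsHereAtAll") is False  # no digit
        return True
    except Exception:
        return False


def run_tests_with_boundary(meets_policy):
    """Same suite plus the boundary case (exactly min_length characters)."""
    if not run_tests(meets_policy):
        return False
    try:
        assert meets_policy("Exactly12Ch1") is True
        return True
    except Exception:
        return False


# Operator swaps applied one at a time.
MUTATIONS = {
    ast.Lt: ast.LtE,   # <   -> <=  (off-by-one at the boundary)
    ast.And: ast.Or,   # and -> or
}


class Mutator(ast.NodeTransformer):
    """Apply exactly one mutation, at the `target`-th mutable node (target=-1 only counts)."""

    def __init__(self, target):
        self.target = target
        self.seen = 0
        self.applied = None

    def _swap(self, op):
        repl = MUTATIONS.get(type(op))
        if repl is None:
            return op
        if self.seen == self.target:
            self.applied = f"{type(op).__name__}->{repl.__name__}"
            op = repl()
        self.seen += 1
        return op

    def visit_Compare(self, node):
        self.generic_visit(node)
        node.ops = [self._swap(op) for op in node.ops]
        return node

    def visit_BoolOp(self, node):
        self.generic_visit(node)
        node.op = self._swap(node.op)
        return node


def compile_function(tree, name):
    ast.fix_missing_locations(tree)
    namespace = {}
    exec(compile(tree, "<mutant>", "exec"), namespace)
    return namespace[name]


def mutation_testing(source, func_name, test_runner):
    """Return [(mutation, killed)] for every mutant of `func_name`."""
    tree = ast.parse(source)
    counter = Mutator(target=-1)
    counter.visit(copy.deepcopy(tree))
    results = []
    for i in range(counter.seen):
        mutator = Mutator(target=i)
        mutant = mutator.visit(copy.deepcopy(tree))
        func = compile_function(mutant, func_name)
        results.append((mutator.applied, not test_runner(func)))
    return results


def mutation_score(results):
    return sum(1 for _, killed in results if killed) / len(results)
```

With the first suite the `<` to `<=` mutant survives, because no test uses a password of exactly twelve characters; adding that case kills it. That survival is the signal mutation testing exists to produce.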
During a port scan, Naomi found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
A. zzuf
B. Nikto
C. Metasploit
D. sqlmap
B. Nikto
Explanation:
TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.
What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
A. Syslog
B. Netlog
C. Eventlog
D. Remote Log Protocol (RLP)
A. Syslog
Explanation:
Syslog is a widely used protocol for event and message logging. Eventlog, netlog, and Remote Log Protocol are all made-up terms.
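What a SIEM actually does with a syslog line, as an added example (not code from the Sybex book). The priority field encodes facility and severity as `facility * 8 + severity`; the parser below decodes it for both the legacy BSD format (RFC 3164) and the RFC 5424 format, then filters the entries at warning severity or worse. The first two sample lines are adapted from the examples in those RFCs; the third is constructed:

```python
"""Decode syslog PRI and parse RFC 3164 / RFC 5424 lines, then select the
entries a SIEM would treat as exceptions."""
import re

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)  # simplified: escaped ']' inside structured-data params is not handled
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Lines 1-2 adapted from the RFC 3164 and RFC 5424 examples (BOM dropped); line 3 constructed.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry...',
    "<14>1 2024-01-01T09:00:00Z fw01 - - - - constructed info line",
]


def decode_pri(pri):
    """PRI = facility * 8 + severity; valid range 0-191."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line):
    """Return a dict of fields; tries RFC 5424 first, then the BSD format."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if m is None:
        raise ValueError("unrecognised syslog line")
    entry = m.groupdict()
    entry["format"] = "rfc5424" if "ver" in entry else "rfc3164"
    entry["facility"], entry["severity"] = decode_pri(entry.pop("pri"))
    entry["severity_num"] = SEVERITIES.index(entry["severity"])
    return entry


def exceptions(lines, threshold="warning"):
    """Entries at `threshold` severity or worse (lower number is more severe)."""
    limit = SEVERITIES.index(threshold)
    return [e for e in map(parse_syslog, lines) if e["severity_num"] <= limit]


if __name__ == "__main__":
    for e in exceptions(SAMPLE_LINES):
        print(e["host"], e["facility"], e["severity"], e["msg"])
```

Note that the BSD timestamp carries no year or time zone, which is why the NTP question later in this chapter matters: without synchronized clocks and a consistent format, these entries cannot be reliably sequenced across devices.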
Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
A. A black box
B. A brute-force tool
C. A fuzzer
D. A static analysis tool
C. A fuzzer
Explanation:
Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems. A static analysis relies on examining code without running the application or code and thus would not fill forms as part of a web application. Brute-force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.
Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
A. Nmap
B. OpenVAS
C. MBSA
D. Nessus
B. OpenVAS
Explanation:
OpenVAS is an open source vulnerability scanning tool that will provide Susan with a report of the vulnerabilities it can identify from a remote, network-based scan. Nmap is an open source port scanner, not a vulnerability scanner. Both the Microsoft Baseline Security Analyzer (MBSA, now retired) and Nessus are closed-source tools, although Nessus was originally open source.
Morgan is implementing a vulnerability management system that uses standards-based components to score and evaluate the vulnerabilities it finds. Which of the following is most commonly used to provide a severity score for vulnerabilities?
A. CCE
B. CVSS
C. CPE
D. OVAL
B. CVSS
Explanation:
B. CVSS, the Common Vulnerability Scoring System, is used to describe the severity of security vulnerabilities. CCE is Common Configuration Enumeration, a naming system for configuration issues. CPE is Common Platform Enumeration, which names operating systems, applications, and devices. OVAL is a language for describing security testing procedures.
Jim has been contracted to perform a penetration test of a bank’s primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
A. A crystal-box penetration test
B. A gray-box penetration test
C. A black-box penetration test
D. A white-box penetration test
C. A black-box penetration test
Explanation:
Jim has agreed to a black-box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal- or white-box penetration test provides all of the information an attacker needs, whereas a gray-box penetration test provides some, but not all, information.
In a response to a request for proposal, Susan receives an SSAE 18 SOC report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as follow-up and why?
A. A SOC 2 Type II report, because Type I does not cover operating effectiveness
B. A SOC 1 Type I report, because SOC 2 does not cover operating effectiveness
C. A SOC 2 Type I report, because SOC 2 Type II does not cover operating effectiveness
D. A SOC 3 report, because SOC 1 and SOC 2 reports are outdated
A. A SOC 2 Type II report, because Type I does not cover operating effectiveness
Explanation:
The key to answering this question correctly is understanding the difference between SOC 1 and SOC 2 reports, and between Type I and Type II audits. SOC 1 reports cover controls relevant to financial reporting, and SOC 2 reports cover the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). Type I reports describe the controls and whether they are suitably designed as of a single point in time; they do not include an assessment of operating effectiveness. Type II reports cover a period of time (typically 6 to 12 months) and do include testing of operating effectiveness.
During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts?
A. Using WPA2 encryption
B. Running WPA2 in Enterprise mode
C. Using WEP encryption
D. Running WPA2 in PSK mode
B. Running WPA2 in Enterprise mode
Explanation:
B. WPA2 Enterprise authenticates each user through 802.1X and a RADIUS server rather than a single preshared key, so there is no PSK-derived handshake for aircrack-ng to attack with a wordlist, and online guesses against individual user accounts are likely to trigger account lockout. WPA2 encryption by itself does not stop a password attack; WPA2-PSK is exactly what aircrack-ng's dictionary attack targets, capturing the four-way handshake and testing candidate passphrases offline. WEP is not only outdated but can usually be cracked in minutes by tools like aircrack-ng regardless of the key chosen.
A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob’s role as an information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob’s best route to quickly identify vulnerable systems?
A. Immediately run Nessus against all of the servers to identify which systems are vulnerable.
B. Review the CVE database to find the vulnerability information and patch information.
C. Create a custom IDS or IPS signature.
D. Identify affected versions and check systems for that version number using an automated scanner.
D. Identify affected versions and check systems for that version number using an automated scanner.
Explanation:
In many cases when a vulnerability is first announced, there are no prebuilt signatures or plug-ins for vulnerability scanners, and the CVE database may not immediately have details or patch information. Jacob's best option is to quickly gather the affected version information and review potentially vulnerable servers based on their current software versions and configuration. As more information becomes available, scanner signatures and CVE details are likely to be published. Unfortunately for Jacob, IDS and IPS signatures only detect attacks in progress and won't tell him whether systems are vulnerable unless he sees them being exploited.
What type of testing is used to ensure that separately developed software modules properly exchange data?
A. Fuzzing
B. Dynamic testing
C. Interface testing
D. API checksums
C. Interface testing
Explanation:
C. Interface testing is used to ensure that software modules properly meet interface specifications and thus will properly exchange data. Dynamic testing tests software in a running environment, whereas fuzzing is a type of dynamic testing that feeds invalid input to running software to test error and input handling. API checksums are not a testing technique.
Selah wants to provide security assessment information to customers who want to use her organization’s cloud services. Which of the following options should she select to ensure that the greatest number of customers are satisfied with the assessment information?
A. Use an internal audit team to self-assess against internal metrics.
B. Use a third-party auditor.
C. Use internal technical staff who know the systems.
D. Use an internal audit team to self-assess against a common standard like COBIT.
B. Use a third-party auditor.
Explanation:
Using a third-party auditor from a well-known and well-regarded firm is often the best option when providing audit and compliance information to third parties. Selah could engage an appropriate vendor for an SOC 2 Type II engagement as one example of a reasonable option to provide detail to her customers. Internal staff assessing to a common standard like COBIT would be the next most acceptable option on this list, with an internal standard less useful than that. Finally, internal nonaudit staff are the least useful in this circumstance.
Yasmine has been asked to consider a breach and attack simulation system. What type of system should she look for?
A. A ticket and change management system designed to help manage incidents
B. A system that runs incident response simulations for blue teams to test their skills
C. A system that combines red and blue team techniques with automation
D. A security operations and response (SOAR) system
C. A system that combines red and blue team techniques with automation
Explanation:
C. Breach and attack simulation (BAS) systems combine red team (attack) and blue team (defense) techniques with automation to emulate advanced persistent threats and other advanced threat actors against your environment. This allows a variety of threats to be replicated and the organization's detection and response to be assessed repeatedly, without the overhead of a fully staffed purple team.
Monica wants to gather information about security awareness in her organization. What technique is most frequently used to assess security awareness?
A. Phishing simulators
B. Gamified applications
C. Assessment tests
D. Surveys
D. Surveys
Explanation:
Most organizations use surveys to assess security awareness. Phishing simulators are also frequently used, but only test awareness of phishing issues and techniques, not general security awareness. Gamified applications are continuing to grow in popularity, but the ease of use and availability of surveys makes them the most popular. Finally, assessment tests may be used when compliance knowledge assessments are required to meet a specific standard, but testing is not as common as surveying.
Jim has been contracted to conduct a gray-box penetration test, and his clients have provided him with the following information about their networks so that he can scan them:
Data center: 10.10.10.0/24
Sales: 10.10.11.0/24
Billing: 10.10.12.0/24
Wireless: 192.168.0.0/16
What problem will Jim encounter if he attempts to scan these ranges from his own office across the Internet?
A. The IP ranges are too large to scan efficiently.
B. The IP addresses provided cannot be scanned.
C. The IP ranges overlap and will cause scanning issues.
D. The IP addresses provided are RFC 1918 addresses.
D. The IP addresses provided are RFC 1918 addresses.
Explanation:
The IP addresses that his clients have provided are RFC 1918 nonroutable IP addresses, and Jim will not be able to scan them from off-site. To succeed in his penetration test, he will have to either first penetrate their network border or place a machine inside their network to scan from the inside. IP addresses overlapping is not a real concern for scanning, and the ranges can easily be handled by current scanning systems.
Mark’s company has been notified that there is a flaw in their web application. The anonymous individual has notified them that they have two weeks to fix it before the details of the flaw are published along with example exploit code. What industry norm is the individual who contacted Mark’s company violating?
A. Zero-day reporting
B. Ethical disclosure
C. Ethical hacking
D. The (ISC)2 vulnerability disclosure ethics statement
B. Ethical disclosure
Explanation:
B. Ethical (or responsible, or coordinated) disclosure practices give companies and organizations a reasonable period of time to fix a flaw and to get that fix into the hands of their customers; commonly cited windows run from 45 to 90 days. Two weeks is unlikely to be a reasonable amount of time for this. Unfortunately, Mark may not be able to persuade the individual to make a different decision, and Mark's company will need to decide how to respond to the issue in the time it has.
For questions 18–20, please refer to the following scenario:
The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.
Jennifer needs to ensure that all Windows systems provide identical logging information to the SIEM. How can she best ensure that all Windows desktops have the same log settings?
A. Perform periodic configuration audits.
B. Use Group Policy.
C. Use Local Policy.
D. Deploy a Windows syslog client.
B. Use Group Policy.
Explanation:
Group Policy enforced by Active Directory can ensure consistent logging settings and can provide regular enforcement of policy on systems. Periodic configuration audits won’t catch changes made between audits, and local policies can drift due to local changes or differences in deployments. A Windows syslog client will enable the Windows systems to send syslog to the SIEM appliance but won’t ensure consistent logging of events.
During normal operations, Jennifer’s team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events?
A. Enterprise wireless access points
B. Windows desktop systems
C. Linux web servers
D. Enterprise firewall devices
B. Windows desktop systems
Explanation:
Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.
What technology should an organization use for each of the devices shown in the diagram to ensure that logs can be time sequenced across the entire infrastructure?
A. Syslog
B. NTP
C. Logsync
D. SNAP
B. NTP
Explanation:
Network Time Protocol (NTP) can ensure that systems are using the same time, allowing time sequencing for logs throughout a centralized logging infrastructure. Syslog is a way for systems to send logs to a logging server and won’t address time sequencing. Neither logsync nor SNAP is an industry term.
During a penetration test, Michelle needs to identify systems, but she hasn’t gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services?
A. A TCP connect scan
B. A TCP SYN scan
C. A UDP scan
D. An ICMP scan
A. A TCP connect scan
Explanation:
When a tester does not have raw packet creation privileges, such as when they have not escalated privileges on a compromised host, a TCP connect scan can be used because it relies only on the ordinary socket API. TCP SYN scans require raw socket privileges (root or CAP_NET_RAW on most Linux systems) in order to craft packets directly. A UDP scan will miss every service that is provided via TCP, and an ICMP scan is merely a ping sweep that finds systems responding to pings and won't identify services at all. The tradeoff is that a connect scan completes the full three-way handshake, so the target's service logs will record each connection.
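The distinction this question turns on, as an added example (not code from the Sybex book): a TCP connect scan needs nothing but the standard socket API, whereas a SYN scan needs a raw socket, which the first function below simply tries to open. The `demo` function is self-contained; it starts a throwaway listener on the loopback interface so the scan has a known open and a known closed port to find:

```python
"""Unprivileged TCP connect scan via the OS socket API, plus a check for whether
raw sockets (needed to craft SYN packets) are available to this process."""
import socket
from concurrent.futures import ThreadPoolExecutor


def can_open_raw_socket():
    """True if this process may craft raw packets (root / CAP_NET_RAW on Linux)."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError:          # PermissionError on Linux without CAP_NET_RAW
        return False
    s.close()
    return True


def probe(host, port, timeout=0.5):
    """Complete the three-way handshake; the kernel does the packet work for us."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:      # refused, timed out, or unreachable
            return port, False
        return port, True


def connect_scan(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports that accepted a full TCP connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return sorted(port for port, is_open in results if is_open)


def demo(host="127.0.0.1"):
    """Self-contained run: open a throwaway listener, pick a port known to be
    closed, scan both, and return (found_open, listener_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()              # released without listen(), so connects are refused
    try:
        found = connect_scan(host, [open_port, closed_port])
    finally:
        listener.close()
    return found, open_port, closed_port


if __name__ == "__main__":
    found, open_port, closed_port = demo()
    print(f"raw sockets available: {can_open_raw_socket()}")
    print(f"open ports: {found} (listener on {open_port}; {closed_port} was closed)")
```

Against a real host, pass the target address and a port list to `connect_scan`; every port reported open has appeared in that service's connection log, which is the noise a SYN scan avoids.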
During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry:
21/open
23/open
What services are likely running on those ports?
A. SSH and FTP
B. FTP and Telnet
C. SMTP and Telnet
D. POP3 and SMTP
B. FTP and Telnet
Explanation:
B. Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.
Aaron wants to validate his compliance with PCI-DSS. His company is a large commercial organization with millions of dollars in transactions a year. What is the most common method of conducting this type of testing for large organizations?
A. Self-assessment
B. To conduct a third-party assessment using COBIT
C. To partner with another company and trade assessments between the organizations
D. To conduct a third-party assessment using a qualified security assessor
D. To conduct a third-party assessment using a qualified security assessor
Explanation:
Large organizations hire QSAs, or qualified security assessors, to conduct compliance checks. PCI DSS requires the highest-volume (Level 1) merchants and service providers to have an annual Report on Compliance performed by an assessor, whereas smaller organizations can self-certify using a Self-Assessment Questionnaire. COBIT is an IT governance framework, not a PCI DSS validation method.
What method is commonly used to assess how well software testing covered the potential uses of an application?
A. A test coverage analysis
B. A source code review
C. A fuzz analysis
D. A code review report
A. A test coverage analysis
Explanation:
A test coverage analysis is often used to provide insight into how well testing covered the set of use cases that an application is being tested for. Source code reviews look at the code of a program for bugs, not necessarily at a use case analysis, whereas fuzzing tests invalid inputs. A code review report might be generated as part of a source code review.
Testing that is focused on functions that a system should not allow is an example of what type of testing?
A. Use case testing
B. Manual testing
C. Misuse case testing
D. Dynamic testing
C. Misuse case testing
Explanation:
Testing how a system could be misused, or misuse case testing, focuses on behaviors that are not what the organization desires or that are counter to the proper function of a system or application. Use case testing verifies whether a desired functionality works. Dynamic testing exercises the code while it is running rather than by inspection, whereas manual testing is just what it implies: testing code by hand.
What type of monitoring uses simulated traffic to a website to monitor performance?
A. Log analysis
B. Synthetic monitoring
C. Passive monitoring
D. Simulated transaction analysis
B. Synthetic monitoring
Explanation:
Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance monitors. Passive monitoring uses a span port or other method to copy traffic and monitor it in real time. Log analysis is typically performed against actual log data but can be performed on simulated traffic to identify issues. Simulated transaction analysis is not an industry term.
Derek wants to ensure that his organization tracks all changes to accounts through their lifecycle. What type of tool should he invest in for his organization?
A. A directory service like LDAP
B. An IAM system
C. An SIEM
D. An EDR system
B. An IAM system
Explanation:
Identity and access management (IAM) systems combine lifecycle management and monitoring tools to ensure that identity and authorization are properly handled throughout an organization. Derek should invest in a capable IAM system and ensure that it is configured to use appropriate workflows and to generate the logs and reports that he needs. EDR systems are endpoint detection and response tools and are used to protect against compromise by advanced attackers.
Jim uses a tool that scans a system for available services and then connects to them to collect banner information to determine what version of the service is running. It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE information. What type of tool is Jim using?
A. A port scanner
B. A service validator
C. A vulnerability scanner
D. A patch management tool
C. A vulnerability scanner
Explanation:
C. Vulnerability scanners that do not have administrative rights to access a machine or that are not using an agent scan remote machines to gather information, including fingerprints from responses to queries and connections, banner information from services, and related data. CVE information is Common Vulnerability and Exposure information, or vulnerability information. A port scanner gathers information about what service ports are open, although some port scanners blur the line between port and vulnerability scanners. Patch management tools typically run as an agent on a system to allow them to both monitor patch levels and update the system as needed. Service validation typically involves testing the functionality of a service, not its banner and response patterns.
Emily builds a script that sends data to a web application that she is testing. Each time the script runs, it sends a series of transactions with data that fits the expected requirements of the web application to verify that it responds to typical customer behavior. What type of transactions is she using, and what type of test is this?
A. Synthetic, passive monitoring
B. Synthetic, use case testing
C. Actual, dynamic monitoring
D. Actual, fuzzing
B. Synthetic, use case testing
Explanation:
Emily is using synthetic transactions, which can use recorded or generated transactions, and is conducting use case testing to verify that the application responds properly to actual use cases. Neither actual data nor dynamic monitoring is an industry term. Fuzzing involves sending unexpected inputs to a program to see how it responds. Passive monitoring uses a network tap or other capture technology to allow monitoring of actual traffic to a system or application.
What passive monitoring technique records all user interaction with an application or website to ensure quality and performance?
A. Client/server testing
B. Real user monitoring
C. Synthetic user monitoring
D. Passive user recording
B. Real user monitoring
Explanation:
Real user monitoring (RUM) is a passive monitoring technique that records actual users' interactions with an application or system to measure performance and verify application behavior. Because it depends on real traffic, RUM is used against production deployments rather than before release. The other answers are all made up: synthetic monitoring uses simulated behavior, but "synthetic user monitoring" is not a testing method; passive monitoring monitors actual traffic, but "passive user recording" is not an industry term or technique; and client/server testing merely describes one possible architecture.
Earlier this year, the information security team at Jim's employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to incorrectly flag the system as vulnerable. What should Jim do so that the system does not continue to be flagged incorrectly?
A. Uninstall and reinstall the patch.
B. Ask the information security team to flag the system as patched and not vulnerable to that particular flaw.
C. Update the version information in the web server’s configuration.
D. Review the vulnerability report and use alternate remediation options.
B. Ask the information security team to flag the system as patched and not vulnerable to that particular flaw.
Explanation:
B. Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version or banner information and will flag patched software if the vendor does not update the version string they see; this is especially common with Linux distributions that backport security fixes without changing the upstream version number. Before the exception is granted, Jim should supply evidence that the fix is present, such as the installed package version or a credentialed scan result, and the exception should be recorded against that specific flaw rather than the whole host. Uninstalling and reinstalling the patch will not change what the scanner sees. Changing the version information may not change all of the details being flagged and may cause issues later. Reviewing the vulnerability information for a workaround may be a good idea but should not be necessary if the proper patch is installed, and it can create maintenance issues later.
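Version-based triage with its failure modes built in, as an added example (not code from the Sybex book) that serves both the zero-day question earlier in this chapter, where Jacob checks systems against affected versions, and this one, where a banner-based scanner keeps flagging a patched host. The banners, the fixed version and the "verified patch" evidence are all constructed placeholders, not data from any real advisory:

```python
"""Version-based vulnerability triage from HTTP Server banners, with the two
caveats from the questions: banners may hide the version, and distributions may
backport a fix without changing the version string."""
import re

# Constructed banners (not from a real scan).
BANNERS = {
    "web01": "Server: Apache/2.4.49 (Unix)",
    "web02": "Server: Apache/2.4.51 (Unix)",
    "web03": "Server: Apache/2.4.6 (CentOS)",   # distro build; fixes are backported
    "web04": "Server: Apache",                   # ServerTokens Prod hides the version
}
FIXED_VERSION = "2.4.51"   # hypothetical advisory: every earlier 2.4.x is affected

# Hosts where a credentialed check (package manager, file hash) confirmed the fix.
# The evidence string is a hypothetical placeholder.
VERIFIED_PATCHED = {"web03": "hypothetical: backported httpd package carries the fix"}


def parse_version(s):
    """'2.4.6' -> (2, 4, 6). Compare numerically; as strings '2.4.6' > '2.4.51'."""
    return tuple(int(x) for x in s.split("."))


def banner_version(banner):
    m = re.search(r"Apache/(\d+(?:\.\d+)+)", banner)
    return parse_version(m.group(1)) if m else None


def assess(host, banner, fixed_version, verified):
    """Return (status, basis). Authenticated evidence outranks the banner."""
    if host in verified:
        return "not-vulnerable", "verified-patch"
    v = banner_version(banner)
    if v is None:
        return "unknown", "banner-hides-version"
    if v < parse_version(fixed_version):
        return "vulnerable", "banner-version"
    return "not-vulnerable", "banner-version"


def triage(banners, fixed_version, verified=None):
    verified = verified or {}
    return {h: assess(h, b, fixed_version, verified) for h, b in banners.items()}


if __name__ == "__main__":
    for host, (status, basis) in triage(BANNERS, FIXED_VERSION, VERIFIED_PATCHED).items():
        print(f"{host}: {status} ({basis})")
```

Without the `VERIFIED_PATCHED` entry, web03 is reported vulnerable purely on its banner, which is exactly Jim's situation; the "unknown" result for web04 is the honest answer when a banner carries no version, and is the prompt to run an authenticated check rather than guess.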
Angela wants to test a web browser’s handling of unexpected data using an automated tool. What tool should she choose?
A. Nmap
B. zzuf
C. Nessus
D. Nikto
B. zzuf
Explanation:
zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with programs like web browsers, image viewers, and similar software by transparently corrupting the network and file input they read. Nmap is a port scanner, Nessus is a vulnerability scanner, and Nikto is a web server scanner.
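What a fuzzer does in practice, as an added example (not code from the Sybex book) that covers both this question and the earlier one about fuzzing web form fields for format-string handling. The mutator works in the spirit of zzuf (bit flips, byte deletion and insertion) and also splices in format-string tokens and boundary numbers; the target is a constructed form-field parser with a deliberate missing bounds check, shown next to its fixed version:

```python
"""Small mutation fuzzer run against a constructed parser with a length bug,
then against the fixed parser. Exceptions the parser raises on purpose (ValueError)
are input rejection; anything else is an unhandled failure worth reporting."""
import random
import re

FORMAT_TOKENS = ["%s", "%n", "%x%x%x%x", "%p", "%08x"]   # classic format-string probes


def parse_form_field(raw):
    """Constructed target (not from the page). Format: name=<len>:<value>.
    BUG: trusts the declared length and indexes past the end of value."""
    name, rest = raw.split("=", 1)
    length, value = rest.split(":", 1)
    n = int(length)
    if n < 0:
        raise ValueError("negative length")
    last = value[n - 1] if n else ""          # IndexError when n > len(value)
    return {"name": name, "value": value[:n], "last": last}


def parse_form_field_fixed(raw):
    """Same parser with the missing bounds check added."""
    name, rest = raw.split("=", 1)
    length, value = rest.split(":", 1)
    n = int(length)
    if n < 0 or n > len(value):
        raise ValueError("declared length does not match value")
    last = value[n - 1] if n else ""
    return {"name": name, "value": value[:n], "last": last}


def mutate(seed, rng):
    """Apply 1-4 random mutations: bit flip, byte delete, byte insert,
    format-token splice, or replacing a number with a boundary value."""
    data = bytearray(seed, "utf-8")
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(5)
        if op == 0 and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == 1 and data:
            del data[rng.randrange(len(data))]
        elif op == 2:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == 3:
            pos = rng.randrange(len(data) + 1)
            data[pos:pos] = rng.choice(FORMAT_TOKENS).encode()
        else:
            text = data.decode("utf-8", "replace")
            edge = rng.choice([0, -1, 2**31, 2**63, len(text) * 10])
            data = bytearray(re.sub(r"\d+", str(edge), text, count=1), "utf-8")
    return data.decode("utf-8", "replace")


def fuzz(target, seeds, iterations=2000, rng_seed=1234, expected=(ValueError,)):
    """Return {exception_name: first_triggering_input}; deterministic for a given seed."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            target(sample)
        except expected:
            continue
        except Exception as exc:       # anything else is an unhandled failure
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


SEEDS = ["user=5:alice", "email=17:alice@example.com"]   # constructed valid inputs

if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_form_field, SEEDS))
    print("fixed parser:", fuzz(parse_form_field_fixed, SEEDS))
```

The fixed seed makes every run reproducible, so a crashing input found once can be replayed as a regression test after the fix; a Python `IndexError` stands in here for the out-of-bounds read that the same bug would be in C.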
STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?
A. Vulnerability assessment
B. Misuse case testing
C. Threat categorization
D. Penetration test planning
C. Threat categorization
Explanation:
An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.
Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?
A. It can help identify rogue devices.
B. It can test the security of the wireless network via scripted attacks.
C. Their short dwell time on each wireless channel can allow them to capture more packets.
D. They can help test wireless IDS or IPS systems.
A. It can help identify rogue devices.
Explanation:
Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.
Scripted attacks are part of active scanning rather than passive scanning, and active scanning is useful for testing IDS or IPS systems, whereas passive scanning will not be detected by detection systems. Finally, a shorter dwell time can actually miss troublesome traffic, so balancing dwell time versus coverage is necessary for passive wireless scanning efforts.
Paul is reviewing the approval process for a penetration test and wants to ensure that it has appropriate management review. Who should he ensure has approved the request for a penetration test for a business system?
A. The change advisory board
B. Senior management
C. The systems administrator for the system
D. The service owner
B. Senior management
Explanation:
B. In most organizations, senior management needs to approve penetration tests due to the risk to the organization and the potential impact of the test. In a small number of organizations, the service owner may be able to make this decision, but penetration tests often have broader impacts than a single service, meaning that senior management is the proper path. Change advisory boards approve changes, not penetration tests, and system administrators may be advised of the test but do not have the authority in most organizations to sign off on a penetration test.
What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
A. Nonregression testing
B. Evolution testing
C. Smoke testing
D. Regression testing
D. Regression testing
Explanation:
D. Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Nonregression testing checks to see whether a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.
Which of the following tools cannot identify a target’s operating system for a penetration tester?
A. Nmap
B. Nessus
C. Nikto
D. sqlmap
D. sqlmap
Explanation:
Nmap, Nessus, and Nikto all have OS fingerprinting or other operating system identification capabilities. sqlmap is designed to perform automated detection and testing of SQL injection flaws and does not provide OS detection.
Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
A. Perform yearly risk assessments.
B. Hire a penetration testing company to regularly test organizational security.
C. Identify and track key risk indicators.
D. Monitor logs and events using a SIEM device.
C. Identify and track key risk indicators.
Explanation:
Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their lifecycle. Yearly risk assessments may be a good idea, but only provide a point-in-time view, whereas penetration tests may miss out on risks that are not directly security-related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won’t necessarily show trends in risk.
What major difference separates synthetic and passive monitoring?
A. Synthetic monitoring works only after problems have occurred.
B. Passive monitoring cannot detect functionality issues.
C. Passive monitoring works only after problems have occurred.
D. Synthetic monitoring cannot detect functionality issues.
C. Passive monitoring works only after problems have occurred.
Explanation:
Passive monitoring works only after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic and thus can be used to proactively identify problems. Both synthetic and passive monitoring can be used to detect functionality issues.
For questions 40–42, please refer to the following scenario. Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test.
What task is the most important during Phase 1, Planning?
A. Building a test lab
B. Getting authorization
C. Gathering appropriate tools
D. Determining if the test is white, black, or gray box
B. Getting authorization
Explanation:
Getting authorization is the most critical element in the planning phase. Permission, and the “get out of jail free card” that demonstrates that organizational leadership is aware of the issues that a penetration test could cause, is the first step in any penetration test. Gathering tools and building a lab, as well as determining what type of test will be conducted, are all important, but nothing should happen without permission.