CISSP Q V1.4 DOMAIN 6 Security Assessment and Testing Flashcards
Synthetic monitoring would most typically involve external agents performing which of the following?
A. Scripted transactions against a File Transfer Protocol (FTP) application.
B. Batch jobs against email applications.
C. Batch jobs against a telecommunications network (telnet) application.
D. Scripted transactions against a web application.
D. Scripted transactions against a web application.
Which of the following will cause the fewest security flaws?
A. Design flaws in the proposed system documentation.
B. Poor programming.
C. Misconfiguration of security infrastructures.
D. Functional bugs in security infrastructures.
A. Design flaws in the proposed system documentation.
Answers (B), (C), and (D) all point to areas that cause major and numerous security flaws. The word “proposed” in answer (A) is the key – this system is still being designed, and we can’t accurately determine whether the flaws will still exist by the time development of the system is complete.
Which of the following is not a type of test coverage analysis that would provide structural-coverage metrics?
A. Statement coverage
B. Dynamic coverage
C. Path coverage
D. Loop coverage
B. Dynamic coverage
The different forms of test coverage analysis include:
* Statement coverage
* Decision (branch) coverage
* Condition coverage
* Multi-condition coverage
* Loop coverage
* Path coverage
* Data flow coverage.
What are the two main testing strategies in software testing?
A. Negative and Positive cases
B. Static and Negative cases
C. Positive and Dynamic cases
D. Known and Unknown cases
A. Negative and Positive cases
Positive testing determines whether your application is working as expected, and negative testing ensures that your application can gracefully handle invalid input or unexpected behaviors.
In a testing environment that seeks to verify the accuracy of installed controls, which of the following is most correct?
A. The white-hat tester is an external tester and the black-hat tester is an internal tester.
B. A blind test is done so that insiders don’t know that they are being tested by external testers.
C. The most effective test would be a double-blind test.
D. A black-hat blind test will produce better results than a white-hat blind test.
C. The most effective test would be a double-blind test.
A “double-blind” test is one in which the tester has little to no knowledge of the systems, and the internal staff is unaware that there is testing going on. This kind of test therefore most effectively mimics a real attack (i.e. one conducted by an outside black-hat). Answer (A) is wrong; you don’t want black-hats “testing” anything. (B) is backwards. The answer to (D) depends on the skills of the tester / hacker.
Which technique would a black-hat tester normally use initially?
A. Static Source Code Analysis (SAST) Tools.
B. Fuzz testing tools, or “fuzzing.”
C. No-Op / NOP sleds, slides or ramps.
D. Reverse Engineering.
B. Fuzz testing tools, or “fuzzing.”
Answer (B) is correct. Fuzz testing tools send random data, usually in larger chunks than the application expects, to the input channels of an application in order to try to crash it. SAST tools are for source code analysis, which a hacker would be unlikely to have. NOP, or “no-operation,” sleds are a sequence of NOP instructions meant to “slide” the CPU’s instruction execution flow to its final destination whenever the program branches to a memory address anywhere on the sled. This technique is used in software exploits – i.e. it is not an “initial” technique. Similarly, a hacker may use reverse engineering, but if so, that would come much later.
Which of the following describes penetration testing steps in their proper sequence?
A. Discovery, enumeration, exploitation, Key Performance Indicators (KPIs), reporting.
B. Enumeration, discovery, vulnerability scanning, reporting.
C. Key Performance Indicators (KPIs), vulnerability scanning, exploitation, reporting.
D. Discovery, enumeration, vulnerability scanning, exploitation.
D. Discovery, enumeration, vulnerability scanning, exploitation.
The correct and logical order:
1. Discovery
2. Enumeration
3. Vulnerability mapping
4. Exploitation
5. Document findings
KPIs are not always provided, but if they are, they are provided as the last step.
What is the correct order of penetration testing steps?
The correct and logical order:
1. Discovery
2. Enumeration
3. Vulnerability mapping
4. Exploitation
5. Document findings
Which answer below BEST DESCRIBES the testing term “attack surface”?
- Different testing tools produce different attack surfaces for the same system.
- Architecture security review and Threat modeling help to identify attack surface.
- An attack surface describes all the ways in which an attacker might be able to get into a system, as well as ways in which they could get data out.
- An attack surface describes the technical ways in which an attacker might be able to get into a system, as well as how they could get data out.
A. 1 and 3
B. 3 only
C. 2 only
D. 2 and 4
B. 3 only
Items 1 and 2 describe things you do when attempting to determine the attack surface, not the attack surface itself. Item 4 is limited to technical attacks, whereas the attack surface includes all methods of possible attack.
How often are SOC reports typically done?
A. One month after initial product installation and installed controls are tested.
B. The quarter after initial product installation and installed controls are tested.
C. Every year after initial product installation and installed controls are tested.
D. Twice a year after initial product installation and controls are tested.
C. Every year after initial product installation and installed controls are tested.
Which answer describes synthetic monitoring’s greatest benefits?
- Monitor an application’s availability 24x7.
- Monitor critical databases for queries and availability.
- Objectively measure Service Level Requirements (SLRs).
- Monitor performance of proposed Identity as a Service (IDaaS) cloud solutions.
A. 1 and 2
B. 1 and 3
C. 1, 2, and 4
D. 2, 3, and 4
A. 1 and 2
Item 3 is wrong, as an SLR documents what the client wants in an SLA, not the actual performance of the service. Similarly, item 4 is not correct, as synthetic testing is about running scripts to monitor systems that are already in production, not proposed ones.
Which answer below is MOST accurate with respect to testing newly developed software?
A. With a little practice, complicated new software systems can be exhaustively tested
B. Expected test results should be objective and according to pre-defined specifications
C. Examining the “Top 5 Most Often Occurring” cases is a BEST PRACTICE for software testing
D. Best practices involve end-users in software testing as soon as new code can be tested
B. Expected test results should be objective and according to pre-defined specifications
(A) has been shown to be false; almost no software can be exhaustively tested. (D) is wrong because testing that frequently will cause huge delays and redesigns of the intended system.
Which answer below best describes Structural Coverage testing?
- Statement Coverage – there are enough test cases so that each program statement will be tested at least once.
- Decision Coverage – financial decisions about whether to move forward with the development can be determined from the software testing.
- Condition Coverage – testing that entry into and exit from each program loop is tested at least once.
- Multi-Condition – test cases exercise all possible combinations of conditions in program decisions.
A. 1 and 2
B. 2 and 3
C. 3 and 4
D. 1 and 4
D. 1 and 4
Management is looking for a security solution that can continuously determine the effectiveness of the security controls around the network. They would also like to know if the organization is protected against the latest day-to-day network threats. What would be best suited to this task?
A. Penetration testers
B. Breach attack simulations
C. Automated risk hunting
D. Advanced persistent tests
B. Breach attack simulations
BAS (breach attack simulation) tools are SaaS applications that can be launched from the cloud and from agents within the network. Instead of just scanning for vulnerabilities, they generate a wide range of intrusive traffic aimed at virtual machines created for the BAS application. The BAS application monitors this traffic carefully and can report not only on the effectiveness of the network controls but also give detailed insight into how an attacker could pivot through the network. These are essentially the next-generation form of vulnerability scanners. Furthermore, since they are SaaS, they receive frequent updates to test for the latest network threats.
The Chief Risk Officer is looking through logs for a specific IoC (Indicator of Compromise) that they read about online. What best describes this activity?
A. Risk analysis
B. Log aggregation
C. Threat hunting
D. Vulnerability scanning
C. Threat hunting
Threat hunting: a defense activity where security personnel proactively search through networks and logs to isolate and detect advanced threats that would evade existing security mechanisms.