Domain 6 Flashcards

1
Q

Information Security Assessment

A

Information Security Assessment is the process of determining how effectively the entity being evaluated meets specific security criteria (assurance).

2
Q

Examination

A

Examination (E) is the process of interviewing, reviewing, inspecting, studying, and observing to facilitate understanding, to compare against standards or baselines, or to obtain evidence.
Examinations are used to determine whether the assessment object is properly documented and to gain operational insight regarding effectiveness, suitability, and survivability.

3
Q

Examination properties

A
  • Examinations generally focus on policies, standards, baselines, procedures, plans, programs, configurations, settings, output, and reports.
  • Examinations are considered a passive activity with minimal (if any) anticipated operational impact.
4
Q

Testing

A

Testing is used to identify vulnerabilities (weaknesses), substantiate strengths, and predict the likelihood of exploitation.

  • Testing techniques may include vulnerability assessments, penetration testing, password cracking, and social engineering, as well as incident response and disaster recovery/business continuity exercises.
  • Testing can be intrusive and can have an operational impact.
5
Q

Rules of Engagement (ROE)

A

The Rules of Engagement (ROE) document details the parameters of the assessment (examination and testing) and the expected conduct of the assessor.

6
Q

Rules of Engagement (ROE) Components

A

ROE components include:

  • Scope
  • Level of expertise / methodology
  • Data Handling requirements
  • Reporting expectations
  • Assessor responsibilities.
  • Legal Considerations.
7
Q

Rules of Engagement (ROE) Component: Scope

A

Selection of assessment objects is influenced by system criticality, information sensitivity, regulatory requirements, and contractual obligations. The scope is also shaped by:

  • Size of the system being assessed.
  • Complexity of the environment.
  • Feasibility of sampling.
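One practical check the scope component implies: before any examination or test starts, confirm that every candidate target lies inside the ranges the ROE authorizes and outside its exclusions. The Python below is an added example, not code from the original page; the in-scope and excluded ranges are constructed placeholders for a hypothetical engagement.

```python
import ipaddress

# Constructed placeholder scope from a hypothetical ROE (not a real engagement).
IN_SCOPE = ["10.20.0.0/16", "192.0.2.10"]   # authorized networks and single hosts
EXCLUDED = ["10.20.5.0/24", "10.20.0.1"]    # carve-outs that must never be touched


def parse_scope(in_scope, excluded):
    """Turn ROE strings into network objects; a bare host becomes a /32 (or /128) network."""
    allowed = [ipaddress.ip_network(s, strict=False) for s in in_scope]
    denied = [ipaddress.ip_network(s, strict=False) for s in excluded]
    return allowed, denied


def is_authorized(target, allowed, denied):
    """A target is authorized only if it lies inside an allowed range AND outside every exclusion.

    Exclusions win over inclusions, so a carve-out nested inside an in-scope block is honoured.
    Raises ValueError for strings that are not IP addresses.
    """
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in denied):
        return False
    return any(addr in net for net in allowed)


def filter_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Split candidate targets into (authorized, rejected) before any scanner is pointed at them.

    Anything unparsable is rejected rather than guessed at: a typo in a target list is
    exactly how an assessor ends up touching a system outside the ROE.
    """
    allowed, denied = parse_scope(in_scope, excluded)
    authorized, rejected = [], []
    for target in targets:
        try:
            ok = is_authorized(target, allowed, denied)
        except ValueError:
            ok = False
        (authorized if ok else rejected).append(target)
    return authorized, rejected


if __name__ == "__main__":
    candidates = ["10.20.1.7", "10.20.5.9", "10.20.0.1", "192.0.2.10", "198.51.100.4", "not-an-ip"]
    go, stop = filter_targets(candidates)
    print("authorized:", go)
    print("rejected:  ", stop)
```

Run this over the target list an assessor is about to feed to a scanner; only the authorized list should ever reach the tool. Hostnames in an ROE would need to be resolved and the resulting addresses checked the same way.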
8
Q

Rules of Engagement (ROE) Component: Sampling

A

Sampling is used to infer characteristics about a population based upon the characteristics of a sample.

  • Evidence sampling is applying a procedure to less than 100% of the population.
  • Sampling risk is the risk that the assessor's conclusion, drawn from a sample, would differ from the conclusion reached by examining or testing the entire population.
9
Q

Sampling Techniques.

A
  • Statistical Sampling
  • Non-statistical Sampling
  • Block Sampling
10
Q

Statistical Sampling

A

An objective method for determining sample size and selection criteria.
- Each item should have an equal probability of selection.

11
Q

Non-statistical Sampling

A

A subjective method of determining which items are the most material, relevant, and/or risky.
- Included items are based on professional judgment.

12
Q

Block Sampling

A

All items in a selected time period, numerical sequence, or alphabetical sequence.

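Added example (not from the original page) that makes cards 8 through 12 concrete: it builds a constructed population of change tickets, draws a statistical (simple random) sample, a block sample (one calendar month), and a judgmental sample, measures sampling risk as the gap between a sample's estimate and the true population rate, and computes a statistical sample size with the standard proportion formula plus finite-population correction. The population, its 8% exception rate, and the ticket naming are invented for the example.

```python
import math
import random


def build_population(size=400, exception_rate=0.08, seed=1):
    """Constructed population: change tickets, each with or without an approval record.

    About `exception_rate` of them lack approval; that is the characteristic an assessor
    would want to estimate from a sample. Entirely synthetic data.
    """
    rng = random.Random(seed)
    return [
        {"ticket": f"CHG-{i:04d}", "month": (i % 12) + 1, "approved": rng.random() >= exception_rate}
        for i in range(size)
    ]


def statistical_sample(population, n, seed=7):
    """Statistical sampling: every item has an equal probability of being selected."""
    return random.Random(seed).sample(population, n)


def block_sample(population, month):
    """Block sampling: every item in one selected period (here a calendar month)."""
    return [item for item in population if item["month"] == month]


def judgmental_sample(population, predicate):
    """Non-statistical sampling: the assessor's judgment (the predicate) decides what is included."""
    return [item for item in population if predicate(item)]


def exception_rate(items):
    """Fraction of items lacking an approval record."""
    if not items:
        return 0.0
    return sum(1 for item in items if not item["approved"]) / len(items)


def sampling_error(population, sample):
    """Sampling risk made concrete: how far the sample estimate is from the true population rate."""
    return abs(exception_rate(sample) - exception_rate(population))


def statistical_sample_size(p=0.5, margin=0.05, z=1.96, population_size=None):
    """Objective sample size for estimating a proportion.

    n0 = z^2 * p(1-p) / e^2 (p=0.5 is the conservative worst case), then the finite-population
    correction n = n0 / (1 + (n0 - 1) / N) when the population size N is known.
    """
    n0 = (z ** 2) * p * (1 - p) / (margin ** 2)
    if population_size:
        n0 = n0 / (1 + (n0 - 1) / population_size)
    return math.ceil(n0)


if __name__ == "__main__":
    pop = build_population()
    n = statistical_sample_size(population_size=len(pop))
    print(f"true exception rate: {exception_rate(pop):.3f}")
    print(f"statistical sample (n={n}): error {sampling_error(pop, statistical_sample(pop, n)):.3f}")
    print(f"block sample (month 3):    error {sampling_error(pop, block_sample(pop, 3)):.3f}")
    # Judgmentally picking only the "suspicious" tickets shows where problems are, not how common they are.
    risky = judgmental_sample(pop, lambda t: not t["approved"])
    print(f"judgmental sample:         error {sampling_error(pop, risky):.3f}")
```

The judgmental sample illustrates the caveat behind non-statistical sampling: selecting by risk finds exceptions efficiently, but its exception rate says nothing about the population as a whole, so it cannot be used to infer population characteristics the way a random sample can.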
13
Q

Rules of Engagement (ROE) Component: Logistics

A

Logistical considerations include location, timing, and notification.

14
Q

Rules of Engagement (ROE) Component: Assessor Challenges

A

Security assessors often face technical, operational, and political challenges.

  • Resistance from business owners, system and network administrators, and end users.
  • Re-assessment of fixes.
  • In-the-moment mitigation.
  • Restricted time windows.
  • Evolving technology.
  • Risk of operational impact.
15
Q

Rules of Engagement (ROE) Component: Legal Considerations

A

Legal considerations include authorization, liability, indemnification, nondisclosure, and privacy.

16
Q

Document that details the parameters of an assessment

A

Rules of Engagement (ROE)

17
Q

Penetration Testing

A

The objective of penetration testing is to evaluate the security of a target by identifying and attempting to exploit (actual or proof of concept) weaknesses in the target environment.

  • Not to be confused with a vulnerability scan, which looks for known vulnerabilities in the target environment and reports potential exposures.
  • Testing methodology can be manual, automated, or hybrid.
  • Penetration testing can be useful for determining incident detection and response capabilities.
18
Q

Penetration Testing Approaches

A
  • Black Box (Blind)
  • Double Blind
  • Gray Box testing
  • White Box (Targeted)
19
Q

Black Box (Blind) Testing

A

Penetration testing team is not provided any details of the target environment.
Target personnel have knowledge of the test.

20
Q

Double Blind

A

Penetration testing team is not provided any details of the target environment.
Target personnel do not have knowledge of the test.

21
Q

Gray Box Testing

A

Penetration testing team is provided limited information about the target environment.
Target personnel have knowledge of the test.

22
Q

White Box (Targeted)

A

Both the penetration testing team and target personnel are knowledgeable and work in concert.
More efficient testing method.
The final report may be affected by the collaborative approach.

23
Q

Penetration Test Phases

A
  • Passive Reconnaissance
  • Active Reconnaissance
  • Attack Planning
  • Attack and Exploitation
  • Reporting.
  • Remediation and Retesting
24
Q

Exploitation

A

Exploitation is the stage where the testers exploit target systems to compromise them. Depending upon the ROE, this phase may be undertaken as a "proof of concept" or as an actual exploit.

26
Q

Persistence

A

Persistence is the act of installing or modifying services, installing malware or rootkits, creating backdoors, and/or creating accounts that will survive reboots.

27
Q

Pivoting

A

Pivoting is the act of using a weakness on one system to access a better protected system.

28
Q

Escalation of Privilege

A

Escalation of privilege is the act of exploiting a vulnerability to gain elevated access to a resource.

29
Q

Reporting

A

Penetration test reports should include vulnerability findings, exploit activities, and recommendations for mitigation.

  • Vulnerability findings should be categorized and referenced appropriately with CVE notation.
  • Exploit activities should be documented in enough detail that they are reproducible.
  • Mitigation recommendations should be prioritized and, as applicable, include risk reduction and security enhancement recommendations.
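Added example (not from the original page) showing how the three reporting requirements above can be checked mechanically before a report ships: CVE references are validated against the CVE identifier format, exploit activities that lack reproduction steps are flagged, findings with no mitigation recommendation are flagged, and the findings are ordered so demonstrated exploits and the highest CVSS scores come first. The findings, CVE numbers, and scores are constructed placeholders and do not refer to real vulnerabilities; the severity bands are the CVSS v3.x qualitative ratings.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# CVE identifier format: "CVE-" + four-digit year + "-" + at least four digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def cvss_severity(score):
    """CVSS v3.x qualitative severity rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    title: str
    cvss: float
    cves: list = field(default_factory=list)   # CVE references, if the weakness is a known one
    exploited: bool = False                    # exploit demonstrated (actual or proof of concept)?
    reproduction: str = ""                     # steps detailed enough for someone else to repeat it
    recommendation: str = ""                   # mitigation / risk-reduction advice


def validate_finding(f):
    """Return the report-quality problems with one finding (an empty list means it passes)."""
    problems = []
    if not 0.0 <= f.cvss <= 10.0:
        problems.append("CVSS score out of range")
    for ref in f.cves:
        if not CVE_RE.match(ref):
            problems.append(f"malformed CVE reference: {ref}")
    if f.exploited and not f.reproduction.strip():
        problems.append("exploit activity lacks reproduction steps")
    if not f.recommendation.strip():
        problems.append("no mitigation recommendation")
    return problems


def prioritize(findings):
    """Report order: demonstrated exploits first, then descending CVSS, then title for a stable order."""
    return sorted(findings, key=lambda f: (not f.exploited, -f.cvss, f.title))


def severity_counts(findings):
    """Headline numbers for the executive summary, keyed by qualitative severity."""
    return Counter(cvss_severity(f.cvss) for f in findings)


def sample_findings():
    """Constructed findings with placeholder CVE numbers; none of these refer to real vulnerabilities."""
    return [
        Finding("Outdated TLS configuration", 5.3, cves=["CVE-99-0002"]),  # malformed ref, no advice
        Finding("Verbose error messages", 3.1, recommendation="Return generic errors to clients."),
        Finding("SQL injection in search", 8.8, exploited=True,
                recommendation="Use parameterized queries."),  # exploited, but no reproduction steps
        Finding("Default credentials on admin console", 9.8, cves=["CVE-2099-0001"], exploited=True,
                reproduction="Log in to /admin with the vendor default username and password.",
                recommendation="Force a credential change at first boot; restrict /admin by source IP."),
    ]


if __name__ == "__main__":
    for f in prioritize(sample_findings()):
        issues = validate_finding(f)
        status = "OK" if not issues else "; ".join(issues)
        print(f"[{cvss_severity(f.cvss):8}] {f.cvss:4} exploited={f.exploited!s:5} {f.title}: {status}")
    print(dict(severity_counts(sample_findings())))
```

Putting "exploited" ahead of raw CVSS in the sort order reflects the distinction the card draws between a vulnerability finding and an exploit activity: a demonstrated compromise is evidence, a score is an estimate.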
30
Q

Pen Test Result Evaluation

A
  • Scope: What systems and devices are in scope?
  • Frequency: How often is the test conducted?
  • Stage: What is the stage of the target environment?
  • Type: Was the testing manual or automated?
  • Qualifications: What are the qualifications of the tester?
  • Rating Scale: What rating scale are they using: proprietary, open source, government?
  • Results: How comprehensive are the results? How clearly are they presented?
  • Remediation Plan: Are remediation actions documented? Is enough information presented so that the findings can be replicated?
31
Q

Red Team | Blue Team Simulation Exercises

A

Red Team | Blue Team Simulation Exercises are designed to simulate an attack and evaluate response and preparedness.

32
Q

Red Team

A

External entities that emulate the behaviors and techniques of likely attackers.

33
Q

Blue Team

A

Internal security team (defenders)

34
Q

Purple Team

A

Independent third party that monitors both teams in real time, evaluates activity and, if applicable, facilitates communication and recommends enhancements.

35
Q

Fagan Inspection

A
  • Planning
  • Overview
  • Preparation
  • Inspection
  • Rework
  • Follow-up