Domain 6 Flashcards

1
Q

What type of vulnerabilities will not be found by a vulnerability scanner?

a. Local vulnerabilities
b. Service vulnerabilities
c. Zero-day vulnerabilities
d. Vulnerabilities that require authentication

A

C. Vulnerability scanners can only report vulnerabilities for which they have a test, plug-in, or signature, and a zero-day vulnerability by definition has no public signature yet. Signatures often key on version numbers, service fingerprints, or configuration data. Scanners can detect local vulnerabilities as well as those that require authentication if they are provided with credentials, and of course they can detect service vulnerabilities.

2
Q

Jim has been contracted to perform a penetration test of a bank’s primary branch. In order to make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?

a. A crystal box penetration test
b. A gray box penetration test
c. A black box penetration test
d. A white box penetration test

A

C. Jim has agreed to a black box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal or white box penetration test provides all of the information an attacker needs, whereas a gray box penetration test provides some, but not all, information.

3
Q

What type of monitoring uses simulated traffic to a website to monitor performance?

a. Log analysis
b. Synthetic monitoring
c. Passive monitoring
d. Simulated transaction analysis

A

B. Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance monitors. Passive monitoring uses a span port or other method to copy traffic and monitor it in real time. Log analysis is typically performed against actual log data but can be performed on simulated traffic to identify issues. Simulated transaction analysis is not an industry term.

4
Q

Which of the following is not an interface that is typically tested during the software testing process?

a. APIs
b. Network interfaces
c. UIs
d. Physical interfaces

A

B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all important to test when performing software testing. Network interfaces are not a part of the typical list of interfaces tested in software testing.

5
Q

Lauren is performing a review of a third-party service organization and wants to determine if the organization’s policies and procedures are effectively enforced over a period of time. What type of industry standard assessment report should she request?

a. SSAE 16 SOC 1 Type I
b. SAS 70 Type I
c. SSAE 16 SOC 1 Type II
d. SAS 70 Type II

A

C. SOC 1 reports are prepared according to the Statement on Standards for Attestation Engagements, or SSAE number 16 (typically shortened to SSAE-16). An SOC 1 Type I report validates policies and procedures at a point in time, whereas SOC 1 Type II reports cover a period of time of at least six months. SOC 1 reports replaced SAS 70 reports in 2011, meaning that a current report should be an SSAE-16 SOC 1 report.

6
Q

Ben’s organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following three questions.

Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?

a. Hashes
b. Digital signatures
c. Filtering
d. Authorization controls

A

C. Filtering is useful for preventing denial of service attacks but won’t prevent tampering with data. Hashes and digital signatures can both be used to verify the integrity of data, and authorization controls can help ensure that only those with the proper rights can modify the data.
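The difference between a bare hash and a keyed integrity check is the detail that matters when choosing a tampering control, so here is an added example (not from the original flashcard deck) that shows it in working code. It assumes a constructed account record and a verifier-held secret key; the point generalizes to digital signatures, which replace the shared key with a private signing key and a public verification key.

```python
import hashlib
import hmac
import secrets

# Constructed sample record and a tampered copy (not from the original page).
RECORD = b'{"account":"1001","balance":"250.00"}'
TAMPERED = b'{"account":"1001","balance":"250000.00"}'

# Assumed: the verifier holds a secret key that the tamperer cannot read.
KEY = secrets.token_bytes(32)


def sha256_tag(data: bytes) -> str:
    """Bare hash. Detects accidental corruption, but anyone who can edit the
    data can also recompute the hash, so it proves integrity only if the
    hash itself is stored somewhere the attacker cannot modify."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Producing a tag that verifies requires the
    key, so an attacker who can only edit the data cannot forge one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time so the comparison leaks nothing
    return hmac.compare_digest(hmac_tag(key, data), tag)


def bare_hash_forgery_succeeds() -> bool:
    """Attacker rewrites the record and recomputes the hash stored beside it.
    The verifier, seeing only data plus tag, accepts the tampered record."""
    data, tag = TAMPERED, sha256_tag(TAMPERED)          # attacker-controlled pair
    return sha256_tag(data) == tag


def hmac_forgery_succeeds(key: bytes) -> bool:
    """Attacker lacks the key. The best available moves (reuse the original
    tag, substitute a plain hash, guess a key) are all rejected."""
    original_tag = hmac_tag(key, RECORD)
    attempts = [original_tag, sha256_tag(TAMPERED), hmac_tag(b"guess", TAMPERED)]
    return any(verify_hmac(key, TAMPERED, t) for t in attempts)


if __name__ == "__main__":
    print("bare hash forgery accepted:", bare_hash_forgery_succeeds())
    print("HMAC forgery accepted:     ", hmac_forgery_succeeds(KEY))
```

A bare hash only answers the question "has this changed since I hashed it?" when the hash lives somewhere the attacker cannot reach; a keyed tag or a signature answers it even when data and tag travel together. Authorization controls sit in front of both: they limit who can write the record in the first place.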

7
Q

When a Windows system is rebooted, what type of log is generated?

a. Error
b. Warning
c. Information
d. Failure audit

A

C. Rebooting a Windows machine results in an information log entry. Windows defines five types of events: errors, which indicate a significant problem; warnings, which may indicate future problems; information, which describes successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.

8
Q

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company’s core software product. Use your knowledge of code review and testing to answer the following three questions.

As part of the continued testing of their new application, Susan’s quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?

a. A test coverage report
b. A penetration test report
c. A code coverage report
d. A line coverage report

A

A. A test coverage report measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases. A penetration test report is provided when a penetration test is conducted—this is not a penetration test. A code coverage report covers how much of the code has been tested, and a line coverage report is a type of code coverage report.

9
Q

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company’s core software product. Use your knowledge of code review and testing to answer the following three questions.

As part of their code coverage testing, Susan’s team runs the analysis in a nonproduction environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?

a. Improper bounds checking
b. Input validation
c. A race condition
d. Pointer manipulation

A

C. Instrumentation such as logging and tracing changes how long each code path takes, and the altered timing of an instrumented test environment can mask (or, conversely, introduce) timing-dependent defects like race conditions that behave differently in production. Bounds checking, input validation, and pointer manipulation flaws are coding issues rather than environmental ones and are just as discoverable in a test environment.
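An added example (not from the original deck) of why a race can appear or vanish with the operating environment. The account class below is constructed for illustration; the `window` argument stands in for whatever runs between the balance check and the update, such as tracing hooks, logging, or slow I/O, and the same unlocked code yields a different final balance depending on it, while the locked version does not.

```python
import threading
import time


class Account:
    """Toy account whose withdraw path has a check-then-act race. Constructed
    for this example; not code from the page."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unsafe(self, amount: int, window: float) -> bool:
        # The balance check and the update are separate steps. `window`
        # stands in for whatever runs between them (tracing, logging, I/O);
        # change it and the same code passes or fails.
        if self.balance >= amount:
            time.sleep(window)
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount: int, window: float) -> bool:
        # Check and update form one critical section; timing no longer matters.
        with self._lock:
            if self.balance >= amount:
                time.sleep(window)
                self.balance -= amount
                return True
            return False


def run(method_name: str, window: float, threads: int = 2) -> int:
    """Start `threads` concurrent withdrawals of 80 from a balance of 100 and
    return the final balance. Correct result: exactly one succeeds, balance 20."""
    acct = Account(100)
    method = getattr(acct, method_name)
    workers = [threading.Thread(target=method, args=(80, window)) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return acct.balance


if __name__ == "__main__":
    for name in ("withdraw_unsafe", "withdraw_safe"):
        for window in (0.0, 0.05):
            print(f"{name:16s} window={window:<5} final balance={run(name, window)}")
```

With a 50 ms window both unlocked threads pass the check before either subtracts and the balance goes to -60; with no window the first thread usually finishes before the second starts and the bug hides. That is the point of the card: a test harness that slows or speeds the code changes which outcome you observe, and only the lock removes the dependence on timing.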

10
Q

NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?

a. Discovery
b. Gaining access
c. Escalating privileges
d. System browsing

A

B. Once additional tools have been installed, penetration testers will typically use them to gain additional access. From there they can further escalate privileges, search for new targets or data, and once again, install more tools to allow them to pivot further into infrastructure or systems.

11
Q

During a port scan, Ben uses nmap’s default settings and sees the following results. Use this information to answer the following three questions.

If Ben is conducting a penetration test, what should his next step be after receiving these results?

a. Connect to the web server using a web browser.
b. Connect via Telnet to test for vulnerable accounts.
c. Identify interesting ports for further scanning.
d. Use sqlmap against the open databases.

A

C. After scanning for open ports using a port scanning tool like nmap, penetration testers will identify interesting ports and then conduct vulnerability scans to determine what services may be vulnerable. This will cover much of what connecting to the web server with a browser would reveal, and will typically be more useful than manually testing for vulnerable accounts via Telnet. sqlmap would typically be used after a vulnerability scanner identifies additional information about services, and the vulnerability scanner will normally provide a wider range of useful information.

12
Q

During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?

a. zzuf
b. Nikto
c. Metasploit
d. sqlmap

A

B. TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.

13
Q

What international framework was SSAE-16 based on?

a. ISO27001
b. SAS70
c. SOX
d. ISAE 3402

A

D. SSAE-16 is based on ISAE 3402, the International Standard on Assurance Engagements. It differs in a number of ways, including how it handles purposeful acts by service organizational personnel as well as anomalies, but the two share many elements. SAS-70 has been replaced by SSAE-16, whereas ISO27001 is a formal specification for an information security management system (ISMS). SOX is the Sarbanes–Oxley Act, a U.S. law that impacts accounting and investor protection.

14
Q

Saria’s team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct?

a. Crystal box
b. Gray box
c. White box
d. Black box

A

D. Black box testing is the most realistic type of penetration test because it does not provide the penetration tester with inside information about the configuration or design of systems, software, or networks. A gray box test provides some information, whereas a white or crystal box test provides significant or full detail.

15
Q

Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test.

What task is the most important during Phase 1, Planning?

a. Building a test lab
b. Getting authorization
c. Gathering appropriate tools
d. Determining if the test is white, black, or gray box

A

B. Getting authorization is the most critical element in the planning phase. Permission, and the “get out of jail free card” that demonstrates that organizational leadership is aware of the issues that a penetration test could cause, is the first step in any penetration test. Gathering tools and building a lab, as well as determining what type of test will be conducted, are all important, but nothing should happen without permission.

16
Q

In a response to a Request for Proposal, Susan receives a SAS-70 Type 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as followup and why?

a. An SAS-70 Type II, because Type I only covers a single point in time
b. An SOC Type 1, because Type II does not cover operating effectiveness
c. An SOC Type 2, because Type I does not cover operating effectiveness
d. An SAC-70 type 3, because Types 1 and 2 are outdated and no longer accepted

A

C. Service Organization Control (SOC) reports, produced under SSAE 16 (issued in 2010 and effective for reports from mid-2011), replaced SAS-70 reports. A Type 1 report only covers a point in time, so Susan needs an SOC Type 2 report to have the information she requires to make a design and operating effectiveness decision based on the report.

17
Q

During a port scan, Ben uses nmap’s default settings and sees the following results. Use this information to answer the following three questions.

Ben’s manager expresses concern about the coverage of his scan. Why might his manager have this concern?

a. Ben did not test UDP services.
b. Ben did not discover ports outside the “well-known ports.”
c. Ben did not perform OS fingerprinting.
d. Ben tested only a limited number of ports.

A

D. By default, nmap scans only the 1,000 most commonly used TCP ports (a UDP scan requires the -sU option), so Ben's scan left 64,535 TCP ports untested. That default list does include ports above the 0–1023 "well-known" range, so option B is not the concern. OS fingerprinting would not cover more ports, but it would have provided a best guess of the operating system running on the scanned system.

18
Q

Nikto, Burp Suite, and Wapiti are all examples of what type of tool?

a. Web application vulnerability scanners
b. Code review tools
c. Vulnerability scanners
d. Port scanners

A

A. Nikto, Burp Suite, and Wapiti are all web application vulnerability scanners, tools designed specifically to scan web servers and applications. While they share some functionality with broader vulnerability scanners and port scanning tools, they have a narrower focus and typically have deeper web-specific capabilities than general-purpose vulnerability scanners.

19
Q

Questions 19, 20, and 21 refer to the following scenario.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.

During normal operations, Jennifer’s team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events?

a. Enterprise wireless access points
b. Windows desktop systems
c. Linux web servers
d. Enterprise firewall devices

A

B. Windows systems write events to the Windows Event Log in its native format rather than emitting syslog. To send syslog events, a Windows system needs a helper application or agent (or Windows Event Forwarding to a collector that relays events to the SIEM). Enterprise wireless access points, firewalls, and Linux systems all typically support syslog natively.

20
Q

Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?

a. It can help identify rogue devices.
b. It can test the security of the wireless network via scripted attacks.
c. Their short dwell time on each wireless channel can allow them to capture more packets.
d. They can help test wireless IDS or IPS systems.

A

A. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.
Scripted attacks are part of active scanning rather than passive scanning, and active scanning is useful for testing IDS or IPS systems, whereas passive scanning transmits nothing and therefore can neither be detected by a wireless IDS or IPS nor exercise one. Finally, a shorter dwell time on each channel can actually miss troublesome traffic, so balancing dwell time against channel coverage is necessary for passive wireless scanning efforts.

21
Q

Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?

a. Nmap
b. OpenVAS
c. MBSA
d. Nessus

A

B. OpenVAS is an open source vulnerability scanning tool that will provide Susan with a report of the vulnerabilities that it can identify from a remote, network-based scan. Nmap is an open source port scanner, not a vulnerability scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed source tools, although Nessus was originally open source; OpenVAS began as a fork of the last open source Nessus release after Nessus went closed source in 2005.

22
Q

Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what type of issue?

a. Fuzzing
b. Security vulnerabilities
c. Buffer overflows
d. Race conditions

A

B. Security vulnerabilities can be created by misconfiguration, logical or functional design or implementation issues, or poor programming practices. Fuzzing is a method of software testing and is not a type of issue. Buffer overflows and race conditions are both caused by logical or programming flaws, but they are not typically caused by misconfiguration or functional issues.

23
Q

During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry:

21/open

23/open

What services are likely running on those ports?

a. SSH and FTP
b. FTP and Telnet
c. SMTP and Telnet
d. POP3 and SMTP

A

B. Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.

24
Q

Which of the following is a method used to design new software tests and to ensure the quality of tests?

a. Code auditing
b. Static code analysis
c. Regression testing
d. Mutation testing

A

D. Mutation testing modifies a program in small ways, and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.
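An added worked example (not from the original deck) of what mutation testing actually does: it rewrites a function in small ways and asks whether the test suite notices. The access-check function, the mutation operators, and both test suites below are constructed for illustration; the harness uses Python's `ast` module to swap comparison operators and compiles each mutant in isolation.

```python
import ast
import copy

# Function under test, held as source so we can rewrite its AST. Constructed
# for this example; not code from the page.
SOURCE = '''
def can_access(role, clearance, required):
    """Admins always pass; everyone else needs clearance at or above required."""
    if role == "admin":
        return True
    return clearance >= required
'''

# Mutation operators: (name, operator class to replace, replacement class)
MUTATORS = [
    ("Eq->NotEq", ast.Eq, ast.NotEq),
    ("GtE->Gt", ast.GtE, ast.Gt),
    ("GtE->Lt", ast.GtE, ast.Lt),
]


class SwapCompare(ast.NodeTransformer):
    """Replace every comparison operator of type `old` with `new`."""

    def __init__(self, old, new):
        self.old, self.new, self.applied = old, new, False

    def visit_Compare(self, node):
        self.generic_visit(node)
        new_ops = []
        for op in node.ops:
            if isinstance(op, self.old):
                new_ops.append(self.new())
                self.applied = True
            else:
                new_ops.append(op)
        node.ops = new_ops
        return node


def build(tree):
    """Compile an AST into a callable can_access."""
    ns = {}
    exec(compile(ast.fix_missing_locations(tree), "<mutant>", "exec"), ns)
    return ns["can_access"]


def weak_tests(fn) -> bool:
    """Test suite that never exercises the clearance == required boundary."""
    return fn("admin", 0, 5) is True and fn("user", 9, 5) is True and fn("user", 1, 5) is False


def strong_tests(fn) -> bool:
    """Same suite plus the boundary case."""
    return weak_tests(fn) and fn("user", 5, 5) is True


def mutation_score(test_suite) -> dict:
    """Run the suite against each mutant. A mutant that still passes 'survives'
    and points at behaviour the tests do not pin down."""
    original = ast.parse(SOURCE)
    if not test_suite(build(original)):
        raise RuntimeError("tests must pass on the unmutated code")
    killed, survived = [], []
    for name, old, new in MUTATORS:
        swapper = SwapCompare(old, new)
        tree = swapper.visit(copy.deepcopy(original))
        if not swapper.applied:
            continue                      # operator not present, no mutant
        try:
            passed = test_suite(build(tree))
        except Exception:
            passed = False                # a crash also counts as detected
        (survived if passed else killed).append(name)
    return {"killed": killed, "survived": survived,
            "score": len(killed) / (len(killed) + len(survived))}


if __name__ == "__main__":
    print("weak suite:  ", mutation_score(weak_tests))
    print("strong suite:", mutation_score(strong_tests))
```

The weak suite lets the `>=` to `>` mutant survive, which is exactly the off-by-one a real authorization bug would be; adding one boundary test kills it. That surviving mutant is the output mutation testing exists to produce: a concrete, missing test case rather than a coverage percentage.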

25
Q

What type of port scanning is known as “half open” scanning?

a. TCP Connect
b. TCP ACK
c. TCP SYN
d. Xmas

A

C. A TCP SYN scan opens a connection only halfway: it sends a SYN, and if a SYN/ACK comes back (port open) it answers with a RST instead of the final ACK, so the three-way handshake is never completed and most applications never log a connection. TCP Connect scans complete the handshake through the operating system's normal connect() call. TCP ACK scans send bare ACK packets and are used to map firewall rules (filtered versus unfiltered ports) rather than to find open ports. Xmas, or Christmas tree, scans set the FIN, PSH, and URG flags, thereby "lighting up" the TCP packet.
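The flag combinations above are what a sensor actually keys on, so here is an added example (not from the original deck) that parses raw TCP headers, names the probe type from the flags, and spots the half-open pattern on the wire: a source that SYNs many ports but never sends the ACK that would finish a handshake. The packet sample and the header-building helper are constructed for the example.

```python
import struct
from collections import Counter, defaultdict

# TCP flag bits, low byte of the data-offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte TCP header and return ports, flags and data offset."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgp = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "data_offset": (off_flags >> 12) * 4}


def classify_probe(flags: int) -> str:
    """Name the scan technique implied by a single packet's flag combination."""
    f = flags & 0x3F
    if f == 0:
        return "NULL scan"
    if f == FIN | PSH | URG:
        return "Xmas scan"
    if f == FIN:
        return "FIN scan"
    if f == SYN:
        return "SYN (half-open) probe"
    if f == ACK:
        return "ACK probe (firewall rule mapping)"
    return "other"


def build_tcp(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed helper: emit a 20-byte header so the example runs offline."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 1024, 0, 0)


def probe_summary(packets) -> Counter:
    """Count packets by probe type. `packets` holds (src_ip, dst_ip, raw_header) tuples."""
    return Counter(classify_probe(parse_tcp_header(raw)["flags"]) for _, _, raw in packets)


def half_open_hosts(packets, threshold: int = 5) -> dict:
    """Flag sources that SYN many distinct ports on a destination without ever
    sending the bare ACK that completes the handshake: the signature of a
    SYN scan (nmap answers the SYN/ACK with RST instead of ACK)."""
    syn_ports, completed = defaultdict(set), defaultdict(set)
    for src, dst, raw in packets:
        hdr = parse_tcp_header(raw)
        f = hdr["flags"] & 0x3F
        if f == SYN:
            syn_ports[(src, dst)].add(hdr["dport"])
        elif f == ACK:                      # third step of a real handshake
            completed[(src, dst)].add(hdr["dport"])
    result = {}
    for key, ports in syn_ports.items():
        unfinished = sorted(ports - completed[key])
        if len(unfinished) >= threshold:
            result[key] = unfinished
    return result


# Constructed traffic sample: one scanner sweeping six ports, one legitimate
# client completing a handshake to 443, and a single Xmas probe.
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.0.10", build_tcp(40000 + i, p, SYN))
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + [("10.0.0.7", "10.0.0.10", build_tcp(51000, 443, SYN)),
       ("10.0.0.7", "10.0.0.10", build_tcp(51000, 443, ACK, seq=1, ack=1)),
       ("10.0.0.9", "10.0.0.10", build_tcp(52000, 80, FIN | PSH | URG))]
)

if __name__ == "__main__":
    print(probe_summary(SAMPLE_PACKETS))
    print(half_open_hosts(SAMPLE_PACKETS))
```

The legitimate client also sends a SYN, so a single SYN is never evidence of scanning; the detector looks for breadth (many ports) combined with the absent third handshake step. Tune `threshold` to the environment, and remember that a scanner can evade this by slowing down or spreading SYNs across many source addresses.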

26
Q

Karen’s organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure that her organization’s backups will work next time?

a. Log review
b. MTD verification
c. Hashing
d. Periodic testing

A

B. Karen can’t use MTD verification because MTD is the Maximum Tolerable Downtime. Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing backup logs, using hashing to verify that the backup files are intact, and performing periodic test restores are all valid ways to verify that the backups are working properly.

27
Q

Jim has contracted with a software testing organization that uses automated testing tools to validate software. He is concerned that they may not completely test all statements in his software. What measurement should he ask for in their report to provide information about this?

a. A use case count
b. A test coverage report
c. A code coverage report
d. A code review report

A

C. Jim should ask for a code coverage report, which provides information on the functions, statements, branches, and conditions or other elements that were covered in the testing. Use cases are used as part of a test coverage calculation that divides the tested use cases by the total use cases, but use cases may not cover all possible functions or branches. A code review report would be generated if the organization was manually reviewing the application’s source code.

28
Q

What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?

a. Nonregression testing
b. Evolution testing
c. Smoke testing
d. Regression testing

A

D. Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Nonregression testing checks to see if a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.

29
Q

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company’s core software product. Use your knowledge of code review and testing to answer the following three questions.

Susan’s team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?

a. White box
b. Gray box
c. Black box
d. Dynamic

A

A. In order to fully test code, a white box test is required. Without full visibility of the code, error conditions or other code could be missed, making a gray box or black box test an inappropriate solution. Using dynamic testing that runs against live code could also result in some conditions being missed due to sections of code not being exposed to typical usage.

30
Q

Questions 19, 20, and 21 refer to the following scenario.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.

What technology should an organization use for each of the devices shown in the diagram to ensure that logs can be time sequenced across the entire infrastructure?

a. Syslog
b. NTP
c. Logsync
d. SNAP

A

B. Network Time Protocol (NTP) can ensure that systems are using the same time, allowing time sequencing for logs throughout a centralized logging infrastructure. Syslog is a way for systems to send logs to a logging server and won’t address time sequencing. Neither logsync nor SNAP is an industry term.

31
Q

Which of the following is not an issue when using fuzzing to find program faults?

a. They often find only simple faults.
b. Fuzz testing bugs are often severe.
c. Fuzzers may not fully cover the code.
d. Fuzzers can’t reproduce errors.

A

B. Finding severe bugs is not a fault—in fact, fuzzing often finds important issues that would otherwise have been exploitable. Fuzzers can reproduce errors, but typically don’t fully cover the code—code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often limited to simple errors because they won’t handle business logic or attacks that require knowledge from the application user.

32
Q

Saria needs to write a request for proposal for code review and wants to ensure that the reviewers take the business logic behind her organization’s applications into account. What type of code review should she specify in the RFP?

a. Static
b. Fuzzing
c. Manual
d. Dynamic

A

C. A manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code. Fuzzing, dynamic, and static code review can all find bugs that manual code review might not, but won’t take the intent of the programmers into account.

33
Q

What major difference separates synthetic and passive monitoring?

a. Synthetic monitoring only works after problems have occurred.
b. Passive monitoring cannot detect functionality issues.
c. Passive monitoring only works after problems have occurred.
d. Synthetic monitoring cannot detect functionality issues.

A

C. Passive monitoring only works after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic, and thus can be used to proactively identify problems. Both synthetic and passive monitoring can be used to detect functionality issues.

34
Q

Angela wants to test a web browser’s handling of unexpected data using an automated tool. What tool should she choose?

a. Nmap
b. zzuf
c. Nessus
d. Nikto

A

B. zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with tools like web browsers, image viewers, and similar software by modifying the network and file input fed to the application. Nmap is a port scanner, Nessus is a vulnerability scanner, and Nikto is a web server scanner.

35
Q

Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?

a. Time to remediate vulnerabilities
b. A measure of the rate of defect recurrence
c. A weighted risk trend
d. A measure of the specific coverage of their testing

A

B. Lauren’s team is using regression testing, which is intended to prevent the recurrence of issues. This means that measuring the rate of defect recurrence is an appropriate measure for their work. Time to remediate vulnerabilities is associated with activities like patching, rather than preparing the patch, whereas a weighted risk trend is used to measure risk over time to an organization. Finally, specific coverage may be useful to determine if they are fully testing their effort, but regression testing is more specifically covered by defect recurrence rates.

36
Q

What technique relies on reviewing code without running it?

a. Fuzzing
b. Black box analysis
c. Static analysis
d. Gray box analysis

A

C. Static analysis is the process of reviewing code without running it. It relies on techniques like data flow analysis to review what the code does if it was run with a given set of inputs. Black and gray box analyses are not types of code review, although black box and gray box both describe types of penetration testing. Fuzzing provides unexpected or invalid data inputs to test how software responds.

37
Q

What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?

a. Authenticated scans
b. Web application scans
c. Unauthenticated scans
d. Port scans

A

A. Authenticated scans log in to the target with supplied credentials (ideally a dedicated read-only account) to read configuration files, installed package versions, and other host data, allowing more accurate testing of vulnerabilities with far fewer false positives. Web application scans, unauthenticated scans, and port scans don’t have access to configuration files unless they are inadvertently exposed.
Microsoft’s STRIDE threat assessment model places threats into one of six categories:

Spoofing—threats that involve user credentials and authentication, or falsifying legitimate communications

Tampering—threats that involve the malicious modification of data

Repudiation—threats in which a user denies having performed an action and the system lacks the evidence to prove otherwise

Information disclosure—threats that involve exposure of data to unauthorized individuals

Denial of service—threats that deny service to legitimate users

Elevation of privilege—threats that provide higher privileges to unauthorized users

38
Q

Testing that is focused on functions that a system should not allow are an example of what type of testing?

a. Use case testing
b. Manual testing
c. Misuse case testing
d. Dynamic testing

A

C. Testing how a system could be misused, or misuse case testing, focuses on behaviors that are not what the organization desires or that are counter to the proper function of a system or application. Use case testing is used to verify whether a desired functionality works. Dynamic testing executes the code and observes its behavior at runtime, whereas manual testing is just what it implies: testing code by hand.

39
Q

During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts?

a. Use of WPA2 encryption
b. Running WPA2 in Enterprise mode
c. Use of WEP encryption
d. Running WPA2 in PSK mode

A

B. WPA2 Enterprise authenticates each user through 802.1X and a RADIUS server rather than a preshared key, and session keys are derived per client, so there is no PSK handshake for aircrack-ng to capture and attack offline; online guessing against individual accounts is also likely to trigger account lockouts. WPA2 encryption by itself will not stop a password attack, and WPA2’s preshared key (PSK) mode is specifically targeted by password attacks that capture the four-way handshake and test candidate passphrases against it. WEP is not only outdated but can frequently be cracked in minutes by tools like aircrack-ng without any password file at all.

40
Q

Nmap is an example of what type of tool?

a. Vulnerability scanner
b. Web application fuzzer
c. Network design and layout
d. Port scanner

A

D. Nmap is a very popular open source port scanner. Nmap is not a vulnerability scanner, nor is it a web application fuzzer. While port scanners can be used to partially map a network, and its name stands for Network Mapper, it is not a network design tool.

41
Q

What method is commonly used to assess how well software testing covered the potential uses of an application?

a. A test coverage analysis
b. A source code review
c. A fuzz analysis
d. A code review report

A

A. A test coverage analysis is often used to provide insight into how well testing covered the set of use cases that an application is being tested for. Source code reviews look at the code of a program for bugs, not necessarily at a use case analysis, whereas fuzzing tests invalid inputs. A code review report might be generated as part of a source code review.

42
Q

During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily, but that she was recorded as logging into her department’s main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered?

a. Inconsistent log formatting
b. Modified logs
c. Inconsistent timestamps
d. Multiple log sources

A

C. Inconsistent timestamps are a common problem, often caused by improperly set time zones or by differences in how system clocks are set. In this case, a consistent time difference between the two sources suggests that one system logs in local time while the other logs in a different zone or in Coordinated Universal Time (UTC); the remedy is to synchronize clocks with NTP and to log in UTC, or with an explicit zone offset, everywhere. Logs from multiple sources tend to cause problems with centralization and collection, whereas different log formats create challenges in parsing log data. Finally, modified logs are often a sign of intrusion or malicious intent.
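An added example (not from the original deck) that works the scenario in this card and the NTP card above in code. The log lines are constructed; the assumed zones (workstation in New York, EST, and a web application server configured for Hawaii time, HST) are chosen so the raw stamps show the same 8 a.m. versus 3 a.m. gap as the question. Fixed offsets are used so the block runs without a time zone database; production code should use `zoneinfo` names so daylight-saving changes are handled.

```python
from datetime import datetime, timedelta, timezone

# Constructed log lines (not from the page). Both sources write naive local
# wall-clock time with no zone marker, which is exactly what makes them
# look inconsistent. Assumed zones: the workstation is in New York (EST,
# UTC-5 in early March); the web application server is configured for
# Hawaii time (HST, UTC-10).
WORKSTATION_LOGS = [
    "2024-03-04 08:00:12 LOGON user=danielle host=NYC-WS-17",
    "2024-03-05 08:01:03 LOGON user=danielle host=NYC-WS-17",
]
WEBAPP_LOGS = [
    "2024-03-04 03:02:40 login user=danielle app=finance",
    "2024-03-05 03:03:15 login user=danielle app=finance",
]
EST = timezone(timedelta(hours=-5))
HST = timezone(timedelta(hours=-10))


def parse_naive(line: str) -> datetime:
    """Read the leading 'YYYY-MM-DD HH:MM:SS' stamp without any zone."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def to_utc(naive: datetime, source_zone: timezone) -> datetime:
    """Attach the zone the source actually logs in, then convert to UTC."""
    return naive.replace(tzinfo=source_zone).astimezone(timezone.utc)


def apparent_offsets_hours(a_logs, b_logs) -> list:
    """What an analyst sees comparing raw stamps: b minus a, in hours."""
    return [(parse_naive(b) - parse_naive(a)).total_seconds() / 3600
            for a, b in zip(a_logs, b_logs)]


def normalized_offsets_seconds(a_logs, a_zone, b_logs, b_zone) -> list:
    """The same pairs after both sides are normalized to UTC."""
    return [(to_utc(parse_naive(b), b_zone) - to_utc(parse_naive(a), a_zone)).total_seconds()
            for a, b in zip(a_logs, b_logs)]


def diagnose(offsets_hours) -> str:
    """A constant, whole-hour gap across many pairs is a zone or clock
    configuration problem, not a 3 a.m. login."""
    spread = max(offsets_hours) - min(offsets_hours)
    whole = all(abs(h - round(h)) < 0.1 for h in offsets_hours)
    if spread < 0.1 and whole and round(offsets_hours[0]) != 0:
        return f"consistent {round(offsets_hours[0]):+d}h offset: check time zone settings"
    if spread < 0.1:
        return "events line up: sources agree"
    return "variable offset: clock drift or unrelated events, check NTP sync"


if __name__ == "__main__":
    raw = apparent_offsets_hours(WORKSTATION_LOGS, WEBAPP_LOGS)
    print("raw gaps (h):", raw, "->", diagnose(raw))
    fixed = normalized_offsets_seconds(WORKSTATION_LOGS, EST, WEBAPP_LOGS, HST)
    print("normalized gaps (s):", fixed, "->", diagnose([s / 3600 for s in fixed]))
```

Note the split of responsibilities: NTP keeps every clock on the same instant, so a drifting clock shows up as a variable gap, while a constant whole-hour gap survives perfect NTP sync because it comes from zone configuration in the logging layer. Both problems disappear when every source records UTC or an explicit offset.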

43
Q

STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?

a. Vulnerability assessment
b. Misuse case testing
c. Threat categorization
d. Penetration test planning

A

C. An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.

44
Q

Which of the following is not a hazard associated with penetration testing?

a. Application crashes
b. Denial of service
c. Exploitation of vulnerabilities
d. Data corruption

A

C. Penetration tests are intended to help identify vulnerabilities, and exploiting them is part of the process rather than a hazard. Application crashes; denial of service due to system, network, or application failures; and even data corruption can all be hazards of penetration tests.

45
Q

Ben uses a fuzzing tool that develops data models and creates fuzzed data based on information about how the application uses data to test the application. What type of fuzzing is Ben doing?

a. Mutation
b. Parametric
c. Generational
d. Derivative

A

C. Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information. Mutation based fuzzers are sometimes called “dumb” fuzzers because they simply mutate or modify existing data samples to create new test samples. Neither parametric nor derivative is a term used to describe types of fuzzers.
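As an added example (not part of the flashcards), the script below runs both strategies against a toy record parser with a planted bug. The parser, its KIND:LEN:PAYLOAD format, the seed sample and the crash-counting harness are all this example's own constructions; the mutation fuzzer only perturbs the seed, while the generational fuzzer builds inputs from a model of the format and picks boundary values for the length field.

```python
import random
from typing import Callable

MAX_PAYLOAD = 64


def parse_record(data: bytes) -> dict:
    """Parse b'KIND:LEN:PAYLOAD'. Malformed input is rejected with ValueError;
    any other exception escaping is the planted bug the fuzzers should find."""
    kind, length, payload = data.split(b":", 2)      # ValueError if < 3 fields
    n = int(length)                                    # ValueError if not an int
    if kind not in (b"USER", b"ITEM"):
        raise ValueError("unknown kind")
    if n > MAX_PAYLOAD or len(payload) < n:
        raise ValueError("bad length")
    # Planted bug: the terminator lookup trusts n. n == 0 with an empty payload,
    # or a negative n, indexes outside the buffer and raises IndexError.
    terminator = payload[n - 1]
    return {"kind": kind.decode(), "body": payload[:n], "terminator": terminator}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation ('dumb') fuzzing: flip, insert or delete a few bytes of a seed
    sample with no knowledge of the format."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def generate(rng: random.Random) -> bytes:
    """Generational ('smart') fuzzing: build each input from a model of the
    format, choosing boundary values for the length field and deciding
    whether the payload agrees with the declared length."""
    kind = rng.choice((b"USER", b"ITEM", b"ROOT", b""))
    n = rng.choice((0, 1, 5, MAX_PAYLOAD, MAX_PAYLOAD + 1, -1, 2**31 - 1))
    if rng.random() < 0.5:
        size = min(max(n, 0), MAX_PAYLOAD + 1)         # consistent with n (capped)
    else:
        size = rng.randint(0, 8)                        # deliberately inconsistent
    payload = bytes(rng.randrange(256) for _ in range(size))
    return kind + b":" + str(n).encode() + b":" + payload


def run_fuzzer(make_input: Callable[[], bytes], iterations: int) -> list:
    """Feed inputs to the parser; collect those that escape with anything other
    than the parser's own ValueError."""
    crashes = []
    for _ in range(iterations):
        data = make_input()
        try:
            parse_record(data)
        except ValueError:
            pass                                        # expected rejection
        except Exception:
            crashes.append(data)
    return crashes


def compare(iterations: int = 500, seed: int = 1) -> dict:
    """Crash counts for both strategies from one seeded RNG (deterministic)."""
    rng = random.Random(seed)
    sample = b"USER:5:hello"                            # constructed seed corpus
    return {
        "mutation": len(run_fuzzer(lambda: mutate(sample, rng), iterations)),
        "generational": len(run_fuzzer(lambda: generate(rng), iterations)),
    }


if __name__ == "__main__":
    print(compare())
```

The generational fuzzer reaches the IndexError almost immediately because its model knows that a declared length of zero or a negative length is a boundary worth trying; the mutation fuzzer only finds it if random edits happen to shorten the seed and rewrite the length field at the same time.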

46
Q

During a third-party audit, Jim’s company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions.” What is the biggest issue that is likely to result if Jim’s IT staff need to restore from a backup?

a. They will not know if the backups succeeded or failed.
b. The backups may not be properly logged.
c. The backups may not be usable.
d. The backup logs may not be properly reviewed.

A

C. The audit finding indicates that the backup administrator may not be monitoring backup logs and taking appropriate action based on what they report, thus resulting in potentially unusable backups. Issues with review, logging, or being aware of the success or failure of backups are less important than not having usable backups.

47
Q

During a penetration test, Lauren is asked to test the organization’s Bluetooth security. Which of the following is not a concern she should explain to her employers?

a. Bluetooth scanning can be time consuming.
b. Many devices that may be scanned are likely to be personal devices.
c. Bluetooth passive scans may require multiple visits at different times to identify all targets.
d. Bluetooth active scans can’t evaluate the security mode of Bluetooth devices.

A

D. Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging due to the limited range of Bluetooth and the prevalence of personally owned Bluetooth enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.

48
Q

Ben’s organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following three questions.

Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?

a. Information disclosure
b. Denial of service
c. Tampering
d. Repudiation

A

D. Since any of the servers holding the shared symmetric key can produce a valid MAC or ciphertext, a transaction cannot be attributed to one specific server, and the server that did produce it can plausibly deny having done so. That is a repudiation issue. If encrypted or authenticated transactions cannot be uniquely tied to a server, they cannot be proved to have come from that server.
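As an added example (not from the flashcards), the code below shows the attribution problem concretely. Three constructed servers authenticate transactions with HMAC-SHA256: with one shared key, a verifier can only say "some key holder produced this", and app-2 can mint a tag that claims app-1 as the origin; with a key per server the forged claim fails to verify under app-1's key and verifies under app-2's instead. Server names, the transaction and the key handling are assumptions of the example. Per-server keys give attribution between the servers; a third party would still need asymmetric signatures for true non-repudiation.

```python
import hashlib
import hmac
import json
import secrets

SERVERS = ("app-1", "app-2", "app-3")          # constructed server names


def tag(key: bytes, server: str, txn: dict) -> str:
    """HMAC-SHA256 over the claimed origin and a canonical encoding of the
    transaction, so the tag binds the claim 'server X produced txn'."""
    msg = (server + "|" + json.dumps(txn, sort_keys=True)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def possible_origins_shared(shared_key: bytes, claimed: str, txn: dict, t: str) -> set:
    """One key for all servers: if the tag verifies, every holder of the key is
    an equally plausible origin, so the claim cannot be attributed."""
    if not hmac.compare_digest(tag(shared_key, claimed, txn), t):
        return set()
    return set(SERVERS)


def possible_origins_per_server(keys: dict, claimed: str, txn: dict, t: str) -> set:
    """One key per server: only the server whose key verifies the tag could
    have produced it, regardless of which origin the message claims."""
    return {s for s, k in keys.items() if hmac.compare_digest(tag(k, claimed, txn), t)}


def is_attributable(keys: dict, claimed: str, txn: dict, t: str) -> bool:
    """True only when the tag verifies under the claimed server's own key."""
    return possible_origins_per_server(keys, claimed, txn, t) == {claimed}


def demo() -> dict:
    txn = {"id": 1042, "account": "A-77", "amount": "25.00"}   # constructed
    shared = secrets.token_bytes(32)
    # app-2 holds the shared key, so it can mint a tag claiming app-1 as origin
    forged_shared = tag(shared, "app-1", txn)
    keys = {s: secrets.token_bytes(32) for s in SERVERS}
    honest = tag(keys["app-1"], "app-1", txn)
    forged = tag(keys["app-2"], "app-1", txn)       # app-2 again claims to be app-1
    return {
        "shared_key_candidates": possible_origins_shared(shared, "app-1", txn, forged_shared),
        "per_server_honest": possible_origins_per_server(keys, "app-1", txn, honest),
        "per_server_forged": possible_origins_per_server(keys, "app-1", txn, forged),
        "forged_attributable": is_attributable(keys, "app-1", txn, forged),
    }


if __name__ == "__main__":
    print(demo())
```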

49
Q

During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?

a. Web servers
b. File servers
c. Wireless access points
d. Printers

A

D. Network-enabled printers commonly provide print services on TCP 515 (LPD, the line printer daemon) and TCP 9100 (raw or JetDirect printing), and have both nonsecure and secure web-based management interfaces on TCP 80 and 443. Web servers, access points, and file servers would not typically listen on the LPD and raw printing ports.

50
Q

Which of the following types of code review is not typically performed by a human?

a. Software inspections
b. Code review
c. Static program analysis
d. Software walkthroughs

A

C. Static program reviews are typically performed by an automated tool. Program understanding, program comprehension, code review, software inspections and software walkthroughs are all human-centric methods for reviewing code.

51
Q

Kathleen is reviewing the code for an application. She first plans the review, conducts an overview session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code, rework it, and ensure that all defects found have been corrected.

What type of review is Kathleen conducting?

a. A dynamic test
b. Fagan inspection
c. Fuzzing
d. A Roth-Parker review

A

B. A Fagan inspection is a formal, detailed code review that steps through planning, overview, preparation, inspection, rework, and follow-up phases. Dynamic tests test the code in a real runtime environment, whereas fuzzing is a type of dynamic testing that feeds invalid inputs to software to test its exception-handling capabilities. Roth-Parker reviews were made up for this question.

52
Q

As part of a penetration test, Alex needs to determine if there are web servers that could suffer from the 2014 Heartbleed bug. What type of tool could he use, and what should he check to verify that the tool can identify the problem?

a. A vulnerability scanner, to see whether the scanner has a signature or test for the Heartbleed CVE number
b. A port scanner, to see whether the scanner properly identifies SSL connections
c. A vulnerability scanner, to see whether the vulnerability scanner detects problems with the Apache web server
d. A port scanner, to see whether the port scanner supports TLS connections

A

A. A vulnerability scanner that has a test (sometimes called a signature or plugin) providing a detection method for CVE-2014-0160, the Heartbleed bug in OpenSSL, will detect and report on the issue on any system it can connect to. Port scanners do not determine whether services are vulnerable, and Heartbleed was not a vulnerability in the Apache web server, but even without knowing this, the CVE number is a better indicator of whether the issue will be found than a generic check for a service.

53
Q

Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?

a. Define, establish, implement, analyze and report, respond, review, and update
b. Design, build, operate, analyze, respond, review, revise
c. Prepare, detect and analyze, contain, respond, recover, report
d. Define, design, build, monitor, analyze, react, revise

A

A. NIST SP 800-137 outlines the process for organizations that are establishing, implementing, and maintaining an ISCM program as define, establish, implement, analyze and report, respond, review, and update. Prepare, detect and analyze, contain, respond, recover, report is an incident response process, and the others do not match the NIST process.

54
Q

Ben’s organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following three questions.

Ben’s development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?

a. Auditing and logging is enabled.
b. RBAC is used for specific operations.
c. Data type and format checks are enabled.
d. User input is tested against a whitelist.

A

B. Using role-based access controls (RBACs) for specific operations will help to ensure that users cannot perform actions that they should not be able to. Auditing and logging can help detect abuse but won’t prevent it, and data type, format checks, and whitelisting are all useful for preventing attacks like SQL injection and buffer overflow attacks but are not as directly aimed at authorization issues.

55
Q

During a port scan, Ben uses nmap’s default settings and sees the following results. Use this information to answer the following three questions.

Based on the scan results, what OS was the system that was scanned most likely running?

a. Windows Desktop
b. Linux
c. Network device
d. Windows Server

A

B. The system is likely a Linux system. The system shows X11, as well as login, shell, and nfs ports, all of which are more commonly found on Linux systems than Windows systems or network devices. This system is also very poorly secured; many of the services running on it should not be exposed in a modern secure network.

56
Q

Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?

a. Perform yearly risk assessments.
b. Hire a penetration testing company to regularly test organizational security.
c. Identify and track key risk indicators.
d. Monitor logs and events using a SIEM device.

A

C. Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their life cycle. Yearly risk assessments may be a good idea, but only provide a point in time view, whereas penetration tests may miss out on risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won’t necessarily show trends in risk.

57
Q

What step should occur after a vulnerability scan finds a critical vulnerability on a system?

a. Patching
b. Reporting
c. Remediation
d. Validation

A

D. Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue actually exists, since scanners produce false positives (for example, version-based checks that flag software with a backported fix). Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.

58
Q

Which of the following is not a potential problem with active wireless scanning?

a. Accidentally scanning apparent rogue devices that actually belong to guests
b. Causing alarms on the organization’s wireless IPS
c. Scanning devices that belong to nearby organizations
d. Misidentifying rogue devices

A

B. Not only should active scanning be expected to cause wireless IPS alarms, but they may actually be desired if the test is done to test responses. Accidentally scanning guests, scanning neighbors, or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.

59
Q

During a penetration test Saria calls her target’s help desk claiming to be the senior assistance to an officer of the company. She requests that the help desk reset the officer’s password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed?

a. Zero knowledge
b. Help desk spoofing
c. Social engineering
d. Black box

A

C. Saria’s social-engineering attack succeeded in persuading a staff member at the help desk to change a password for someone who they not only couldn’t see, but who they couldn’t verify actually needed their password reset. Black box and zero knowledge are both terms describing penetration tests without information about the organization or system, and help desk spoofing is not an industry term.

60
Q

Which of the following is not a method of synthetic transaction monitoring?

a. Database monitoring
b. Traffic capture and analysis
c. User session monitoring
d. Website performance monitoring

A

C. User session monitoring is not a means of conducting synthetic performance monitoring. Synthetic performance monitoring uses scripted or recorded data, not actual user sessions. Traffic capture, database performance monitoring, and website performance monitoring can all be used during synthetic performance monitoring efforts.

61
Q

Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?

a. Misuse case testing
b. Fuzzing
c. Regression testing
d. Interface testing

A

D. Susan is conducting interface testing. Interface testing involves testing system or application components to ensure that they work properly together. Misuse case testing focuses on how an attacker might misuse the application and would not test normal cases. Fuzzing attempts to send unexpected input and might be involved in interface testing, but it won’t cover the full set of concerns. Regression testing is conducted when testing changes and is used to ensure that the application or system functions as it did before the update or change.

62
Q

What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigates and threatens?

a. Threat trees
b. STRIDE charts
c. Misuse case diagrams
d. DREAD diagrams

A

C. Misuse case diagrams use language beyond typical use case diagrams, including threatens and mitigates. Threat trees are used to map threats but don’t use specialized languages like threatens and mitigates. STRIDE is a mnemonic and model used in threat modeling, and DREAD is a risk assessment model.

63
Q

Jim is designing his organization’s log management systems and knows that he needs to carefully plan to handle the organization’s log data. Which of the following is not a factor that Jim should be concerned with?

a. The volume of log data
b. A lack of sufficient log sources
c. Data storage security requirements
d. Network bandwidth

A

B. Not having enough log sources is not a key consideration in log management system design, although it may be a worry for security managers who can’t capture the data they need. Log management system designs must take into account the volume of log data and the network bandwidth it consumes, the security of the data, and the amount of effort required to analyze the data.

64
Q

Which type of SOC report is best suited to provide assurance to users about an organization’s security, availability, and the integrity of their service operations?

a. An SOC 1 Type 2 report
b. An SOC 2 report
c. An SOC 3 report
d. An SOC 1 Type 1 report

A

C. SOC 3 reports are intended to be shared with a broad community, often with a website seal, and support the organization’s claims about their ability to provide integrity, availability, and confidentiality. SOC 1 reports report on controls over financial reporting, whereas SOC 2 reports cover security, availability, integrity, and privacy for business partners, regulators, and other similar organizations in detail that would not typically be provided to a broad audience.

65
Q

Jim uses a tool that scans a system for available services, then connects to them to collect banner information to determine what version of the service is running. It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE information. What type of tool is Jim using?

a. A port scanner
b. A service validator
c. A vulnerability scanner
d. A patch management tool

A

C. Vulnerability scanners that do not have administrative rights to access a machine or that are not using an agent scan remote machines to gather information, including fingerprints from responses to queries and connections, banner information from services, and related data. CVE information is Common Vulnerability and Exposure information, or vulnerability information. A port scanner gathers information about what service ports are open, although some port scanners blur the line between port and vulnerability scanners. Patch management tools typically run as an agent on a system to allow them to both monitor patch levels and update the system as needed. Service validation typically involves testing the functionality of a service, not its banner and response patterns.

66
Q

During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?

a. A Linux email server
b. A Windows SQL server
c. A Linux file server
d. A Windows workstation

A

B. TCP and UDP ports 137-139 are used for the NetBIOS name, datagram, and session services, whereas TCP 445 carries SMB directly over TCP (Microsoft-DS), which Windows file sharing and Active Directory domain traffic use. TCP 1433 is the default port for Microsoft SQL Server, indicating that this is probably a Windows server providing SQL services.
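As an added example (not from the flashcards), here is the kind of port-set classification behind this question and the printer question above, run over constructed nmap-style output. The profiles, their required and forbidden ports, and the "most specific profile wins" rule are this example's own assumptions, not an nmap feature; only ports in state "open" count, so "open|filtered" UDP results are ignored.

```python
import re
from dataclasses import dataclass

OPEN_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s")  # excludes 'open|filtered'


@dataclass(frozen=True)
class Profile:
    label: str
    required: frozenset                    # every one of these must be open
    forbidden: frozenset = frozenset()     # none of these may be open


PROFILES = (
    Profile("printer", frozenset({("tcp", 515), ("tcp", 9100)})),
    Profile("windows-sql-server", frozenset({("tcp", 445), ("tcp", 1433)})),
    Profile("windows-host", frozenset({("tcp", 445)}), frozenset({("tcp", 1433)})),
    Profile("web-server", frozenset({("tcp", 80), ("tcp", 443)}),
            frozenset({("tcp", 445), ("tcp", 515), ("tcp", 9100)})),
    Profile("linux-unix-host", frozenset({("tcp", 22)}), frozenset({("tcp", 445)})),
)

# Constructed scan output in nmap's normal-output layout
PRINTER_SCAN = """\
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
515/tcp  open  printer
9100/tcp open  jetdirect
"""
SQL_SCAN = """\
PORT     STATE         SERVICE
137/tcp  open          netbios-ns
138/tcp  open          netbios-dgm
139/tcp  open          netbios-ssn
445/tcp  open          microsoft-ds
1433/tcp open          ms-sql-s
137/udp  open|filtered netbios-ns
"""


def parse_scan(text: str) -> set:
    """Collect (proto, port) pairs reported as 'open'."""
    ports = set()
    for line in text.splitlines():
        m = OPEN_LINE.match(line.strip())
        if m:
            ports.add((m["proto"], int(m["port"])))
    return ports


def classify(open_ports: set) -> str:
    """Pick the most specific profile whose required ports are all open and
    none of whose forbidden ports are open; 'unknown' if nothing fits."""
    best = None
    for p in PROFILES:
        if p.required <= open_ports and not (p.forbidden & open_ports):
            if best is None or len(p.required) > len(best.required):
                best = p
    return best.label if best else "unknown"


if __name__ == "__main__":
    print(classify(parse_scan(PRINTER_SCAN)), classify(parse_scan(SQL_SCAN)))
```

A port set is only a hint: banner grabbing or nmap's -sV and -O output should confirm the guess before the host goes into a report.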

67
Q

Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?

a. Systems will be scanned for vulnerabilities.
b. Systems will have known vulnerabilities exploited.
c. Services will be probed for buffer overflow and other unknown flaws.
d. Systems will be tested for zero-day exploits.

A

B. Metasploit is an exploitation package that is designed to assist penetration testers. A tester using Metasploit can exploit known vulnerabilities for which an exploit has been created or can create their own exploits using the tool. While Metasploit provides built-in access to some vulnerability scanning functionality, a tester using Metasploit should primarily be expected to perform actual tests of exploitable vulnerabilities. Similarly, Metasploit supports creating buffer overflow attacks, but it is not a purpose-built buffer overflow testing tool, and of course testing systems for zero-day exploits doesn’t work unless they have been released.

68
Q

Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?

a. Path disclosure
b. Local file inclusion
c. Race condition
d. Buffer overflow

A

C. Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or using automated tools that specifically test for race conditions as part of software testing.

69
Q

What passive monitoring technique records all user interaction with an application or website to ensure quality and performance?

a. Client/server testing
b. Real user monitoring
c. Synthetic user monitoring
d. Passive user recording

A

B. Real user monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. Because it depends on real user traffic, RUM runs against the production application rather than in a predeployment test environment. The other answers are all made up: synthetic monitoring uses simulated behavior, but synthetic user monitoring is not a testing method. Similarly, passive monitoring monitors actual traffic, but passive user recording is not an industry term or technique. Client/server testing merely describes one possible architecture.

70
Q

NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST’s process for penetration testing. Using this image as well as your knowledge of penetration testing, answer the following questions.

Which of the following is not a part of the discovery phase?

a. Hostname and IP address information gathering
b. Service information capture
c. Dumpster diving
d. Privilege escalation

A

D. Privilege escalation occurs during the attack phase of a penetration test. Host and service information gathering, as well as activities like dumpster diving that can provide information about the organization, its systems, and security, are all part of the discovery phase.

71
Q

During a penetration test, Danielle needs to identify systems, but she hasn’t gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services?

a. A TCP connect scan
b. A TCP SYN scan
c. A UDP scan
d. An ICMP scan

A

A. When a tester does not have raw packet creation privileges, such as when they have not escalated privileges on a compromised host, a TCP connect scan can be used, because it relies only on the operating system's normal connect() call. TCP SYN (half-open) scans require raw socket access, which on most Linux systems means root or the CAP_NET_RAW capability. A UDP scan will miss most services that are provided via TCP, and an ICMP scan is merely a ping sweep of systems that respond to pings and won't identify services at all.
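As an added example (not from the flashcards), the minimal connect scanner below classifies ports by the outcome of a full three-way handshake, which is exactly what an unprivileged user can do. To run offline it scans two loopback ports it sets up itself: one with a listener and one that was bound and released, so the kernel answers with a reset. The state names and timeout are this example's assumptions.

```python
import socket


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Classify each port by the outcome of a full TCP connect():
    open = handshake completed, closed = RST (connection refused),
    filtered = no answer within the timeout or another network error.
    Needs no raw-socket privilege, unlike a SYN (half-open) scan."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:                 # socket.timeout is an OSError subclass
                results[port] = "filtered"
    return results


def demo() -> dict:
    """Scan two loopback ports: one with a listener bound to it, one that was
    bound briefly and released so the kernel now answers with RST."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: the kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    print(demo())
```

Because the handshake completes, every probe reaches the listening application and shows up in its logs, which is why nmap prefers a SYN scan (-sS) when it has raw socket access and falls back to a connect scan (-sT) when it does not.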

72
Q

Which of the tools cannot identify a target’s operating system for a penetration tester?

a. Nmap
b. Nessus
c. Nikto
d. sqlmap

A

D. Nmap (with -O) and Nessus perform operating system fingerprinting, and Nikto reports the web server software and version it finds, which indicates the likely platform. sqlmap is designed to perform automated detection and testing of SQL injection flaws, and does not provide OS detection.

73
Q

Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?

a. A black box
b. A brute-force tool
c. A fuzzer
d. A static analysis tool

A

C. Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems. A static analysis relies on examining code without running the application or code, and thus would not fill forms as part of a web application. Brute-force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.

74
Q

Which NIST document covers the creation of an Information Security Continuous Monitoring (ISCM)?

a. NIST SP 800-137
b. NIST SP 800-53a
c. NIST SP 800-145
d. NIST SP 800-50

A

A. NIST SP 800-137 is titled “Information Security Continuous Monitoring (ISCM) for Federal Systems and Organizations” and describes the process of building and maintaining an ISCM. NIST SP 800-145 defines cloud computing, whereas NIST SP 800-53A covers assessing security and privacy controls for federal systems and organizations. NIST SP 800-50 focuses on information security awareness programs.

75
Q

NIST Special Publication 800-53A describes four major types of assessment objects that can be used to identify items being assessed. If the assessment covers IPS devices, which of the types of assessment objects is being assessed?

a. A specification
b. A mechanism
c. An activity
d. An individual

A

B. An IPS is an example of a mechanism like a hardware-, software-, or firmware-based control or system. Specifications are document-based artifacts like policies or designs, activities are actions that support an information system that involves people, and an individual is one or more people applying specifications, mechanisms, or activities.

76
Q

Emily builds a script that sends data to a web application that she is testing. Each time the script runs, it sends a series of transactions with data that fits the expected requirements of the web application to verify that it responds to typical customer behavior. What type of transactions is she using, and what type of test is this?

a. Synthetic, passive monitoring
b. Synthetic, use case testing
c. Actual, dynamic monitoring
d. Actual, fuzzing

A

B. Emily is using synthetic transactions, which can use recorded or generated transactions, and is conducting use case testing to verify that the application responds properly to actual use cases. Neither actual data nor dynamic monitoring is an industry term. Fuzzing involves sending unexpected inputs to a program to see how it responds. Passive monitoring uses a network tap or other capture technology to allow monitoring of actual traffic to a system or application.

77
Q

Which of these concerns is the most important to address during planning to ensure the reporting phase does not cause problems?

a. Which CVE format to use
b. How the vulnerability data will be stored and sent
c. Which targets are off limits
d. How long the report should be

A

B. Penetration test reports often include information that could result in additional exposure if they were accidently released or stolen. Therefore, determining how vulnerability data should be stored and sent is critical. Problems with off-limits targets are more likely to result in issues during the vulnerability assessment and exploitation phase, and reports should not be limited in length but should be as long as they need to be to accomplish the goals of the test.

78
Q

What is the first step that should occur before a penetration test is performed?

a. Data gathering
b. Port scanning
c. Getting permission
d. Planning

A

C. The most important first step for a penetration test is getting permission, in writing and with agreed rules of engagement. Once permission has been received, planning, data gathering, and then elements of the actual test like port scanning can commence.

79
Q

Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, as well as how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?

a. CSV
b. NVD
c. VSS
d. CVSS

A

D. The Common Vulnerability Scoring System (CVSS) includes metrics and calculation tools for exploitability and impact (the base score), for how mature exploit code is and how readily the vulnerability can be remediated (the temporal score), and for scoring vulnerabilities against users' unique environments (the environmental score). NVD is the National Vulnerability Database, CSV is short for Comma-Separated Values, and VSS is a made-up term.

80
Q

Earlier this year, the information security team at Jim’s employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to flag the system as vulnerable even though Jim is sure the patch is installed. Which of the following options is Jim’s best choice to deal with the issue?

a. Uninstall and reinstall the patch.
b. Ask the information security team to flag the system as patched and not vulnerable.
c. Update the version information in the web server’s configuration.
d. Review the vulnerability report and use alternate remediation instructions if they are provided.

A

B. Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version or banner information, and may continue to flag patched systems when the software provider does not change the version string, as happens with backported fixes. Before the exception is recorded, the team should confirm the fix by a means other than the banner, such as an authenticated scan or a check of the installed package version, and the exception should be documented with an expiry so it is reviewed again. Uninstalling and reinstalling the patch will not change what the scanner sees. Changing the version information may not change all of the details that are being flagged by the scanner, and may cause issues at a later date. Reviewing the vulnerability information for a workaround may be a good idea but should not be necessary if the proper patch is installed; it can create maintenance issues later.

81
Q

Which of the following tools is most likely to be used during discovery?

a. Nessus
b. john
c. Nmap
d. Nikto

A

C. Discovery can include both active and passive discovery. Port scanning is commonly done during discovery to assess what services the target provides, and nmap is one of the most popular tools used for this purpose. Nessus and Nikto might be used during the vulnerability scanning phase, and john, a password cracker, can be used to recover passwords during the exploitation phase.

82
Q

What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?

a. Syslog
b. Netlog
c. Eventlog
d. Remote Log Protocol (RLP)

A

A. Syslog (the traditional BSD format of RFC 3164 and the newer RFC 5424) is a widely used protocol for event and message logging. Event Log is the Windows-specific logging facility rather than a cross-platform standard, and netlog and Remote Log Protocol are made-up terms.
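As an added example (not from the flashcards), the parser below handles both syslog line formats and normalizes their timestamps to UTC; it also serves the inconsistent-timestamp scenario from question 42 above. RFC 5424 lines carry an explicit UTC offset, while RFC 3164 lines carry neither year nor zone, so the collector has to know each sender's zone. The two log lines, the hostnames and the workstation's fixed -05:00 offset (a simplification that ignores daylight saving) are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<msg>.*)$")


def parse_syslog(line: str, sender_tz: dict, year: int) -> dict:
    """Parse one RFC 5424 or RFC 3164 line into a record with a UTC timestamp.
    RFC 5424 timestamps carry their own offset. RFC 3164 timestamps carry
    neither year nor zone, so the collector must supply the sender's zone
    (sender_tz, keyed by hostname) and the year the line was received."""
    m = RFC5424.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if ts.tzinfo is None:
            raise ValueError("RFC 5424 timestamp must carry a UTC offset")
    else:
        m = RFC3164.match(line)
        if not m:
            raise ValueError("unrecognised syslog line")
        if m["host"] not in sender_tz:
            raise KeyError(f"no time zone configured for sender {m['host']}")
        naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = naive.replace(tzinfo=sender_tz[m["host"]])
    facility, sev = divmod(int(m["pri"]), 8)        # PRI = facility * 8 + severity
    return {
        "host": m["host"], "facility": facility, "severity": sev, "msg": m["msg"],
        "wallclock": ts.replace(tzinfo=None),          # what the sender printed
        "utc": ts.astimezone(timezone.utc),            # what the SIEM should store
    }


def skew_hours(a: dict, b: dict, key: str) -> int:
    """Whole-hour difference b - a on either the raw wall-clock or the UTC field.
    A constant non-zero value on 'wallclock' that vanishes on 'utc' is a zone
    mismatch; one that survives on 'utc' is a genuinely wrong clock."""
    return round((b[key] - a[key]).total_seconds() / 3600)


# Constructed input: the workstation emits BSD syslog in local New York time;
# the web application emits RFC 5424 with an explicit UTC offset.
SENDER_TZ = {"ws-ny-42": timezone(timedelta(hours=-5), "EST")}
LINES = [
    "<86>Oct  5 08:00:03 ws-ny-42 login[4021]: session opened for user danielle",
    '<110>1 2023-10-05T13:00:41+00:00 webapp-01 portal 912 LOGIN [auth user="danielle"] authenticated',
]


def demo() -> dict:
    ws, web = (parse_syslog(line, SENDER_TZ, 2023) for line in LINES)
    return {
        "wallclock_skew_h": skew_hours(ws, web, "wallclock"),   # looks five hours apart
        "utc_skew_h": skew_hours(ws, web, "utc"),               # same event window
        "utc_gap_s": (web["utc"] - ws["utc"]).total_seconds(),
    }


if __name__ == "__main__":
    print(demo())
```

Read naively, the two lines put Danielle's logins five hours apart; after normalization they are 38 seconds apart, which is what a correlation rule should be comparing. The practical check is to reject RFC 3164 senders that have no configured zone rather than silently assuming UTC.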

83
Q

Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?

a. Audit logging
b. Flow logging
c. Trace logging
d. Route logging

A

B. Flows, also often called network flows (NetFlow, IPFIX, sFlow, and similar), are exported by routers and switches to record which hosts talked to which, over which ports and protocols, and how much data moved, without capturing packet contents. They provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers themselves, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.
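As an added example (not from the flashcards), the script below builds a NetFlow v5 export datagram from constructed flow records, parses it back the way a collector would, and then produces the two views Saria wants from flow data: bytes per conversation with top talkers, and cross-segment flows that the expected-traffic policy does not cover. The record layout follows the documented v5 export format; the segments reuse the subnets from the gray-box scenario later on this page, and the allowed-port policy and all flow values are assumptions of the example.

```python
import ipaddress
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # NetFlow v5 flow record, 48 bytes

SEGMENTS = {
    "datacenter": ipaddress.ip_network("10.10.10.0/24"),
    "sales": ipaddress.ip_network("10.10.11.0/24"),
    "billing": ipaddress.ip_network("10.10.12.0/24"),
}
# Constructed policy: which destination ports are expected between segments
ALLOWED = {("sales", "datacenter"): {443, 1433}, ("billing", "datacenter"): {443, 1433}}

# Constructed flows as an exporter would report them (TCP = protocol 6)
FLOWS = [
    {"src": "10.10.11.25", "dst": "10.10.10.5", "sport": 51234, "dport": 1433, "proto": 6, "flags": 0x18, "packets": 40, "bytes": 4200},
    {"src": "10.10.12.7", "dst": "10.10.10.5", "sport": 49800, "dport": 1433, "proto": 6, "flags": 0x18, "packets": 12, "bytes": 1500},
    {"src": "10.10.11.25", "dst": "10.10.10.20", "sport": 51240, "dport": 443, "proto": 6, "flags": 0x18, "packets": 300, "bytes": 250000},
    {"src": "10.10.11.31", "dst": "10.10.12.40", "sport": 50001, "dport": 3389, "proto": 6, "flags": 0x02, "packets": 3, "bytes": 180},
]


def build_packet(flows: list, unix_secs: int = 1696510800, sequence: int = 0) -> bytes:
    """Serialise flows as one NetFlow v5 export datagram (header + records)."""
    header = HEADER.pack(5, len(flows), 0, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0" * 4,
                    1, 2,                                # input / output ifIndex
                    f["packets"], f["bytes"], 0, 0,      # counters, first/last uptime
                    f["sport"], f["dport"], 0, f["flags"], f["proto"], 0,
                    0, 0, 24, 24, 0)                     # AS numbers, masks, pad
        for f in flows)
    return header + records


def parse_packet(data: bytes) -> list:
    """Parse a v5 datagram back into flow dicts, checking version and length."""
    version, count, *_ = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != HEADER.size + count * RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "sport": r[9], "dport": r[10], "proto": r[13], "flags": r[12],
                      "packets": r[5], "bytes": r[6]})
    return flows


def segment(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "other")


def summarise(flows: list) -> dict:
    """Bytes per conversation and top talkers: the 'who talks to what' view."""
    by_conversation, by_source = Counter(), Counter()
    for f in flows:
        by_conversation[(f["src"], f["dst"], f["dport"], f["proto"])] += f["bytes"]
        by_source[f["src"]] += f["bytes"]
    return {"conversations": dict(by_conversation), "top_talkers": by_source.most_common(3)}


def policy_violations(flows: list) -> list:
    """Cross-segment flows to a destination port the policy does not expect."""
    out = []
    for f in flows:
        pair = (segment(f["src"]), segment(f["dst"]))
        if pair[0] != pair[1] and f["dport"] not in ALLOWED.get(pair, set()):
            out.append(f)
    return out


if __name__ == "__main__":
    parsed = parse_packet(build_packet(FLOWS))
    print(summarise(parsed)["top_talkers"], policy_violations(parsed))
```

The length check matters on a real collector: v5 is plain UDP with no authentication, so a truncated or spoofed datagram should be dropped rather than parsed into garbage records.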

84
Q

Jim has been contracted to conduct a gray box penetration test, and his clients have provided him with the following information about their networks so that he can scan them.

Data center: 10.10.10.0/24

Sales: 10.10.11.0/24

Billing: 10.10.12.0/24

Wireless: 192.168.0.0/16

What problem will Jim encounter if he is contracted to conduct a scan from offsite?

a. The IP ranges are too large to scan efficiently.
b. The IP addresses provided cannot be scanned.
c. The IP ranges overlap and will cause scanning issues.
d. The IP addresses provided are RFC 1918 addresses.

A

D. The IP addresses that his clients have provided are RFC 1918 private addresses, which are not routed on the public internet, so Jim will not be able to scan them from offsite. To succeed in his penetration test, he will either have to first penetrate their network border or place a machine inside their network to scan from the inside. IP addresses overlapping is not a real concern for scanning, and the ranges can easily be handled by current scanning systems.

85
Q

Questions 19, 20, and 21 refer to the following scenario.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.

Jennifer needs to ensure that all Windows systems provide identical logging information to the SIEM. How can she best ensure that all Windows desktops have the same log settings?

a. Perform periodic configuration audits.
b. Use Group Policy.
c. Use Local Policy.
d. Deploy a Windows syslog client.

A

B. Group Policy enforced by Active Directory can ensure consistent logging settings and can provide regular enforcement of policy on systems. Periodic configuration audits won’t catch changes made between audits, and local policies can drift due to local changes or differences in deployments. A Windows syslog client will enable the Windows systems to send syslog to the SIEM appliance but won’t ensure consistent logging of events.

86
Q

MITRE’s CVE database provides what type of information?

a. Current versions of software
b. Patching information for applications
c. Vulnerability information
d. A list of costs versus effort required for common processes

A

C. The Common Vulnerabilities and Exposures (CVE) dictionary provides a central repository of security vulnerabilities and issues. Patching information for applications and software versions are sometimes managed using central patch management tools, but a single central database is not available for free or public use. Costs versus effort is also not what CVE stands for.

87
Q

What term describes an evaluation of the effectiveness of security controls performed by a third party?

a. A security assessment
b. A penetration test
c. A security audit
d. A security test

A

C. Security audits are security assessments performed by third parties and are intended to evaluate the effectiveness of security controls. Security assessments are conducted by internal staff, and security tests are used to verify that a control is functioning effectively. Penetration tests can be conducted by internal or external staff and test systems by using actual exploitation techniques.

88
Q

What four types of coverage criteria are commonly used when validating the work of a code testing suite?

a. Input, statement, branch, and condition coverage
b. Function, statement, branch, and condition coverage
c. API, branch, bounds, and condition coverage
d. Bounds, branch, loop, and condition coverage

A

B. Code coverage testing most frequently requires that every function has been called, that each statement has been executed, that all branches have been fully explored, and that each condition has been evaluated for all possibilities. API, input, and loop testing are not common types of code coverage testing measures.

89
Q

Which of the following strategies should not be used to handle a vulnerability identified by a vulnerability scanner?

a. Install a patch.
b. Use a workaround fix.
c. Update the banner or version number.
d. Use an application layer firewall or IPS to prevent attacks against the identified vulnerability.

A

C. Simply updating the version that an application provides may stop the vulnerability scanner from flagging it, but it won’t fix the underlying issue. Patching, using workarounds, or installing an application layer firewall or IPS can all help to remediate or limit the impact of the vulnerability.

90
Q

As part of his role as a security manager, Jacob provides the following chart to his organization’s management team. What type of measurement is he providing for them?

a. A coverage rate measure
b. A key performance indicator
c. A time to live metric
d. A business criticality indicator

A

B. Time to remediate a vulnerability is a commonly used key performance indicator for security teams. Time to live measures how long a packet can exist in hops, business criticality is a measure used to determine how important a service or system is to an organization, and coverage rates are used to measure how effective code testing is.

91
Q

During a penetration test of her organization, Kathleen’s IPS detects a port scan that has the URG, FIN, and PSH flags set and produces an alarm. What type of scan is the penetration tester attempting?

a. A SYN scan
b. A TCP flag scan
c. An Xmas scan
d. An ACK scan

A

C. A TCP scan that sets all or most of the possible TCP flags is called a Christmas tree, or Xmas, scan since it is said to “light up like a Christmas tree” with the flags. A SYN scan would attempt to open TCP connections, whereas an ACK scan sends packets with the ACK flag set. There is no such type of scan known as a TCP flag scan.

92
Q

A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob’s role as an information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob’s best route to quickly identify vulnerable systems?

a. Immediately run Nessus against all of the servers to identify which systems are vulnerable.
b. Review the CVE database to find the vulnerability information and patch information.
c. Create a custom IDS or IPS signature.
d. Identify affected versions and check systems for that version number using an automated scanner.

A

D. In many cases when an exploit is initially reported, there are no prebuilt signatures or detections for vulnerability scanners, and the CVE database may not have information about the attack immediately. Jacob’s best option is to quickly gather information and review potentially vulnerable servers based on their current configuration. As more information becomes available, signatures and CVE information are likely to be published. Unfortunately for Jacob, IDS and IPS signatures will only detect attacks, and won’t detect whether systems are vulnerable unless he sees the systems being exploited.

93
Q

Which NIST special publication covers the assessment of security and privacy controls?

a. 800-12
b. 800-53A
c. 800-34
d. 800-86

A

B. NIST SP 800-53A is titled “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans,” and covers methods for assessing and measuring controls. NIST 800-12 is an introduction to computer security, 800-34 covers contingency planning, and 800-86 is the “Guide to Integrating Forensic Techniques into Incident Response.”

94
Q

Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim’s organization is likely to use as part of its audits?

a. COBIT
b. SSAE-16
c. ITIL
d. ISO27002

A

C. ITIL, which originally stood for IT Infrastructure Library, is a set of practices for IT service management, and is not typically used for auditing. COBIT, or the Control Objectives for Information and Related Technology, ISO 27002, and SSAE-16, or the Statement on Standards for Attestation Engagements number 16, are all used for auditing.

95
Q

What does using unique user IDs for all users provide when reviewing logs?

a. Confidentiality
b. Integrity
c. Availability
d. Accountability

A

D. Unique user IDs provide accountability when paired with auditable logs to prove that a specific user took any given action. Confidentiality, availability, and integrity can be provided through other means like encryption, systems design, and digital signatures.

96
Q

During an nmap scan, what three potential statuses are provided for a port?

a. Open, unknown, closed
b. Open, closed, and filtered
c. Available, denied, unknown
d. Available, unavailable, filtered

A

B. Nmap reports one of three statuses: Open, which means that the port is open and that an application responds; Closed, which means that the port is accessible but there is no application response; and Filtered, which means that a firewall is not allowing nmap to determine if the port is open or closed.

97
Q

What protocol is used to handle vulnerability management data?

a. VML
b. SVML
c. SCAP
d. VSCAP

A

C. The Security Content Automation Protocol (SCAP) is a community-sourced specification for security flaw and security configuration information and is defined in NIST SP 800-126. SVML, VSCAP, and VML are not information security–related terms.

98
Q

In this image, what issue may occur due to the log handling settings?

a. Log data may be lost when the log is archived.
b. Log data may be overwritten.
c. Log data may not include needed information.
d. Log data may fill the system disk.

A

D. The menu shown will archive logs when they reach the maximum size allowed (20 MB). These archives will be retained, which could fill the disk. Log data will not be overwritten, and log data should not be lost when the data is archived. The question does not include enough information to determine if needed information may not be logged.

99
Q

What type of testing is used to ensure that separately developed software modules properly exchange data?

a. Fuzzing
b. Dynamic testing
c. Interface testing
d. API checksums

A

C. Interface testing is used to ensure that software modules properly meet interface specifications and thus will properly exchange data. Dynamic testing tests software in a running environment, whereas fuzzing is a type of dynamic testing that feeds invalid input to running software to test error and input handling. API checksums are not a testing technique.

100
Q

Which of the following is not a typical part of a penetration test report?

a. A list of identified vulnerabilities
b. All sensitive data that was gathered during the test
c. Risk ratings for each issue discovered
d. Mitigation guidance for issues identified

A

B. Penetration testing reports often do not include the specific data captured during the assessment, as the readers of the report may not be authorized to access all of the data, and exposure of the report could result in additional problems for the organization. A listing of the issues discovered, risk ratings, and remediation guidance are all common parts of a penetration test report.