Domain 6 Practice Test Question

Question 1

What type of vulnerabilities will not be found by a vulnerability scanner?

a. Local vulnerabilities
b. Service vulnerabilities
c. Zero-day vulnerabilities
d. Vulnerabilities that require authentication

Answer 1

C. Vulnerability scanners cannot detect vulnerabilities for which they do not have a test, plug-in, or signature. Signatures often include version numbers, service fingerprints, or configuration data. They can detect local vulnerabilities as well as those that require authentication if they are provided with credentials, and of course, they can detect service vulnerabilities.

Question 2

Jim has been contracted to perform a penetration test of a bank’s primary branch. In order to make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?

a. A crystal box penetration test
b. A gray box penetration test
c. A black box penetration test
d. A white box penetration test

Answer 2

C. Jim has agreed to a black box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal or white box penetration test provides all of the information an attacker needs, whereas a gray box penetration test provides some, but not all, information.

Question 3

What type of monitoring uses simulated traffic to a website to monitor performance?

a. Log analysis
b. Synthetic monitoring
c. Passive monitoring
d. Simulated transaction analysis

Answer 3

B. Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance monitors. Passive monitoring uses a span port or other method to copy traffic and monitor it in real time. Log analysis is typically performed against actual log data but can be performed on simulated traffic to identify issues. Simulated transaction analysis is not an industry term.

Question 4

Which of the following is not an interface that is typically tested during the software testing process?

a. APIs
b. Network interfaces
c. UIs
d. Physical interfaces

Answer 4

B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all important to test when performing software testing. Network interfaces are not a part of the typical list of interfaces tested in software testing.

Question 5

Lauren is performing a review of a third-party service organization and wants to determine if the organization’s policies and procedures are effectively enforced over a period of time. What type of industry standard assessment report should she request?

a. SSAE 16 SOC 1 Type I
b. SAS 70 Type I
c. SSAE 16 SOC 1 Type II
d. SAS 70 Type II

Answer 5

C. SOC 1 reports are prepared according to the Statement on Standards for Attestation Engagements, or SSAE number 16 (typically shortened to SSAE-16). An SOC 1 Type I report validates policies and procedures at a point in time, whereas SOC 1 Type II reports cover a period of time of at least six months. SOC 1 reports replaced SAS 70 reports in 2011, meaning that a current report should be an SSAE-16 SOC 1 report.

Question 6

Ben’s organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following three questions.

Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?

a. Hashes
b. Digital signatures
c. Filtering
d. Authorization controls

Answer 6

C. Filtering is useful for preventing denial of service attacks but won’t prevent tampering with data. Hashes and digital signatures can both be used to verify the integrity of data, and authorization controls can help ensure that only those with the proper rights can modify the data.

Question 7

When a Windows system is rebooted, what type of log is generated?

a. Error
b. Warning
c. Information
d. Failure audit

Answer 7

C. Rebooting a Windows machine results in an information log entry. Windows defines five types of events: errors, which indicate a significant problem; warnings, which may indicate future problems; information, which describes successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.

Question 8

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company’s core software product. Use your knowledge of code review and testing to answer the following three questions.

As part of the continued testing of their new application, Susan’s quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?

a. A test coverage report
b. A penetration test report
c. A code coverage report
d. A line coverage report

Answer 8

A. A test coverage report measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases. A penetration test report is provided when a penetration test is conducted—this is not a penetration test. A code coverage report covers how much of the code has been tested, and a line coverage report is a type of code coverage report.

Question 9

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company’s core software product. Use your knowledge of code review and testing to answer the following three questions.

As part of their code coverage testing, Susan’s team runs the analysis in a nonproduction environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?

a. Improper bounds checking
b. Input validation
c. A race condition
d. Pointer manipulation

Answer 9

C. The changes from a testing environment with instrumentation inserted into the code and the production environment for the code can mask timing-related issues like race conditions. Bounds checking, input validation, and pointer manipulation are all related to coding issues rather than environmental issues and are more likely to be discoverable in a test environment.

Question 10

NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?

a. Discovery
b. Gaining access
c. Escalating privileges
d. System browsing

Answer 10

B. Once additional tools have been installed, penetration testers will typically use them to gain additional access. From there they can further escalate privileges, search for new targets or data, and once again, install more tools to allow them to pivot further into infrastructure or systems.

Question 11

During a port scan, Ben uses nmap’s default settings and sees the following results. Use this information to answer the following three questions.

If Ben is conducting a penetration test, what should his next step be after receiving these results?

a. Connect to the web server using a web browser.
b. Connect via Telnet to test for vulnerable accounts.
c. Identify interesting ports for further scanning.
d. Use sqlmap against the open databases.

Answer 11

C. After scanning for open ports using a port scanning tool like nmap, penetration testers will identify interesting ports and then conduct vulnerability scans to determine what services may be vulnerable. This will perform many of the same activities that connecting via a web server will, and will typically be more useful than trying to manually test for vulnerable accounts via Telnet. sqlmap would typically be used after a vulnerability scanner identifies additional information about services, and the vulnerability scanner will normally provide a wider range of useful information.

Question 12

During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?

a. zzuf
b. Nikto
c. Metasploit
d. sqlmap

Answer 12

B. TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.

Question 13

What international framework was SSAE-16 based on?

a. ISO27001
b. SAS70
c. SOX
d. ISAE 3402

Answer 13

D. SSAE-16 is based on ISAE 3402, the International Standard on Assurance Engagements. It differs in a number of ways, including how it handles purposeful acts by service organizational personnel as well as anomalies, but the two share many elements. SAS-70 has been replaced by SSAE-16, whereas ISO27001 is a formal specification for an information security management system (ISMS). SOX is the Sarbanes–Oxley Act, a U.S. law that impacts accounting and investor protection.

Question 14

Saria’s team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct?

a. Crystal box
b. Gray box
c. White box
d. Black box

Answer 14

D. Black box testing is the most realistic type of penetration test because it does not provide the penetration tester with inside information about the configuration or design of systems, software, or networks. A gray box test provides some information, whereas a white or crystal box test provides significant or full detail.

Question 15

Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test.

What task is the most important during Phase 1, Planning?

a. Building a test lab
b. Getting authorization
c. Gathering appropriate tools
d. Determining if the test is white, black, or gray box

Answer 15

B. Getting authorization is the most critical element in the planning phase. Permission, and the “get out of jail free card” that demonstrates that organizational leadership is aware of the issues that a penetration test could cause, is the first step in any penetration test. Gathering tools and building a lab, as well as determining what type of test will be conducted, are all important, but nothing should happen without permission.

Question 16

In a response to a Request for Proposal, Susan receives a SAS-70 Type 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as followup and why?

a. An SAS-70 Type II, because Type I only covers a single point in time
b. An SOC Type 1, because Type II does not cover operating effectiveness
c. An SOC Type 2, because Type I does not cover operating effectiveness
d. An SAC-70 type 3, because Types 1 and 2 are outdated and no longer accepted

Answer 16

C. Service Organization Control (SOC) reports replaced SAS-70 reports in 2010. A Type 1 report only covers a point in time, so Susan needs an SOC Type 2 report to have the information she requires to make a design and operating effectiveness decision based on the report.

Question 17

During a port scan, Ben uses nmap’s default settings and sees the following results. Use this information to answer the following three questions.

Ben’s manager expresses concern about the coverage of his scan. Why might his manager have this concern?

a. Ben did not test UDP services.
b. Ben did not discover ports outside the “well-known ports.”
c. Ben did not perform OS fingerprinting.
d. Ben tested only a limited number of ports.

Answer 17

D. Nmap only scans 1000 TCP and UDP ports by default, including ports outside of the 0–1024 range of “well-known” ports. By using the defaults for nmap, Ben missed 64,535 ports. OS fingerprinting won’t cover more ports but would have provided a best guess of the OS running on the scanned system.

Question 18

Nikto, Burp Suite, and Wapiti are all examples of what type of tool?

a. Web application vulnerability scanners
b. Code review tools
c. Vulnerability scanners
d. Port scanners

Answer 18

A. Nikto, Burp Suite, and Wapiti are all web application vulnerability scanners, tools designed specifically to scan web servers and applications. While they share some functionality with broader vulnerability scanners and port scanning tools, they have a narrower focus and typically have deeper capabilities than vulnerability scanners.

Question 19

Questions 19, 20, and 21 refer to the following scenario.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.

During normal operations, Jennifer’s team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events?

a. Enterprise wireless access points
b. Windows desktop systems
c. Linux web servers
d. Enterprise firewall devices

Answer 19

B. Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.

Question 20

Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?

a. It can help identify rogue devices.
b. It can test the security of the wireless network via scripted attacks.
c. Their short dwell time on each wireless channel can allow them to capture more packets.
d. They can help test wireless IDS or IPS systems.

Answer 20

A. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.
Scripted attacks are part of active scanning rather than passive scanning, and active scanning is useful for testing IDS or IPS systems, whereas passive scanning will not be detected by detection systems. Finally, a shorter dwell time can actually miss troublesome traffic, so balancing dwell time versus coverage is necessary for passive wireless scanning efforts.

Question 21

Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?

a. Nmap
b. OpenVAS
c. MBSA
d. Nessus

Answer 21

B. OpenVAS is an open source vulnerability scanning tool that will provide Susan with a report of the vulnerabilities that it can identify from a remote, network-based scan. Nmap is an open source port scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed source tools, although Nessus was originally open source.

Question 22

Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what type of issue?

a. Fuzzing
b. Security vulnerabilities
c. Buffer overflows
d. Race conditions

Answer 22

B. Security vulnerabilities can be created by misconfiguration, logical or functional design or implementation issues, or poor programming practices. Fuzzing is a method of software testing and is not a type of issue. Buffer overflows and race conditions are both caused by logical or programming flaws, but they are not typically caused by misconfiguration or functional issues.

Question 23

During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry:

21/open

23/open

What services are likely running on those ports?

a. SSH and FTP
b. FTP and Telnet
c. SMTP and Telnet
d. POP3 and SMTP

Answer 23

B. Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his network since both services are unencrypted and have been largely replaced by SSH, and SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.

Question 24

Which of the following is a method used to design new software tests and to ensure the quality of tests?

a. Code auditing
b. Static code analysis
c. Regression testing
d. Mutation testing

Answer 24

D. Mutation testing modifies a program in small ways, and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.

Question 25

What type of port scanning is known as “half open” scanning?

a. TCP Connect
b. TCP ACK
c. TCP SYN
d. Xmas

Answer 25

C. TCP SYN scans only open a connection halfway; they do not complete the TCP connection with an ACK, thus leaving the connection open. TCP Connect scans complete the connection, whereas TCP ACK scans attempt to appear like an open connection. Xmas, or Christmas tree, scans set the FIN, PSH, and URG flags, thereby “lighting up” the TCP packet.

Question 26

Karen’s organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure that her organization’s backups will work next time?

a. Log review
b. MTD verification
c. Hashing
d. Periodic testing

Answer 26

B. Karen can’t use MTD verification because MTD is the Maximum Tolerable Downtime. Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing logs, using hashing to verify that the logs are intact, and performing periodic tests are all valid ways to verify that the backups are working properly.

Question 27

Jim has contracted with a software testing organization that uses automated testing tools to validate software. He is concerned that they may not completely test all statements in his software. What measurement should he ask for in their report to provide information about this?

a. A use case count
b. A test coverage report
c. A code coverage report
d. A code review report

Answer 27

C. Jim should ask for a code coverage report, which provides information on the functions, statements, branches, and conditions or other elements that were covered in the testing. Use cases are used as part of a test coverage calculation that divides the tested use cases by the total use cases, but use cases may not cover all possible functions or branches. A code review report would be generated if the organization was manually reviewing the application’s source code.

Question 28

What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?

a. Nonregression testing
b. Evolution testing
c. Smoke testing
d. Regression testing

Answer 28

D. Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Nonregression testing checks to see if a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.

Question 29

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company’s core software product. Use your knowledge of code review and testing to answer the following three questions.

Susan’s team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?

a. White box
b. Gray box
c. Black box
d. Dynamic

Answer 29

A. In order to fully test code, a white box test is required. Without full visibility of the code, error conditions or other code could be missed, making a gray box or black box test an inappropriate solution. Using dynamic testing that runs against live code could also result in some conditions being missed due to sections of code not being exposed to typical usage.

Question 30

Questions 19, 20, and 21 refer to the following scenario.

The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.

What technology should an organization use for each of the devices shown in the diagram to ensure that logs can be time sequenced across the entire infrastructure?

a. Syslog
b. NTP
c. Logsync
d. SNAP

Answer 30

B. Network Time Protocol (NTP) can ensure that systems are using the same time, allowing time sequencing for logs throughout a centralized logging infrastructure. Syslog is a way for systems to send logs to a logging server and won’t address time sequencing. Neither logsync nor SNAP is an industry term.

Question 31

Which of the following is not an issue when using fuzzing to find program faults?

a. They often find only simple faults.
b. Fuzz testing bugs are often severe.
c. Fuzzers may not fully cover the code.
d. Fuzzers can’t reproduce errors.

Answer 31

B. Finding severe bugs is not a fault—in fact, fuzzing often finds important issues that would otherwise have been exploitable. Fuzzers can reproduce errors, but typically don’t fully cover the code—code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often limited to simple errors because they won’t handle business logic or attacks that require knowledge from the application user.

Question 32

Saria needs to write a request for proposal for code review and wants to ensure that the reviewers take the business logic behind her organization’s applications into account. What type of code review should she specify in the RFP?

a. Static
b. Fuzzing
c. Manual
d. Dynamic

Answer 32

C. A manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code. Fuzzing, dynamic, and static code review can all find bugs that manual code review might not, but won’t take the intent of the programmers into account.

Question 33

What major difference separates synthetic and passive monitoring?

a. Synthetic monitoring only works after problems have occurred.
b. Passive monitoring cannot detect functionality issues.
c. Passive monitoring only works after problems have occurred.
d. Synthetic monitoring cannot detect functionality issues.

Answer 33

C. Passive monitoring only works after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic, and thus can be used to proactively identify problems. Both synthetic and passive monitoring can be used to detect functionality issues.

Question 34

Angela wants to test a web browser’s handling of unexpected data using an automated tool. What tool should she choose?

a. Nmap
b. zzuf
c. Nessus
d. Nikto

Answer 34

B. zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with tools like web browsers, image viewers, and similar software by modifying network and file input to application. Nmap is a port scanner, Nessus is a vulnerability scanner, and Nikto is a web server scanner.

Question 35

Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?

a. Time to remediate vulnerabilities
b. A measure of the rate of defect recurrence
c. A weighted risk trend
d. A measure of the specific coverage of their testing

Answer 35

B. Lauren’s team is using regression testing, which is intended to prevent the recurrence of issues. This means that measuring the rate of defect recurrence is an appropriate measure for their work. Time to remediate vulnerabilities is associated with activities like patching, rather than preparing the patch, whereas a weighted risk trend is used to measure risk over time to an organization. Finally, specific coverage may be useful to determine if they are fully testing their effort, but regression testing is more specifically covered by defect recurrence rates.

Question 36

What technique relies on reviewing code without running it?

a. Fuzzing
b. Black box analysis
c. Static analysis
d. Gray box analysis

Answer 36

C. Static analysis is the process of reviewing code without running it. It relies on techniques like data flow analysis to review what the code does if it was run with a given set of inputs. Black and gray box analyses are not types of code review, although black box and gray box both describe types of penetration testing. Fuzzing provides unexpected or invalid data inputs to test how software responds.

Question 37

What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?

a. Authenticated scans
b. Web application scans
c. Unauthenticated scans
d. Port scans

Answer 37

A. Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application, unauthenticated scans, and port scans don’t have access to configuration files unless they are inadvertently exposed.
Microsoft’s STRIDE threat assessment model places threats into one of six categories:

Spoofing—threats that involve user credentials and authentication, or falsifying legitimate communications

Tampering—threats that involve the malicious modification of data

Repudiation—threats that cause actions to occur that cannot be denied by a user

Information disclosure—threats that involve exposure of data to unauthorized individuals

Denial of service—threats that deny service to legitimate users

Elevation of privilege—threats that provide higher privileges to unauthorized users

Question 38

Testing that is focused on functions that a system should not allow are an example of what type of testing?

a. Use case testing
b. Manual testing
c. Misuse case testing
d. Dynamic testing

Answer 38

C. Testing how a system could be misused, or misuse testing, focuses on behaviors that are not what the organization desires or that are counter to the proper function of a system or application. Use case testing is used to verify whether a desired functionality works. Dynamic testing is used to determine how code handles variables that change over time, whereas manual testing is just what it implies: testing code by hand.

Question 39

During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts?

a. Use of WPA2 encryption
b. Running WPA2 in Enterprise mode
c. Use of WEP encryption
d. Running WPA2 in PSK mode

Answer 39

B. WPA2 enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail as password attempts for a given user may result in account lock-out. WPA2 encryption will not stop a password attack, and WPA2’s preshared key mode is specifically targeted by password attacks that attempt to find the key. Not only is WEP encryption outdated, but it can also frequently be cracked quickly by tools like aircrack-ng.

Question 40

Nmap is an example of what type of tool?

a. Vulnerability scanner
b. Web application fuzzer
c. Network design and layout
d. Port scanner

Answer 40

D. Nmap is a very popular open source port scanner. Nmap is not a vulnerability scanner, nor is it a web application fuzzer. While port scanners can be used to partially map a network, and its name stands for Network Mapper, it is not a network design tool.