Domain 6: Review Questions Flashcards
For which of the following penetration tests does the testing team have limited knowledge of the network systems and devices with only access to publicly available information?
A. Target test
B. Physical test
C. Blind test
D. Double-blind test
C. With a blind test, the testing team knows an attack is coming and has limited knowledge of the network systems and devices and publicly available information. A target test occurs when the testing team and the organization’s security team are given maximum information about the network and the type of attack that will occur. A physical test is not a type of penetration test. It is a type of vulnerability assessment. A double-blind test is like a blind test except that the organization’s security team does not know an attack is coming.
Which of the following is not a guideline according to NIST SP 800-92?
A. Organizations should establish policies and procedures for log management.
B. Organizations should create and maintain a log management infrastructure.
C. Organizations should prioritize log management appropriately throughout the organization.
D. Choose auditors with security experience.
D. NIST SP 800-92 does not include any information regarding auditors. So, the “Choose auditors with security experience” option is not a guideline according to NIST SP 800-92.
According to NIST SP 800-92, which of the following are facets of log management infrastructure? (Choose all that apply.)
A. General functions (log parsing, event filtering, and event aggregation)
B. Storage (log rotation, log archival, log reduction, log conversion, log normalization, log file integrity checking)
C. Log analysis (event correlation, log viewing, log reporting)
D. Log disposal (log clearing)
A, B, C, D. According to NIST SP 800-92, log management functions should include general functions (log parsing, event filtering, and event aggregation), storage (log rotation, log archival, log reduction, log conversion, log normalization, log file integrity checking), log analysis (event correlation, log viewing, log reporting), and log disposal (log clearing).
What are the two ways of collecting logs using security information and event management (SIEM) products, according to NIST SP 800-92?
A. Passive and active
B. Agentless and agent-based
C. Push and pull
D. Throughput and rate
B. The two ways of collecting logs using security information and event management (SIEM) products, according to NIST SP 800-92, are agentless and agent-based.
Which monitoring method MOST likely captures and analyzes every transaction of every application or website user when configured correctly?
A. RUM
B. Synthetic transaction monitoring
C. Code review and testing
D. Misuse case testing
A. Real user monitoring (RUM) captures and analyzes every transaction of every application or website user.
Which type of testing is also known as negative testing?
A. RUM (real user monitoring)
B. Synthetic transaction monitoring
C. Code review and testing
D. Misuse case testing
D. Misuse case testing is also known as negative testing.
What is the first step of the information security continuous monitoring (ISCM) plan, according to NIST SP 800-137?
A. Establish an ISCM program.
B. Define the ISCM strategy.
C. Implement an ISCM program.
D. Analyze the data collected.
B. Define an ISCM strategy
The steps in an ISCM program, according to NIST SP 800-137, are
- Define an ISCM strategy.
- Establish an ISCM program.
- Implement an ISCM program and collect the security-related information required for metrics, assessments, and reporting.
- Analyze the data collected, report findings, and determine the appropriate responses.
- Respond to findings.
- Review and update the monitoring program.
What is the second step of the information security continuous monitoring (ISCM) plan, according to NIST SP 800-137?
A. Establish an ISCM program.
B. Define the ISCM strategy.
C. Implement an ISCM program.
D. Analyze the data collected.
A. Establish an ISCM program
The steps in an ISCM program, according to NIST SP 800-137, are
- Define an ISCM strategy.
- Establish an ISCM program.
- Implement an ISCM program and collect the security-related information required for metrics, assessments, and reporting.
- Analyze the data collected, report findings, and determine the appropriate responses.
- Respond to findings.
- Review and update the monitoring program.
Which of the following is not a guideline for internal, external, and third-party audits?
A. Choose auditors with security experience.
B. Involve business unit managers early in the process.
C. At a minimum, perform biannual audits to establish a security baseline.
D. Ensure that the audit covers all systems and all policies and procedures.
C. At a minimum, perform biannual audits to establish a security baseline.
The following are guidelines for internal, external, and third-party audits:
* At minimum, perform annual audits to establish a security baseline.
* Determine your organization’s objectives for the audit and share them with the auditors.
* Set the ground rules for the audit, including the dates/times of the audit, before the audit starts.
* Choose auditors who have security experience.
* Involve business unit managers early in the process.
* Ensure that auditors rely on experience, not just checklists.
* Ensure that the auditor’s report reflects risks that the organization has identified.
* Ensure that the audit is conducted properly.
* Ensure that the audit covers all systems and all policies and procedures.
* Examine the report when the audit is complete.
Which SOC (Service Organization Control) report can be shared with the general public WITHOUT causing any harm to the organization?
A. SOC 1, Type 1
B. SOC 1, Type 2
C. SOC 2
D. SOC 3
D. SOC 3 is the only SOC report that should be shared with the general public.
Which of the following is the last step in performing a penetration test?
A. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.
B. Gather information about attack methods against the target system or device.
C. Document information about the target system or device.
D. Execute attacks against the target system or device to gain user and privileged access.
A.
The steps in performing a penetration test are as follows:
1. Document information about the target system or device.
2. Gather information about attack methods against the target system or device. This step includes performing port scans.
3. Identify the known vulnerabilities of the target system or device.
4. Execute attacks against the target system or device to gain user and privileged access.
5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.
In which of the following does the testing team have zero knowledge of the organization’s network?
A. Gray-box testing
B. Black-box testing
C. White-box testing
D. Physical testing
B. In black-box testing, or zero-knowledge testing, the testing team is provided with no knowledge regarding the organization’s network.
In white-box testing, the testing team goes into the testing process with a deep understanding of the application or system. In gray-box testing, the testing team is provided more information than in black-box testing, while not as much as in white-box testing. Gray-box testing has the advantage of being nonintrusive while maintaining the boundary between developer and tester. Physical testing reviews facility and perimeter protections.
Which of the following is defined as a dynamic testing tool that tests the software’s limits and may discover flaws?
A. Interface testing
B. Static testing
C. Test coverage analysis
D. Fuzz testing
D. Fuzz testing is a dynamic testing tool that provides input to the software to test the software’s limits and discover flaws. The input provided can be randomly generated by the tool or specially created to test for known vulnerabilities.
Interface testing evaluates whether an application’s systems or components correctly pass data and control to one another. It verifies whether module interactions are working properly and errors are handled correctly. Static testing analyzes software security without actually running the software. This is usually provided by reviewing the source code or compiled application. Test coverage analysis uses test cases that are written against the application requirements specifications.
Which factors should security professionals follow when performing security testing? (Choose all that apply.)
A. Changes that could affect the performance
B. System risk
C. Information sensitivity level
D. Likelihood of technical failure or misconfiguration
a, b, c, d.
Security professionals should consider the following factors when performing security testing:
* Impact
* Difficulty
* Time needed
* Changes that could affect the performance
* System risk
* System criticality
* Security test availability
* Information sensitivity level
* Likelihood of technical failure or misconfiguration
Which of the following can a hacker use to identify common vulnerabilities in an operating system running on a host or server?
A. Operating system fingerprinting
B. Network discovery scan
C. Key performance and risk indicators
D. Third-party audits
A. Operating system fingerprinting is the process of using some method to determine the operating system running on a host or a server. By identifying the OS version and build number, hackers can identify common vulnerabilities of that OS using readily available documentation from the Internet. A network discovery scan examines a range of IP addresses to determine which ports are open. This type of scan only shows a list of systems on the network and the ports in use on the network. It does not actually check for any vulnerabilities. By using key performance and risk indicators of security process data, organizations better identify when security risks are likely to occur. Key performance indicators allow organizations to determine whether levels of performance are below or above established norms. Key risk indicators allow organizations to identify whether certain risks are more or less likely to occur. Organizations should conduct internal, external, and third-party audits as part of any security assessment and testing strategy.