Domain 6: Review Questions Flashcards
For which of the following penetration tests does the testing team have limited knowledge of the network systems and devices with only access to publicly available information?
A. Target test
B. Physical test
C. Blind test
D. Double-blind test
C.
With a blind test, the testing team knows an attack is coming and has limited knowledge of the network systems and devices and publicly available information. A target test occurs when the testing team and the organization’s security team are given maximum information about the network and the type of attack that will occur. A physical test is not a type of penetration test. It is a type of vulnerability assessment. A double-blind test is like a blind test except that the organization’s security team does not know an attack is coming.
Which of the following is not a guideline according to NIST SP 800-92?
A. Organizations should establish policies and procedures for log management.
B. Organizations should create and maintain a log management infrastructure.
C. Organizations should prioritize log management appropriately throughout the organization.
D. Choose auditors with security experience.
D.
NIST SP 800-92 does not include any information regarding auditors. So, the “Choose auditors with security experience” option is not a guideline according to NIST SP 800-92.
According to NIST SP 800-92, which of the following are facets of log management infrastructure? (Choose all that apply.)
A. General functions (log parsing, event filtering, and event aggregation)
B. Storage (log rotation, log archival, log reduction, log conversion, log normalization, log file integrity checking)
C. Log analysis (event correlation, log viewing, log reporting)
D. Log disposal (log clearing)
A, B, C, D.
According to NIST SP 800-92, log management functions should include general functions (log parsing, event filtering, and event aggregation), storage (log rotation, log archival, log reduction, log conversion, log normalization, log file integrity checking), log analysis (event correlation, log viewing, log reporting), and log disposal (log clearing).
What are the two ways of collecting logs using security information and event management (SIEM) products, according to NIST SP 800-92?
A. Passive and active
B. Agentless and agent-based
C. Push and pull
D. Throughput and rate
B.
The two ways of collecting logs using security information and event management (SIEM) products, according to NIST SP 800-92, are agentless and agent-based.
Which monitoring method MOST likely captures and analyzes every transaction of every application or website user when configured correctly?
A. RUM
B. Synthetic transaction monitoring
C. Code review and testing
D. Misuse case testing
A.
Real user monitoring (RUM) captures and analyzes every transaction of every application or website user.
Which type of testing is also known as negative testing?
A. RUM (real user monitoring)
B. Synthetic transaction monitoring
C. Code review and testing
D. Misuse case testing
D. Misuse case testing is also known as negative testing.
What is the first step of the information security continuous monitoring (ISCM) plan, according to NIST SP 800-137?
A. Establish an ISCM program.
B. Define the ISCM strategy.
C. Implement an ISCM program.
D. Analyze the data collected.
B. Define an ISCM strategy
The steps in an ISCM program, according to NIST SP 800-137, are
- Define an ISCM strategy.
- Establish an ISCM program.
- Implement an ISCM program and collect the security-related information required for metrics, assessments, and reporting.
- Analyze the data collected, report findings, and determine the appropriate responses.
- Respond to findings.
- Review and update the monitoring program.
What is the second step of the information security continuous monitoring (ISCM) plan, according to NIST SP 800-137?
A. Establish an ISCM program.
B. Define the ISCM strategy.
C. Implement an ISCM program.
D. Analyze the data collected.
A. Establish an ISCM program
The steps in an ISCM program, according to NIST SP 800-137, are
- Define an ISCM strategy.
- Establish an ISCM program.
- Implement an ISCM program and collect the security-related information required for metrics, assessments, and reporting.
- Analyze the data collected, report findings, and determine the appropriate responses.
- Respond to findings.
- Review and update the monitoring program.
Which of the following is not a guideline for internal, external, and third-party audits?
A. Choose auditors with security experience.
B. Involve business unit managers early in the process.
C. At a minimum, perform biannual audits to establish a security baseline.
D. Ensure that the audit covers all systems and all policies and procedures.
C. At a minimum, perform biannual audits to establish a security baseline.
The following are guidelines for internal, external, and third-party audits:
* At minimum, perform annual audits to establish a security baseline.
* Determine your organization’s objectives for the audit and share them with the auditors.
* Set the ground rules for the audit, including the dates/times of the audit, before the audit starts.
* Choose auditors who have security experience.
* Involve business unit managers early in the process.
* Ensure that auditors rely on experience, not just checklists.
* Ensure that the auditor’s report reflects risks that the organization has identified.
* Ensure that the audit is conducted properly.
* Ensure that the audit covers all systems and all policies and procedures.
* Examine the report when the audit is complete.
Which SOC (Service Organization Control) report can be shared with the general public WITHOUT causing any harm to the organization?
A. SOC 1, Type 1
B. SOC 1, Type 2
C. SOC 2
D. SOC 3
D. SOC 3 is the only SOC report that should be shared with the general public.
Which of the following is the last step in performing a penetration test?
A. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.
B. Gather information about attack methods against the target system or device.
C. Document information about the target system or device.
D. Execute attacks against the target system or device to gain user and privileged access.
A.
The steps in performing a penetration test are as follows:
1. Document information about the target system or device.
2. Gather information about attack methods against the target system or device. This step includes performing port scans.
3. Identify the known vulnerabilities of the target system or device.
4. Execute attacks against the target system or device to gain user and privileged access.
5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.
In which of the following does the testing team have zero knowledge of the organization’s network?
A. Gray-box testing
B. Black-box testing
C. White-box testing
D. Physical testing
B.
In black-box testing, or zero-knowledge testing, the testing team is provided with no knowledge regarding the organization’s network.
In white-box testing, the testing team goes into the testing process with a deep understanding of the application or system. In gray-box testing, the testing team is provided more information than in black-box testing, while not as much as in white-box testing. Gray-box testing has the advantage of being nonintrusive while maintaining the boundary between developer and tester. Physical testing reviews facility and perimeter protections.
Which of the following is defined as a dynamic testing tool that tests the software’s limits and may discover flaws?
A. Interface testing
B. Static testing
C. Test coverage analysis
D. Fuzz testing
D.
Fuzz testing is a dynamic testing tool that provides input to the software to test the software’s limits and discover flaws. The input provided can be randomly generated by the tool or specially created to test for known vulnerabilities.
Interface testing evaluates whether an application’s systems or components correctly pass data and control to one another. It verifies whether module interactions are working properly and errors are handled correctly. Static testing analyzes software security without actually running the software. This is usually provided by reviewing the source code or compiled application. Test coverage analysis uses test cases that are written against the application requirements specifications.
Which factors should security professionals follow when performing security testing? (Choose all that apply.)
A. Changes that could affect the performance
B. System risk
C. Information sensitivity level
D. Likelihood of technical failure or misconfiguration
a, b, c, d.
Security professionals should consider the following factors when performing security testing:
* Impact
* Difficulty
* Time needed
* Changes that could affect the performance
* System risk
* System criticality
* Security test availability
* Information sensitivity level
* Likelihood of technical failure or misconfiguration
Which of the following can a hacker use to identify common vulnerabilities in an operating system running on a host or server?
A. Operating system fingerprinting
B. Network discovery scan
C. Key performance and risk indicators
D. Third-party audits
A.
Operating system fingerprinting is the process of using some method to determine the operating system running on a host or a server. By identifying the OS version and build number, hackers can identify common vulnerabilities of that OS using readily available documentation from the Internet. A network discovery scan examines a range of IP addresses to determine which ports are open. This type of scan only shows a list of systems on the network and the ports in use on the network. It does not actually check for any vulnerabilities. By using key performance and risk indicators of security process data, organizations better identify when security risks are likely to occur. Key performance indicators allow organizations to determine whether levels of performance are below or above established norms. Key risk indicators allow organizations to identify whether certain risks are more or less likely to occur. Organizations should conduct internal, external, and third-party audits as part of any security assessment and testing strategy.
During a port scan, Susan discovers a system running services on TCP and UDP 137–139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
A. A Linux email server
B. A Windows SQL server
C. A Linux file server
D. A Windows workstation
B.
TCP and UDP ports 137–139 are used for NetBIOS services, whereas 445 is used for Active Directory. TCP 1433 is the default port for Microsoft SQL, indicating that this is probably a Windows server providing SQL services.
Which of the following is a method used to automatically design new software tests and to ensure the quality of tests?
A. Code auditing
B. Static code analysis
C. Regression testing
D. Mutation testing
D.
Mutation testing modifies a program in small ways and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.
During a port scan, Naomi found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
A. zzuf
B. Nikto
C. Metasploit
D. Sqlmap
B.
TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.
What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
A. Syslog
B. Netlog
C. Eventlog
D. Remote Log Protocol (RLP)
A. Syslog is a widely used protocol for event and message logging. Eventlog, netlog, and Remote Log Protocol are all made-up terms.
Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
A. A black box
B. A brute-force tool
C. A fuzzer
D. A static analysis tool
C.
Fuzzers are tools designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems. A static analysis relies on examining code without running the application or code and thus would not fill forms as part of a web application. Brute-force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.
Susan needs to scan a system for vulnerabilities, and she wants to use an open-source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
A. Nmap
B. OpenVAS
C. MBSA
D. Nessus
B.
OpenVAS is an open-source vulnerability scanning tool that will provide Susan with a report of the vulnerabilities that it can identify from a remote, network-based scan. Nmap is an open-source port scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed-source tools, although Nessus was originally open source.
Morgan is implementing a vulnerability management system that uses standards-based components to score and evaluate the vulnerabilities it finds. Which of the following is most commonly used to provide a severity score for vulnerabilities?
A. CCE
B. CVSS
C. CPE
D. OVAL
B.
CVSS, the Common Vulnerability Scoring System, is used to describe the severity of security vulnerabilities. CCE is Common Configuration Enumeration, a naming system for configuration issues. CPE is Common Platform Enumeration, which names operating systems, applications, and devices. OVAL is a language for describing security testing procedures.
Jim has been contracted to perform a penetration test of a bank’s primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
A. A crystal-box penetration test
B. A gray-box penetration test
C. A black-box penetration test
D. A white-box penetration test
C.
Jim has agreed to a black-box penetration test, which provides no information about the organization, its systems, or its defenses. A crystal- or white-box penetration test provides all of the information an attacker needs, whereas a gray-box penetration test provides some, but not all, information.
In a response to a request for proposal, Susan receives an SSAE 18 SOC report. If she wants a report that includes details on operating effectiveness, what should Susan ask for as follow-up, and why?
A. A SOC 2 Type II report, because Type I does not cover operating effectiveness
B. A SOC 1 Type I report, because SOC 2 does not cover operating effectiveness
C. A SOC 2 Type I report, because SOC 2 Type II does not cover operating effectiveness
D. A SOC 3 report, because SOC 1 and SOC 2 reports are outdated
A.
The key to answering this question correctly is understanding the difference between SOC 1 and SOC 2 reports, and Type I and Type II audits.
SOC 1 reports cover financial reporting, and
SOC 2 reports look at security.
Type I audits cover only a single point in time and are based on management descriptions of controls. They do not include an assessment of operating effectiveness.
Type II audits cover a period of time and include an assessment of operating effectiveness.