Domain 6 - Security assessment and testing

Question 1

Static testing

Answer 1

we passively test the code, we do not run it

Question 2

Dynamic testing

Answer 2

we tests code while executing it

Question 3

Fuzzing

Answer 3

a black box testing that submits random, malformed data as inputs into software programs to determine if they will crash

Question 4

Penetration Testing or white hat hacking

Answer 4

we pay someone to test our security by trying to compromise our safeguards. This is testing both our organization’s physical and logical perimeter

Question 5

Synthetic Transactions/Monitoring

Answer 5

building scripts or tools that simulate normal user activity in an application

Question 6

is PCI-DSS a law

Answer 6

no, its a standard for entities that issue or handle credit cards. The Industry agreed upon the standards

Question 7

HIPAA is what

Answer 7

Health Insurance Portability and Accountability Act of 1996. its a Health Information Privacy Law

Question 8

is HIPAA a law

Answer 8

Yes - its a law to protect your personal identifiable information and your personal health information

Question 9

the difference between SOC 2 type 1 and type 2

Answer 9

type 2 reports the effectiveness of the controls over time

Question 10

SOC 2 type 1 definition

Answer 10

report of management’s description of a service organization’s system and the suitability of the design of controls

Question 11

In software testing, component interface testing would test what?
A: process and security alerts when encountering errors
B: data handling passed between different units and subsystems
C: the functionality of a specific section of code
D: interfaced between components against the software design

Answer 11

B:
Explanation
Component interface testing: Testing can be used to check the handling of data passed between various units, or subsystem components, beyond full integration testing between those units.

Question 12

At the end of our software development project, we are doing interface testing. What are we testing?

Answer 12

all interfaces exposed by the application

Question 13

Penetration testers have found a vulnerability on some of our switches. The vulnerability is an exploitable, who would patch the switch?

Answer 13

The network team
Explanation
Penetration testers are only there to provide a report, they don’t fix or alter anything. As the security team we do not update switches, that is the responsibility of the networking team.

Question 14

One of the distinct phases of software testing is installation testing. What are we testing in this phase?

Answer 14

Installation testing: Assures that the system is installed correctly and working at actual customer’s hardware.

Question 15

Prior to an external structured audit, we would often do an ‘unstructured’ audit. Who would perform that?

Answer 15

Unstructured audits: Internal auditors to improve our security and find flaws, often done before an external audit.

Question 16

In our software testing we are doing, “unit testing”, what are we testing?

Answer 16

Tests that verify the functionality of a specific section of code

Question 17

Penetration Testing (Pen Testing) have very clear rules of engagement defined in a SOW (Statement Of Work)

Answer 17

Which IP ranges, time frame, tools, POC (point of contact), how to test, what to test.

Question 18

We are doing different types of audits in our organization. Who would perform a structured audit?

Answer 18

External Auditors

Question 19

Which phase could a penetration tester go to after they are finished with one of the “System browsing” phases?

Answer 19

Discovery
Install additional tools

Question 20

What could a vulnerability scan possibly help us find?

Answer 20

outdated software, missing patches and system misconfiguration

Question 21

We have hired a penetration testing company to find security flaws in our organization. They are at the enumeration phase, what are they doing?

Answer 21

scanning

Question 22

Pen testing phases

Answer 22

Planning
Reconnaissance
Scanning (enumeration)
Vulnerability assessment
Exploitation
Reporting.

Question 23

What would be the PRIMARY reason we use a specific server for storing our centralized logs, and only giving our administrators limited access?

Answer 23

to ensure the logs integrity

Question 24

We have hired a penetration tester, and she has been given partial knowledge of our organization and infrastructure. Which access level would that emulate?
A: an administrator
B: a senior executive
C: a manager
D: a normal employee

Answer 24

D: a normal employee
Explanation
Gray (Grey) box (Partial Knowledge) Pentesting: The attacker has limited knowledge; is a normal user, vendor, or someone with limited environment knowledge.

Question 25

what is the formula for RISK

Answer 25

risk = threat x vulnerability
there could be a vulnerability but if it causes no threat there there is also no risk

Question 26

if you have a vulnerability but no threat, what is your risk?

Answer 26

there is no risk if there is no threat based off that specific vulnerability.
Risk = threat X vulnerability

Question 27

what are the 5 phases for pen testing

Answer 27

1. Discovery and Reconnaissance
2. Scanning and probing
3. exploitations
4. post-exploitation
5. reporting

Question 28

what happens during the discovery and recon phase during pen testing

Answer 28

gather information regarding the target(s)

Question 29

what happens during the scanning and probing phase during pen testing

Answer 29

utilize gathered information to probe for vulnerabilities and identify entry points

Question 30

what happens during the exploitation phase during pen testing

Answer 30

utilize approved methods to exploit vulnerabilities and attempt to gain access

Question 31

what happens during the post-exploitation phase during pen testing

Answer 31

continue the attack by attempting further exploits using the access gained

Question 32

what happens during the reporting phase of pen testing

Answer 32

document and present report on action taken, exploits achieved, suggested remediation

Question 33

what should an organization do after the report phase of a pen test

Answer 33

remediate and retest: the org should address any vulnerabilities discovered, and the pen testers repeat the test to identify if the remediation was successful

Question 34

what are synthetic transactions

Answer 34

are automated activities run against a monitored target t measure its performance.

example: for a web application, this might involve logging in with a test user account to verify if the application responds to the log request or returns data in response to queries

for DNS or DHCP, the synthetic transaction is a request for a name resolution or an IP address

Heartbeat monitoring, a detective control that identifies services that are offline or unresponsive is a synthetic transaction.