Domain 6 - Security assessment and testing Flashcards
Static testing
we passively test the code, we do not run it
Dynamic testing
we test the code while executing it
Fuzzing
a black-box testing technique that submits random, malformed data as input to software programs to determine if they will crash
Penetration Testing or white hat hacking
we pay someone to test our security by trying to compromise our safeguards. This tests both our organization's physical and logical perimeter
Synthetic Transactions/Monitoring
building scripts or tools that simulate normal user activity in an application
is PCI-DSS a law
no, it's a standard for entities that issue or handle credit cards; the industry agreed upon the standard
HIPAA is what
Health Insurance Portability and Accountability Act of 1996. It's a health information privacy law
is HIPAA a law
Yes, it's a law to protect your personally identifiable information and your personal health information
the difference between SOC 2 type 1 and type 2
type 2 reports the effectiveness of the controls over time
SOC 2 type 1 definition
report of management’s description of a service organization’s system and the suitability of the design of controls
In software testing, component interface testing would test what?
A: process and security alerts when encountering errors
B: data handling passed between different units and subsystems
C: the functionality of a specific section of code
D: interfaces between components against the software design
B: data handling passed between different units and subsystems
Explanation
Component interface testing checks the handling of data passed between various units or subsystem components, beyond full integration testing between those units.
At the end of our software development project, we are doing interface testing. What are we testing?
all interfaces exposed by the application
Penetration testers have found a vulnerability on some of our switches. The vulnerability is exploitable; who would patch the switch?
The network team
Explanation
Penetration testers are only there to provide a report; they don't fix or alter anything. As the security team we do not update switches; that is the responsibility of the networking team.
One of the distinct phases of software testing is installation testing. What are we testing in this phase?
Installation testing: assures that the system is installed correctly and working on the actual customer's hardware.
Prior to an external structured audit, we would often do an ‘unstructured’ audit. Who would perform that?
Unstructured audits: performed by internal auditors to improve our security and find flaws, often done before an external audit.
In our software testing we are doing "unit testing"; what are we testing?
Tests that verify the functionality of a specific section of code
Penetration Testing (Pen Testing) has very clear rules of engagement defined in a SOW (Statement Of Work)
Which IP ranges, time frame, tools, POC (point of contact), how to test, and what to test.
We are doing different types of audits in our organization. Who would perform a structured audit?
External Auditors
Which phase could a penetration tester go to after they are finished with one of the “System browsing” phases?
Discovery
Install additional tools
What could a vulnerability scan possibly help us find?
outdated software, missing patches and system misconfiguration
We have hired a penetration testing company to find security flaws in our organization. They are at the enumeration phase, what are they doing?
scanning
Pen testing phases
- Planning
- Reconnaissance
- Scanning (enumeration)
- Vulnerability assessment
- Exploitation
- Reporting
What would be the PRIMARY reason we use a specific server for storing our centralized logs, and only giving our administrators limited access?
to ensure the logs' integrity
We have hired a penetration tester, and she has been given partial knowledge of our organization and infrastructure. Which access level would that emulate?
A: an administrator
B: a senior executive
C: a manager
D: a normal employee
D: a normal employee
Explanation
Gray (Grey) box (Partial Knowledge) Pentesting: the attacker has limited knowledge, such as a normal user, a vendor, or someone with limited knowledge of the environment.
what is the formula for RISK
risk = threat x vulnerability
there could be a vulnerability, but if no threat can act on it there is also no risk
if you have a vulnerability but no threat, what is your risk?
there is no risk if there is no threat based on that specific vulnerability.
Risk = threat X vulnerability
what are the 5 phases for pen testing
- Discovery and Reconnaissance
- Scanning and probing
- Exploitation
- Post-exploitation
- Reporting
what happens during the discovery and recon phase during pen testing
gather information regarding the target(s)
what happens during the scanning and probing phase during pen testing
utilize gathered information to probe for vulnerabilities and identify entry points
what happens during the exploitation phase during pen testing
utilize approved methods to exploit vulnerabilities and attempt to gain access
what happens during the post-exploitation phase during pen testing
continue the attack by attempting further exploits using the access gained
what happens during the reporting phase of pen testing
document and present a report on actions taken, exploits achieved, and suggested remediation
what should an organization do after the report phase of a pen test
remediate and retest: the org should address any vulnerabilities discovered, and the pen testers repeat the test to verify that the remediation was successful
what are synthetic transactions
automated activities run against a monitored target to measure its performance.
example: for a web application, this might involve logging in with a test user account to verify that the application responds to the login request or returns data in response to queries
for DNS or DHCP, the synthetic transaction is a request for a name resolution or an IP address
Heartbeat monitoring, a detective control that identifies services that are offline or unresponsive, is a synthetic transaction.