Domain 6: Security Assessment and Testing Flashcards

1
Q

Artifact

A

A piece of evidence, such as text or a reference to a resource, that is submitted to support a response to a question.

2
Q

Assessment

A

The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.

3
Q

Audit/Auditing

A

The process of reviewing a system for compliance against a standard or baseline. Examples include audits of security controls, configuration baselines, and financial records. Can be formal and independent, or informal using internal staff.

4
Q

Chaos Engineering

A

The discipline of experimenting on a software system in production to build confidence in the system’s capability to withstand turbulent and unexpected conditions.

5
Q

Compliance Calendar

A

A calendar that tracks an organization’s audits, assessments, required filings, and their due dates and related details.

6
Q

Compliance Tests

A

An evaluation that provides assurance an organization’s controls are being applied in accordance with management policies and procedures.

7
Q

Ethical Penetration Testing, Penetration Testing

A

A security testing and assessment method in which testers actively attempt to circumvent or defeat the security features of a system. Ethical penetration testing is constrained, typically by contracts, to stay within specified rules of engagement (RoE).

8
Q

Examination

A

The process of reviewing, inspecting, observing, studying or analyzing one or more assessment objects (e.g., specifications, mechanisms, activities). The examination method facilitates assessor understanding, achieves clarification, or obtains evidence.

9
Q

Finding(s)

A

Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective.

10
Q

Interview(s)

A

As a systems assessment technique, the process of holding discussions with individuals or groups within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence.

11
Q

Judgmental Sampling

A

Also called purposive sampling or authoritative sampling, it is a nonprobability sampling technique in which the sample members are chosen based on the auditor’s or researcher’s knowledge and judgment (for example, selecting the highest-risk accounts or systems). Because selection is not random, the results cannot be generalized to the whole population with a stated confidence level.

12
Q

Misuse Case Testing

A

Testing strategy and technique from the point of view of an actor hostile to the system, using deliberately chosen sets of actions, which could lead to systems integrity failures, malfunctions, or other security or safety compromises.

13
Q

Plan of Action and Milestones (POA&M)

A

A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones for meeting the tasks, and scheduled milestone completion dates.

14
Q

Rules of Engagement (RoE)

A

A set of rules, constraints, boundaries, or conditions that establish limits on what participants in an activity may or may not do. Ethical penetration testing, for example, uses RoE to define the scope of the testing to be done and to establish liability limitations for both the testers and the sponsoring organization or systems owners.

15
Q

Statistical Sampling

A

The process of selecting subsets of examples from a population with the objective of estimating properties of the total population.

16
Q

Substantive Test

A

An audit procedure that examines the data, transactions, or balances themselves (rather than the controls around them) to obtain evidence of their completeness, accuracy, and validity in support of the auditor’s opinion. Contrast with a compliance test, which checks whether a control is being applied as management prescribes.

17
Q

Testing

A

The process of exercising one or more assessment objects (e.g., activities or mechanisms) under specified conditions to compare actual with expected behavior.

18
Q

Trust Services Criteria (TSC)

A

The AICPA criteria used by an auditor (for example, in a SOC 2 engagement) when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the entity.

19
Q

security tests

A

Security tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security. Security testing should take place on a regular schedule, with attention paid to each of the key security controls protecting an organization.

20
Q

security assessments

A

Comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.

21
Q

security audits

A

Evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party. Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors. The staff members who design, implement, and monitor controls for an organization have an inherent conflict of interest when evaluating the effectiveness of those controls.

22
Q

internal audit

A

An audit performed by an organization’s internal audit staff and typically intended for internal audiences.

23
Q

external audit

A

An audit performed by an outside auditing firm. These audits have a high degree of external validity because the auditors performing the assessment theoretically have no conflict of interest with the organization itself. Distinct from a third-party audit, which is conducted by or on behalf of another organization, such as a regulator or a customer.

24
Q

third-party audit

A

An audit conducted by, or on behalf of, another organization, such as a regulatory authority.

25
Q

Service Organization Controls (SOC) Report

A

A report produced by an independent auditor under AICPA attestation standards that describes the controls at a service organization (a cloud provider, payroll processor, or other outsourcer) and, for a Type II report, the results of testing those controls over a period of time; a Type I report covers control design at a point in time only. SOC 1 reports cover controls relevant to customers’ financial reporting; SOC 2 reports cover controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); SOC 3 is a general-use summary of a SOC 2 report.

26
Q

Control Objectives for Information and Related Technology (COBIT)

A

An IT governance and management framework published by ISACA that defines control objectives and processes for aligning information technology with business goals. It describes the common requirements and control objectives that organizations should have in place surrounding their information systems and is often used as a reference framework when auditing IT controls.

27
Q

Security Content Automation Protocol (SCAP)

A

A suite of specifications maintained by the National Institute of Standards and Technology (NIST) that standardizes how security tools express and exchange vulnerability, configuration, and product information. Its component standards include CVE (vulnerability identifiers), CVSS (severity scoring), CPE (platform naming), CCE (configuration identifiers), XCCDF (checklists) and OVAL (machine-readable checks). SCAP provides a common framework and naming conventions for the discussion of security vulnerabilities and facilitates the automation of interactions between scanners, configuration tools, and reporting systems.

28
Q

compliance testing

A

Verification that a system complies with laws, regulations, baselines, guidelines, standards, best practices, and policies. This is an important part of maintaining security in any environment. Aka compliance checking or compliance checks.

29
Q

exception handling

A

The process where a programmer codes in mechanisms to anticipate and defend against errors in order to avoid the termination of execution. Error handling is the inclusion of code that will attempt to handle errors when they arise before they can cause harm or interrupt execution. Aka error handling.

30
Q

code review

A

A form of vulnerability assessment where flaws in code or errors in logic are detected by combing through source code.

31
Q

static testing

A

Evaluates the security of software without running it by analyzing either the source code or the compiled application. Aka static application security testing (SAST).
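
An added example for the code review and static testing cards (not from the original deck): a minimal SAST pass written in Python on top of the standard library’s ast module. It parses source text without executing it and flags call sites a reviewer would stop at. The rule set, the Finding type, and the SAMPLE program it scans are all constructed for this example.

```python
"""Tiny static analysis pass over Python source, built on the ast module (added example)."""
import ast
from dataclasses import dataclass
from typing import List

# Hypothetical rule set for this example: callees a reviewer would flag on sight.
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution from a string",
    "exec": "arbitrary code execution from a string",
    "os.system": "shell command built from a string; prefer subprocess with an argument list",
    "pickle.loads": "deserialisation of untrusted data can execute code",
    "yaml.load": "unsafe YAML loading unless a SafeLoader is passed; prefer yaml.safe_load",
}


@dataclass
class Finding:
    line: int
    callee: str
    detail: str


def callee_name(node: ast.Call) -> str:
    """Dotted name of the called expression: 'eval', 'subprocess.run', 'a.b.c'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # dynamic callee such as getattr(mod, name)() cannot be resolved statically


def has_shell_true(node: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


class DangerousCallVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = callee_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(node.lineno, name, DANGEROUS_CALLS[name]))
        elif name.startswith("subprocess.") and has_shell_true(node):
            self.findings.append(
                Finding(node.lineno, name, "shell=True lets untrusted input reach a shell"))
        self.generic_visit(node)  # keep walking: eval(input()) holds a nested call


def analyze(source: str) -> List[Finding]:
    """Parse source and return findings sorted by line, without executing anything."""
    visitor = DangerousCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample under review; line numbers in findings refer to this string.
SAMPLE = """\
import pickle, subprocess
def load(blob):
    return pickle.loads(blob)
def run(cmd):
    return subprocess.run("ls " + cmd, shell=True)
def safe(cmd):
    return subprocess.run(["ls", cmd])
x = eval(input())
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.callee}: {f.detail}")
```

Running it reports lines 3, 5 and 8 of SAMPLE and stays silent on the argument-list form of subprocess.run. The limits are the usual ones for static testing: a callee reached through getattr or a name computed at runtime resolves to an empty string and is missed, which is why the next card’s dynamic testing complements rather than replaces this pass.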

32
Q

dynamic testing

A

Evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. See dynamic analysis. Aka dynamic application security testing (DAST).

33
Q

synthetic transactions

A

Scripted transactions with known expected results. The testers run the synthetic transactions against the tested code and then compare the output of the transactions to the expected state. Any deviations between the actual and expected results represent possible flaws in the code and must be further investigated.

34
Q

fuzzing

A

A dynamic analysis software testing technique that generates random or mutated inputs for targeted programs. The goal of fuzz testing is to discover inputs that cause errors, failures, and crashes, or to discover other unknown defects in the targeted program. Aka fuzz testing; the tool that generates and feeds the inputs is a fuzzer. Mutation fuzzers derive inputs by altering valid samples, while generational fuzzers build inputs from a model of the expected format.
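
An added example (not part of the original deck) of mutation fuzzing in Python. The parse_record function is a toy parser constructed for the example with a planted bug: it trusts a length byte. The fuzzer mutates a valid seed, treats the parser’s documented ValueError as an expected rejection, records any other exception as a crash keyed by exception type and line, and then minimises a crashing input by deleting bytes while the crash persists. The record format, the seed, and all function names are assumptions made for this example.

```python
"""Mutation-based fuzzer driving a deliberately fragile parser (added example, not from the page)."""
import random
import traceback
from typing import Callable, Dict, List, Tuple, Union

Signature = Tuple[str, int]  # (exception class name, line number where it was raised)


def parse_record(data: bytes) -> dict:
    """Toy record format constructed for this example: b'REC' + one length byte + payload.

    Bad magic is rejected with ValueError, which is the parser's documented behaviour.
    The planted bug: the length byte is trusted, so a payload shorter than advertised
    (or a length of 0) indexes past the end of the slice and raises IndexError.
    """
    if len(data) < 4 or data[:3] != b"REC":
        raise ValueError("bad magic")
    length = data[3]
    payload = data[4:4 + length]
    last = payload[length - 1]  # BUG: never checks that len(payload) == length
    return {"length": length, "payload": payload, "last": last}


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random byte-level mutation: bit flip, byte replace, insert or delete."""
    buf = bytearray(data)
    if not buf:
        return bytes([rng.randrange(256)])
    i = rng.randrange(len(buf))
    op = rng.choice(("flip", "replace", "insert", "delete"))
    if op == "flip":
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "replace":
        buf[i] = rng.randrange(256)
    elif op == "insert":
        buf.insert(i, rng.randrange(256))
    else:
        del buf[i]
    return bytes(buf)


def run_once(target: Callable[[bytes], object], data: bytes,
             expected: Tuple[type, ...]) -> Union[str, Signature]:
    """Return 'ok', 'rejected' (an expected exception) or a crash signature."""
    try:
        target(data)
    except expected:
        return "rejected"
    except Exception as exc:  # anything else is a defect worth recording
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc).__name__, frame.lineno)
    return "ok"


def fuzz(target, seeds: List[bytes], iterations: int, seed: int = 1,
         expected: Tuple[type, ...] = (ValueError,)) -> Dict[Signature, bytes]:
    """Mutate seeds, run the target, keep the first input for each distinct crash signature."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    corpus = list(seeds)
    crashes: Dict[Signature, bytes] = {}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(corpus))
        outcome = run_once(target, data, expected)
        if isinstance(outcome, tuple):
            crashes.setdefault(outcome, data)
        elif outcome == "ok" and data not in corpus and len(corpus) < 64:
            corpus.append(data)  # accepted inputs become new seeds
    return crashes


def reduce_crash(target, data: bytes, expected: Tuple[type, ...] = (ValueError,)) -> bytes:
    """Greedily delete single bytes while the same exception type is still raised."""
    sig = run_once(target, data, expected)
    if not isinstance(sig, tuple):
        raise ValueError("input does not crash the target")
    changed = True
    while changed:
        changed = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            out = run_once(target, candidate, expected)
            if isinstance(out, tuple) and out[0] == sig[0]:
                data, changed = candidate, True
                break
    return data


if __name__ == "__main__":
    found = fuzz(parse_record, [b"REC\x05hello"], iterations=2000)
    for (name, line), sample in found.items():
        print(f"{name} at line {line}: {sample!r} -> minimised "
              f"{reduce_crash(parse_record, sample)!r}")
```

Two thousand iterations from the single seed are enough to hit the IndexError, and reduction shrinks the trigger to the four-byte header with a length that exceeds the (empty) payload, which is exactly the missing check. Separating expected rejections from crashes matters: a parser that raises ValueError on bad input is doing its job, and counting those as findings would bury the real defect. Production fuzzers such as AFL and libFuzzer grow the corpus from code-coverage feedback rather than from the "accepted" heuristic used here.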

35
Q

misuse case testing

A

A process used by software testers to evaluate the vulnerability of their software to known risks. Testers first enumerate the known misuse cases and then attempt to exploit those use cases with manual and/or automated attack techniques. It is testing that attempts to model the activity of an attacker. Aka abuse case testing.

36
Q

interface testing

A

Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete. The interfaces tested include application programming interfaces (APIs), user interfaces (UIs), and physical interfaces.

37
Q

test coverage analysis

A

A test evaluation technique that estimates the degree of testing conducted against new software. The simplest form counts use cases:

Test coverage = # of use cases tested / Total # of use cases

Code coverage criteria refine this estimate: statement coverage (every line executed), branch coverage (every if/else path taken), condition coverage (each logical test evaluated both true and false), function coverage (every function called), and loop coverage (each loop executed zero, one, and many times).
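
An added example (not from the original deck) that measures statement coverage in Python with sys.settrace, beside a one-line function for the card’s use-case formula. The function under test, classify_port, is constructed for the example and compiled from a string so that its line numbers are known; the tracer records which of its executable lines run for a given set of inputs, and the AST supplies the denominator.

```python
"""Statement coverage measured with sys.settrace, next to the use-case formula (added example)."""
import ast
import sys
from typing import Dict, Iterable, Set


def use_case_coverage(tested: int, total: int) -> float:
    """The card's formula: share of enumerated use cases that have a test."""
    return tested / total


# Constructed function under test, compiled from a string so its line numbers are known.
TARGET_SRC = """\
def classify_port(port):
    if port < 0 or port > 65535:
        raise ValueError("out of range")
    if port < 1024:
        kind = "well-known"
    elif port < 49152:
        kind = "registered"
    else:
        kind = "dynamic"
    return kind
"""
TARGET_FILE = "<target>"  # hypothetical filename given to compile() so the tracer can filter on it


def executable_lines(src: str) -> Set[int]:
    """Lines holding an executable statement (def/class headers excluded).

    Every statement in TARGET_SRC fits on one line; a multi-line statement would be
    counted once, at its first line, which is also where the tracer reports it.
    """
    skip = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)
    return {n.lineno for n in ast.walk(ast.parse(src))
            if isinstance(n, ast.stmt) and not isinstance(n, skip)}


def measure_statement_coverage(src: str, func_name: str, inputs: Iterable) -> Dict:
    """Run func_name on each input under a line tracer and report executed/missed lines."""
    namespace: Dict = {}
    exec(compile(src, TARGET_FILE, "exec"), namespace)
    func = namespace[func_name]
    executed: Set[int] = set()

    def tracer(frame, event, arg):
        if frame.f_code.co_filename != TARGET_FILE:
            return None  # do not trace frames outside the target
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        for value in inputs:
            try:
                func(value)
            except Exception:
                pass  # an input that raises still covers the raise statement
    finally:
        sys.settrace(None)

    total = executable_lines(src)
    hit = executed & total
    return {
        "executed": sorted(hit),
        "missed": sorted(total - hit),
        "ratio": len(hit) / len(total),
    }


if __name__ == "__main__":
    for inputs in ([80], [80, 8080], [80, 8080, 60000, -1]):
        print(inputs, measure_statement_coverage(TARGET_SRC, "classify_port", inputs))
```

A single input of 80 executes four of the eight statements (ratio 0.5, missing the raise and both later branches); adding 8080, 60000 and -1 reaches every statement. Even at 100% statement coverage the boundary values 1023, 1024, 49151 and 49152 were never exercised, which is the gap that condition coverage and deliberate boundary tests are meant to close. coverage.py does the same bookkeeping across a whole code base and is what a practitioner would use outside an illustration.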

38
Q

passive monitoring

A

Website monitoring technique that analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server. See real user monitoring (RUM).

39
Q

real user monitoring (RUM)

A

A variant of passive monitoring where the monitoring tool reassembles the activity of individual users to track their interaction with a website.

40
Q

synthetic monitoring

A

Website monitoring technique that performs artificial transactions against a website to assess performance. See active monitoring.
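
An added example (not part of the original deck) serving both the synthetic transactions card and the synthetic monitoring card: a Python runner that executes scripted transactions in order against a system under test, compares each result with its known expected value, and times each call against a latency budget. The LedgerService is a constructed in-process stand-in for the system being monitored, with a planted defect in transfer(); the transaction list, the Result record, and all names are assumptions made for the example.

```python
"""Synthetic-transaction runner against a toy ledger service (added example, not from the page)."""
import time
from dataclasses import dataclass
from typing import Any, Callable, List


class InsufficientFunds(Exception):
    pass


class LedgerService:
    """Constructed stand-in for the system under test."""

    def __init__(self) -> None:
        self.balances = {}

    def deposit(self, acct: str, amount: int) -> int:
        self.balances[acct] = self.balances.get(acct, 0) + amount
        return self.balances[acct]

    def withdraw(self, acct: str, amount: int) -> int:
        if self.balances.get(acct, 0) < amount:
            raise InsufficientFunds(acct)
        self.balances[acct] -= amount
        return self.balances[acct]

    def transfer(self, src: str, dst: str, amount: int):
        # Planted bug for the example: the funds check present in withdraw() is missing here.
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return (self.balances[src], self.balances[dst])

    def balance(self, acct: str) -> int:
        return self.balances.get(acct, 0)


@dataclass
class SyntheticTransaction:
    name: str
    action: Callable[[LedgerService], Any]
    expected: Any  # a return value, or an exception class the call must raise
    latency_budget_ms: float = 50.0


@dataclass
class Result:
    name: str
    ok: bool
    expected: Any
    actual: Any
    elapsed_ms: float
    within_budget: bool


def run_synthetic(service: LedgerService, transactions: List[SyntheticTransaction]) -> List[Result]:
    """Run each scripted transaction in order, recording deviation and latency."""
    results = []
    for tx in transactions:
        start = time.perf_counter()
        try:
            actual = tx.action(service)
        except Exception as exc:
            actual = type(exc)  # compared against an expected exception class
        elapsed_ms = (time.perf_counter() - start) * 1000
        results.append(Result(tx.name, actual == tx.expected, tx.expected, actual,
                              elapsed_ms, elapsed_ms <= tx.latency_budget_ms))
    return results


# Constructed script: known inputs, known expected results, run against a fresh service.
TRANSACTIONS = [
    SyntheticTransaction("deposit 100 to alice", lambda s: s.deposit("alice", 100), 100),
    SyntheticTransaction("withdraw 30 from alice", lambda s: s.withdraw("alice", 30), 70),
    SyntheticTransaction("overdraw alice via withdraw", lambda s: s.withdraw("alice", 500),
                         InsufficientFunds),
    SyntheticTransaction("overdraw alice via transfer", lambda s: s.transfer("alice", "bob", 500),
                         InsufficientFunds),
    SyntheticTransaction("alice balance unchanged after rejected transfer",
                         lambda s: s.balance("alice"), 70),
]


def demo() -> List[Result]:
    return run_synthetic(LedgerService(), TRANSACTIONS)


if __name__ == "__main__":
    for r in demo():
        flag = "ok " if r.ok else "DEVIATION"
        print(f"{flag} {r.name}: expected {r.expected!r}, got {r.actual!r}, "
              f"{r.elapsed_ms:.3f} ms (budget met: {r.within_budget})")
```

The first three transactions match; the fourth deviates because the transfer that should have been refused goes through, and the fifth deviates too because the corrupted state (alice now at -430) persists into later checks, which is why a synthetic script is run as an ordered sequence from a known starting state rather than as isolated calls. For website monitoring the action would be an HTTP request (for example via urllib.request) with the expected value being a status code and body fragment, the runner would execute on a schedule from outside the network, and a deviation or a missed latency budget would raise an alert.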
