Domain 6 - Security Assessment and Testing Flashcards

1
Q

These use many of the same techniques followed during security assessments but must be performed by independent auditors.

A

Security audits

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

comprehensive reviews of the security of a system, application, or other tested environment.

A

Security assessments

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

These verify that a control is functioning properly.

A

Security tests

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

These automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker.

A

Vulnerability scans

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Name 3 types of vulnerability scans

A

network discovery scans, network vulnerability scans, and web application vulnerability scan

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

This evaluates the security of software without running i g t by analyzing either the source code or the compiled application.

A

Static testing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

This evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code.

A

Dynamic testing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.

A

Fuzz testing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.

A

Mutation (Dumb) Fuzzing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Develops data models and creates new fuzzed input

based on an understanding of the types of data used by the program.

A

Generational (Intelligent) Fuzzing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Testing where team has no knowledge of the target other than what is publicly available. This simulates an external attack

A

Zero knowledge or Black box testing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Testing where team has limited knowledge of the organization.

A

Partial knowledge

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Testing where team has full knowledge of the network operations. This type of testing often simulates an internal attack.

A

Full knowledge.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly