Domain 6 - Security Assessment and Testing

Question 1

Security Testing

Answer 1

verifies that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security. When scheduling security controls for review, information security managers should consider the following factors:

• Availability of security testing resources
• Criticality of the systems and applications protected by the tested controls Sensitivity of information contained on tested systems and applications
• Likelihood of a technical failure of the mechanism implementing the control
• Likelihood of a misconfiguration of the control that would jeopardize security
• Risk that the system will come under attack
• Rate of change of the control configuration
• Other changes in the technical environment that may affect the control performance
• Difficulty and time required to perform a control test
• Impact of the test on normal business operations

After assessing each of these factors, security teams design and validate a comprehensive assessment and testing strategy.

Question 2

Verification

Answer 2

objective evidence that the design outputs of a phase of the SDLC meet requirements. 3rd party sometimes

Question 3

Validation

Answer 3

develop “level of confidence” that the software meets all requirements and expectations, software improve over time Find back doors thru structured walk through

Question 4

Network Flow logs

Answer 4

captured to provide insight into network traffic for security, troubleshooting, and performance management

Question 5

Audit logging

Answer 5

provides information about events on the routers

Question 6

NTP

Answer 6

Network Time Protocol, One important consideration is ensuring that logs have accurate time stamps and that these time stamps remain consistent throughout the environment. A common method is to set up an internal NTP server that is synchronized to a trusted time source such as a public NTP server. Other systems can then synchronize with this internal NTP server.

Question 7

Syslog

Answer 7

message logging standard commonly used by network devices, Linux and Unix systems and other devices (firewalls)

Reboot – generates an information log entry

• Errors – significant problem
• Warnings – future problem - Information – successful operations
• Success Audits – successful security accesses
• Failure Audits – failed security access attempts

Question 8

Inconsistent Time Stamps

Answer 8

often caused by improperly set time zones or due to differences in how system clocks are set

Question 9

Modified logs

Answer 9

often a sign of intrusion or malicious intent NetFlow is a feature that was introduced on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface. a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.

Question 10

Antimalware and Antivirus

Answer 10

records instances of detected malware

Question 11

IDS/IPS

Answer 11

security testing, NIST 800-4

Question 12

War driving

Answer 12

driving a car with notebook to find open access points

Question 13

IDS

Answer 13

intrusion detection system

Question 14

IDS: NETWORK BASED

Answer 14

• Detects intrusions on the LAN behind a firewall.
• Is passive while it acquires data.
• Reviews packets and headers
• Problem with network based is that it will not detect attacks by users logged into hosts

Question 15

IDS: HOST BASED

Answer 15

• monitoring servers through EVENT LOGS AND SYSTEM LOGS
• as good as the completeness of the host logging

easier to discover and disable

Question 16

Signature based method (AKA Knowledge based)

Answer 16

compared with signature attack database (aka misuse detector)

Question 17

Statistical anomaly based

Answer 17

defines a ‘normal’ behavior and detects abnormal behaviors.

Question 18

Response box

Answer 18

is a part of an IDS that initiates alarm or activity

Question 19

IDS Components

Answer 19

Information source/sensor, centralized monitor software, data and even report analysis, database components and response to an event or intrusion

Question 20

IPS

Answer 20

Intrusion prevention system - detect attack and PREVENT that attack being successfu

Question 21

Remote Access Software

Answer 21

granted and secured through VPNs

Question 22

Web Proxies

Answer 22

intermediate hosts, restrict access

Question 23

Vulnerability Management Software

Answer 23

patching

Question 24

Authentication Servers

Answer 24

SSO servers

Question 25

Routers

Answer 25

permit or block traffic based on policy

Question 26

Firewalls

Answer 26

more sophisticated than routers to examine traffic

Question 27

Monitoring and auditing

Answer 27

Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. This baseline is referred to as clipping level

Question 28

Breaches

Answer 28

protect from breaches of confidentiality and integrity.

Question 29

Protecting Logs : Availability

Answer 29

archival process to prevent loss by overwritten logs

Question 30

Log Analysis

Answer 30

study logs for events of interest Set maximum size. If too small, attacker can make little changes and push them out of window

Question 31

Real User Monitoring

Answer 31

aims to capture and analyze every transaction of a user

Question 32

Synthetic Performance Monitoring

Answer 32

uses scripted or recorded data. Traffic capture, Db performance monitoring, website performance monitoring can be used. NOT User Session

Monitoring Types

• Proactive monitoring involves having external agents run scripted transactions against a web application
• Db monitoring; availability of Db
• TCP port monitoring; availability of website, service, or application
  Code

Question 33

Code Review and Testing

Answer 33

Code review is the foundation of software assessment programs. During a code review, also known as a “peer review,” developers other than the one who wrote the code review it for defects.

The most formal code review processes, known as Fagan inspections, follow a rigorous review and testing process with six steps:

• Planning
• Overview
• Preparation
• Inspection
• Rework
• Follow-up

Question 34

Code Coverage Report

Answer 34

information on the functions, statements, branches, and conditions covered in testing. Use cases – used as part of test coverage calculation that divides the tested use case by total use cases

Question 35

Code Review Report

Answer 35

generated if the organization was manually reviewing the application’s source code

Question 36

Black-box testing

Answer 36

observes the system external behavior, no internal details known

Question 37

Dynamic Testing

Answer 37

does not require access to source code, evaluates code in a runtime environment

Question 38

White-box testing

Answer 38

(crystal) is a detailed exam of a logical path, checking the possible conditions. Requires access to source code

Question 39

Static Testing

Answer 39

requires access to source code, performs code analysis

Question 40

CSV

Answer 40

Comma Separated Values

Question 41

CVE

Answer 41

Common Vulnerability and Exposures dictionary. The CVE dictionary provides a standard convention used to identify vulnerabilities, list by MITRE

Question 42

CVSS

Answer 42

Common Vulnerability Scoring System, metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, also to score vulnerabilities against unique requirements.

Question 43

NVD

Answer 43

National Vulnerability Db

Question 44

Compiled code

Answer 44

poses more risk than interpreted code because malicious code can be embedded in the compiled code and can be difficult to detect.

Question 45

Regression testing

Answer 45

the verification that what is being installed does not affect any portion of the application system already installed. It generally requires the support of automated process to repeat tests previously undertaken. Known inputs against an application then compares results to earlier version results

Question 46

nonRegression testing

Answer 46

code works as planned

Question 47

Code comparison

Answer 47

normally used to identify the parts of the source code that have changed.

Question 48

Integration testing

Answer 48

aimed at finding bugs in the relationship and interfaces between pairs of components. It does not normally test all functions.

Question 49

Attack surface

Answer 49

exposure

Question 50

STRIDE

Answer 50

is often used in relation to assessing threats against applications or operating systems, threat categorization scheme,

STRIDE:
Spoofing, 
Tampering, 
Repudiation,
Information disclosure, Denial of service,
Elevation of privilege.

Question 51

Spoofing

Answer 51

An attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against IP addresses, MAC address, usernames, system names, wireless network SSIDs, and other types of logical identification.

Question 52

Tampering

Answer 52

Any action resulting in the unauthorized changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.

Question 53

Repudiation

Answer 53

The ability for a user or attacker to deny having performed an action or activity.

Question 54

Information disclosure

Answer 54

The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.

Question 55

Elevation of privilege

Answer 55

An attack where a limited user account is transformed into an account with greater privileges/powers/ access

Question 56

Key Performance and Risk Indicators

Answer 56

Security managers should also monitor key performance and risk indicators on an ongoing basis. The exact metrics they monitor will vary by organization but may include the following:

• Number of open vulnerabilities
• Time to resolve vulnerabilities
• Number of compromised accounts
• Number of software flaws detected in preproduction scanning & Repeat audit findings
• User attempts to visit known malicious sites

Question 57

Vulnerability scans

Answer 57

automatically probe systems, applications, and networks, looking for weaknesses that may be exploited

Question 58

Network discovery scanning

Answer 58

uses a variety of techniques to scan a range of IP addresses, searching for systems with open ports.

Question 59

TCP SYN Scanning

Answer 59

Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as “half-open” scanning.

Question 60

TCP Connect Scanning

Answer 60

Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.

Question 61

TCP ACK Scanning

Answer 61

Sends a packet with the ACK flag set, indicating that it is part of an open connection.

Question 62

Xmas Scanning

Answer 62

Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be “lit up like a Christmas tree,” leading to the scan’s name.

Question 63

Passive Scanning

Answer 63

user scan wireless to look for rogue devices in addition to IDS

Question 64

Bluetooth Scans

Answer 64

time consuming, many personal devices

• Active; strength of PIN, security mode
• Passive; only active connections, multiple visits

Question 65

Authenticated scans

Answer 65

read-only account to access config files

Question 66

Static Testing

Answer 66

evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.

Question 67

Dynamic Testing

Answer 67

evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications. Testing may include the use of synthetic transactions to verify system performance.

Question 68

Fuzz Testing

Answer 68

a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities. Often limited to simple errors, does find important, exploitable issues, don’t fully cover code

Question 69

Mutation (Dumb) Fuzzing

Answer 69

Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.

Question 70

Generational (Intelligent) Fuzzing

Answer 70

develops inputs based on models of expected inputs to perform the same task. The zzuf tool automates the process of mutation fuzzing by manipulating input according to user specifications.

Question 71

Misuse Case testing

Answer 71

Software testers use this process or abuse case testing to evaluate the vulnerability of their software to known risks.

Question 72

Misuse Case diagrams

Answer 72

threats and mitigate

Question 73

Test Coverage Analysis

Answer 73

method used to assess how well software testing covered the potential use of an application Interface testing - is an important part of the development of complex software systems. In many cases, multiple teams of developers work on different parts of a complex application that must function together to meet business objectives. The handoffs between these separately developed modules use well-defined interfaces so that the teams may work independently. Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.

Question 74

Application Programming Interfaces (APIs)

Answer 74

Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.

Question 75

User Interfaces (UIs)

Answer 75

Examples include graphic user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.

Question 76

Physical Interfaces

Answer 76

Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.

Question 77

Unit testing

Answer 77

testing small piece of software during a development stage by developers and quality assurance, ensures quality units are furnished for integration into final product

Question 78

Integration level testing

Answer 78

focus on transfer of data and control across a programs interfaces

Question 79

System level testing

Answer 79

demonstrates that all specified functionality exists and that the software product is trustworthy

Question 80

SAS 70

Answer 80

outdated 2011, based on ISAE 3402

Question 81

SOC Reports

Answer 81

service organization control report

Question 82

SOC-1

Answer 82

report, covers only internal controls over financial reporting. SSAE 16 is the same most common synonym SOC 1 - Finances

Question 83

SOC-2

Answer 83

(design and operational effectiveness) If you want to verify the security, integrity, privacy, and availability controls, in detail for business partners, auditors @security

Question 84

SOC-3

Answer 84

report; shared with broad community, website seal, support organizations claims about their ability to provide CIA

Type 1 – point in time covering design

Type 2 – period of time covering design and operating effectiveness

Question 85

Log Management System

Answer 85

volume of log data, network bandwidth, security of data, and amount of effort to analyze. NOT enough log sources

Question 86

OPSEC process

Answer 86

Understanding your day-to-day operations from the viewpoint of a competitor, enemy, or hacker and then developing and applying countermeasures.

Question 87

Pen-test

Answer 87

testing of network security as would a hacker do to find vulnerabilities. Always get management approval first

Question 88

Port scanner

Answer 88

program that attempts to determine whether any of a range of ports is open on a particular computer or device

Question 89

Ring zero

Answer 89

inner code of the operating system. Reserved for privileged instructions by the OS itself

Question 90

War dialer

Answer 90

dials a range of phone numbers as in the movie wargames

Question 91

Superzapping

Answer 91

system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data

Question 92

Operational assurance

Answer 92

Verification that a system is operating according to its security requirements
• Design & development reviews
• Formal modeling
• Security architecture
• ISO 9000 quality techniques
• Assurance – degree of confidence that the implemented security measures work as intended

Question 93

Piggybacking

Answer 93

when an unauthorized person goes through a door behind an authorized person.

Question 94

Tailgating

Answer 94

authorized person circumventing controls

Question 95

Supervisor mode

Answer 95

processes running in inner protected ring