Domain 6 Security Assessment and Testing Flashcards

1
Q

Which of the following would be the best reason for separating the test and development environments?

A

To control the stability of the test environment.

2
Q

Which of the following can be defined as the process of rerunning a portion of the test scenario or test plan to ensure that changes or corrections have not introduced new errors?

A

Regression testing

3
Q

Which of the following statements pertaining to software testing approaches is correct?

A

The test plan and results should be retained as part of the system’s permanent documentation.

4
Q

There are several types of penetration tests depending upon the scope, objective and nature of a test. Which of the following describes a penetration test where you attack and attempt to circumvent the controls of the targeted network from the outside, usually the Internet?

A

External Testing

For the CISA exam you should know the penetration test types listed below:

External Testing - Refers to attack and control circumvention attempts on a target's network perimeter from outside the target's system, usually the Internet.
Internal Testing - Refers to attack and control circumvention attempts on the target from within the perimeter. The objective is to identify what would occur if the external perimeter were successfully compromised and/or an authorized user from within the network wanted to compromise the security of a specific resource on the network.
Blind Testing - Refers to testing where the penetration tester is provided with limited or no knowledge of the target's information systems. Such testing is expensive, since the testers have to research the target and profile it based on publicly available information.
Double Blind Testing - An extension of blind testing in which the administrators and security staff at the target are also unaware of the test. Such testing can effectively evaluate the incident handling and response capability of the target and how well managed the environment is.
Targeted Testing - Refers to attack and control circumvention attempts on the target while both the target's IT team and the penetration testers are aware of the testing activities. Penetration testers are provided with information about the target and its network design. Additionally, they are provided with a limited-privilege user account to be used as a starting point to identify privilege escalation possibilities in the system.

5
Q

Which of the following statements correctly describes the difference between black box testing and white box testing?

A

Black box testing focuses on functional operating effectiveness, whereas white box testing assesses the effectiveness of software program logic.

For the exam you should know the types of testing listed below:

Alpha and Beta Testing - An alpha version is an early version of the application system submitted to internal users for testing. The alpha version may not contain all the features planned for the final version. Typically software goes through two stages of testing before it is considered finished. The first stage, alpha testing, is often performed only by users within the organization developing the software. The second stage, beta testing, is a form of user acceptance testing that generally involves a limited number of external users. Beta testing is the last stage of testing and normally involves real-world exposure: sending the beta version of the product to independent beta test sites or offering it free to interested users.
Pilot Testing - A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually run on an interim platform and with only basic functionality.
White Box Testing - Assesses the effectiveness of software program logic. Specifically, test data are used to determine procedural accuracy or the conditions of a program's specific logic paths. However, testing all possible logical paths in a large information system is not feasible and would be cost-prohibitive, so it is used on a selective basis only.
Black Box Testing - An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure. Applicable to integration and user acceptance testing.
Function/Validation Testing - Similar to system testing, but often used to test the functionality of the system against the detailed requirements, to ensure that the software that has been built is traceable to customer requirements.
Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.
Parallel Testing - The process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.
Sociability Testing - The purpose of these tests is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover not only the platform that will perform primary application processing and interface with other systems but, in client/server and web development, changes to the desktop environment. Multiple applications may run on the user's desktop, potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modifications, and possibly extra memory utilization.

6
Q

Once a penetration tester has gained a basic account on the system, what is his next step?

A

Escalate privileges

7
Q

Regarding software testing, which of the following is an advantage of using a bottom-up rather than a top-down approach?

A

Errors in critical modules are detected earlier.

8
Q

Which of the following tests makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems?

A

Security testing

9
Q

The server has been built, locked down, patched and scanned for baseline security, and there's another step you want to take to actively ensure it is resistant to attack and that the controls are performing as they should.

What could it be?

A

Penetration Test

10
Q

Which of the following is a penetration test where the penetration tester is provided with limited or no knowledge of the target system(s)?

A

Blind Testing

11
Q

Which of the following is the process of feeding test data into two systems, the modified system and an alternative system, and comparing the results?

A

Parallel Test

12
Q

What would a significant benefit be from conducting an unannounced penetration test?

A

The pen test would be a more realistic analysis of the target network

13
Q

One risk of being a penetration tester and security analyst is liability when things go wrong and something is damaged. What is a primary defense against such liability?

A

Insurance

14
Q

A zero-knowledge (also called black box) test is "blind":

A

the penetration tester begins with no external or trusted information, and begins the attack with public information only.

15
Q

A full-knowledge test (also called crystal-box)

A

provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers.

16
Q

Security Audit

A

A security audit is a test against a published standard.

e.g., organizations may be audited against PCI DSS.

17
Q

Security Assessments

A

Security assessments are a holistic approach to assessing the effectiveness of access control.

Security assessments view many controls across multiple domains, and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real world-effectiveness of administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits

18
Q

Static testing

A

tests the code passively; the code is not running.

This includes walkthroughs, syntax checking, and code reviews. Static analysis tools review the raw source code itself looking for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code.

19
Q

Dynamic testing

A

tests the code while executing it. With dynamic testing, security checks are performed while actually running or executing the code or application under review.

20
Q

White box software testing

A

gives the tester access to program source code, data structures, variables, etc.

21
Q

Black box testing

A

gives the tester no internal details: the software is treated as a black box that receives inputs.

22
Q

Synthetic transactions

A

or synthetic monitoring, involves building scripts or tools that simulate activities normally performed in an application.

Such runs establish expected norms for the performance of these transactions, and they can be automated to run on a periodic basis to ensure the application is still performing as expected.
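
The following is an added example of a synthetic transaction monitor; it is not code from the original deck. `FakeApp`, the dedicated `monitor` credential and the thresholds are constructed assumptions standing in for a real application driven over HTTP. The structure is what matters: a scripted workflow is run on a schedule, timed, checked for correctness, and compared against a baseline established from earlier healthy runs.

```python
"""Synthetic transaction monitor (added example, not from the original page)."""
import statistics
import time
from dataclasses import dataclass


class FakeApp:
    """Constructed stand-in for the application being monitored (not a real service)."""

    def __init__(self, delay_s=0.0, broken=False):
        self.delay_s = delay_s      # simulated latency per call
        self.broken = broken        # simulate a backend fault after login
        self._sessions = {}

    def login(self, user, password):
        time.sleep(self.delay_s)
        # Dedicated monitoring credential (assumption): never a real person's account.
        if (user, password) == ("monitor", "synthetic-only"):
            self._sessions[user] = f"tok-{user}"
            return self._sessions[user]
        return None

    def get_profile(self, token):
        time.sleep(self.delay_s)
        if self.broken or token not in self._sessions.values():
            return None
        return {"user": "monitor", "role": "reader"}


@dataclass
class Result:
    ok: bool
    latency_ms: float
    step: str   # the step that failed, or "done"


def run_transaction(app):
    """One scripted transaction: log in, fetch the profile, verify the content."""
    start = time.perf_counter()

    def elapsed_ms():
        return (time.perf_counter() - start) * 1000

    token = app.login("monitor", "synthetic-only")
    if token is None:
        return Result(False, elapsed_ms(), "login")
    profile = app.get_profile(token)
    if not profile or profile.get("user") != "monitor":
        return Result(False, elapsed_ms(), "get_profile")
    return Result(True, elapsed_ms(), "done")


def establish_baseline(latencies_ms, factor=3.0, floor_ms=5.0):
    """Expected norm from healthy runs: mean + factor * stdev, never below floor_ms."""
    mean = statistics.mean(latencies_ms)
    stdev = statistics.pstdev(latencies_ms)
    return max(mean + factor * stdev, floor_ms)


def evaluate(result, threshold_ms):
    """Classify one run: a failed step outranks a slow run, which outranks OK."""
    if not result.ok:
        return f"FAILED:{result.step}"
    if result.latency_ms > threshold_ms:
        return "SLOW"
    return "OK"


def monitor(app, threshold_ms, runs, interval_s=0.0):
    """Run the transaction on a fixed interval and return the status of each run."""
    statuses = []
    for _ in range(runs):
        statuses.append(evaluate(run_transaction(app), threshold_ms))
        time.sleep(interval_s)
    return statuses


if __name__ == "__main__":
    healthy = FakeApp()
    threshold = establish_baseline([run_transaction(healthy).latency_ms for _ in range(20)])
    print(f"threshold: {threshold:.2f} ms")
    print("healthy:", monitor(healthy, threshold, runs=3))
    print("slow:   ", monitor(FakeApp(delay_s=0.05), threshold, runs=1))
    print("broken: ", monitor(FakeApp(broken=True), threshold, runs=1))
```

Two design points carry over to real deployments: the monitor checks the content of the response, not just the status code, so a login page returned with HTTP 200 still counts as a failure; and the credential it uses is a dedicated low-privilege account, since the script and its secret will live on a scheduler outside the application's trust boundary.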

23
Q

Software Testing Levels

A

Unit Testing, Installation Testing, Integration Testing, Regression Testing, and Acceptance Testing

24
Q

Unit Testing:

A

Low-level tests of software components, such as functions, procedures or objects

25
Q

Installation Testing:

A

Testing software as it is installed and first operated

26
Q

Integration Testing:

A

Testing multiple software components as they are combined into a working system. Subsets may be tested incrementally, or, in Big Bang integration testing, all integrated software components are tested at once.

27
Q

Regression Testing:

A

Testing software after updates, modifications, or patches

28
Q

Acceptance Testing:

A

testing to ensure the software meets the customer’s operational requirements. When this testing is done directly by the customer, it is called User Acceptance Testing.

29
Q

Fuzzing (also called fuzz testing)

A

is a type of black box testing that submits random, malformed data as inputs into software programs to determine if they will crash. In practice most fuzzers mutate valid seed inputs rather than generating purely random data, and coverage-guided fuzzers use instrumentation feedback from the running program, which makes them grey-box rather than strictly black-box.
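
An added example of a small mutation-based fuzzer, not code from the original deck. `parse_config` is a constructed target with real, unintended crash paths; `ParseError` is the only exception it is documented to raise, so the harness treats any other exception as a crash. The seed inputs are constructed, and the RNG is seeded so a run is reproducible and a crashing input can be replayed.

```python
"""Mutation-based fuzzer (added example, not from the original page)."""
import random


class ParseError(Exception):
    """The target's documented failure mode."""


def parse_config(data: bytes) -> dict:
    """Constructed target: parses 'key=value' lines for the keys host and port."""
    text = data.decode("utf-8")             # crash 1: invalid UTF-8 is not caught
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, value = line.split("=", 1)     # crash 2: a line without '=' blows up
        key = key.strip()
        if key == "host":
            result["host"] = value.strip()
        elif key == "port":
            result["port"] = int(value)     # crash 3: a non-numeric port is not caught
        else:
            raise ParseError(f"unknown key {key!r}")
    return result


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, insert, delete, truncate."""
    buf = bytearray(data) or bytearray(b"\n")
    choice = rng.randrange(5)
    i = rng.randrange(len(buf))
    if choice == 0:
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        buf[i] = rng.randrange(256)
    elif choice == 2:
        buf.insert(i, rng.randrange(256))
    elif choice == 3:
        del buf[i]
    else:
        del buf[i:]
    return bytes(buf)


def fuzz(target, seeds, iterations, seed=0, max_mutations=4):
    """Feed mutated inputs to `target`; return {exception name: first crashing input}."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        data = rng.choice(seeds)
        for _ in range(rng.randint(1, max_mutations)):
            data = mutate(data, rng)
        try:
            target(data)
        except ParseError:
            continue                        # documented rejection: not a bug
        except Exception as exc:            # anything else is a crash worth reporting
            crashes.setdefault(type(exc).__name__, data)
    return crashes


def reproduces(target, data) -> bool:
    """Replay a saved input; True if it still crashes with something other than ParseError."""
    try:
        target(data)
    except ParseError:
        return False
    except Exception:
        return True
    return False


SEEDS = [b"host=example.test\nport=443\n", b"# comment\nhost=a\n"]  # constructed seeds

if __name__ == "__main__":
    for name, data in fuzz(parse_config, SEEDS, iterations=2000, seed=1).items():
        print(f"{name}: {data!r}  reproduces={reproduces(parse_config, data)}")
```

The crash oracle here is "any undocumented exception"; for native code the equivalent signal is a signal-terminated process or a sanitizer report. Keeping the first input per exception type and a replay function is the minimum needed to turn a fuzzing run into a bug report.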

30
Q

Combinatorial software testing

A

is a black-box testing method that seeks to identify and test all unique combinations of software inputs.
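
An added example of combinatorial testing, not code from the original deck. `authorize` is a constructed function under test with one deliberate bug that appears only for a particular three-way combination of inputs, and `policy` is the constructed oracle stating what it should return. The exhaustive test enumerates every unique combination; the greedy pairwise generator is the usual reduction applied when the full product is too large, and it covers every pair of values but may miss higher-order interactions like this one.

```python
"""Combinatorial testing: exhaustive vs pairwise (added example, not from the original page)."""
from itertools import combinations, product

PARAMS = {  # constructed input domains
    "role": ["admin", "user", "guest"],
    "method": ["GET", "PUT", "DELETE"],
    "owner": [True, False],
    "mfa": [True, False],
}


def policy(role, method, owner, mfa):
    """Oracle: the intended access-control rules."""
    if role == "admin":
        return method != "DELETE" or mfa      # admins need MFA to delete
    if role == "user":
        return method == "GET" or owner       # users may modify only what they own
    return method == "GET"                    # guests are read-only


def authorize(role, method, owner, mfa):
    """Function under test; wrong for (guest, DELETE, owner=True)."""
    if role == "admin":
        return method != "DELETE" or mfa
    if method == "GET":
        return True
    if role == "user":
        return owner
    return owner and method == "DELETE"       # BUG: guests can delete "their" resources


def exhaustive_cases(params):
    """Every unique combination of input values."""
    names = list(params)
    return [dict(zip(names, values)) for values in product(*params.values())]


def pairwise_cases(params):
    """Greedy pairwise cover: repeatedly pick the case covering the most uncovered value pairs."""
    names = list(params)
    candidates = list(product(*params.values()))
    uncovered = {
        (i, a, j, b)
        for i, j in combinations(range(len(names)), 2)
        for a in params[names[i]]
        for b in params[names[j]]
    }
    chosen = []
    while uncovered:
        def gain(row):
            return sum(1 for i, a, j, b in uncovered if row[i] == a and row[j] == b)
        best = max(candidates, key=gain)
        uncovered -= {p for p in uncovered if best[p[0]] == p[1] and best[p[2]] == p[3]}
        chosen.append(dict(zip(names, best)))
    return chosen


def run_cases(cases, fn, oracle):
    """Return the cases where `fn` disagrees with the oracle."""
    return [c for c in cases if fn(**c) != oracle(**c)]


if __name__ == "__main__":
    full = exhaustive_cases(PARAMS)
    pair = pairwise_cases(PARAMS)
    print(f"exhaustive: {len(full)} cases, failures: {run_cases(full, authorize, policy)}")
    print(f"pairwise:   {len(pair)} cases, failures: {run_cases(pair, authorize, policy)}")
```

For authorization logic the full product is usually small enough to run, and it is exactly the kind of code where a bug hides in one specific combination; pairwise reduction is a trade-off to make explicitly, not a default.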

31
Q

Misuse Case Testing

A

The idea of misuse case testing is to formally model, most likely using UML, how a security impact could be realized by an adversary abusing the application, and then to test those abuse paths.

32
Q

Test or code coverage analysis

A

attempts to identify the degree to which code testing applies to the entire application. The goal is to ensure there are no significant gaps where a lack of testing could allow for bugs or security issues to be present that otherwise should have been discovered.

33
Q

Interface Testing

A

Traditional interface testing within applications is primarily concerned with appropriate functionality being exposed across all the ways users can interact with the application.

34
Q

Which software testing level tests software after updates, modifications, or patches?

A

Regression testing

35
Q

What is a type of testing that submits random malformed data as inputs into software programs to determine if they will crash?

A

Fuzzing

36
Q

What type of software testing tests code passively?

A

Static testing

37
Q

What term describes a black-box testing method that seeks to identify and test all unique combinations of software inputs?

A

Combinatorial software testing

38
Q

What term describes a holistic approach for determining the effectiveness of access control, and has a broad scope?

A

Security assessment

39
Q

What type of penetration test will result in the most efficient use of time and hourly consultant expenses?

A

Full knowledge

40
Q

Syslog characteristics

A

Traditional syslog (RFC 3164) uses UDP, normally port 514
Data is sent in plaintext
Easily spoofed: UDP is connectionless and the protocol has no sender authentication, so the hostname field of a message is whatever the sender chose to write

Newer syslog (RFC 5424) also supports TCP and TLS transport (RFC 5425), which addresses the plaintext and spoofing weaknesses when it is deployed.
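
An added example, not code from the original deck, showing why UDP syslog is easy to spoof: the RFC 3164 message format and PRI encoding are from the RFC, while the host table, the forged message and the addresses are constructed for the example. The collector's only independent evidence is the UDP source address, so the check cross-references the claimed hostname against where the datagram actually came from.

```python
"""RFC 3164 syslog over UDP and a spoof check (added example, not from the original page)."""
import re
import socket

FACILITY_AUTH, SEVERITY_CRIT = 4, 2
# RFC 3164: PRI = facility * 8 + severity, then TIMESTAMP HOSTNAME TAG: CONTENT
_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def build_message(facility, severity, host, tag, content, timestamp="Oct 11 22:14:15"):
    """Anyone who can send a UDP datagram can put any hostname in this field."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag}: {content}".encode()


def parse_rfc3164(raw: bytes) -> dict:
    m = _LINE.match(raw.decode("utf-8", "replace"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m.group(1))
    tag, _, content = m.group(4).partition(":")
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group(2),
        "host": m.group(3),
        "tag": tag.strip(),
        "content": content.strip(),
    }


def spoof_indicators(parsed, src_ip, host_table):
    """Cross-check the claimed hostname against the UDP source address.

    `host_table` maps each known log source to the address it should send from
    (constructed for this example). Returns a list of reasons; empty means clean.
    """
    reasons = []
    expected = host_table.get(parsed["host"])
    if expected is None:
        reasons.append(f"unknown host {parsed['host']!r}")
    elif expected != src_ip:
        reasons.append(f"host {parsed['host']!r} expected from {expected}, got {src_ip}")
    return reasons


def send_udp(message: bytes, addr) -> None:
    """Plain UDP: no handshake, no authentication, no confidentiality."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, addr)


HOST_TABLE = {"dc01": "10.0.0.5", "fw01": "10.0.0.1"}  # constructed: host -> expected source

if __name__ == "__main__":
    # Loopback demonstration: a collector that trusts the hostname field sees "dc01".
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))
        forged = build_message(FACILITY_AUTH, SEVERITY_CRIT, "dc01", "sshd[1]",
                               "Accepted password for root from 10.0.0.99")
        send_udp(forged, collector.getsockname())
        data, (src_ip, _) = collector.recvfrom(2048)
    parsed = parse_rfc3164(data)
    print("claimed host:", parsed["host"], "| actual source:", src_ip)
    print("indicators:", spoof_indicators(parsed, src_ip, HOST_TABLE))
```

The source-address check raises the bar but does not close the hole: UDP source addresses can be forged too where anti-spoofing filtering is absent. The durable fix is the one the card's caveat names, a transport with authentication such as TLS (RFC 5425), or a relay that signs or tags messages before they reach the collector.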

41
Q

A network-based vulnerability assessment is a type of test also referred to as:

A

An active vulnerability assessment.

PASSIVE: You don't send any packets to, or otherwise interact with, the remote target. You make use of public databases and other techniques to gather information about your target.

ACTIVE: You do send packets to your target, attempting to stimulate responses that help you identify which hosts are alive, which services are running, port states, and more.

42
Q

Which of the following answers best describes the type of penetration testing where the analyst has full knowledge of the network to perform a test?

A

White-Box Penetration Testing

In general there are three ways a pen tester can test a target system:

  • White-Box: The tester has full knowledge of and access to the system, and is testing from inside it.
  • Gray-Box: The tester has partial knowledge of the system being tested.
  • Black-Box: The tester has no prior knowledge of the system.

43
Q

When you look at the results of one particular system, you see a few ports open on the system.
What is it that you are seeing in the nmap scan results of the remote system?

Why would these scan results appeal to a hacker?

A

Services being offered on the remote system
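
Cards 41 and 43 describe the same thing from two angles: an active assessment sends packets, and an open port is a service being offered. The following added example (not from the original deck) is a minimal TCP connect scanner of the kind `nmap -sT` performs, completing the handshake on each port and reading the banner where the service speaks first. `start_demo_service` is a constructed stand-in for a real network service so the example runs against loopback only.

```python
"""Active TCP connect scan against a loopback demo service (added example, not from the original page)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_demo_service(banner: bytes):
    """Listen on an ephemeral 127.0.0.1 port and send `banner` to every client.
    Returns (port, listening socket); pass the socket to stop_demo_service()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                      # listener shut down: stop serving
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_demo_service(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)      # wakes the accept() blocked in the serve thread
    except OSError:
        pass
    srv.close()


def probe(host: str, port: int, timeout: float = 1.0):
    """Full TCP connect; returns (port, banner) if open, None if closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)        # many services speak first (SSH, SMTP, FTP)
            except socket.timeout:
                banner = b""                # open but silent: needs a protocol-specific probe
            return port, banner.decode("ascii", "replace").strip()
    except OSError:                         # refused, timed out, unreachable
        return None


def scan(host: str, ports, workers: int = 32) -> dict:
    """Map each open port to its banner. This sends packets: it is an ACTIVE assessment."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda p: probe(host, p), ports))
    return {hit[0]: hit[1] for hit in hits if hit}


if __name__ == "__main__":
    port, srv = start_demo_service(b"SSH-2.0-OpenSSH_demo\r\n")
    try:
        found = scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        stop_demo_service(srv)
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {banner or '(no banner)'}")
```

A connect scan is the noisiest option: every open port sees a completed connection, and the demo service would log each one, which is exactly why an unannounced test of this kind exercises the target's detection as well as its exposure. The banner is what turns "port open" into "service offered", and a version string in it is the first thing an attacker matches against known vulnerabilities.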

44
Q

Which of the following is the process of repeating a portion of a test scenario or test plan to ensure that changes to the information system have not introduced any errors?

A

Regression Testing

45
Q

Which of the following statements correctly describes the difference between black box testing and white box testing?

A

Black box testing focuses on functional operating effectiveness, whereas white box testing assesses the effectiveness of software program logic.

46
Q

Which of the following answers best describes the type of penetration testing where the analyst has no knowledge of the network on which he is working?

A

Black-Box Penetration Testing

47
Q

BLACK BOX TESTING

A

also known as Behavioral Testing, is a software testing method in which the internal structure/design/implementation of the item being tested is not known to the tester. These tests can be functional or non-functional, though usually functional.

48
Q

Black box penetration testing

A

the penetration tester has no previous information about the target system.

49
Q

White box penetration testing, also known as clear box testing or glass box testing

A

A penetration testing approach that uses knowledge of the internals of the target system to design the test cases.

50
Q

White Box Testing

A

White box testing is the software testing method in which the internal structure of the software is known to the tester.

This type of testing is typically carried out by software developers.

51
Q

__________ is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another.

A

Interface testing
