Domain 6: Security Assessment and Testing

Question 1

What are the three major component s of a security assessment program?

Answer 1

Security Tests, Security Assessments, Security Audits

Question 2

What do security tests do?

Answer 2

Verify that a control is functioning properly

Question 3

What are security assessments?

Answer 3

comprehensive reviews of the security of a system, application, or other environment

Question 4

What do security audits do?

Answer 4

evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party

Question 5

Three main categories of vulnerability scans

Answer 5

network discovery scans, network vulnerability scans, and web application vulnerability scans

Question 6

Network Activity Scanning

Answer 6

scan a range of IP addresses searching for open network ports

Question 7

TCP SYN Scanning

Answer 7

sends a single packet to each scanned port with a SYN flag set

Question 8

TCP Connect Scanning

Answer 8

opens a full connection

Question 9

TCP ACK Scanning

Answer 9

sends a ACK flag

Question 10

XMAS Scanning

Answer 10

sends FIN, PSH, and URG flags

Question 11

False Positive

Answer 11

reports a vulnerability when one does not exist

Question 12

False Negative

Answer 12

fails to report a vulnerability

Question 13

FTP Port

Answer 13

21

Question 14

SSH Port

Answer 14

22

Question 15

Telent

Answer 15

23

Question 16

SMTP

Answer 16

25

Question 17

DNS

Answer 17

53

Question 18

HTTP

Answer 18

80

Question 19

POP3

Answer 19

110

Question 20

NTP

Answer 20

123

Question 21

HTTPS

Answer 21

443

Question 22

MS SQL Server

Answer 22

1433

Question 23

Oracle

Answer 23

1521

Question 24

H.323

Answer 24

1720

Question 25

PPTP

Answer 25

1723

Question 26

RDP

Answer 26

3389

Question 27

Penetration Testing

Answer 27

attempts to exploit systems

Question 28

White Box Pen Testing

Answer 28

attackers have detailed information

Question 29

Black Box Pen Testing

Answer 29

attackers have no info

Question 30

Gray Box Pen Testing

Answer 30

attackers have partial knowledge

Question 31

Fagan Code Review 6 steps

Answer 31

Planning, Overview, Preparation, Inspection, Rework, and Follow up

Question 32

Static Testing

Answer 32

evaluates code without running it

Question 33

Dynamic Testing

Answer 33

evaluates code in a runtime environment

Question 34

Fuzz Testing

Answer 34

provides many different types of input to software to stress its limits

Question 35

Mutation (Dumb) Fuzzing

Answer 35

takes previous input, manipulates it, to create fuzzed input

Question 36

Generational (Intelligent) Fuzzing

Answer 36

develops data models and creates new fuzzed inputs

Question 37

Interface Testing

Answer 37

assess the performance of modules against the interface specs

Question 38

Application Programming Interfaces - APIs

Answer 38

standardized way for code to interact and be exposed to the outside world

Question 39

Three types of interfaces to test during SW testing

Answer 39

APIs, UIs, and Physical Interfaces

Question 40

User Interfaces (UIs)

Answer 40

GUIs and command line interfaces, provide end users with the ability to interact with the software

Question 41

Physical Interfaces

Answer 41

exist in apps that manipulate machinery, logic controllers and other objects in the physical world

Question 42

Test Coverage Analysis

Answer 42

estimate degree of testing conducted against new sw