Domain 6: Security Assessment and Testing Flashcards
Audit
An audit is a systematic assessment of the security controls of an information system.
What is the most important step in planning a security audit?
Setting a clear set of goals
Pros and cons of internal audits
Internal audits benefit from the auditors’ familiarity with the systems.
They may be hindered by a lack of exposure to how others attack and defend systems.
External audits
External audits happen when organizations have a contract in place that includes security provisions.
The contracting party can demand to audit the contractor to ensure those provisions are being met.
Pros and cons of third-party audits
Third-party audits typically bring a much broader background of experience that can provide fresh insights.
They can be expensive.
Test coverage
Test coverage is a measure of how much of a system is examined by a specific test (or group of tests).
Vulnerability test
A vulnerability test is an examination of a system for the purpose of identifying, defining, and ranking its vulnerabilities.
Black box testing
Black box testing treats the system being tested as completely opaque.
White box testing
White box testing affords the auditor complete knowledge of the inner workings of the system even before the first scan is performed.
Gray box testing
Gray box testing gives the auditor some but not all information about the internal workings of the system.
Penetration testing
Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner.
Blind test
A blind test is one in which the assessors only have publicly available data to work with and the network security staff is aware that the testing will occur.
Double-blind test
A double-blind test (stealth assessment) is a blind test in which the network security staff is not notified that testing will occur.
War dialing
War dialing allows attackers and administrators to dial large blocks of phone numbers in search of available modems.
Log review
A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls.
Synthetic transactions
Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services.
Misuse case
A misuse case is a use case that includes threat actors and the tasks they want to perform on the system.
Code Review
A code review is a systematic examination of the instructions that comprise a piece of software performed by someone other than the author of that code.
Interface testing
Interface testing is the systematic evaluation of a given set of exchange points for data between systems and/or users.
How are administrative controls implemented?
Administrative controls are implemented primarily through policies or procedures.
BCP
A business continuity plan (BCP) ensures that the critical business processes of an organization remain uninterrupted or are quickly restored after a serious event.
DRP
A disaster recovery plan (DRP) ensures that the information systems supporting critical business processes remain operational or are quickly restored in the event of a disaster.
Security training
Security training is the process of teaching a skill or set of skills that will allow people to better perform specific functions.
Security awareness training
Security awareness training is the process of exposing people to security issues so that they may be able to recognize them and better respond to them.
Social Engineering
Social engineering in the context of information security is the process of manipulating individuals so that they perform actions that violate security protocols.
Phishing
Phishing is social engineering conducted through a digital communication.
Drive-by download
A drive-by download is an automatic attack that is triggered simply by visiting a malicious website.
KPI
Key performance indicators (KPIs) measure the effectiveness of an organization in performing a given task at a given point in time.
KRI
Key risk indicators (KRIs) measure the risk inherent in performing a given action or set of actions.
Management review
A management review is a formal meeting in which senior organizational leaders determine whether the information security management systems are effectively accomplishing their goals.
What kind of testing is used to determine if program changes have introduced new errors?
Regression testing
Regression testing is the verification that what is being changed and installed does not affect any portion of the system already installed.
Regression testing is software testing that seeks to uncover software errors by partially retesting a modified program. The intent of regression testing is to provide a general assurance that no additional errors were introduced in the process of fixing other problems.
When a system development project is in the middle of the programming coding phase, what is the MOST frequent type of test?
Unit testing
Unit tests are used to ensure that individual programs are working correctly.
This type of test should occur during the programming phase. The development team should have mechanisms in place for the running of unit tests. The other alternatives happen later in the development and testing phases.
True or False - Logging both successful and unsuccessful events is not necessarily important because logging unsuccessful attempts may not reveal unauthorized access attempts.
False
Logging successful and unsuccessful events is equally important because both may reveal unauthorized access or an unauthorized escalation of access rights.
True or False - Known and unknown vulnerabilities can be identified on a host through the use of a vulnerability scanner.
False
A vulnerability scanner is software intended to explore and map known security weaknesses in applications, systems, and networks.
When an organization has a large number of privileged users, is it necessary to periodically re-certify them?
Yes. Privileged users should always be re-certified as a way of securing the environment and identifying any fraudulent activity.
It is never a good idea to set systems and user access levels to a privileged default level.
What is Real User Monitoring?
Monitoring that examines every transaction of every real user on a website.
What are the general types of penetration tests?
- Internal
- External
- Wireless
Are logs reviewed as part of a Physical Security Assessment?
Yes. Access logs of physical controls should be assessed as part of a physical audit.
To what does the term “footprinting” refer?
Footprinting (also called reconnaissance) is a method used by an attacker to learn information about a victim before actually carrying out scanning and probing activity.
What is Synthetic Performance Monitoring?
Monitoring system performance using automated scripts rather than real users.
Collecting data so a system can be monitored is known as:
Logging
Logs can be used for audit, troubleshooting, and research.
What is the difference between a penetration test and a vulnerability test?
Vulnerability scans are comprehensive tests that check for numerous potential security weaknesses in a system and report them.
Penetration tests are specific tests that demonstrate how existing vulnerabilities can be exploited using attacker techniques.
Penetration testing can be used in conjunction with vulnerability scanning, but neither can replace the other.
What tasks should be carried out before a vulnerability assessment or penetration test is started?
- Have management’s approval
- Understand the goals of the operation
- Be able to identify the resources being tested
What is a Key Performance Indicator?
An interpretation of one or more metrics that describes an element of an Information Security Management System.