Domain 6: Security Assessment and Testing

Question 1

Define security testing

Answer 1

Verifies that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security.

Question 2

Verification

Answer 2

Objective evidence that the design outputs of a phase of the SDLC meet requirements. This may be performed by a third party entity.

Question 3

Validation

Answer 3

Develop a “level of confidence” that the software meets all requirements and expectations, software improve over time.

Question 4

Network flow - Logging

Answer 4

Captured to provide insight into network traffic for security, troubleshooting, and performance management.

Question 5

Audit logging (network)

Answer 5

Provides information about events that have occurred, on routers/other network devices.

Question 6

NTP

Answer 6

Network Time Protocol.

Question 7

Why is accurate time important for an environment?

Answer 7

Logs must have accurate time stamps that these time stamps remain consistent throughout the environment. A common method is to set up an internal NTP server that is synchronised to a trusted time source such as a public NTP server. Other systems can then sychronise with this internal NTP server.

Question 8

Syslog

Answer 8

Message logging standard commonly used by network devices, Linux and Unix systems and other devices (firewalls).

Question 9

Modified logs are a sign of…

Answer 9

Intrusion or malicious intent.

Question 10

War driving

Answer 10

Driving a car with a laptop to find open AP’s

Question 11

IDS

Answer 11

Intrusion Detection Systems.

Question 12

What are the two types of IDS

Answer 12

1. Network Based

2. Host Based

Question 13

Network Based IDS

Answer 13

Detects intrusions on the LAN behind a firewall. It is a passive device while it acquires data and reviews packets and headers. However, the issue with NIDS is that it will not detect attacks by users logged into hosts.

Question 14

Host based IDS

Answer 14

Monitors servers through Event and System logs. However, it is only as good as the host logging created. However, it can be easier to discover and disable.

Question 15

Signature based method (AKA Knowledge based)

Answer 15

Attacks are compared with signature attack database

Question 16

Statistical anomaly based

Answer 16

Defines a normal behavior and detects abnormal behaviors

Question 17

Response Box

Answer 17

Is a part of an IDS that initiates an alarm or activity

Question 18

Response Box Components

Answer 18

Information source/sensor, centralised monitor software, data and event report analysis, database components and response to an event or intrusion

Question 19

IPS Intrusion Prevention System

Answer 19

Detect attack and PREVENT that attack from being successful

Question 20

Remote Acces Software

Answer 20

Granted and secured through VPNs

Question 21

Web Proxies

Answer 21

Form of gateway that provides clients with a filtering, caching, or other service that protects their information from remote systems.

Question 22

Vulnerability Management System

Answer 22

Such as Nessus, used to enable effective patch management strategy

Question 23

Authentication Servers

Answer 23

System that facilitates authentication of an entity, such as SSO servers

Question 24

Routers

Answer 24

Opens up data packet, reads hardware or network address and then forwards it to the correct network.

Question 25

Firewalls

Answer 25

Network device to analyse the network traffic entering and leaving a network.

Question 26

Clipping Level

Answer 26

Where companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious

Question 27

Audit Trails

Answer 27

A history of audit log events that may include transaction date/time, who processed the transaction, and at which terminal

Question 28

Breaches

Answer 28

Incident that results in disclosure or potential disclosure of data. It is about breaking the confidentiality of data.

Question 29

Availability of logs

Answer 29

Archival process to prevent loss by overwritten logs

Question 30

Log analysis

Answer 30

Study logs for events of interest.

Question 31

Log size

Answer 31

Set maximum size. If too small, attackers can make little changes and push them out of window

Question 32

Real User Monitoring

Answer 32

Aims to capture and analyse every transaction of a user

Question 33

Synthetic Performance Monitoring

Answer 33

Uses scripted or recorded data. Proactive monitoring involves having external agents run scripted transactions against a web application.

Question 34

Code Review

Answer 34

Foundation of software assessment programs. Other developers review code for defects.

Question 35

Fagan Inspections

Answer 35

Most formal code review process, which follows a rigorous review and testing process with six steps:

1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow-up

Question 36

Code Coverage Report

Answer 36

Information on the functions, statements, branches and conditions covered in testing.

Question 37

Use cases - test coverage

Answer 37

Used as part of test coverage calculation that divides the tested use case by total use cases.

Question 38

Code Review Report

Answer 38

Generated if the organisation was manually reviewing the application’s source code

Question 39

Black box testing

Answer 39

Observes the system’s external behavior, no internal detains known

Question 40

Dynamic Testing

Answer 40

Does not require access to source code, evaluates code in a runtime environment

Question 41

White box Testing

Answer 41

Detailed examination of a logical path, checking the possible conditions. Requires access to source code

Question 42

Static Testing

Answer 42

Requires access to source code, performs code analysis

Question 43

CVE

Answer 43

Common Vulnerability and Exposures Dictionary. The CVE dictionary provides a standard convention used to identify vulnerabilities, produced by MITRE.

Question 44

CVSS

Answer 44

Common Vulnerability Scoring System, metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, also to score vulnerabilities against unique requirements.

Question 45

NVD

Answer 45

National Vulnerability DB

Question 46

Compiled Code

Answer 46

Poses more risk than interpreted code because malicious code can be embedded in the compiled code and can be difficult to detect

Question 47

Regression Testing

Answer 47

Is the verification that what is being installed does not affect any portion of the application system already installed. It generally requires the support of automated process to repeat tests previously undertaken. Known inputs against an application then compares results to earlier version results

Question 48

Non Regression Testing

Answer 48

Code works as planned

Question 49

Code comparison

Answer 49

Normally used to identify the parts of the source code that have changed

Question 50

Integration Testing

Answer 50

Aimed at finding bugs in the relationship and interfaces between pairs of components. It does not normally test all functions

Question 51

Attack surface

Answer 51

Exposure

Question 52

STRIDE: Threat Modelling

Answer 52

Is often used in relation to assessing threats against applications, or OS’s, threat categorisation scheme, spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege

Question 53

Spoofing

Answer 53

An attack with the goal of gaining access to a target system through the use of falsified identity. Spoofing can be used against IP addresses, MAC address, usernames, system names, wireless network SSIDs, and other types of logical identification.

Question 54

Tampering

Answer 54

Any action resulting in the unauthorised changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.

Question 55

Repudiation

Answer 55

The ability for a user or attacker to deny having performed an activity

Question 56

Information disclosure

Answer 56

The revelation or distribution of private, confidential, or controlled information to external or unauthorised entities.

Question 57

Elevation of privilege

Answer 57

An attack where a limited user account is transformed into an account with greater privileges/powers/access.

Question 58

Examples of Security KPI’s

Answer 58

Number of open vulnerabilities, time to resolve vulnerabilities, number of compromised accounts, number of software flaws detected in pre-production scanning and repeat audit findings, and user attempts to visit known malicious sites.

Question 59

Vulnerability scans

Answer 59

Automatically probe systems, applications, and networks, looking for weaknesses that may be exploited

Question 60

Network discovery scanning

Answer 60

Uses a variety of techniques to scan a range of IP addresses, searching for systems with open ports.

Question 61

TCP SYN Scanning

Answer 61

Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as “half-open” scanning.

Question 62

TCP Connect Scanning

Answer 62

Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.

Question 63

TCP ACK Scanning

Answer 63

Sends a packet with the ACK flag set, indicating that it is part of an open connection

Question 64

Xmas Scanning

Answer 64

Sends a packet with the FIN, PSH, and URG flags set. Its like a christmas tree

Question 65

Passive Scanning

Answer 65

User scans wireless to look for rogue devices in addition to IDS

Question 66

Authenticated Scans

Answer 66

Read-only account to access config files

Question 67

Static Testing

Answer 67

Evaluates the security of software without running it by analysing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.

Question 68

Dynamic Testing

Answer 68

Evaluates the security of software in a runtime environment and is often the only option for organisations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of issues.

Question 69

Fuzz Testing

Answer 69

Specialised dynamic testing technique that provides many different types of inputs to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities.

Question 70

Mutation (Dumb) Fuzzing

Answer 70

Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. For example, it might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.

Question 71

Generational (Intelligent) Fuzzing

Answer 71

Develops inputs based on models of expected inputs to perform the same task. The zzuf tool automates the process of mutation fuzzing by manipulating input according to user specifications.

Question 72

Misuse Case Testing

Answer 72

Software testers use this process or abuse case testing to evaluate the vulnerability of their software to known risks.

Question 73

Test Coverage Analysis

Answer 73

Method used to assess how well software testing covered the potential use of an application

Question 74

Interface Testing

Answer 74

Interface testing includes the hand-offs between separately developed modules. Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.

Question 75

Types of Interface Testing

Answer 75

1. API Testing
2. UI Testing
3. Physical Interfaces

Question 76

API Testing

Answer 76

Testing of APIs to ensure that they enforce all security requirements.

Question 77

UI Testing

Answer 77

Review GUI to verify that they function properly

Question 78

Physical Interfaces

Answer 78

Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world.

Question 79

Unit Testing

Answer 79

Testing small pieces of software during a development stage by developers and QA. This ensures that quality units are furnished for integration into final product

Question 80

Integration Level Testing

Answer 80

Focus on transfer of data and control across a programs interfaces.

Question 81

System level testing

Answer 81

Demonstrates that all specified functionality exists and that the software product is trustworthy.

Question 82

SOC Reports

Answer 82

Service organisation control report.

Question 83

SOC 1 Report

Answer 83

Covers only internal controls over financial reporting.

Question 84

SOC 2 Report

Answer 84

Design and OE. This verifies the security, integrity, privacy and availability controls, in detail for business partners and auditors.

Question 85

SOC 3 Report

Answer 85

Shared with broader community, website seal. Supports organisations claims about their ability to provide CIA.
Type 1: Is a Point in Time covering design
Type 2: Period of time covering design and OE.

Question 86

Log Management System

Answer 86

Volume of log data, network bandwidth, security of data, and amount of effort to analyse. Not enough log sources

Question 87

OPSEC process

Answer 87

Understanding your day to day operations from the viewpoint of a competitor, enemy, or hacker and then developing and applying countermeasures.

Question 88

Penetration Teting

Answer 88

Testing of network security as would a hacker do to find vulnerabilities. Always get management approval first.

Question 89

Port Scanner

Answer 89

Program that attempts to determine whether any of a range of ports is open on a particular device.

Question 90

Ring Zero

Answer 90

Inner code of the OS. Reserved for privileged instructions by the OS itself

Question 91

War dialer

Answer 91

Dials a range of phone numbers as in the movie Wargames

Question 92

Superzapping

Answer 92

System utility or application that bypasses all access controls and audit/logging functions to make updates to code or data

Question 93

Operational assurance

Answer 93

Verification that a system is operating according to its security requirements. This includes:

• Design and development reviews
• Formal modeling
• Security architecture
• ISO 9000 quality techniques

Question 94

Piggybacking

Answer 94

When an unauthorised person goes through a door behind an authorised person

Question 95

Tailgating

Answer 95

Authorised person circumventing controls

Question 96

Supervisor mode

Answer 96

Processes running in inner protected ring