Domain 6: Security Assessment and Testing 12%

Question 1

Static testing

Answer 1

we passively test the code, we do not run it. Walkthroughs, syntax checking, and code reviews.

Question 2

Dynamic Testing

Answer 2

We test code while executing it.

Question 3

Fuzzing (Fuzz Testing)

Answer 3

A black box testing that submits random, malformed data as inputs into software programs to determine if they will crash.

Question 4

Penetration Testing (Pen Testing)

Answer 4

We pay someone to test our security by trying to compromise our safeguards. This is testing both our orgs physical and logical perimeter.

Question 5

Synthetic Transactions/monitoring

Answer 5

building scripts or tools that simulate normal user activity in an application.

Question 6

Security Assessments

Answer 6

A full pic approach to assessing how effective our access cntrls are, they have a very broad scope.
Policies, procedures, and other admin cntrls. Assessing the real, wrld-effectiveness of admin cntrls. Change management, architectural review, penetration tests, vulner assessments, security audits.

Question 7

Security audit

Answer 7

a test against a published standard. Purpose is to validate/verify that an org meets the requirements as stated in the pub standards.

Question 8

SOC 2 Type 1

Answer 8

report on management’s descript of a service orgs sys and the suitability of the dsign of controls.

Question 9

SOC 2 Type 2

Answer 9

report on managment’s descript of a service orgs sys and the suitability of the design and operating effectiveness of controls.

Question 10

Structured audits (3rd prty)

Answer 10

Ext auditors who validate our compliance, they are experts and the audit adds credibility. Can also be a knowledge transfer for the org, req annlly in many orgs.

Question 11

Unstructured audits

Answer 11

Int auditors to improve our security and find flaws, oftn done before an ext audit

Question 12

Security Audit Logs

Answer 12

Reviewing security audit logs in an IT system is one of the easiest ways to verify that access cntrl mechanisms are wrking as intended. Reviewing audit logs is primarily a detective cntrl.

Question 13

NIST Special Pub 800-92

Answer 13

suggests the following log types should be collected and audited.

Question 14

Network Security Software/Hardware

Answer 14

Antivirus logs, IDS/IPS logs, remote access software (VPN logs), web proxy, vulnerability managment, authn srvrs, routers and firewalls.

Question 15

OS

Answer 15

System events, audit rcds, app, client requests, srvr responses, usage info, segnfcnt operational actions

Question 16

Centralized Logging

Answer 16

Should be automated, secure and even admins should have limited access. Often a cntral repository is hashed and never touched, and a 2nd copy is analyzed to ensure integrity. Logs shold have retention policy.

Question 17

Audit record management typically faces 5 distinct prblms

Answer 17

1. Log are nto reviewed on a regular and timely basis. 2 Audit los and audit trails are not stored for a long enough time period. Logs are not standardized or viewable by correlation toolsets. Log entries and alerts are not prioritized. Audit records are only reviewed for the bad stuff.

Question 18

Vulnerability scanning/testing

Answer 18

is used to scan network or sys for a list of predefined vulner such as sys misconfig, outdated sftwr, or a lack of patching. Risk = Threat x Vulnerability. Common vulner scnners cld be Nessus or OpenVAS

Question 19

Penetration Testing

Answer 19

often called Ethical Hacking. Test if the vulnerabilities are exploitable. *Very clear rules of engagement defined in a SOW. Which IP ranges, time frame, tools, POC, how to test, wehat to test. Confirm with Legal team before hiring Pen Testers, even if you allow it what they do may still be illegal. Senior management set the goals for the Pen testing. Pen testers are there to test and document the vulerabilities, not to fix them. Provide the report to senior management and the decide which vuln they want to address. Use multiple attack vectors and Pen testing uses an iterative process that is similar to the Agile project planning.

Question 20

Penetration Testing

Answer 20

1. Discovery (planning). 2 Gaining access. 3 Escalate Privileges. 4 Sys Browsing. 5 Install Additional tools

Question 21

Black box Pen testing

Answer 21

Zero Knowledge about the org other than publicly avail info.

Question 22

White box (Crystal/Clear) Pen testing

Answer 22

Full knowledge. Attacker has knowledge of the internal network and access to it like a privildged employee would. Normally admin access employee with full knowledge of our enviroment.

Question 23

Gray (Grey box)

Answer 23

Partial Knowledge, limited enviroment knowledge

Question 24

White hat hackers

Answer 24

Pro Pent Tester typing to find flaws so we can fix it (Ethical Hackers)

Question 25

Black hat hackers

Answer 25

malicious hackers, trying to find flaws to exploit them

Question 26

Gray/Grey hat hackers

Answer 26

They are somewhere btwn the white/black hats.

Question 27

Social engineering Authority

Answer 27

uses people skills to bypass security controls. Authority- look and sound like an authority figure, be in charge, uniform or a suit,

Question 28

Social engineering Intimidation

Answer 28

(if you don’t bad thing happens) virus on the network, CC compromised, lawsuit against your cmpny

Question 29

Social engineering Consensus

Answer 29

following the crowd

Question 30

Social engineering Scarcity

Answer 30

If you don’t act now, it is too late

Question 31

Social engineering Urgency

Answer 31

It has to happen now or else

Question 32

Social engineering Familiarity

Answer 32

Have a common ground, or build it

Question 33

War dialing

Answer 33

attacker uses modem to dial a series of phone #’s, looking for an answering modem carrier tone, then attempt to access the sys.

Question 34

War driving (AP mapping)

Answer 34

driving or walking around, mapping ap’s and trying to gain access to them.

Question 35

Network attacks

Answer 35

client-side attacks, server-side attacks, or Web app attacks.

Question 36

Wireless tests

Answer 36

evaluate the risk related to potential access to your wireless network. Uses the pwd comb & sniffing technique for cracking unsecured wireless network, so proper setup is required for making the whole process semi-automated/automated.

Question 37

TM/RTM (Requirements Traceability Matrix)

Answer 37

Normally a table, used to map customer req to the testing plan using a many-tomany relaionship comparison.

Question 38

Unit testing

Answer 38

tests that verify the functionality of a specific section of code.

Question 39

Integration testing

Answer 39

Seeks to verify the interfaces between components against a software design.

Question 40

Component interface testing

Answer 40

Testing can be used to check the handling the data passed btwn various units, or subsys components, beyond full integration testing btwn those units.

Question 41

Operational acceptance

Answer 41

Used to conduct oper readiness (pre-release) of a product, service or sys as part of a quality management system.

Question 42

Installation testing

Answer 42

assures that the sys is installed correctly and working at actual customer’s hardware

Question 43

Regression testing

Answer 43

finding defects after a major code change has occurred.

Question 44

Fuzzing (Fuzz testing)

Answer 44

Testing that provides a lot of different inputs in order to try to cause unautho access or for the app to enter unpredictable state or crash.

Question 45

Mutating fuzzing

Answer 45

the tester analyses real info and modify it iteratively.

Question 46

All-pairs testing (Pairwise testing)

Answer 46

is defined as A black-box test design technique in which test cases are designed to execute all possible discrete comb of each pair of input parameters. The most common bus in a program are generally triggered by either a single input parameter or an inter btw pairs of parameters.

Question 47

Misuse Case Testing

Answer 47

Executing a malicious act against a system, attackers won’t do what normal users would, we need to test misuse to ensure our application or software is safe.

Question 48

Test Coverage Analysis

Answer 48

Ids how much of the code was tested in relation to the entire app. To ensure there are no significant gaps where a lack of testing could allow for bugs or security issues to be present that otherwise should have been discovered.

Question 49

Risk

Answer 49

= Threat x Vulnerability