Domain 6- Security Assessment and Testing Flashcards

1
Q

What is the difference between SSAE 16 Type I reports and SSAE 16 Type II reports?

A

The Statement on Standards for Attestation Engagements document 16 (SSAE 16), titled “Reporting on Controls”, provides a common standard to be used by auditors performing assessments of service organizations with the intent of allowing the organization to conduct an external assessment. Type I reports provide a description of controls provided by the audited organization as well as the auditor’s opinion based upon the description. Type II reports cover a minimum 6-month time period and also include an opinion from the auditor on the effectiveness of those controls based upon actual testing performed by the auditor.

2
Q

What does NIST’s Security Content Automation Protocol do?

A

SCAP provides the security community with a common set of standards that give a common language for describing and evaluating vulnerabilities. SCAP includes the following components:

1) Common Vulnerabilities and Exposures (CVE)
2) Common Vulnerability Scoring System (CVSS)
3) Common Configuration Enumeration (CCE)
4) Common Platform Enumeration (CPE)
5) Extensible Configuration Checklist Description Format (XCCDF)
6) Open Vulnerability and Assessment Language (OVAL)

3
Q

Which TCP port number is FTP?

A

20/21

4
Q

Which TCP port number is SSH?

A

22

5
Q

Which TCP port number is Telnet?

A

23

6
Q

Which TCP port number is SMTP?

A

25

7
Q

Which TCP port number is DNS?

A

53

8
Q

Which TCP port number is HTTP?

A

80

9
Q

Which TCP port number is POP3?

A

110

10
Q

Which TCP port number is NTP?

A

123

11
Q

Which TCP port numbers are used for Windows File Sharing?

A

135, 137-139, 445

12
Q

Which TCP port number is HTTPS?

A

443

13
Q

Which TCP port number is LPR/LPD?

A

515

14
Q

Which TCP port number is Microsoft SQL Server?

A

1433/1434

15
Q

Which TCP port number is Oracle?

A

1521

16
Q

Which TCP port number is H.323?

A

1720

17
Q

Which TCP port number is PPTP?

A

1723

18
Q

Which TCP port number is RDP?

A

3389

19
Q

Which TCP port number is HP JetDirect Printing?

A

9100

20
Q
Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker's perspective on the scan. Which one of the following results is the greatest cause for alarm?
A) 80/open
B) 22/filtered
C) 443/open
D) 1433/open
A

D) Only open ports represent potentially significant security risks. Ports 80 and 443 are expected to be open on a web server. Port 1433 is a database port and should never be exposed to an external network.

21
Q
Beth would like to run an nmap scan against all of the systems on her organization's private network. These include systems in the 10.0.0.0 private address space. She would like to scan this entire private address space because she is not certain what subnets are used. What network address should Beth specify as the target of her scan?
A)10.0.0.0/0
B) 10.0.0.0/8
C) 10.0.0.0/16
D) 10.0.0.0/24
A

B) The use of an 8-bit subnet mask means that the first octet of the IP address represents the network address. In this case, that means 10.0.0.0/8 will scan any IP address beginning with 10.

22
Q
What port is used to accept administrative connections using the SSH utility? 
A) 20 
B) 22
C) 25
D) 80
A

B) The SSH protocol uses port 22 to accept administrative connections to a server.

23
Q
Which one of the following tests provides the most accurate and detailed information about the security state of a server? 
A) Unauthenticated scan
B) Port scan
C) Half-open scan
D) Authenticated scan
A

D) Authenticated scans can read configuration information from the target system and reduce the instances of false positive and false negative reports.

24
Q

According to PCI DSS, how often must a subjected company rescan web applications?

A

PCI DSS requires that subjected organizations rescan applications at least annually, and after any change to the application.

25
Q
Which of the following is a method used to design new software tests and ensure the quality of tests? 
A) Code auditing 
B) Static code analysis 
C) Regression testing 
D) Mutation Testing
A

D) Mutation testing modifies a program in small ways and then tests that mutant to determine whether it behaves as it should or fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.

26
Q
During a port scan, Scott found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port? 
A) zzuf
B) Nikto
C) Metasploit
D) sqlmap
A

B) TCP port 443 normally indicates an HTTPS server. Nikto is a useful tool for vulnerability scanning web servers and applications and is the best choice listed for a web server. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans.

27
Q
What message logging standard is commonly used by network devices, Linux, and Unix systems, and many other enterprise devices? 
A) Syslog
B) Netlog
C) Eventlog
D) Remote Log Protocol (RLP)
A

A) Syslog is a widely used protocol for event and message logging. Eventlog, Netlog, and RLP are all made-up terms.

28
Q

Scott needs to scan a system for vulnerabilities, and he wants to use an open-source tool to test the system remotely. Which of the following tools will meet his requirements and allow vulnerability scanning?

A) Nmap
B) OpenVAS
C) MBSA
D) Nessus

A

B) OpenVAS is an open-source vulnerability scanning tool that will provide Scott with a report of the vulnerabilities that it can help identify from a remote, network-based scan. Nmap is an open-source port scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed-source tools.

29
Q

Scott is performing port scanning of a system, and he receives an “open” status message. What does that mean?

A

The port is accessible on the remote system and an application is accepting the connections on that port.

30
Q

Scott is performing port scanning of a system, and he receives a “closed” status message. What does that mean?

A

The port is accessible on the remote system, but no application is accepting connections on that port.

31
Q

Scott is performing port scanning of a system, and he receives a “filtered” status message. What does that mean?

A

The port is not accessible on the remote system.

32
Q
During a wireless network pen test, Scott runs aircrack-ng against the network using a password file. What might cause him to fail in his password cracking efforts?
A) Use of WPA2 encryption
B) Running WPA2 in Enterprise mode
C) Use of WEP
D) Running WPA2 in PSK mode
A

B) WPA2 Enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail, as password attempts for a given user may result in account lockout. WPA2 encryption will not stop a password attack, and WPA2 preshared key mode is specifically targeted by password attacks that attempt to find the key.

33
Q

Which of the following is not a potential problem with active wireless scanning?
A) Accidentally scanning apparent rogue devices that actually belong to guests
B) Causing alarms on the organization’s wireless IPS
C) Scanning devices that belong to nearby organizations
D) Misidentifying rogue devices

A

B) Not only should active scanning be expected to cause wireless IPS alarms, but they may actually be desired if the test is done to test responses. Accidentally scanning guests or neighbors or misidentifying devices belonging to third parties are all potential problems with active scanning and require the security assessor to carefully verify the systems that she is scanning.

34
Q
Ben uses a fuzzing tool that tests an application by developing data models and creating fuzzed data based on information about how the application uses data. What type of fuzzing is Ben doing? 
A) Mutation 
B) Parametric
C) Generational
D) Derivative
A

C) Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information. Mutation-based fuzzers are sometimes called “dumb fuzzers” because they simply modify existing data samples to create new test samples. Neither parametric nor derivative are terms used to describe types of fuzzers.

35
Q
Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis? 
A) Audit logging
B) Flow logging
C) Trace logging
D) Route logging
A

B) Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform functions.

36
Q

What is MTD verification?

A

Mean tolerable downtime

37
Q
During normal operations, Jennifer's team uses the SIEM appliance to monitor for exceptions received via syslog. Which system shown does not natively have support for syslog events?
A) Enterprise wireless access points 
B) Windows desktop systems 
C) Linux web servers
D) Enterprise firewall devices
A

B) Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.

38
Q
Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner? 
A) Path disclosure
B) Local file inclusion 
C) Race condition 
D) Buffer overflow
A

C) Path disclosures, local file inclusion, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or by using automated tools that specifically test for race conditions as part of software testing.

39
Q

Which tool scans a system for available services and then connects to them to collect banner information to determine what version of the service is running? It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE information.

A) Port scanner
B) Service Validator
C) Vulnerability scanner
D) Patch management tool

A

C) Vulnerability scanners that do not have administrative rights to access a machine or that are not using an agent scan remote machines to gather information, including fingerprints from responses to queries and connections, banner information from services, and related data.

40
Q
Emily builds a script that sends data to a web application that she is testing. Each time the script runs, it sends a series of transactions with data that fits the expected requirements of the web application to verify that it responds to typical customer behavior. What type of transactions is she using, and what type of test is this? 
A) Synthetic, passive monitoring
B) Synthetic, Use case testing
C) Actual, dynamic monitoring
D) Actual, fuzzing
A

B) Emily is using synthetic transactions, which can use recorded or generated transactions, and is conducting use case testing to verify that the application responds properly to actual use cases. Neither actual data nor dynamic monitoring is an industry term.

41
Q
What passive monitoring technique records all user interaction with an application or website to ensure quality and performance? 
A) Client / Server testing
B) Real user monitoring
C) Synthetic user monitoring 
D) Passive user recording
A

B) Real user monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. RUM is often used as part of a predeployment process using the actual user interface.

42
Q
Angela wants to test a web browser's handling of unexpected data using an automated tool. What tool should she choose? 
A) Nmap
B) zzuf
C) Nessus 
D) Nikto
A

B) zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with tools like web browsers, image viewers, and similar software by modifying network and file input to applications.

43
Q

Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?
A) It can help identify rogue devices
B) It can test the security of the wireless network via scripted attacks.
C) Their short dwell time on each wireless channel can allow them to capture more packets.
D) They can help wireless IDS or IPS systems.

A

A) Passive scanning helps identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware addresses, and by monitoring SSIDs or connections.

44
Q

During a pentest, Scott is asked to test the organization's Bluetooth security. Which of the following is not a concern that he should explain to employers?
A) May be time consuming
B) May scan personal devices
C) Passive scans may require multiple visits at different times to identify all targets
D) Active scans can’t evaluate the security mode of Bluetooth devices

A

D) Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in.

45
Q
What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes? 
A) Nonregression testing
B) Evolution testing
C) Smoke testing
D) Regression testing
A

D) Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues.

46
Q
Which of the following tools cannot identify a target's operating system for a penetration tester?
A) Nmap
B) Nessus
C) Nikto
D) SQLMAP
A

D) Nmap, Nessus, and Nikto all have OS fingerprinting or other operating system identification capabilities. SQLmap is designed to perform automated detection and testing of SQL injection flaws and does not provide OS detection.

47
Q

What major difference separates synthetic and passive monitoring?
A) Synthetic monitoring only works after problems have occurred
B) Passive monitoring cannot detect functionality issues
C) Passive monitoring only works after problems have occurred.
D) Synthetic monitoring cannot detect functionality issues.

A

C) Passive monitoring only works after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic and thus can be used to proactively identify problems. Both can be used to detect functionality issues.

48
Q
Which of the following is not an interface type that is typically tested during the software testing process?
A) APIs
B) Network interfaces
C) UIs
D) Physical interfaces
A

B) Network interfaces are not part of the list that are typically tested in software testing.

49
Q
Misconfigurations, logical and functional flaws, and poor programming practices are all causes of what common security issues? 
A) Fuzzing
B) Security vulnerabilities 
C) Buffer overflows
D) Race conditions
A

B) Security vulnerabilities can be created by misconfigurations, logical or functional design or implementation issues, or poor programming practices.

50
Q

Which of the following strategies is not a reasonable approach for remediating a vulnerability identified by a vulnerability scanner?
A) Install a patch
B) Use a workaround fix
C) Update the banner or version number
D) Use an application layer firewall or IPS to prevent attacks against the identified vulnerability

A

C) Simply updating the version that an application reports may stop the vulnerability scanner from flagging it, but it won’t fix the underlying issue. Patching, using workarounds, or installing an application layer firewall or IPS can all help remediate or limit the impact of the vulnerability.

51
Q

Match the following:

1) Scanning types
A) TCP Connect
B) TCP ACK
C) TCP SYN
D) Xmas

2) Scanning descriptions
A) Sends a request to open a new connection
B) Completes a three-way handshake
C) Sends a packet disguised as part of an active control.
D) Sends a packet with the FIN, PSH, and URG flags set

A

A) B
B) C
C) A
D) D

52
Q

Which of the following best describes a typical process for building and implementing a security continuous monitoring program as described by NIST SP 800-137?

A) Define, establish, implement, analyze and report, respond, review, and update
B) Design, build, operate, analyze, respond, review, revise
C) Prepare, detect and analyze, contain, respond, recover, report
D) Define, design, build, monitor, analyze, react, revise

A

A) Define, establish, implement, analyze and report, respond, review, and update

53
Q

True or False: Static program reviews are typically performed by an automated tool.

A

True

54
Q
As part of the continued testing of their new app, Susan's QA team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?
A) Test coverage report 
B) Penetration test report 
C) Code coverage report 
D) Line coverage report
A

A) A test coverage report measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases.

55
Q
Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next? 
A) Patching
B) Reporting
C) Remediation
D) Validation
A

D) Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Remediation only occurs once the vulnerability is confirmed.

56
Q
During a port scan of his network, Scott finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Scott likely discovering?
A) Web servers
B) File servers
C) Wireless Access Points
D) Printers
A

D) Network-enabled printers often provide services via TCP 515 and 9100, and have both nonsecure and secure web-enabled management interfaces on TCP 80 and 443. Web servers, access points, and file servers would not provide services on the LPR and LPD ports (515 and 9100).

57
Q
Place the following elements of a Fagan inspection code review in the correct order.
A) Follow-up
B) Inspection 
C) Overview
D) Planning
E) Preparation 
F) Rework
A

D) Planning, C) Overview, E) Preparation, B) Inspection, F) Rework, A) Follow-up

58
Q
Scott is designing his organization's log management system and knows that he needs to carefully plan to handle the organization's log data. Which of the following is not a factor that Jim should be concerned with? 
A) Volume of log data 
B) Lack of sufficient log sources
C) Data storage security requirements
D) Network bandwidth
A

B) Not having enough log sources is not a key consideration in log management system design, although it may be a worry for security managers who can’t capture the data they need.

59
Q
When a Windows system is rebooted, what type of log entry is generated?
A) Error
B) Warning
C) Information
D) Failure audit
A

C) Rebooting a Windows machine results in an information log entry. Windows defines 5 types of events: errors, which indicate a significant problem; warnings, which may indicate future problems; information, which records successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.

60
Q
What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?
A) Authenticated Scans
B) Web application scans
C) Unauthenticated scans
D) Port scans
A

A) Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application, unauthenticated scans, and port scans don’t have access to configuration files unless they are inadvertently exposed.

61
Q
Ryan is considering the use of fuzz testing in his web application testing program. Which one of the following statements about fuzz testing should Ryan consider when making his decision?
A) Fuzzers only find complex faults
B) Testers must manually generate input
C) Fuzzers may not fully cover the code
D) Fuzzers can't reproduce
A

C) Fuzz testers are capable of automatically generating input sequences to test an application. Therefore, testers do not need to manually generate input, although they may need to do so if they wish.

62
Q
Ken is designing a testing process for software developed by his team. He is designing a test that verifies that every line of code was executed during the test. What type of analysis is Ken performing? 
A) Branch coverage 
B) Condition coverage 
C) Function coverage 
D) Statement coverage
A

D) Statement coverage tests verify that every line of code was executed during the test. Branch coverage verifies that every if statement was executed under all if and else conditions. Condition coverage verifies that every logical test in the code was executed under all sets of inputs. Function coverage verifies that every function in the code was called and returns results.

63
Q

Saria needs to write an RFP for code review and wants to ensure that the reviewers take the business logic behind her organization’s application into account. What type of code review should she specify in the RFP?

A

C) Manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code. Fuzzing, dynamic, and static code review can all find bugs that manual code review might not but won’t take the intent of the programmers into account.

64
Q
What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigates and threatens? 
A) Threat trees 
B) STRIDE charts
C) Misuse case diagrams
D) DREAD diagrams
A

C) Misuse case diagrams use language beyond typical use case diagrams, including threatens and mitigates.

65
Q
What is the first step that should occur before a penetration test is performed? 
A) Data gathering 
B) Port Scanning
C) Getting permission 
D) Planning
A

C) The most important first step is getting permission. Once permission has been received, planning, data gathering, and then elements of the actual test like port scanning can commence.

66
Q

Nmap is an example of what type of tool?

A) Vulnerability scanner
B) Web application fuzzer
C) Network design and layout
D) Port scanner

A

D) Nmap is a very popular open-source port scanner. Nmap is not a vulnerability scanner, nor is it a web application fuzzer.

67
Q

NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?

A) Discovery
B) Gain access
C) Escalating privileges
D) System browsing

A

B) Once additional tools have been installed, a penetration tester will typically use them to gain additional access. From there they can escalate privileges, search for new targets or data, and once again install more tools to allow them to pivot further into infrastructure or systems.