Domain 6 - Security Assessment and Testing

Question 1

Verifies that a control is function properly

Answer 1

Security Testing

Question 2

Comprehensive review of the security of a system, application and/or environment.

Answer 2

Security Assessment

Question 3

Provides objective evidence that the design outputs of a particular phase of the software development life cycle meet all of the specified requirements for that phase.

Answer 3

Verification

Question 4

Developing a level of confidence that the software or system meets all requirements and user expectations as documented.

Answer 4

Validation

Question 5

Security and Privacy Controls for federal information systems and organizations

Answer 5

NIST SP 800-53A R4

Question 6

Determine which type of AUDIT the following represents:

Performed by a team from within the organization, usually meant for internal consumption.

Answer 6

Internal

Question 7

Determine which type of AUDIT the following represents:

Performed by an outside auditing firm not connected with the organization

Answer 7

External

Question 8

Determine which type of AUDIT the following represents:

Conducted by and/or on behalf of another organization, such as a regulatory body

Answer 8

Third-Party

Question 9

Security assessment performed by independent auditors

Answer 9

Security audits

Question 10

What type of audit is defined:

High level review of documentation and controls. Randomly sampling controls to verify the validity of those controls.

Answer 10

Type 1 Report

DOCUMENTATION WITH RANDOM SAMPLING

Question 11

What type of audit is defined:

Testing the controls with 6 months worth of data. Auditor supplies opinion of effectiveness upon test

Answer 11

Type 2 Report

MORE TECHNICAL

Question 12

What reports are generated after an audit?

Answer 12

SOC1 , SOC2 and SOC3

Question 13

which Report is defined:

Report on controls at a Service Organization which are relevant to user entities internal control over financial reporting. Can be Type 1 or 2

Focused on financial reporting controls

Answer 13

SOC1

Just Finance !!

Question 14

which Report is defined:

Performed in accordance with AT-C and based upon the Trust Services Criteria, with the ability to test and report on the design and operating effectiveness of a service orgs controls.

Focuses on a business non financial reporting controls as the relate to security, availability, processing integrity, confidentiality, and privacy of a system. Can be Type 1 or 2

Answer 14

SOC2

Finance + Security !!!

Question 15

which Report is defined:

Can only be done as a Type 1 report.

Answer 15

SOC3

Generic Scrubbed publicly available version of a SOC2 report with no internal data

Question 16

Identify the Process:

criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.

Answer 16

Change Management

Question 17

Another term for WEAKNESS within the organization

Answer 17

Vulnerability

Question 18

When scanning, which scan is the “noisiest” and would bring the most attention or set off alarms?

Answer 18

XMAS Scan

Question 19

Uses a single packet sent to each scanned port with the SYN flag set, indicating a request to establish connectivity and begin the TCP three way handshake.

Answer 19

TCP SYN Scan

Question 20

Opens a full connection to the target on a specified port. Used when sender does not have permission to run a TCP SYN Scan

Answer 20

TCP Connect scan

Question 21

Sends a packet with the ACK flag set to target. Used to probe firewall rules

Answer 21

TCP ACK Scan

Question 22

Sends a packet with the FIN, PSH, & URG flags set

Answer 22

XMAS Scan

Question 23

What are the three port status’es returned by NMAP?

Answer 23

1. Open
2. Closed
3. Filtered

Question 24

1. Planning
2. Recon
3. Vulnerability Scanning
4. Exploitation
5. Reporting

Answer 24

Five phases of pen-testing

Question 25

Reviewing code without running it

Answer 25

Static testing

Question 26

Executing software in a runtime environment to see what it does

Answer 26

Dynamic Testing

Question 27

Specialized form of dynamic testing that uses randomized inputs to stress a system looking for unexpected outcomes. There are two types:

1. Mutation (dumb)
2. Generational (intelligent)

Answer 27

Fuzz testing

Question 28

Assessing the performance of modules against the interface specifications to ensure the proper operations. Three types:

a Application Programming Interface
b User Interface
c Physical Interface

Answer 28

Interface Testing

Question 29

Estimation of the degree of testing conducted against the system

                         Number of use cases Test Coverage = -------------------------------
                         Total number of cases

Answer 29

Test Coverage Analysis