Domain 6: Security Assessment and Testing Flashcards

1
Q

Pen test that begins with no information; the tester starts the attack with public information only

A

Zero-knowledge test aka Black Box Penetration Test

2
Q

Provides internal info to the pen tester, including network diagrams, policies and procedures

A

Full-knowledge test aka White Box Penetration Test

3
Q

Pen tester receives some limited info

A

Partial-knowledge test aka Gray Box Penetration Test

4
Q

List the penetration testing methodology

A
  1. Planning
  2. Reconnaissance
  3. Scanning (aka Enumeration)
  4. Vulnerability Assessment
  5. Exploitation
  6. Reporting
5
Q

Scans the network for a list of predefined vulnerabilities such as system misconfiguration, outdated software or lack of patching

A

Vulnerability Scanning

6
Q

Framework that facilitates the automation of interactions between different security systems

A

Security Content Automation Protocol (SCAP)

7
Q
  • SCAP Component

- Provides a naming system for describing security vulnerabilities

A

Common Vulnerabilities and Exposures (CVE)

8
Q
  • SCAP Component

- Provides a standardized scoring system for describing the severity of security vulnerabilities

A

Common Vulnerability Scoring System (CVSS)

9
Q
  • SCAP Component

- Provides a naming system for system configuration issues

A

Common Configuration Enumeration (CCE)

10
Q
  • SCAP Component

- Provides a naming system for OS, applications, and devices

A

Common Platform Enumeration (CPE)

11
Q
  • SCAP Component

- Provides a language for specifying security checklists

A

Extensible Configuration Checklist Description Format (XCCDF)

12
Q
  • SCAP Component

- Provides a language for describing security testing procedures

A

Open Vulnerability and Assessment Language (OVAL)

13
Q
  • Formal process where an auditor verifies that an organization meets a specific regulatory standard, e.g. PCI DSS
A

Security Audit

14
Q
  • Informal process where security controls are evaluated, e.g. policies, procedures and other administrative controls
A

Security Assessment

15
Q

Tests the code passively; the code is not running, e.g. walkthroughs, syntax checking, and code reviews.

A

Static testing

16
Q

Tests the code while executing it

A

Dynamic testing

17
Q
  • Used to map customers' requirements to the software testing plan
  • Traces the requirements and ensures that they are being met.
A

Traceability Matrix

18
Q
  • Involves building scripts or tools that simulate activities performed in an application
  • Goal is to monitor and establish expected norms for the performance of these transactions
A

Synthetic Transactions

19
Q

Low-level tests of software components, such as functions, procedures, or objects.

A

Unit testing

20
Q

Testing software as it is installed and first operated

A

Installation testing

21
Q

Testing multiple software components as they are combined into a working system

A

Integration testing

22
Q

Testing software after updates, modifications or patches

A

Regression testing

23
Q

Testing to ensure that the software meets the customer’s operational requirement

A

Acceptance testing

24
Q

Submits random, malformed data as inputs into software to determine if it will crash

A

Fuzzing

25
Q

Seeks to identify and test all unique combinations of software inputs

A

Combinatorial Software Testing

26
Q

Spells out the use cases for applications, i.e. how various functionalities will be leveraged within an application

A

Misuse Case Testing Leverages