Domain 6: Security Assessment & Testing Flashcards
What is a security audit?
A security audit is a test against a published standard.
What are the 7 components of a security assessment?
Security assessments view many controls across multiple domains and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real-world effectiveness of administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits
What does a SOC 2 Type 1 report on?
A SOC 2 Type 1 report covers management’s description of a service organization’s system and the suitability of the design of controls.
What does a SOC 2 Type 2 report on?
A SOC 2 Type 2 report covers management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
What happens in a structured audit?
Structured audits (3rd party):
- External auditors are used to validate compliance; they are experts and the audit adds credibility.
- Can also be a knowledge transfer for the organization, required annually in many organizations.
What are the 6 phases of a penetration test?
Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment > Exploitation > Reporting.
What does static testing do?
Static testing tests the code passively; the code is not running. This includes walkthroughs, syntax checking, and code reviews.
What does dynamic testing do?
Dynamic testing tests the code while executing it. With dynamic testing, security checks are performed while actually running or executing the code or application under review. It is a common method for closed-source applications.
What is synthetic monitoring?
Synthetic transactions/monitoring: building scripts or tools that simulate normal user activity in an application.
What is white-box software testing?
White-box software testing gives the tester access to program source code, data structures, variables, etc. Black-box testing gives the tester no internal details; the software is treated as a black box that receives inputs.
What is a traceability matrix?
A traceability matrix, sometimes called a requirements traceability matrix (RTM), can be used to map customers’ requirements to the software testing plan; it traces the requirements and ensures that they are being met.
What is unit testing?
Unit testing: Low-level tests of software components, such as functions, procedures, or objects.
What is installation testing?
Installation testing: Testing software as it is installed and first operated.
What is integration testing?
Integration testing: Testing multiple software components as they are combined into a working system. Subsets may be tested, or Big Bang integration testing is used for all integrated software components.
What is regression testing?
Regression testing: Testing software after updates, modifications, or patches.
What is acceptance testing?
Acceptance testing: Testing to ensure that the software meets the customer’s operational requirements. When this testing is done directly by the customer, it is called user acceptance testing.
What is fuzzing?
Fuzzing (also called fuzz testing) is a type of black-box testing that submits random, malformed data as inputs into software programs to determine if they will crash.
What is mutation fuzzing?
Mutation (dumb) fuzzing: the tester takes real input data and modifies it iteratively.
What is combinatorial software testing?
Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.
What is misuse case testing?
Misuse Case Testing:
- Executing a malicious act against a system. Attackers won’t do what normal users would, so we need to test misuse to ensure our application or software is safe.
What happens in an unstructured audit?
Internal auditors are used to improve security and find flaws; this is often done before an external audit.
What do we need to ensure is synchronized for our audit logs to be admissible in court?
The clocks of all systems in an organization should be connected to multiple synchronized NTP servers, to ensure all clocks are synchronized. If log timestamps differ from the real time, the logs are not usable in a trial.
In which form of software testing do we test the connections between the different systems and components?
Interface testing
What are the 5 common problems with audit record management?
Audit record management typically faces five distinct problems:
- Logs are not reviewed on a regular and timely basis.
- Audit logs and audit trails are not stored for a long enough time period.
- Logs are not standardized or viewable by correlation toolsets; they are only viewable from the system being audited.
- Log entries and alerts are not prioritized.
- Audit records are only reviewed for the bad stuff.
What is test coverage analysis?
Identifies how much of the code was tested in relation to the entire application.
We want penetration testers to prove they can get to our sensitive documents, but we do not want them to access any of them. What could we use for them to prove they reached their target?
Often a dummy file is made and it is the target they should try to reach; if they can see, access, or alter the file, they have been successful.
When a penetration tester is trying to gain sensitive information from an employee using social engineering, which type of access control is she testing?
Social engineering is an attack on administrative controls; it can be mitigated with training and awareness. Administrative (directive) controls: organizational policies and procedures, regulation, training and awareness.
Our senior leadership has decided to do a double-blind penetration test. What does that mean?
A double-blind test is closer to a real attack: the testers are black box (zero knowledge), and the network and security teams are not aware that this is a pen test or when it is happening.
What are alternative names for white box penetration testing?
Clear box and crystal box
What is reduction analysis?
Decomposing the application, system or environment to gain a greater understanding of the logic of the product and its interactions with external elements.
What are the four branches of forensic analysis?
Media analysis, network analysis, software analysis, and hardware/embedded device analysis.
What is the zzuf tool used for?
Automating the process of mutation fuzzing by manipulating input according to user specifications.
What is generational fuzzing?
Generational (intelligent) fuzzing develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
What are the stages of Process for Attack Simulation and Threat Analysis (PASTA)?
Stage 1: Definition of Objectives
Stage 2: Technical Scope
Stage 3: Application Decomposition and Analysis
Stage 4: Threat Analysis
Stage 5: Weakness and Vulnerability Analysis
Stage 6: Attack Modeling & Simulation
Stage 7: Risk Analysis & Management
What types of logs does NIST Special Publication 800-92 suggest should be collected and audited?
NIST Special Publication 800-92 suggests the following log types should be collected and audited:
Network Security Software/Hardware:
Antivirus logs, IDS/IPS logs, remote access software (such as VPN logs), web proxy, vulnerability management, authentication servers, routers and firewalls.
Operating System:
System events, audit records, applications, client requests and server responses, usage information, significant operational actions.