Domain 6: Security Assessment & Testing Flashcards

1
Q

What is a security audit?

A

A security audit is a test against a published standard

2
Q

What are the 7 components of a security assessment?

A

Security assessments view many controls across multiple domains and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real-world effectiveness of administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits

3
Q

What does a SOC Type 1 report cover?

A

A SOC 2 Type 1 report covers management’s description of a service organization’s system and the suitability of the design of its controls.

4
Q

What does a SOC Type 2 report cover?

A

A SOC 2 Type 2 report covers management’s description of a service organization’s system and the suitability of the design and operating effectiveness of its controls.

5
Q

What happens in a structured audit?

A

Structured audits (third party):

  • External auditors are used to validate compliance; they are experts, and the audit adds credibility.
  • The audit can also be a knowledge transfer for the organization; it is required annually in many organizations.

6
Q

What are the 6 phases of a penetration test?

A

Planning > Reconnaissance > Scanning (enumeration) > Vulnerability assessment > Exploitation > Reporting.

7
Q

What does static testing do?

A

Static testing tests the code passively; the code is not running. This includes walkthroughs, syntax checking, and code reviews.

8
Q

What does dynamic testing do?

A

Dynamic testing tests the code while executing it: security checks are performed while actually running the code or application under review. It is a common method for closed-source applications, where the source is not available for static review.

9
Q

What is synthetic monitoring?

A

Synthetic transactions/monitoring: building scripts or tools that simulate normal user activity in an application, so that availability and correct behaviour can be checked without waiting for real users to hit a problem.

10
Q

What is white-box software testing?

A

White-box software testing gives the tester access to program source code, data structures, variables, etc. Black-box testing gives the tester no internal details; the software is treated as a black box that receives inputs.

11
Q

What is a traceability matrix?

A

A traceability matrix, sometimes called a requirements traceability matrix (RTM), can be used to map customers’ requirements to the software testing plan; it traces each requirement to the tests that cover it and ensures that the requirements are being met.

12
Q

What is unit testing?

A

Unit testing: Low-level tests of software components, such as functions, procedures, or objects.

13
Q

What is installation testing?

A

Installation testing: Testing software as it is installed and first operated.

14
Q

What is integration testing?

A

Integration testing: testing multiple software components as they are combined into a working system. Subsets of components may be tested incrementally, or Big Bang integration testing may be used, in which all integrated software components are tested together.

15
Q

What is regression testing?

A

Regression testing: Testing software after updates, modifications, or patches.

16
Q

What is acceptance testing?

A

Acceptance testing: testing to ensure that the software meets the customer’s operational requirements. When this testing is done directly by the customer, it is called user acceptance testing.

17
Q

What is fuzzing?

A

Fuzzing (also called fuzz testing) is a type of black-box testing that submits random, malformed data as inputs to software programs to determine whether they will crash or otherwise misbehave.

18
Q

What is mutation fuzzing?

A

Mutation (dumb) fuzzing: the tester takes real input data and modifies it iteratively, without any model of the input format.

19
Q

What is combinatorial software testing?

A

Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.

20
Q

What is misuse case testing?

A

Misuse case testing:
- Executing a malicious act against a system. Attackers won’t do what normal users would, so we need to test misuse to ensure our application or software is safe.

21
Q

What happens in an unstructured audit?

A

Internal auditors are used to improve security and find flaws; an unstructured audit is often done before an external audit.

22
Q

What do we need to ensure is synchronized for our audit logs to be admissible in court?

A

The clocks of all systems in an organization should be synchronized against multiple NTP servers so that every system agrees on the time. If log timestamps do not match real time, the logs are not usable in a trial.

23
Q

In which form of software testing do we test the connections between the different systems and components?

A

Interface testing

24
Q

What are the 5 common problems with audit record management?

A

Audit record management typically faces five distinct problems:
• Logs are not reviewed on a regular and timely basis.
• Audit logs and audit trails are not stored for a long enough time period.
• Logs are not standardized or viewable by correlation toolsets; they are only viewable from the system being audited.
• Log entries and alerts are not prioritized.
• Audit records are only reviewed for the bad stuff.

25
Q

What is test coverage analysis?

A

Test coverage analysis identifies how much of the code was tested relative to the entire application.

26
Q

We want penetration testers to prove they can get to our sensitive documents, but we do not want them to access any of them. What could we use for them to prove they reached their target?

A

Often a dummy file is created as the target the testers should try to reach; if they can see, access, or alter the file, they have been successful.

27
Q

When a penetration tester tries to gain sensitive information from an employee through social engineering, which type of access control is she testing?

A

Social engineering is an attack on administrative controls; it can be mitigated with training and awareness. Administrative (directive) controls include organizational policies and procedures, regulation, and training and awareness.

28
Q

Our senior leadership has decided to do a double-blind penetration test. What does that mean?

A

A double-blind test is closer to a real attack: the testers are black box (zero knowledge), and the network and security teams are not aware that this is a pen test or when it is happening.

29
Q

What are alternative names for white box penetration testing?

A

Clear box and crystal box

30
Q

What is reduction analysis?

A

Decomposing the application, system, or environment to gain a greater understanding of the logic of the product and its interactions with external elements.

31
Q

What are the four branches of forensic analysis?

A

Media analysis, network analysis, software analysis, and hardware/embedded device analysis.

32
Q

What is the zzuf tool used for?

A

Automating the process of mutation fuzzing by manipulating input according to user specifications.

33
Q

What is generational fuzzing?

A

Generational (intelligent) fuzzing develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

34
Q

What are the stages of Process for Attack Simulation and Threat Analysis (PASTA)?

A

Stage 1: Definition of Objectives
Stage 2: Technical Scope
Stage 3: Application Decomposition and Analysis
Stage 4: Threat Analysis
Stage 5: Weakness and Vulnerability Analysis
Stage 6: Attack Modeling & Simulation
Stage 7: Risk Analysis & Management

35
Q

What types of logs does NIST Special Publication 800-92 suggest should be collected and audited?

A

NIST Special Publication 800-92 suggests the following log types should be collected and audited:
Network security software/hardware:
Antivirus logs, IDS/IPS logs, remote access software (such as VPN logs), web proxy, vulnerability management, authentication servers, routers and firewalls.
Operating system:
System events, audit records, applications, client requests and server responses, usage information, significant operational actions.