Domain 6, Security Assessments and Testing Flashcards

1
Q

Dynamic Testing

A

tests code, while it’s being executed

2
Q

Fuzzing

A

‘black box’ testing that submits random malformed data as inputs to software to see if it crashes

3
Q

pen test

A

An authorized attempt to break in.

4
Q

Static testing

A

Tests code passively; the code is not running.

5
Q

Synthetic transactions

A

AKA synthetic monitoring; involves building scripts or tools that simulate activities normally performed by an application.

6
Q

Scope of assessment

A

What are we testing? Why are we testing that?

7
Q

War Dialing

A

Uses a modem to dial a series of phone numbers looking for other modems.

8
Q

Social Engineering

A

Trick people into letting you in.

9
Q

zero knowledge test

A

Blind test. The hacker has zero knowledge of what they’re testing.

10
Q

Full knowledge test

A

AKA Crystal Box

The pen tester has all network information available to help with testing.

11
Q

Partial knowledge test

A

Tests are in between zero and full knowledge.

12
Q

Metasploit

A

Open source exploitation framework.

13
Q

Pen testing Methodology

A
  • Planning
  • Reconnaissance
  • Scanning (enumeration)
  • Vulnerability assessment
  • Exploitation
  • Reporting
14
Q

Vulnerability Testing/Scanning

A

Scans a network/system for a list of predefined vulnerabilities.

15
Q

Nessus

A

Vulnerability scanning tool.

17
Q

CVSS

A

Common Vulnerability Scoring System.

A list of vulnerabilities and a standard way to score their severity for a client.

19
Q

Security assessment

A

Holistic approach to evaluating the effectiveness of access controls. Broad scope; includes assessment of many controls across multiple domains.

20
Q

Internal audit

A

Structured and unstructured audits. Done by an internal employee or team.

21
Q

3rd party audit

A

Outside view, expert consultation. Teaching moment.

22
Q

Log Reviews

A

Review security audit logs.

23
Q

NIST 800-92

A

Describes which logs should be collected.

25
Q

White box software testing

A

Gives tester access to program source code, data structures, variables, etc.

26
Q

Traceability matrix

A

Can be used to map the customer's requirements to the software test plan. Traces the requirements.

27
Q

Combinatorial Software Testing

A

Black box testing method that seeks to identify and test all unique combinations of software inputs.

28
Q

Unit testing

A

Low-level test of software components, such as objects, procedures, or functions.

29
Q

Install testing

A

Testing software as it gets installed

30
Q

Integration testing

A

Testing multiple software components as they are combined into a working system.

31
Q

Regression testing

A

Tests software after updates, modifications, and patches.

32
Q

Acceptance testing

A

Test to ensure software meets the operational requirements. When done by customer, called user acceptance testing.

33
Q

Mis-use case testing

A

Intentionally misuse software to see if you can break or cause it to misbehave.

34
Q

Interface testing

A

Testing all interfaces exposed by the application.

35
Q

test coverage analysis

A

Attempts to identify the degree to which the application's code is exercised by testing, to confirm there aren’t large gaps in testing.

36
Q

Security Audit

A

A test against a published standard. An Auditor verifies that a site or organization meets the published standards.

37
Q

Breach and Attack Simulations

A

BAS, AKA Breach Attack Simulations:

BAS combines elements of vulnerability scanning and automated penetration testing. BAS tools use a continuously refreshed database of attack methods and newly discovered vulnerabilities to test the organization's ability to withstand newly evolved threats.