IS3230 CHAPTER 14

Question 1

The use of software to control the execution of a test suite is called ___.

Answer 1

AUTOMATED TESTING

Question 2

A hole in system or network security placed deliberately either by system designers or attackers and also a way of quickly bypassing normal security measures is called ___.

Answer 2

BACKDOOR

Question 3

In a penetration test, the ___ consists of IT staff who defend against the penetration testers. They are generally aware that a penetration test is happening but do not know what methods the penetration testers will user.

Answer 3

BLUE TEAM

Question 4

The outermost extremes of test conditions is called ___.

Answer 4

BOUNDARY CONDITIONS

Question 5

An industry mailing list provided by Symantec that reports new vulnerabilities as they are discovered is called ___.

Answer 5

BUGTRAQ

Question 6

An attack in which malicious code is introduced into an application. This type of attack is possible because of lax input validation in the target application and is called ___.

Answer 6

CODE INJECTIONS

Question 7

A document that defines every data element and database table in a piece of software is called ___.

Answer 7

DATA DICTIONARY

Question 8

.The process of identifying the difference between reality–the current state of an organization’s IT infrastructure–and the organization’s security goals is called ___.

Answer 8

GAP ANALYSIS

Question 9

The authorization memo, signed by a member of upper management, that states that a penetration test has been authorized and exactly what methods the test will include. Every member of a penetration testing team should carry a copy of this memo at all time to avoid misunderstandings with security and law enforcement and is called ___.

Answer 9

GET OUT OF JAIL FREE CARD

Question 10

The process by which vulnerabilities are addressed to create a secure system is called ___.

Answer 10

HARDENING

Question 11

The process of scanning the network to find out which Internet Protocol (IP) addresses are attached to interesting resources is called ___.

Answer 11

HOST DISCOVERY

Question 12

The process of testing how individual components function together as a complete system is called ___.

Answer 12

INTEGRATION TESTING

Question 13

Security testing methods that expo it possible vulnerabilities in order to prove their existence and potential impact is called ___.

Answer 13

INTRUSIVE TESTING METHODS

Question 14

A way of measuring how software will perform with an average number of user, as well as how it will perform under extreme load conditions is called ___.

Answer 14

LOAD TESTING

Question 15

A proprietary security scanner developed by Tenable Network Security. It is network-centric with Web-based consoles and a central server is called ___.

Answer 15

NESSUS

Question 16

An open source port scanning and host detection utility is called ___.

Answer 16

NMAP

Question 17

.Security testing methods that do not exploit possible vulnerabilities is called ___.

Answer 17

NONINTRUSIVE TESTING METHODS

Question 18

The act of simulating an attack on an organization’s resources to assess an infrastructure’s true vulnerability. This is an actual attack where testers use a variety of methods including social engineering, software hacking, and physical intrusion and is called ___.

Answer 18

PENETRATION TESTING

Question 19

A technique designed to probe a networks’s open ports looking for a weakness is called ___.

Answer 19

PORT SCANNING

Question 20

A high level abstraction of code used to outline the steps in an algorithm is called ___.

Answer 20

PSEUDOCODE

Question 21

In a penetration test, this team consists of penetration testers who have been given some background knowledge of the infrastructure is called ___.

Answer 21

RED TEAM

Question 22

A graphically intensive vulnerability scanner is called ___.

Answer 22

RETINA

Question 23

In a penetration test, theis team is comprised of testers who are given no knowledge of the infrastructure, and are attacking a target that is unaware of their existence until the attack is made and is called ___.

Answer 23

TIGER TEAM

Question 24

A method of testing that ensures that a specific function or module works as designed is called ___.

Answer 24

UNIT TESTING

Question 25

1. It is necessary to consider security issues during every phase of the software development life cycle.
   TRUE OR FALSE

Answer 25

TRUE

Question 26

2. What occurs during the sunset phase of a security system’s life cycle?
3. Electronic media is wiped clean
4. Paper documentation is shredded or archived
5. Old equipment is destroyed or disposed of in a secure manner.
6. All the above

Answer 26

Electronic media is wiped clean
Paper documentation is shredded or archived
Old equipment is destroyed or disposed of in a secure manner.

Question 27

3. Which of the following are primary activities for an information security team? (Select two)
4. Researching new exploits
5. Monitoring/incident handling
6. Testing
7. Upgrading security systems

Answer 27

Monitoring/incident handling

Testing

Question 28

4. Port scanning is an example of ___ testing.

Answer 28

Nonintrusive

Question 29

5. Penetration testing is an example of ___ testing.

Answer 29

Intrusive

Question 30

6. Which of the following test is the most accurate way to test security incident response?
7. Open
8. Blind
9. Double-blind
10. Automated

Answer 30

Double-blind

Question 31

7. Gap analysis in which domain focuses primarily on the effectiveness of an organization’s training program?
8. User
9. Workstation
10. LAN
11. LAN to WAN
12. WAN
13. System/Application
14. Remote access

Answer 31

User

Question 32

8. A Web application security scanner is a good tool to use when testing which domain?
9. User
10. Workstation
11. LAN
12. LAN to WAN
13. WAN
14. Remote access

Answer 32

WAN

Question 33

9. Penetration testing is a risky operation for both the organization and the testers.
   TRUE OR FALSE

Answer 33

TRUE

Question 34

10. Which penetration testing team may be comprised of systems administrators in other departments of within an organization?
11. Red
12. Blue
13. Tiger
14. Orange

Answer 34

Red

Question 35

11. Which penetration testing team is comprised of systems administrators who defend the network and respond to the activities of the penetration testers?
12. Red
13. Blue
14. Tiger
15. Orange

Answer 35

Blue

Question 36

12. Which penetration testing team is given no prior knowledge of the IT infrastructure and uses the same tools and strategies that an actual attacker would use?
13. Red
14. Blue
15. Tiger
16. Orange

Answer 36

Tiger

Question 37

13. The clean-up phase of a penetration test is the responsibility of which individual or group?
14. Systems administrator
15. Upper management
16. Penetration testing team
17. Help desk

Answer 37

Penetration testing team

Question 38

14. A penetration test report should include which of the following? (Select three)
15. Description of gaps and risk exposures found during the test
16. List of passwords uncovered by the penetration testing team
17. Remediation plans for closing security gaps
18. Cost analysis and solution prioritization based on risk exposure

Answer 38

Description of gaps and risk exposures found during the test

Remediation plans for closing security gaps

Cost analysis and solution prioritization based on risk exposure