Security Assessment and Testing Flashcards
How is interface testing different from misuse case testing?
A. Interface testing is intended to determine correct function, whereas misuse case testing is intended to determine error conditions.
B. Interface testing is intended to determine usability, whereas misuse case testing is intended to determine when misuse has occurred.
C. Interface testing and misuse case testing are essentially the same.
D. Interface testing is intended to determine correct function, whereas misuse case testing is intended to determine if an error condition could be problematic.
D. All apps must undergo interface testing to be properly functional and usable. But they should also undergo misuse case testing in order to determine whether an intentional misuse of them could result in an error that subverts the confidentiality, integrity, and availability of the data the app provides access to.
A is incorrect because error conditions are likely to arise, but not necessarily as a result of misuse conditions.
B is incorrect because, while detection of events of misuse is important, testing for the results of intentional misuses is more important.
C is incorrect because of the distinct differences discussed for answers A and B.
What are the key stages of account management?
A. Provisioning or adding accounts, modifying accounts, and suspending accounts
B. Adding accounts, deleting accounts, and deleting users’ data
C. Verifying account passwords, validating account usage, and deleting accounts
D. Provisioning accounts, modifying accounts, auditing the use of accounts, and suspending accounts
D. All stages in the life cycle of authenticated access should be accounted for. Access should not be granted without appropriate direction, nor should access be allowed or denied without expected permissions. And the suspension of access should be auditable as well.
A is incorrect because the auditing of the use of accounts is not included.
B is incorrect because the deletion of users’ data may conflict with data retention requirements.
C is incorrect because it is simply a stage of authentication and doesn’t relate to account management.
What is a code review?
A. Making sure coders work in parallel to watch each others’ work while they are coding
B. Making sure coders’ work has been reviewed by other coders after they are done
C. Making sure that the appropriate Q/A harnesses have been applied prior to check in
D. Making sure that appropriate Q/A harnesses exist
B. A static code review requires that at least one other set of eyes inspects the code before it is deployed in order to search for flaws that may have not been obvious to the author, but that may be apparent to another engineer. In science we call it peer review.
A is incorrect because, while parallel or team coding is a good practice to provide peer review, it is not considered a static review.
C is incorrect, though a good practice.
D is incorrect, but is likewise a best practice.
Which of the following statements is true with respect to security audits, vulnerability assessments, and penetration tests?
A. Third-party security audits are only necessary when regulations require them.
B. Vulnerability assessments and penetration tests are essentially the same.
C. Vulnerability assessments help to prioritize weaknesses that need to be addressed.
D. Internal assessments have very little value.
C. The most valuable aspect of vulnerability assessments, whether conducted internally or by a third party, is that they help to enumerate all of the potential vulnerabilities that an enterprise has so that remediation can be prioritized.
A is incorrect because even though some organizations may not be required to have independent reviews, such reviews will often bring to light weaknesses that might otherwise have been overlooked.
B is incorrect because vulnerability assessments seek to enumerate every weakness so that the countermeasures for them can be appropriately prioritized. Penetration tests seek to examine the likelihood that a real-world attacker could exploit any given weakness to achieve a goal.
D is incorrect because internal audits of an enterprise’s security posture are not usually sufficient on their own, but they can be very beneficial if conducted in concert with third-party reviews.
Which of the following is the most important reason to log events remotely?
A. To protect against log tampering
B. To have several copies of the logs of every event
C. To make it easier to back up the logs on a single write-once media
D. To facilitate log review and analysis
A. Event logs are usually one of the first things that an intruder will seek to modify in order to cover their tracks. If events are being logged only locally, a compromise means that those logs can no longer be considered valid for investigative purposes.
B is incorrect because even though redundancy of event logs can be useful, the primary reason to log events remotely is to ensure that a copy exists that hasn’t been subject to tampering, making it a valid tool in the investigation of the compromise.
C is incorrect because backing up logs to immutable media is important for many reasons, but the best one is that events recorded remotely cannot easily be altered by an intruder.
D is incorrect in this context, even though it is true. Log aggregation can certainly facilitate reviews of events, and aid in intrusion detection and analysis. However, answer A is still the most important reason because all intrusion analysis relies on unaltered evidence.
How can a backup strategy be made most effective?
A. By ensuring that all user data is backed up
B. By testing restoration procedures
C. By backing up database management systems (DBMSs) via their proprietary methods
D. By reviewing backup logs to ensure they are complete
B. Unless the ability to restore from backups successfully is tested routinely, no other activities around data retention have value.
A is incorrect because although making copies of user data is important, unless the copies can be assured to be restorable, copying is futile.
C is incorrect because although it is a good idea to use a DBMS’s native means for ensuring transactional copies are available, those copies are not to be trusted unless restoration is tested.
D is incorrect because although monitoring backup logs for completion is a good operational practice, it is no replacement for periodic testing of the backups themselves and the ability to truly recover from data loss.
What is a synthetic transaction?
A. A bogus user transaction that must be disallowed
B. A scripted process used to emulate user behavior
C. User behavior intended to falsify records
D. A scripted process by an attacker used to violate policy
B. Testing applications commonly involves the need to emulate usual user behaviors. However, in a test environment, the typical load of user activity is unavailable. Consequently, scripts of common user transactions can be constructed to facilitate various forms of tests.
A is incorrect because synthetic transactions are neither bogus nor user driven. Improper user behavior can be systematically tested through synthetic transactions, but the behavior is generated by a script.
C is incorrect because live attacks are not synthetic. Attempts to bypass integrity controls can be part of a scripted set of tests, but they do not involve actual users.
D is incorrect because a scripted process by an attacker is not a synthetic transaction, for the reasons stated in the previous explanations. Emulating scripted attack traffic may be the goal of synthetic transactions, but the actual live attack is out of the context of lab testing.
Why are security metrics so important as performance and/or risk indicators?
A. They enable management to understand the performance of a security program.
B. They can be used to document deviations from standards.
C. They can help auditors determine whether incidents have been properly resolved.
D. They can be used to determine the cost of a countermeasure.
A. The greatest value of security metrics is to establish the key performance indicators (KPIs) and key risk indicators (KRIs) that must be used by senior management to evaluate the effectiveness of an information security management system (ISMS). The best way to determine whether such a program is actually improving the security posture of an enterprise and reducing overall risk is through longitudinal tracking of quantified data.
B is correct, but it is not the best answer. Incidents of discovered deviations from standards can be quantified and provide the basis for KPIs and KRIs, but they are useless unless they are tracked consistently and are acted upon by management in concert with other indicators.
C is incorrect because the necessary requirement for auditors to determine proper resolution of security incidents is an adequate tracking system capable of recording the process of response and mitigation.
D is incorrect because although the total cost of ownership (TCO) of any countermeasure should optimally be thoroughly quantified, those costs are not usually related to security metrics. Rather, those costs are usually measured in terms of capital expenditures (CAPEX) and operational expenditures (OPEX).
When providing a security report to management, which of the following is the most important component?
A. A list of threats, vulnerabilities, and the probabilities that they will occur
B. A comprehensive list of the probabilities and impacts of adverse events anticipated
C. An executive summary that is comprehensive but does not exceed two pages
D. An executive summary that is as long as is necessary to be technically comprehensive and that includes the lists referenced in options A and B
C. No matter how technically comprehensive a report to management must be, the executive summary should never exceed two pages. IT security professionals must understand that the risks posed to an enterprise by data compromise are only one of many concerns that senior management must try to understand and prioritize. C-level executives have to be concerned with a lot of risks, and highly technical threats with which they are not familiar may be difficult for them to sort out appropriately. That means that it is the primary job of the IT security professional to summarize the risks in a way that makes sense to management, and as briefly as possible.
A is incorrect because it is not the most important component when reporting to management. While such a list is essential to a comprehensive security report, providing it to management will be unlikely to result in effective action without a well-crafted executive summary.
B is incorrect because it is not the most important component when reporting to management. Again, while such a list is critical in any technical report, the executive summary is crucial to achieving action on the goal of risk reduction.
D is incorrect because it describes what might be the most common and critical failure when reporting to management. The audience of the executive summary is unlikely to read past a page or (at most) two of technical details, which is reasonable given the need to balance their attention among so many competing concerns. For a topic with which they are particularly unfamiliar, their tolerance for obscure information will be low.
What is the difference between security training and a security awareness program; which is most important?
A. A security awareness program addresses all employees regardless of role, whereas security training is role specific. The awareness program is most important.
B. A security awareness program focuses on specific roles, whereas security training addresses the needs of all employees. Both are equally important.
C. A security awareness program focuses on specific roles, whereas security training addresses the needs of all employees. Training is most important.
D. A security awareness program addresses all employees regardless of role, whereas security training is role specific. Both are equally important.
D. The main difference between a security awareness program and security training is the focus on employee role. All employees have a role in maintaining enterprise security, so awareness of the threats and their responsibilities to be mindful of them is the goal of an awareness program. Conversely, some employee roles require skill-specific training in security because it is an inherent part of their job. This requires specific security training. Regardless of the difference between the two, both are absolutely equally required for an enterprise to be secure.
A is incorrect because of the second sentence. A security awareness program is essential, but equally so is security training for specific critical employee roles.
B is incorrect because it transposes the focus of a security awareness program and the focus of role-specific security training.
C is incorrect for the same reason as answer B and further emphasizes one over the other.
Which of the following describes a parallel test during disaster recovery testing?
A. It is performed to ensure that some systems will run at the alternate site.
B. All departments receive a copy of the disaster recovery plan to review it for completeness.
C. Representatives from each department come together and go through the test collectively.
D. Normal operations are shut down.
A. In a parallel test, some systems are run at the alternate site and results are compared with how processing takes place at the primary site. This is to ensure the systems work at the alternate site and productivity is not affected. This also extends the previous test and allows the team to walk through the steps of setting up and configuring systems at the offsite facility.
B is incorrect because this option describes a checklist test.
C is incorrect because this option describes a structured walk-through test.
D is incorrect because this option describes a full-interruption test.
Which of the following describes a structured walk-through test during disaster recovery testing?
A. It is performed to ensure that critical systems will run at the alternate site.
B. All departments receive a copy of the recovery plan to review it for completeness.
C. Representatives from each department come together and go through the test collectively.
D. Normal operations are shut down.
C. During a structured walk-through test, functional representatives meet and review the plan to ensure its accuracy and that it correctly and accurately reflects the company’s recovery strategy by walking through it step-by-step.
A is incorrect because this option describes a parallel test.
B is incorrect because this option describes a checklist test.
D is incorrect because this option describes a full-interruption test.
John and his team are conducting a penetration test of a client’s network. The team will conduct its testing armed only with knowledge it acquired from the Web. The network staff is aware that the testing will take place, but the penetration testing team will only work with publicly available data and some information from the client. What is the degree of the team’s knowledge and what type of test is the team carrying out?
A. Full knowledge; blind test
B. Partial knowledge; blind test
C. Partial knowledge; double-blind test
D. Zero knowledge; targeted test
B. The penetration testing team can have varying degrees of knowledge about the penetration target before the tests are actually carried out. These degrees of knowledge are zero knowledge, partial knowledge, and full knowledge. John and his team have partial knowledge; the team has some information about the target. Tests may also be blind, double-blind, or targeted. John’s team is carrying out a blind test, meaning that the network staff knows that the test will take place.
A is incorrect because John and his team do not have full knowledge of the target. Full knowledge means that the team has intimate knowledge of the target and fully understands the network, its software, and configurations. John’s team has gathered information from the Web and partial information from the client. This is partial knowledge. The rest of the answer is correct; the team is conducting a blind test.
C is incorrect because John and his team are not conducting a double-blind test. A double-blind test, also called a stealth assessment, is when the assessor carries out a blind test without the security staff’s knowledge. This enables the test to evaluate the network’s security level and the staff’s responses, log monitoring, and escalation processes and is a more realistic demonstration of the likely success or failure of an attack.
D is incorrect because John and his team do not have zero knowledge, nor are they conducting a targeted test. Zero knowledge means that the team does not have any knowledge of the target and must start from ground zero. John’s team is starting the project with knowledge it acquired about the target online and with information provided by the client. Targeted tests commonly involve external consultants and internal staff carrying out focused tests on specific areas of interest. For example, before a new application is rolled out, the team might test it for vulnerabilities before installing it into production. John’s team is not focusing its testing efforts on any one specific area.
Fred is a new security officer who wants to implement a control for detecting and preventing users who attempt to exceed their authority by misusing the access rights that have been assigned to them. Which of the following best fits this need?
A. Management review
B. Two-factor identification and authentication
C. Capturing this data in audit logs
D. Implementation of a strong security policy
A. The goal of this question is for you to realize that management and supervisor involvement is critical to ensure that these types of things do not take place or are properly detected and acted upon if they do take place. If the users know that management will take action if they misbehave, this can be considered preventive in nature. The activities will only be known of after they take place, which means that the security officer has to carry out some type of detective activity so that he can then inform management.
B is incorrect because identification and authentication is preventive, not detective.
C is incorrect because audit logs are detective but not preventive. However, in order to be detective, the audit logs must be reviewed by a security administrator. While some of the strongest security protections come from preventive controls, detective controls such as reviewing audit logs are also required.
D is incorrect because a security policy is preventive, not detective. A security policy is developed and implemented to inform users of what is expected of them and the potential ramifications if they do not follow the constructs of the policy.