Security Assessment and Training Flashcards

1
Q

Security assessments, audits, tests, or other assessment activities can be of two types:

A

formal and informal

2
Q

For formal assessments, the audit, test, or other assessment activity is

A

an evaluation against a compliance standard

3
Q

An audit is a formal evaluation against a compliance standard. It is performed by

A

individuals who are outside the audited entity’s management structure

4
Q

For informal assessments, the audit, test, or other assessment activity is conducted to provide insights and observations about the systems being evaluated but not for

A

the direct purpose of meeting a compliance requirement.

5
Q

The accuracy of the audit depends on

A

the integrity of the artefacts.

6
Q

A typical audit finding identifies these elements:

A

Condition is a statement that describes the results of the audit.
Criteria are the standards used to measure the activity or performance of the auditee.
Cause is an explanation of why a problem occurred.
Effect is the difference between and significance of the condition and the criteria.
Recommendation is the action that must be taken to correct the cause.

7
Q

Formal security assessments are primarily related to

A

Risk management compliance such as that required by law

8
Q

For U.S. government agencies and many of their contractors, the Risk Management Framework ___________ serves as the standard against which audits and control assessments will be performed.

A

SP 800-37r2

9
Q

What is NIST SP 800-171r1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, for?

A

When private companies become part of a Federal government supply chain or process, they need to take on the responsibility of protecting information covered by this security category.

10
Q

What are SOC reports?

A

Service Organization Control reports: reports that evaluate organizational controls against a set of five Trust Services Principles.

11
Q

The SOC framework defines two major report types:

A

SOC 1: Attests to the condition of the organisation's internal controls over financial reporting (ICFR).
SOC 2: Trust Services Criteria principles. AICPA defines these to be:
Security
Availability
Confidentiality
Processing Integrity
Privacy

12
Q

Aside from SOC 1 and SOC 2, what are the other aspects of a SOC report?

A

  • SOC 3 reports provide a summary of the findings and attestations of a SOC 2 report, in less technical form.
  • SOC for Cybersecurity: This report focuses specifically on the cybersecurity plans, programs, processes, procedures, services or functions used by the organisation to meet its cybersecurity requirements.

13
Q

What is the difference between Type 1 and Type 2 reports for SOC 1 and SOC 2?

A

Type 1 - Point in time (Initial baseline)
Type 2 - Performance over time

14
Q

What is the focus of SOC 1 reports?

A

Internal Control over Financial Reporting

15
Q

What is the focus of SOC 2 reports?

A

Security controls

16
Q

What are the five Trust Services Criteria?

A

Security, Availability, Processing Integrity, Confidentiality and Privacy

17
Q

The SOC 3 report has been used where there is a need to communicate a level of assurance to a broad base of users without having to

A

disclose detailed controls and test results

18
Q

Which of the SOC 2 types proves design effectiveness?

A

Type II. Type 1 is only point in time, therefore only confirms the design.

19
Q

ISO 27001:2013 control 12.4.1 addresses event logging and states the following:

A

Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.

20
Q

In security assessments, tests of controls are generally categorized as

A

compliance tests or substantive tests

21
Q

In security assessments, compliance tests determine if, in the opinion of the controls assessor, ... Give an example.

A

the control exists and is operating properly.
For example, a compliance test might compare a sample of the organization's employees who are entitled to access a system with the named users of the system. The expected outcome should show that the two lists are identical.

22
Q

A substantive test evaluates ...
Give an example.

A

A substantive test evaluates the proper operation of the process. In the same example, a tester might perform an onboarding operation to give access to a new user, attempt to use the credentials for an authorised transaction, and then off-board that identity.

23
Q

The adoption of ______________________ and de-perimeterization practices is moving to erase the concept of insiders versus outsiders.

A

zero-trust security models

24
Q

In the development stages where an application is not yet mature enough to be placed into a test environment, the following techniques are applicable:

A

Static analysis and security testing (SAST): Throughout development, analysis tools and procedures can be used to find possible vulnerabilities without actually executing the source code.
Static binary code analysis and manual binary review: Analysis of the compiled application (binary) for finding vulnerabilities without executing the application.

25
Q

Once the organization has determined that a penetration test should be conducted, ____________________(A) are drafted which define the ________(B), _________(C) and ___________(D) associated with the penetration test activities. The (A) will be subjected to formal ________________(E) by the organization.

A

A. Rules of engagement
B. Scope
C. Methods
D. Constraints
E. Formal risk assessment

26
Q

This approach forces production systems to fail, and then tracks the detection, incident response and recovery activities

A

Chaos engineering

27
Q

A primary tenet of the Gramm-Leach-Bliley Act (GLBA) is the requirement for

A

financial institutions to protect customer information, and their log reviews can be used to identify and rectify security violations.

28
Q

The _________________ provides a centralized repository of all information pertaining to a given identity that is known to the organization.

A

Identity store

29
Q

What are the three subsystems at the centre of an IAM system?

A

Identity store
Access Accounting
System, App Logs

30
Q

_________________________ is an approach to monitoring that aims to capture and analyze every transaction of every user of a website or application.

A

Real user monitoring (RUM)

31
Q

Synthetic performance monitoring, sometimes called proactive monitoring, involves

A

having external agents run scripted transactions against a web application. These scripts are meant to follow the steps a typical user might follow to search, view product, log in, and check out to assess the experience of a user.

32
Q

This involves having external agents run scripted transactions against a web application. These scripts are meant to follow the steps a typical user might follow to search, view product, log in, and check out to assess the experience of a user.

A

Synthetic performance monitoring (sometimes called proactive monitoring)

33
Q

ISO 27001, Annex A:12.3 is the principal control addressing

A

backup

34
Q

Who can declare a disaster?
A. The security professionals
B. Physical and IT security teams
C. Members of a BCP Committee
D. Previously designated members of staff only

A

The correct answer is D.

Now when it comes to actually declaring a disaster, this does need to be a previously identified and designated set of individuals, typically senior management, as declaring a disaster can and will have serious implication on business operations. The BCP Committee should have identified these roles ahead of time.

35
Q

Which type of monitoring is an approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application?
A. Real user
B. End user
C. Synthetic performance
D. Proactive

A

A. Real user

36
Q

End-user experience monitoring (EUM) is

A

a form of passive monitoring, relying on web-monitoring services that continuously observe a system in action, tracking availability, functionality, and responsiveness.

38
Q

Perhaps the most commonly used Continuous Process Improvement (CPI) model is

A

the Plan-Do-Check-Act (PDCA) cycle

39
Q

If a weakness or vulnerability is discovered in testing, is there ever a case for non-disclosure?

A

Ethically, one can argue that disclosure to the affected party is required; contractually and legally, however, this can place the discovering party in jeopardy, either of compromising a potential civil or criminal investigation, of violating the privacy or data protection rights of an individual, or other violations. The bottom line is that in these circumstances, non-disclosure may be the only legal and ethical course of action.

40
Q

Full disclosure implies that when a weakness is discovered, the individual or organization discovering the weakness should

A

publicize the weakness as soon as possible to all potentially affected organizations.

41
Q

Responsible disclosure implies that the individual discovering a weakness should

A

report the weakness to the organization responsible for addressing the weakness and give that organization some time to address the weakness before public disclosure

42
Q

During which phase of the Plan-Do-Check-Act model are root causes of failure identified, risk is re-evaluated, and the baseline is determined to measure performance of future changes?
A. Plan
B. Do
C. Check
D. Act

A

D. Act
Act (Adjust) is the correct phase: based on the information generated in the Do and Check phases, root causes of failure are identified, risk is re-evaluated, and the baseline is determined to measure performance of future changes. Choices A, B and C are incorrect.

43
Q

What is the difference between white box, black box and grey box testing?

A

Black box testing is used to simulate an external attacker with no prior knowledge of the system, grey box testing is used to simulate an attacker with limited knowledge, and white box testing is used to simulate an insider with full knowledge of the system.

44
Q

What report would be good for attracting additional clients yet unknown to your business?
Question options:

A) SOC 5 Type II
B) SOC 3
C) SOC 5 Type II New Client
D) SOC 5 Type I Existing Content

A

The correct answer is B. SOC 3 is an executive summary that can be used as a web seal to advertise a summary opinion of technical controls. The summary can be posted to a website to advertise for potential customers. There are no SOC 5 reports.

45
Q

What are SOC 5 reports?

A

There are none

46
Q

All of the major control frameworks emphasize the importance of organizational logging practice. Which of the following does not stipulate the need for log management and review?
Question options:
A) NIST SP 800-92
B) Gramm-Leach-Bliley Act (GLBA)
C) Sarbanes-Oxley Act (SOX)
D) They all do

A

The correct answer is D. While all of the examples relate to different areas or organizations, they all place an emphasis on the importance of effective and timely log management. Remember one of the five critical tenets from the Center for Internet Security (CIS): Offense informs defense. By knowing what is happening and what has happened, an organization is able to take the appropriate actions.

47
Q

What is a compliance calendar?

A

A calendar that tracks an organization's audits, assessments, required filings, their due dates, and related details.

48
Q

Compliance Tests

A

An evaluation that provides assurance an organization’s controls are being applied in accordance with management policies and procedures.

49
Q

Assessment

A

The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.

50
Q

Audit/Auditing

A

The process of reviewing a system for compliance against a standard or baseline.

51
Q

Chaos Engineering

A

The discipline of experimenting on a software system in production in order to build confidence in the system’s capability to withstand turbulent and unexpected conditions.

52
Q

Examination

A

The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects.

53
Q

Judgmental Sampling

A

Also called purposive sampling or authoritative sampling; a non-probability sampling technique in which the sample members are chosen only on the basis of the researcher's knowledge and judgment.

54
Q

Testing strategy and technique from the point of view of an actor hostile to the system, using deliberately chosen sets of actions, which could lead to systems integrity failures, malfunctions, or other security or safety compromises.

A

Misuse Case Testing

55
Q

POA&M

A

Plan of Action and Milestones

56
Q

Substantive Test

A

The testing technique used by an auditor to obtain the audit evidence in order to support auditor opinion.