MindMap Gallery CISSP Study Notes-Domain 6 (Security Assessment and Testing)
This is a mind map about CISSP study notes - Domain 6 (Security Assessment and Testing). The main content includes: review questions and knowledge points.
Edited at 2024-04-06 10:04:44
CISSP Study Notes-Domain 6 (Security Assessment and Testing)
Knowledge points
6.1 Plan and validate assessment, testing and auditing strategies
6.1.1. Assessment, testing and auditing
6.1.1.1 Tests
A technical activity that involves executing a system to confirm that it meets specific requirements or expected behavior. Testing is often used to find problems and errors in a system. In the security field, testing includes vulnerability scanning, penetration testing, etc., which are used to discover and evaluate potential security risks of the system.
6.1.1.2 Assessments
An assessment is a comprehensive evaluation of a specific object, system or process. It can be based on quantitative or qualitative criteria. For example, a risk assessment evaluates the likelihood that a specific risk will occur, or it can evaluate the quality of the organization's security processes.
6.1.1.3 Audit
An audit is a more formal, structured process whose primary goal is to verify and confirm the compliance of an object or system according to defined standards or specifications. Audits are usually conducted by independent third-party organizations to ensure the impartiality and fairness of the audit results. For example, a system audit might determine whether a system complies with the Payment Card Industry Data Security Standard (PCI DSS).
6.1.2. Internal audit
Internal assessments and audits are assessment and audit activities conducted by an organization's own personnel. This activity can be carried out on an ongoing basis as part of the organization's security management.
1. Advantages and Disadvantages of Internal Auditing
• Benefits: Because insiders have a deep understanding of the organization's operations and business, they can conduct tests or evaluations more accurately and efficiently. Internal auditing is also more flexible and can be conducted whenever the organization needs it.
• Disadvantages: There are potential conflicts of interest (the people who make a policy should not be the ones auditing it), so internal audits may lack independence and impartiality.
2. Types of testing suitable for in-house testing
•Vulnerability Scanning: Conducted regularly to discover unpatched software or unknown assets.
•Process and procedure audits: such as change management, employee training completion, etc.
•Phishing Simulation: Test employees' ability to recognize and respond to phishing attacks.
3. Prepare for external audits
Before conducting an external audit, an organization may choose to conduct an internal preparatory audit. This can help improve the outcome of external audits by identifying and fixing any existing problems or deficiencies before the formal audit begins.
6.1.3. External audit
External audits are usually conducted by independent third-party organizations that have no direct interest in the organization being audited. Therefore, external audits can provide unbiased and independent assessments and audit results, which are particularly valuable in identifying and improving problems that the organization may have overlooked. But it may also require an investment of more time and resources. Therefore, organizations need to weigh the pros and cons and consider their specific business needs and conditions when deciding to conduct an external audit.
Situations where external audit is applicable include:
• Compliance audit: External audits are required to meet specific compliance requirements, such as the Payment Card Industry Data Security Standard (PCI-DSS) or the international information security management system standard ISO 27001.
• Legal or regulatory requirements: In some cases, an organization may be required to conduct an external audit by law or regulation. For example, to meet specific business requirements, a maturity assessment based on a maturity model may be required.
6.1.4. Third-party audit
Audits of third parties, also called supply chain audits, are an important means of assessing and managing supply chain security risk, and can be conducted by the organization itself or by a third-party auditor. The audit evaluates the security controls and policies in the supply chain, identifies risks and proposes mitigating measures. Some vendors provide third-party audit reports, such as Service Organization Controls 2 (SOC 2) reports, which help organizations better understand and manage supply chain risk.
6.2. Carry out security control testing
6.2.1. Vulnerability assessment
1. Strategy Overview
Vulnerability assessment is a key component of risk management, which focuses on identifying and assessing the vulnerabilities of hardware and software assets to prevent them from being exploited by attackers.
The main steps of vulnerability assessment include:
1) Create an asset inventory: Identify the organization's critical assets and prioritize vulnerability scans accordingly.
2) Select a scanning tool: Choose an appropriate vulnerability scanning tool based on factors such as legal, contractual or regulatory requirements, platform compatibility, and cost.
2. Common problems in vulnerability assessment
1. Excessive traffic and DoS
Description: Vulnerability scanners can generate large amounts of traffic, consume network bandwidth, and potentially cause DoS conditions on networks and systems as they struggle to process the requests.
Solution:
1) Correct configuration, such as request throttling that limits the number of requests the scanner generates in a given time period.
2) Credentialed scanning, which reads configuration information directly and can therefore target the right ports accurately instead of probing blindly.
3) Scheduling scans for times of low user activity.
2. Alerts and events
Description: Scanning a host imitates tactics commonly used by attackers and will generate security alerts.
Solution: Configure a policy to filter your own test traffic, for example by marking port scans from the vulnerability scanner's IP address as non-suspicious.
3. Cross-functional ownership
Description: If business units are not engaged, security findings may be ignored.
Solution: Build relationships between teams and present findings in a form that asset owners understand.
4. Data pollution
Description: Automatically generated test data can pollute the production environment.
Solution: Adjust the scan policy to reduce or skip destructive operations, such as submitting forms or sending e-mails. The scanner can also be configured to insert recognizable test data that can be easily ignored or cleaned up after the scan.
5. Network segmentation
Description: Using access control measures such as firewalls to segment or isolate different parts of the network is a security best practice, but may prevent the scanner from reaching the target address.
Solution: Distributed scanning places the scanning agent within a network segment, allows the endpoints of the network segment to be scanned, and then integrates the results into the central control unit.
6.2.2. Penetration testing
Vulnerability assessment looks for weaknesses that can theoretically be exploited, while penetration testing (also called pen testing) goes a step further and proves that these weaknesses can be exploited.
1. Types of penetration testing
1) White box penetration testing (also called full knowledge testing)
The testing team fully understands the infrastructure and its architecture, including operating systems, network segmentation, devices, and their vulnerabilities. This type of testing helps focus the testing team on a specific area of interest or a specific vulnerability.
2) Black box penetration testing (also called zero-knowledge testing)
The testing team has no knowledge of the infrastructure and discovers the network structure and its vulnerabilities from an attacker's perspective.
3) Gray box penetration testing (also called partial knowledge testing)
A penetration test that falls between white box and black box testing: the testing team has partial knowledge of the infrastructure.
2. Penetration testers
1) White hat hackers (ethical)
Security professionals who test a system to determine its weaknesses so that those weaknesses can be mitigated and the system better protected.
2) Black hat hackers (unethical)
Malicious actors who break into systems to extort, obtain sensitive data, or disrupt the operation of infrastructure.
3) Gray hat hackers
Hackers who move back and forth between the white hat and black hat worlds, sometimes selling their expertise for the benefit of an organization.
4) Red team
The attacking group during a security test or exercise.
5) Blue team
The defenders during a security test or exercise.
6) White team
The team that manages the exercise during a security test or exercise.
3. Penetration testing rules
Penetration testing should never be conducted without proper authorization. The rules of the test should also be explicit, including the scope of the test, the participants, the test methods and the expected means of communication.
Items usually defined in the rules document include:
• What systems, offices, or other targets are within the scope of testing?
• Are any systems, offices, or other targets specifically excluded from testing?
• Are any testing methods prohibited, such as social engineering or password cracking?
• Is physical security covered? If so, what facilities or objectives are included?
• What level of authority are testers granted? Testers may be given accounts to assess insider threats, or to carry out verification activities once they have gained access.
• What is the expected communication style and cadence? Some organizations require immediate notification of any potentially critical security issue, while others are content to wait for a final report.
• Who is conducting the testing, what equipment and software are allowed, and when will the testing occur?
• What procedures will be used when handling sensitive data such as internal network configurations, customer records, etc.?
• How will sensitive data be securely handled after testing?
• What is the expected service level? For example, do testers retest immediately after a fix is implemented, or wait for a prescribed retest time?
• What are the expectations for documentation, in particular details of any issues found, the work done to verify test results, and the format of any reports?
4. Penetration testing process
5. Physical Penetration Testing
Physical penetration testing is when a tester attempts to gain unauthorized entry into a facility such as an office or data center with the goal of discovering potential weaknesses in physical security controls. Common social engineering tactics include carrying bulky items and asking someone to open the door, or appearing dressed as an official.
6.2.3. Log review
Log review is an important part of information security management. It involves analyzing and reviewing logs generated by systems, endpoints, devices, and applications. The goal is to capture and parse meaningful information in these logs so that security incidents can be detected and responded to.
1) The importance of log review
Logs provide detailed information about system behavior, user behavior, security events, system errors, and more. Review and analysis of logs can help organizations understand the status and behavior of their systems, as well as any potential security issues.
2) Audit and evaluation of log management
The generation, collection, storage and processing of the logs themselves also need to be audited and evaluated. This involves ensuring log integrity, availability and confidentiality, as well as compliance. This may require reference to applicable legal requirements, industry codes and international standards to ensure that logs are managed compliantly.
3) Log review strategy
Organizations need to develop log review policies, procedures and technical configurations to ensure the effectiveness of log review. This may include determining the frequency of log review, the depth of the review, the tools and techniques to use, and how to handle the results of the review.
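As an added example (not part of the original notes) that ties the "alerts and events" problem in 6.2.1 to the log review described in this section: a small Python review of constructed firewall log lines that flags port scans, labels those from the organization's own scanner as authorized only when they fall inside the scheduled scan window, and still surfaces scanner-IP activity outside that window. The log format, addresses, port threshold and scan window are all assumptions.

```python
"""Port-scan detection over firewall logs with an allowlist for the
organization's own vulnerability scanner.

All log lines, addresses, thresholds and the scan window below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, time, timezone

# Constructed firewall export: one connection attempt per line.
SAMPLE_LOG = """\
2024-04-06T02:00:01Z src=10.0.5.20 dst=10.0.1.15 dport=21 action=DENY
2024-04-06T02:00:01Z src=10.0.5.20 dst=10.0.1.15 dport=22 action=ALLOW
2024-04-06T02:00:02Z src=10.0.5.20 dst=10.0.1.15 dport=23 action=DENY
2024-04-06T02:00:02Z src=10.0.5.20 dst=10.0.1.15 dport=80 action=ALLOW
2024-04-06T02:00:03Z src=10.0.5.20 dst=10.0.1.15 dport=443 action=ALLOW
2024-04-06T02:00:03Z src=10.0.5.20 dst=10.0.1.15 dport=3389 action=DENY
2024-04-06T09:15:10Z src=203.0.113.7 dst=10.0.1.15 dport=21 action=DENY
2024-04-06T09:15:10Z src=203.0.113.7 dst=10.0.1.15 dport=22 action=ALLOW
2024-04-06T09:15:11Z src=203.0.113.7 dst=10.0.1.15 dport=23 action=DENY
2024-04-06T09:15:11Z src=203.0.113.7 dst=10.0.1.15 dport=25 action=DENY
2024-04-06T09:15:12Z src=203.0.113.7 dst=10.0.1.15 dport=110 action=DENY
2024-04-06T09:15:12Z src=203.0.113.7 dst=10.0.1.15 dport=445 action=DENY
2024-04-06T09:30:00Z src=10.0.7.44 dst=10.0.1.15 dport=443 action=ALLOW
2024-04-06T09:30:05Z src=10.0.7.44 dst=10.0.1.15 dport=443 action=ALLOW
2024-04-06T14:05:00Z src=10.0.5.20 dst=10.0.1.30 dport=22 action=ALLOW
2024-04-06T14:05:00Z src=10.0.5.20 dst=10.0.1.30 dport=80 action=ALLOW
2024-04-06T14:05:01Z src=10.0.5.20 dst=10.0.1.30 dport=135 action=DENY
2024-04-06T14:05:01Z src=10.0.5.20 dst=10.0.1.30 dport=139 action=DENY
2024-04-06T14:05:02Z src=10.0.5.20 dst=10.0.1.30 dport=445 action=DENY
"""

# Constructed policy: the scanner appliance and its scheduled low-activity window.
SCANNER_IPS = {"10.0.5.20"}
SCAN_WINDOW = (time(1, 0), time(5, 0))   # scans are scheduled 01:00-05:00 UTC
PORT_THRESHOLD = 5                       # distinct ports per (src, dst) that count as a scan

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def in_scan_window(ts):
    """True when the timestamp falls inside the scheduled scan window."""
    start, end = SCAN_WINDOW
    return start <= ts.time() < end


def classify(log_text):
    """Group connections per (src, dst), detect port scans and label each.

    Labels:
      "alert"            - scan from an address that is not an authorized scanner
      "authorized_scan"  - scanner IP inside the scheduled window (kept in the record, not alerted)
      "alert_off_window" - scanner IP outside the window: misconfigured schedule, or
                           someone else using the scanner's address
    """
    ports = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        ports[key].add(rec["dport"])
        first_seen.setdefault(key, rec["ts"])   # lines are chronological
    findings = []
    for (src, dst), seen in sorted(ports.items()):
        if len(seen) < PORT_THRESHOLD:
            continue
        if src not in SCANNER_IPS:
            label = "alert"
        elif in_scan_window(first_seen[(src, dst)]):
            label = "authorized_scan"
        else:
            label = "alert_off_window"
        findings.append({"src": src, "dst": dst, "ports": sorted(seen), "label": label})
    return findings


def alerts(log_text):
    """Only the findings an analyst should act on."""
    return [f for f in classify(log_text) if f["label"] != "authorized_scan"]


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f['label']:17} {f['src']} -> {f['dst']} ports={f['ports']}")
```

Filtering by source address alone would also hide anyone who borrows the scanner's IP; pairing the allowlist with the scheduled window is what keeps the off-hours scan visible.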
6.2.4 Synthetic Transactions
Synthetic transactions refer to automated processes used to test and monitor system performance that simulate specific user behaviors or actions to verify the performance and reliability of an application, system, or network.
6.2.4.1 Common usage scenarios of synthetic transactions:
•Service Level Agreement (SLA) Monitoring: Synthetic transactions can be used to monitor whether a host or cloud-based service meets agreed service level standards.
•Data integrity monitoring: By simulating business logic rules and processing test data, synthetic transactions can raise alerts when data processing results do not meet expectations.
•System or service monitoring: Even in the absence of an SLA, systems or services can be monitored through synthetic transactions to ensure they are online and responsive.
6.2.4.2 Real User Monitoring (RUM)
RUM is a monitoring technology that monitors user interactions with an application or service in real time. This monitoring can be used to detect potential issues such as slow or unresponsive pages. However, RUM may raise privacy concerns and requires special care when used.
6.2.5. Code review and testing
Software is made up of code, so reviewing and testing code to identify and fix defects are critical security controls.
1. Test classification
Black box testing: The tester has no access to the source code or internal workings of the application and tests from the perspective of an external attacker or user.
White box testing: Testers have access to the source code or internal structure of the application and analyze it in depth to discover possible flaws and errors.
2. Test methods
• Code peer review: A manual method in which developers review each other's code to find possible errors and improvements.
• Static code analysis: An automated code review method in which specialized software analyzes the code without executing it to identify possible vulnerabilities, such as buffer overflows.
• Dynamic analysis testing: A run-time testing method that runs the program and observes its behavior to identify possible problems and vulnerabilities.
3. Test goals
•Coverage: The goal of testing should be to cover all code and functionality as much as possible to ensure that no defects or errors are missed.
•Automation: To balance development speed and security, the testing process should be automated as much as possible. For example, some common testing and remediation tasks can be automated through security orchestration automation and response (SOAR) tools.
6.2.6. Misuse case testing
6.2.6.1 Misuse case
Also called negative testing. The purpose is to evaluate how a system or application responds to unexpected inputs or situations, and to identify vulnerabilities that could be exploited in those situations.
For example, if the user enters a username but leaves the password blank, this may cause the application to crash or allow direct access to the system.
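An added Python example (not from the original notes) of the blank-password misuse case above: a constructed flawed login routine and its corrected form are run through the same set of negative inputs, and any outcome other than a clean rejection is recorded as a finding. The credential store, hashing parameters and input cases are all constructed.

```python
"""Misuse-case (negative) tests for a login routine: the blank-password case
from the notes plus a few more unexpected inputs.

`login_weak` is a constructed flawed implementation and `login_safe` its
corrected form; neither comes from the original notes.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000          # PBKDF2 work factor (kept modest for the demo)
MAX_PASSWORD_LEN = 1024      # upper bound so oversized input is rejected before hashing


def hash_pw(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest of a password string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_users():
    """Constructed credential store: username -> (salt, digest)."""
    salt = os.urandom(16)
    return {"alice": (salt, hash_pw("correct horse", salt))}


# A realistic-looking record verified against for unknown users, so the safe
# path does the same amount of work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_RECORD = (_DUMMY_SALT, hash_pw("dummy", _DUMMY_SALT))


def login_weak(username, password, users):
    """Flawed: a falsy (empty/None) password skips verification, unknown users raise."""
    salt, digest = users[username]                       # KeyError on unknown user
    if password and not hmac.compare_digest(hash_pw(password, salt), digest):
        return False
    return True                                          # reached when password == ""


def login_safe(username, password, users):
    """Corrected: validate input shape first, then verify; never raise, never shortcut."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        return False
    record = users.get(username)
    salt, digest = record if record is not None else _DUMMY_RECORD
    ok = hmac.compare_digest(hash_pw(password, salt), digest)
    return ok and record is not None


# Constructed negative inputs: each should be cleanly rejected.
MISUSE_CASES = {
    "blank_password": ("alice", ""),
    "none_password": ("alice", None),
    "wrong_type": ("alice", ["correct horse"]),
    "oversized_password": ("alice", "x" * 100_000),
    "unknown_user": ("mallory", "anything"),
}


def run_misuse_cases(login_fn, users):
    """Return {case: 'allowed' | 'rejected' | 'crashed:<ExceptionName>'}.

    A misuse test passes only when the outcome is 'rejected'; both
    'allowed' and 'crashed' are findings.
    """
    results = {}
    for name, (user, pw) in MISUSE_CASES.items():
        try:
            results[name] = "allowed" if login_fn(user, pw, users) else "rejected"
        except Exception as exc:                # any crash is itself a finding
            results[name] = f"crashed:{type(exc).__name__}"
    return results


def findings(results):
    """Names of the cases that did not end in a clean rejection."""
    return sorted(k for k, v in results.items() if v != "rejected")


if __name__ == "__main__":
    users = make_users()
    for fn in (login_weak, login_safe):
        print(fn.__name__, run_misuse_cases(fn, users))
```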
6.2.6.2 Abuse case
Abuse case testing is an integral part of threat modeling, modeling how a system or feature can be misused and describing specifically how an attacker could exploit this vulnerability.
6.2.7. Test coverage analysis
1. Test coverage = (number of tested components/total number of components) x 100%
2. Six common criteria:
1) Branch coverage: Ensures that every branch of each control statement is executed.
2) Condition coverage: Requires every Boolean sub-expression in the code to be evaluated as both true and false.
3) Function coverage: Ensures that every function in the program is called.
4) Statement coverage: Verifies that each line of code in the program is executed.
5) Decision coverage: Combines function and branch coverage to verify the various input and output combinations.
6) Parameter coverage: Tests the behavior of functions that accept parameters across the different parameter values.
Note: 100% coverage is the ideal, but cost makes it impossible to complete every test within a given period, so make sure that at least the key functions of the system receive sufficient test coverage.
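Added Python example (not from the original notes) applying the coverage formula above to one small, hand-instrumented access-control function: two constructed test suites show that 100% statement and branch coverage does not imply full condition coverage, and that full condition coverage does not imply full branch coverage. The function, its probes and the suites are all constructed.

```python
"""Statement, branch and condition coverage worked through by hand with
coverage = (tested components / total components) x 100 %.

Probes are inserted manually (instead of using a coverage tool) so the
arithmetic behind each metric is visible. Everything here is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Trace:
    statements: set = field(default_factory=set)   # executed statement ids
    branches: set = field(default_factory=set)     # (decision, outcome) pairs
    conditions: set = field(default_factory=set)   # (Boolean atom, outcome) pairs


CONDITION_NAMES = ("user_active", "has_mfa", "ip_trusted")
ALL_CONDITIONS = {(name, value) for name in CONDITION_NAMES for value in (True, False)}
TOTAL_STATEMENTS = 5      # S1..S5 below
TOTAL_BRANCHES = 4        # two decisions (D1, D2), two outcomes each
TOTAL_CONDITIONS = len(ALL_CONDITIONS)   # three atoms x true/false = 6


def grant_access(user_active, has_mfa, ip_trusted, trace):
    """Instrumented access decision: allow active users who have MFA or a trusted IP."""
    trace.statements.add("S1")
    trace.conditions.add(("user_active", user_active))
    if not user_active:                          # decision D1
        trace.branches.add(("D1", True))
        trace.statements.add("S2")
        return "deny"
    trace.branches.add(("D1", False))
    trace.statements.add("S3")
    trace.conditions.add(("has_mfa", has_mfa))
    trace.conditions.add(("ip_trusted", ip_trusted))
    if has_mfa or ip_trusted:                    # decision D2
        trace.branches.add(("D2", True))
        trace.statements.add("S4")
        return "allow"
    trace.branches.add(("D2", False))
    trace.statements.add("S5")
    return "deny"


def coverage(tested, total):
    """The formula from the notes, as a percentage rounded to one decimal."""
    return round(tested / total * 100, 1)


def run_suite(cases):
    """Run the (user_active, has_mfa, ip_trusted) cases; return coverage per criterion."""
    trace = Trace()
    for user_active, has_mfa, ip_trusted in cases:
        grant_access(user_active, has_mfa, ip_trusted, trace)
    return {
        "statement": coverage(len(trace.statements), TOTAL_STATEMENTS),
        "branch": coverage(len(trace.branches), TOTAL_BRANCHES),
        "condition": coverage(len(trace.conditions), TOTAL_CONDITIONS),
        "missing_conditions": sorted(ALL_CONDITIONS - trace.conditions),
        "missing_branches": sorted({("D1", True), ("D1", False), ("D2", True), ("D2", False)}
                                   - trace.branches),
    }


# Suite A: every statement and branch runs, yet the trusted-IP path is never exercised.
SUITE_A = [(False, False, False), (True, True, False), (True, False, False)]
# Suite B: every atom is seen true and false, yet the "active user denied" branch never runs.
SUITE_B = [(False, False, False), (True, True, False), (True, False, True)]


if __name__ == "__main__":
    for name, suite in (("A", SUITE_A), ("B", SUITE_B)):
        print(name, run_suite(suite))
```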
6.2.8. Interface testing
Interface Testing is a key component of system testing. It mainly focuses on the points where the system interacts with external elements. These elements may be other systems, users or processes.
The main interface types include:
• User interface (UI): This is the main way the user interacts with the system and can be either a graphical user interface (GUI) or a command line interface (CLI).
• Application programming interface (API): This is how the system interacts with other software, such as the REST API of a web application, or APIs for inter-process communication (IPC) and remote procedure calls (RPC).
The goal of interface testing is to ensure that data is transferred and converted correctly between entities and that all error conditions are handled appropriately. This includes verifying that data is formatted correctly, checking the effectiveness of error handling mechanisms, and ensuring that correct access controls are enforced during transmission. This can ensure data integrity, system stability and security, and prevent data loss or damage due to interface errors.
6.2.9. Breach and attack simulation
6.2.9.1 Breach and attack simulation (BAS)
Breach and attack simulation is an emerging automated security testing technology whose main goal is to simulate real attacker behavior in an attempt to gain unauthorized system access. It combines elements of vulnerability scanning and automated penetration testing, using the latest attack methods and newly discovered vulnerabilities to test an organization's defenses against new threats. With a BAS solution, this testing can be performed more frequently, uncovering security weaknesses faster than traditional periodic vulnerability scans or penetration tests.
6.2.9.2 BAS attack categories
•Endpoint attacks
BAS performs actions on or against network endpoints, such as creating files or processes that match known malware signatures, to test endpoint detection and response (EDR) capabilities. This can be done via a BAS device or control unit, or via a software agent running on the endpoint.
•Network attacks
BAS sends network traffic that should be blocked and triggers an alert if known malicious traffic is not blocked by devices such as firewalls or routers.
• E-mail attacks
BAS generates and sends test e-mails to test the effectiveness of spam filters, e-mail fraud controls, and content filters. If a message reaches the inbox or is opened by the user, this indicates a weakness in the e-mail security controls.
•Behavior-based attacks
Advanced BAS capabilities can also test behavior-based security controls, such as detecting malicious network scanning activity or complex interactions with applications that should normally be blocked by a web application firewall (WAF).
6.2.10. Compliance Checks
Compliance is not synonymous with security, but it is an important starting point for an organization's risk management program. A compliance framework typically covers a set of industry- or region-specific risks, and the security controls implemented are designed to mitigate those risks.
Compliance reviews are part of the regulatory process and the goal is to identify controls that have become insufficient or ineffective due to changes in the risk environment, or that are no longer performing correctly. Typically, this review is carried out through an audit, for example:
•PCI-DSS (Payment Card Industry Data Security Standard): This is a security standard for organizations that process, store, or transmit credit card information. PCI-DSS requires organizations to conduct an annual compliance audit.
• SOC 2 (Service Organization Control 2): This is a standard that evaluates a service organization's controls over security, availability, processing integrity, confidentiality, and privacy. SOC 2 requires organizations to conduct an annual compliance audit.
• ISO 27001: This is an international standard for information security management. ISO 27001 requires organizations to conduct a compliance audit every three years.
6.3. Collection of security program data (e.g. technical and administrative)
6.3.1. Technical controls and procedures
1. Data sources
Technical (logical) controls are implemented through electronic systems and usually produce native records. This technical data may include information collected under the organization's logging and monitoring policies, as well as data generated by analyzing those logs, for example an application's access logs and the logs of network devices such as routers or firewalls.
2. Collection
By implementing and monitoring the following controls and processes, organizations can collect useful metrics and data about their security posture so they can take the necessary steps to protect their data and systems:
1) Loss prevention processes: The goal of these processes is to prevent security threats. They may include technical controls such as data encryption, network access control, and endpoint control.
2) Detection processes: The goal of these processes is to detect security incidents or abnormal behaviors. They may include technical controls such as endpoint detection and response (EDR) and security information and event management (SIEM).
3) Response processes: The goal of these processes is to resolve security issues. They may include technology controls such as endpoint detection and response (EDR) and intrusion prevention systems (IPS).
6.3.2. Administrative controls
Administrative controls guide the appropriate behavior of employees and other users by establishing and enforcing policies and procedures. These controls may involve various codes of conduct, work processes and guidelines. Measuring the effectiveness of administrative controls often requires the collection and analysis of data related to policy implementation.
Take, for example, an organizational policy that prohibits the use of social media on organizational devices. Data can be collected from:
• Policy Scope: How many users have read and understood the policy and confirmed their understanding and compliance by signing?
•Educational effectiveness: How many users attempted to access restricted content? This may reflect the extent to which employees understand the policy and the dissemination and educational effectiveness of the policy.
• Technical availability: Based on network traffic, how many users are able to access restricted content? This may reflect the effectiveness of technical controls in enforcing policy.
6.3.3. Account management
Account management is a critical component of information system security because it directly affects the implementation of access controls. Account management data is an important focus when collecting data about security processes.
Here are some key data you may need to collect during the account management process:
• Timely account management: For example, when a user's role changes or the user leaves the company, are their access rights adjusted or revoked within the specified time frame?
• Account provisioning or de-provisioning notifications: For example, are users notified within 24 hours when they join or leave the organization?
• Account reviews: Are account reviews conducted according to the organization's defined schedule to ensure that all accounts are still required and have the correct permission levels?
• Correct execution of procedures: For example, whether proper verification is done during password reset or sending, or whether network access controls are configured correctly.
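An added Python example (not part of the original notes) for the timely account management metric above: constructed HR leaver records are matched against constructed IAM disable events to compute the share of accounts revoked within the window, list the late ones with their delay, and flag leavers whose accounts were never disabled. The 24-hour window, field layout and all records are assumptions.

```python
"""Account-management metric: were access rights revoked within the required
window after a leaver's termination date?

HR and IAM records, the 24-hour window and the field names are constructed.
"""
from datetime import datetime, timedelta

REVOCATION_WINDOW = timedelta(hours=24)

# Constructed HR feed: username -> termination effective timestamp.
HR_LEAVERS = {
    "bob":   datetime(2024, 3, 1, 17, 0),
    "carol": datetime(2024, 3, 4, 12, 0),
    "dave":  datetime(2024, 3, 5, 9, 0),
    "erin":  datetime(2024, 3, 6, 18, 0),
}

# Constructed IAM audit log: (username, timestamp) for each account-disable event.
IAM_DISABLE_EVENTS = [
    ("bob",   datetime(2024, 3, 1, 17, 30)),
    ("carol", datetime(2024, 3, 6, 8, 0)),    # 44 h after leaving: late
    ("dave",  datetime(2024, 3, 5, 20, 0)),
    ("dave",  datetime(2024, 3, 7, 10, 0)),   # duplicate event; the first one counts
    # erin has no disable event at all: an orphaned account
]


def revocation_report(leavers, disable_events, window=REVOCATION_WINDOW):
    """Compare termination dates with the first disable event per account.

    Returns {"on_time_pct": float, "late": [(user, hours_late)], "orphaned": [user]}.
    A disable that happened before the termination time (pre-scheduled) counts as on time.
    """
    first_disable = {}
    for user, ts in disable_events:
        if user not in first_disable or ts < first_disable[user]:
            first_disable[user] = ts

    on_time, late, orphaned = [], [], []
    for user, left_at in leavers.items():
        disabled_at = first_disable.get(user)
        if disabled_at is None:
            orphaned.append(user)                    # still enabled: highest-priority finding
        elif disabled_at - left_at <= window:
            on_time.append(user)
        else:
            hours = round((disabled_at - left_at).total_seconds() / 3600, 1)
            late.append((user, hours))

    pct = round(len(on_time) / len(leavers) * 100, 1) if leavers else 100.0
    return {"on_time_pct": pct, "late": late, "orphaned": orphaned}


if __name__ == "__main__":
    print(revocation_report(HR_LEAVERS, IAM_DISABLE_EVENTS))
```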
6.3.4. Management review and approval
Management review and approval is a critical security process that involves the evaluation, reporting, and approval of a variety of security-related documentation. This documentation is not only critical for audits and reconciliations, but also demonstrates management's approval of and involvement in the security program. In addition, these records establish due diligence and due care for any issues related to safety and security processes.
The following framework formally defines the security-related management review and approval process:
• ISO 27001
Management must regularly review the information security program's "continued suitability, appropriateness and effectiveness"
•NIST and FedRAMP
These frameworks define management roles for assessment and authorization as well as ongoing monitoring. Management needs to review the plans and results of the evaluation of the information system and then make a formal decision authorizing the system's use. Management also uses continuous monitoring data to ensure the effectiveness of risk remediation actions.
• Certification and accreditation
This involves similar processes of assessment and authorization. Certification is a formal evaluation of a system or process against a set of standards, while accreditation is a formal decision about a system's suitability to perform a specified function. This approach helps organizations develop governance processes to formally evaluate and approve systems based on their security capabilities and needs.
• SOC 2
This framework requires management to establish “performance measures” and generate and use “relevant, high-quality information to support the operation of internal controls.”
• Control Objectives for Information and Related Technologies (COBIT)
This is a management framework for information technology and cybersecurity that emphasizes management's responsibility in planning resources, capabilities and monitoring tasks, as well as the task of reviewing organizational control plans.
6.3.5. Key performance and risk indicators
Key performance indicators (KPIs) and key risk indicators (KRIs) are important tools for measuring and tracking the effectiveness of an organization's risk management. KPIs monitor the effectiveness of existing risk mitigation measures, while KRIs help the organization foresee and prepare for risks that may arise in the future. Each organization sets its own KPIs and KRIs according to its specific situation.
1. Key Performance Indicators (KPIs)
Here are some common and important KPIs:
•Mean Time to Detection (MTTD): Measures the average time it takes to detect a security incident or threat.
•Mean Time to Recovery (MTTR): Measures the average time required to resolve a security incident.
• Security Score: Many vendors provide a security scorecard or rating, which can be used as an important indicator of an organization's security performance maturity.
•Return on Investment (ROI): Measures the effectiveness of controls in reducing risk versus cost.
2. Key risk indicators (KRIs): Here are some valuable KRIs:
• Number of security incidents: An increase in security incidents may indicate that the threat environment has changed, which may require stronger security tools or additional staff.
• Number of issues discovered: An increase in audit and assessment findings may indicate gaps in the security program that need additional attention or resources to correct.
• Number of phishing attempts discovered or reported: An increase in phishing attempts often indicates an ongoing attack in which attackers try to obtain valid credentials for access to the organization's resources. In response, organizations may need to add monitoring, adopt multi-factor authentication, strengthen user training, and take other measures.
6.3.6. Backup verification data
Backup verification data can come from written logs of backup occurrences manually recorded by IT staff, but more commonly comes from logs produced by the backup application or system. All critical information should be backed up in case an incident occurs that renders the data unusable or damages the system. The events leading to data loss should be well documented, along with the complete recovery process of the backed up data. The backup strategy will be introduced in detail in Chapter 7.
6.3.7. Training and awareness
Establishing and maintaining a program that provides security awareness, education, and training is critical because users are both an important line of defense against attacks and high-value targets for attacks.
The following are key metrics for assessing the effectiveness of such programs:
•Training Completion Rate: Employees who do not complete training may be prone to overlooking potential threats.
•Information retention and behavior change: Successful training requires employees to remember and apply learned knowledge over the long term.
•Continuous updates: Training content needs to be updated as threats and risks change.
•Adapt to the audience: Training materials and methods need to be customized to the skill level and learning needs of employees.
6.3.8. Disaster Recovery (DR) and Business Continuity (BC)
DR and BC data should include details such as critical recovery point objectives, recovery time objectives, and maximum allowed downtime. The most critical thing is to assess how well the organization achieves these goals during actual events.
When evaluating and monitoring the effectiveness of disaster recovery (DR) and business continuity (BC) plans, the following core questions should be considered:
•Plan adaptability and timeliness: Is there a complete BCDR and operations continuity plan? Are they updated regularly to reflect organizational changes?
• Personnel awareness and readiness: Do key personnel understand their roles and responsibilities in the plan?
•Plan accessibility: Is the latest version of the plan readily available and stored securely?
•Comprehensiveness of the plan: Does the plan cover the organization's current critical functions?
• Timely updates to the plan: Are there major organizational changes not yet reflected in the plan, such as major IT architecture changes or business activities?
• Plan testing and improvement: Is the plan tested regularly, and are any defects found fixed?
• Management of third-party dependencies: If the organization relies on critical third parties or services, are these dependencies tested?
• Integration with other processes: Are other processes, such as change management, integrated with the BCDR plan so that changes to the organization trigger an appropriate re-evaluation?
6.4 Analyze test output and generate reports
6.4.1. Typical audit report content
Audit reports usually include the following sections:
•Executive summary: Provides an overview of the testing activities and results.
•Assumptions and limitations: Disclose the constraints and presuppositions of the evaluation process, providing context for understanding the results.
•Scope: Clarifies the scope covered by the assessment.
•Activity summary: Provides an overview of all testing and audit activities performed by the assessment team.
•Findings and issues: Lists all findings, defects, or issues together with their location, severity, and associated evidence.
•Recommendations: Provide solutions and recommendations for the discovered problems, generally including remediation steps and any specific configuration commands that may be required.
•Appendices: Generally contain detailed information kept outside the main body of the report, which keeps the report easy to read and understand while still giving technicians the details they need.
6.4.2. Remedies
1. Remedial action process:
1) Identify problems: Discover gaps or problems in security control.
2) Create a plan: Create a remediation plan to solve the problem.
3) Perform remediation: Follow the plan to resolve the issue.
4) Retest: Retest to confirm the effectiveness of the remedy.
2. Elements of a remediation plan:
•Issue details: Describe the issue found in detail.
•Mitigation measures: The planned remedial steps or measures.
•Priority: Prioritize issues based on their severity and risk.
•Resolution time: The total time estimated to be required to resolve the issue.
•Resource requirements: The resources required to perform the remediation actions.
•Milestones and expectations: Set key completion dates and desired outcomes.
3. The importance of retesting:
Retesting is a critical step in confirming that remediation measures are effective, which is typically verified through regular vulnerability scans.
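To make the remediation process above concrete, here is an added Python example (not from the study notes) that builds a prioritized remediation plan from scan findings and then performs the retest comparison between a baseline scan and a rescan. The SLA days per severity, the hosts and the check identifiers are constructed sample values, not a standard.

```python
"""Remediation plan and retest verification, as an added example.
The findings, hosts, check identifiers and SLA values below are constructed
sample data, not taken from any scanner or standard."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation deadlines (days after discovery) by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TODAY = date(2024, 4, 6)  # constructed "current date" for the worked run


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str      # scanner check identifier (constructed, e.g. "CHK-0001")
    severity: str      # one of the SLA_DAYS keys
    discovered: date


def finding_key(f: Finding) -> tuple:
    """A finding is identified by where it was seen and which check fired."""
    return (f.host, f.check_id)


def build_plan(findings: list, today: date) -> list:
    """Remediation plan elements: issue, priority, resolution deadline, status.
    Highest severity first, then oldest first, so the plan doubles as a
    milestone list."""
    for f in findings:
        if f.severity not in SLA_DAYS:
            raise ValueError(f"unknown severity {f.severity!r}")
    ordered = sorted(findings, key=lambda f: (ORDER[f.severity], f.discovered))
    plan = []
    for f in ordered:
        due = f.discovered + timedelta(days=SLA_DAYS[f.severity])
        plan.append({
            "issue": finding_key(f),
            "priority": f.severity,
            "due": due,
            "overdue": today > due,
        })
    return plan


def retest(baseline: list, rescan: list) -> dict:
    """Compare a rescan against the baseline. A finding counts as remediated
    only when the same check no longer fires on the same host; anything that
    still fires is persistent and needs escalation; new findings start a new
    remediation cycle."""
    before = {finding_key(f) for f in baseline}
    after = {finding_key(f) for f in rescan}
    return {
        "remediated": sorted(before - after),
        "persistent": sorted(before & after),
        "new": sorted(after - before),
    }


# Constructed sample data: a baseline scan and a rescan after remediation.
BASELINE = [
    Finding("10.0.0.5", "CHK-0001", "high", date(2024, 3, 1)),
    Finding("10.0.0.5", "CHK-0002", "medium", date(2024, 3, 1)),
    Finding("10.0.0.6", "CHK-0001", "critical", date(2024, 3, 20)),
]
RESCAN = [
    Finding("10.0.0.5", "CHK-0002", "medium", date(2024, 4, 6)),
    Finding("10.0.0.7", "CHK-0003", "low", date(2024, 4, 6)),
]

if __name__ == "__main__":
    for item in build_plan(BASELINE, TODAY):
        print(item)
    print(retest(BASELINE, RESCAN))
```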
6.4.3. Exception Handling
1. Definition:
Exception handling refers to the handling of issues discovered during an audit or security assessment that cannot be resolved through conventional remedial measures.
2. Purpose:
Grant exceptions temporarily to address issues that cannot be resolved directly. These exceptions should only be granted on a temporary basis; there should be no permanent exceptions. If an exception is required in the long term, the relevant policy should be updated to reflect the new need.
3. Recorded information:
•Risk details: Specific details of the risk, shortcoming or problem, and when and by whom it was discovered.
•Reason for the exception: Management needs to explain why the particular risk cannot be mitigated.
•Compensating controls: If a risk cannot be addressed directly to reach the organization's target risk level, consider partially mitigating it through compensating controls (such as increased monitoring).
•Exception approval: Management must explicitly decide to accept the additional risk and document the review and approval process to clarify responsibilities.
•Exception duration: Most exceptions should be granted on a temporary basis, with a clear period of validity for the exception.
6.4.4. Ethical Disclosure
1. Best Practices for Ethical Disclosure
Organizations should be prepared to receive ethical disclosures about vulnerabilities. This includes developing a disclosure policy, receiving vulnerability disclosures, and not adopting a hostile attitude. As a security researcher or ethical hacker, you should abide by these policies and act within the boundaries of the law.
2. Types of vulnerability disclosure:
• Non-disclosure: Disclosure of a vulnerability may be prohibited due to contractual or legal obligations, for example, disclosure of the vulnerability may harm an ongoing criminal investigation.
•Full Disclosure: When a vulnerability is discovered, it should be reported fully and transparently as quickly as possible to the organization responsible for remediation. However, many vendors can be hostile to researchers trying to report vulnerabilities.
•Responsible disclosure: This principle states that discoverers should promptly report vulnerabilities to the organization and give the organization time to remediate the vulnerability before public disclosure.
•Mandatory reporting: In some cases, reporting discovered vulnerabilities to law enforcement or other agencies may be mandatory.
• Whistleblowing: In the event a security vulnerability is discovered, if the whistleblower follows the appropriate channels to disclose the discovered vulnerability, they may be legally protected from prosecution for copyright infringement or other relevant laws.
6.5. Conduct or promote security audits
6.5.1. Common audit frameworks
Security professionals can use audits to assess an organization's compliance with various security standards. The audit plan needs to have management support, appropriate resources, effective oversight, and realistic timetables. Here are some common audit frameworks:
1) SSAE 18 (SOC 2): Focuses on a service organization's controls over security, availability, processing integrity, confidentiality, and privacy.
2) ISO/IEC 15408-1:2009: Provides a general framework for evaluating the security functions of information technology products and systems.
3) ISO/IEC 18045:2008: Provides methods for performing ISO/IEC 15408 evaluations.
4) ISO/IEC 27006:2015: Specifies the requirements for performing ISO/IEC 27001 Information Security Management System (ISMS) certification.
5) NIST SP 800-53A: Provides a method for assessing security controls in federal information systems.
6) NIST CSF: Provides a risk management framework for enhancing the security of an organization's networks and information systems.
7) FedRAMP SAF: The Federal Risk and Authorization Management Program Security Assessment Framework, for cloud products and services used by the federal government.
During an audit, sampling is often performed to reduce the workload while ensuring an understanding of possible deficiencies. The sample should be representative of the whole being audited.
6.5.2. Internal audit
Internal audits are audits performed by people within the organization. They have the following characteristics:
•Familiarity: Internal auditors have in-depth knowledge of the organization's processes, tools, and people, which enables them to better understand and evaluate the organization's internal controls and operational effectiveness.
•Risk of bias: Internal auditors may overlook or misinterpret certain aspects of the organization's operations because they are overly familiar with them. They therefore need to make an effort to remain objective or seek the opinions of outside observers.
•Independence issues: Because internal auditors are part of the organization, they may be subject to pressures that affect their independent judgment and impartial reporting.
•Preparation for external audits: Internal audits are often used to discover and resolve problems ahead of an external audit, in order to obtain better results in the formal external audit.
6.5.3. External audit
An external audit is an audit performed by an auditor outside the organization. Its main features include:
•Independence: External auditors are not influenced by pressure within the organization and therefore can conduct the audit objectively and impartially. They can view an organization's operations and controls without bias and provide an unbiased opinion.
•Specialized skills: External auditors usually have highly specialized skills and experience, such as certified public accountants (CPA). They can perform complex audit tasks such as SOC 2 audits.
•Cost and time: External audits typically cost more than internal audits, in part because of the time required to understand the organization's operations and processes. Additionally, they may miss some details due to unfamiliarity with the organization.
•Compliance requirements: Many compliance frameworks and regulations require organizations to conduct regular external audits to demonstrate the effectiveness of their internal controls.
6.5.4. Third-party audit
A third-party audit is a risk assessment process for an organization's external suppliers or partners. It mainly involves the following:
•Risk management tool: Third-party auditing is a key tool for managing risk in relationships with third parties such as suppliers and partners. It helps identify and mitigate risks that may affect the organization.
•Sensitive data protection: It is extremely important to conduct security audits of third parties that have access to the organization's sensitive data. This helps the organization reduce legal liability arising from security incidents caused by third parties.
•Common third-party audits: Common third-party audits include SOC 2 audits and CSA STAR audits. During the audit, attention needs to be paid to the audit standard, data sharing, risk discovery, the third party's risk response methods, and their remediation plans.
•Supply chain complexity: Due to the complexity of modern supply chains, the third-party risk assessment process has become increasingly complex. Organizations need to identify all suppliers in their supply chain and ensure they are adequately audited and assessed to minimize the risks they face.
Review questions
1. While performing a port scan, Susan found a system running services on TCP and UDP ports 137-139 and TCP 445 and 1433. If she connected to this machine, what type of system would she likely find? A. A Linux email server B. A Windows SQL server C. A Linux file server D. A Windows workstation
B
139\445
2. Which of the following is a method for automatically designing tests for new software and ensuring test quality? A. Code audit B. Static code analysis C. Regression testing D. Mutation testing
D
3. While performing a port scan, Naomi discovered that TCP port 443 was open on one system. Which tool is best for scanning the services that may be running on this port? A. zzuf B. Nikto C. Metasploit D. sqlmap
B
Web penetration tools: FireBug, AutoProxy, nmap, sqlmap, Metasploit, Wireshark
Fuzz testing (providing software with invalid input, randomly generated or specially constructed): zzuf
Database vulnerability scanning: sqlmap
Web vulnerability scanning: Nikto
Network port scanning: nmap
4. Which message logging standard is commonly used by network equipment, Linux and Unix systems, and many other enterprise devices? A. Syslog B. Netlog C. Eventlog D. Remote Logging Protocol (RLP)
A
5. Alex wants to use automated tools to populate web application forms to test for format string vulnerabilities. What type of tool should he use? A. Black box B. Brute force cracking tools C. Fuzzer D. Static analysis tools
C
P579 Fuzz testing tests software boundaries by appending strings to the end of inputs and performing other data manipulation.
6. Susan needs to perform a vulnerability scan on a system and wants to use an open source tool to test the system remotely. Which of the following tools meets her requirements and allows for vulnerability scanning? A. Nmap B. OpenVAS C. MBSA D. Nessus
B
OpenVAS, which stands for Open Vulnerability Assessment Scanner, is a widely trusted open source tool. Its rich functionality and easy-to-use interface let users detect and fix known security vulnerabilities. Microsoft Baseline Security Analyzer (MBSA) can check for operating system and SQL Server updates; MBSA can also scan computers for insecure configurations. Nessus is the most widely used system vulnerability scanning and analysis software in the world. In 2002, Renaud, Ron Gula, and Jack Huffard founded an organization called Tenable Network Security. When the third version of Nessus was released, the organization took back the copyright and program source code of Nessus (originally open source) and registered them to the organization. The company is located in Columbia, Maryland, USA.
7. Morgan is implementing a vulnerability scoring and assessment system that uses standards-based components to score and evaluate discovered vulnerabilities. Which of the following is most commonly used to provide a severity score for a vulnerability? A. CCE B. CVSS C. CPE D. OVAL
B
Vulnerability description
•Security Content Automation Protocol (SCAP): SCAP is a common standard for vulnerability description and assessment provided by NIST to the security community, promoting the automation of interactions between different security systems. SCAP components include:
•Common Vulnerabilities and Exposures (CVE): Provides a naming system for describing security vulnerabilities.
•Common Vulnerability Scoring System (CVSS): Provides a standardized scoring system that describes the severity of security vulnerabilities.
•Common Configuration Enumeration (CCE): Provides a naming system for system configuration issues.
•Common Platform Enumeration (CPE): Provides a naming system for operating systems, applications, and devices.
•Extensible Configuration Checklist Description Format (XCCDF): Provides a language for describing security checklists.
•Open Vulnerability and Assessment Language (OVAL): Provides a language for describing the security testing process.
8. Jim was commissioned to conduct penetration testing of a bank's main branch. To make the test as realistic as possible, he was not given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform? A. Crystal box penetration testing B. Gray box penetration testing C. Black box penetration testing D. White box penetration testing
C
9. In response to a request for proposal, Susan received an SSAE 18 SOC report. If she wants the report to include details about operating effectiveness, which report should she ask for as a follow-up, and why? A. A SOC 2 Type II report, because Type I does not cover operating effectiveness B. A SOC 1 Type I report, because SOC 2 does not cover operating effectiveness C. A SOC 2 Type I report, because SOC 2 Type II does not cover operating effectiveness D. A SOC 3 report, because the SOC 1 and SOC 2 reports are obsolete
A
P563 SSAE 18 and ISAE 3402 statements are commonly referred to as service organization controls (SOC) audits and come in three forms.
SOC 1 statement: Evaluates organizational controls that may affect the accuracy of financial reporting.
SOC 2 statement: Evaluates the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in the system. SOC 2 audit results are confidential and are generally shared only under a non-disclosure agreement.
SOC 3 statement: Evaluates the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in the system, like SOC 2, but SOC 3 audit results are intended for public disclosure.
•Type I report: Describes the controls provided by the audited organization and gives the auditor's opinion based on that description. Type I reports cover a point in time and do not involve actual testing of the controls by the auditor.
•Type II report: Covers a minimum period of 6 months and also includes the auditor's opinion on the effectiveness of those controls based on actual testing results. Type II reports are generally considered more reliable than Type I reports because they include independent testing of controls; a Type I report merely lets the service organization demonstrate that the controls have been implemented as described.
10. During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. Which of the following factors might have contributed to the failure of her attempt to crack the password? A. Use of WPA2 encryption B. Running Enterprise mode in WPA2 C. Use of WEP encryption D. Running PSK mode in WPA2
C
11. A zero-day vulnerability in a popular Apache web server appeared in the course of a working day. As an information security analyst, Jacob needs to quickly scan his network to determine which servers are affected by the issue. What is the fastest way for Jacob to identify vulnerable systems? A. Immediately run a Nessus scan of all servers to determine which systems are vulnerable. B. Check the CVE database for vulnerability information and patch information. C. Create a custom IDS or IPS signature. D. Determine the affected versions and use an automated scanning tool to check the systems' version numbers.
D
12. What type of testing is used to ensure that individually developed software modules exchange data correctly? A. Fuzzing (fuzz testing) B. Dynamic testing C. Interface testing D. API checksum
C
13. Salen wants to provide security assessment information to customers who want to use the organization's cloud services. Which of the following options should be selected to ensure that as many customers as possible are satisfied with the assessment information? A. Use the internal audit team to conduct a self-assessment based on internal metrics. B. Use a third-party auditor. C. Use in-house technical staff who understand the system. D. Use the internal audit team to conduct a self-assessment against a commonly used standard such as COBIT.
B
14. Yasmine was asked to consider a breach and attack simulation system. What type of system should she be looking for? A. A ticketing and change management system designed to help manage incidents B. A system for running incident response simulations so that blue teams can test their skills C. An automated system that combines red team and blue team techniques D. A security orchestration, automation, and response (SOAR) system
C
15. Monica wants to collect information about the organization's security awareness. What is the most common technique for assessing security awareness? A. Phishing simulator B. Gamified applications C. Evaluation test D. Questionnaire
D
16. Jim was commissioned to conduct a gray box penetration test, and his client provided him with the following information about their network so that he could scan it:
Data center: 10.10.10.0/24
Sales: 10.10.11.0/24
Billing: 10.10.12.0/24
Wireless network: 192.168.0.0/16
What problem would he encounter if he were asked to scan from the outside? A. The IP range is too large to be scanned efficiently. B. The IP addresses provided cannot be scanned. C. Duplicate IP ranges will cause scanning issues. D. The IP addresses provided are RFC 1918 addresses.
D
17. Mark's company was notified that its web application was vulnerable. The anonymous informant told him that they had two weeks to fix it before the details of the vulnerability and sample exploit code would be released. Which industry code did the individual who contacted Mark's company violate? A. Zero-day reporting B. Ethical disclosure C. Ethical hacking D. (ISC)2 vulnerability disclosure ethics statement
B
For questions 18-20, consider the following scenario: Jennifer's company has implemented a centralized logging infrastructure, as shown in the following figure. Use this diagram and your knowledge of logging systems to answer the following questions.
18. Jennifer needs to ensure that all Windows systems provide the same log information to the SIEM. How can she best ensure that all Windows desktop systems have the same logging settings? A. Conduct regular configuration audits. B. Use Group Policy. C. Use local policies. D. Deploy a Windows syslog client.
B
19. During normal operations, Jennifer's team uses a SIEM appliance to monitor for anomalies via syslog. Which system shown does not support syslog events? A. Enterprise wireless access point B. Windows desktop system C. Linux web server D. Enterprise firewall appliance
B
P582 Windows needs a third-party client installed to support syslog; Windows settings are managed with Group Policy.
20. For each device shown in the diagram, what technology should the organization use to ensure time-sequenced logging across the entire infrastructure? A. Syslog B. NTP C. Logsync D. SNAP
B
21. During a penetration test, hetele needs to identify systems but has not yet gained sufficient privileges to generate raw packets on the system being used. Which type of scan should she run to verify the most open services? A. TCP connect scan B. TCP SYN scan C. UDP scan D. ICMP scan
A
22. While using nmap to perform a port scan, Josezoh found a system showing two open ports, which immediately worried him: 21/open 23/open. What services might be running on these ports? A. SSH and FTP B. FTP and Telnet C. SMTP and Telnet D. POP3 and SMTP
B
23.Aaron wants to verify his company's compliance with PCI-DSS. His company is a large business organization with millions of dollars of transactions annually. What is the most common way for large organizations to conduct this type of testing? A. Self-assessment B. Conduct a third-party assessment of COBIT C. Partner with another company and conduct an assessment exchange between the two organizations D. Use a qualified security assessor to conduct a third-party assessment
D
24. What is a common method used to evaluate software test coverage of an application's potential usage? A. Test coverage analysis B. Source code review C. Fuzz analysis D. Code review report
A
25. Tests that focus on functionality that the system should not allow are examples of what type of testing? A. Use case testing B. Manual testing C. Misuse case testing D.Dynamic testing
C
26. What type of monitoring uses simulated traffic to a website to monitor performance? A. Log analysis B. Synthetic performance monitoring C. Passive monitoring D. Simulated transaction analysis
B
27. Perek wants to ensure that his organization tracks all changes to all accounts throughout their lifecycle. What type of tool should his organization invest in? A. A directory service like LDAP B. IAM system C. SIEM system D. EDR system
B
Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information over IP networks.
Identity and access management (IAM): a unified identity authentication and management platform.
Security information and event management (SIEM) is a security solution that helps organizations identify and resolve potential security threats and vulnerabilities before they have a chance to disrupt business operations. SIEM systems help enterprise security teams detect anomalies in user behavior and use artificial intelligence (AI) to automate many of the manual processes related to threat detection and incident response. The original SIEM platforms were log management tools that combined security information management (SIM) and security event management (SEM) to enable real-time monitoring and analysis of security-related events, as well as tracking and recording of security data for compliance or audit purposes. (Gartner coined the term SIEM in 2005 to refer to the combination of SIM and SEM technologies.) SIEM software has evolved over the years to incorporate user and entity behavior analytics (UEBA) and other advanced security analytics, artificial intelligence, and machine learning capabilities used to identify anomalous behavior and advanced threat indicators. Today, SIEM is a staple of modern security operations centers (SOCs) for security monitoring and compliance management use cases.
Endpoint detection and response (EDR) is a technology that provides continuous monitoring of, and response to, advanced cybersecurity threats against enterprise networks and systems. EDR is a subset of endpoint security that takes a holistic approach to protecting corporate networks and data when employees access the network remotely via laptops, smartphones, and other mobile devices. Because these assets are at the end of the chain that connects users to the company's technology stack, they are called endpoints.
28. Jim uses a tool that scans systems for available services, then connects to those services to collect banner information in order to determine the service version. It then produces a report detailing what it collected, based on service fingerprints, banner information, and similar details, combined with CVE information. What type of tool is Jim using? A. Port scanner B. Service validator C. Vulnerability scanner D. Patch management tool
C
29. Emily writes a script to send data to a web application she is testing. Each time the script runs, it sends a series of transactions that match the expected requirements of the web application, to verify its responses to typical customer behavior. What type of transactions is she using, and what type of test is this? A. Synthetic, passive monitoring B. Synthetic, use case testing C. Actual, dynamic monitoring D. Actual, fuzz testing
B
30. Which passive monitoring technique records all user interactions with an application or website to ensure quality and performance? A. Client/server testing B. Real user monitoring C. Synthetic user monitoring D. Passive user recording
B
31. Earlier this year, Jim's employer's information security team discovered a vulnerability in the web server he is responsible for maintaining. He immediately applied the patch and is confident it was installed correctly, but vulnerability scans still incorrectly flag the system as vulnerable. What should he do so that the system is no longer mislabeled? A. Uninstall and reinstall the patch. B. Ask the information security team to mark the system as fixed and no longer harboring that specific vulnerability. C. Update the version information in the web server configuration. D. Review the vulnerability report and use other remediation options.
B
32. Anools wants to use automated tools to test how a web browser handles external data. Which tool should she choose? A. Nmap B. zzuf C. Nessus D. Nikto
B
Network vulnerability scanners: •Nessus, a widely used vulnerability scanner •QualysGuard, from Qualys •NeXpose, from Rapid7 •OpenVAS, an open source scanner
Commonly used web application vulnerability scanners: •Nessus •Commercial scanner Acunetix •Open source scanners Nikto and Wapiti •Proxy tool Burp Suite
Network discovery scanner: Nmap (Xmas scan)
Database vulnerability scanner: sqlmap
Penetration tool: Metasploit
Remember these.
33. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. In which part of application threat modeling is it useful? A. Vulnerability assessment B. Misuse case testing C. Threat classification D. Penetration test planning
C
1. Spoofing is disguise. For example, posting under someone else's ID is identity spoofing; changing the source IP address is IP spoofing.
2. Tampering means altering data. For example, the way to post under someone else's ID is to tamper with legitimate packets when the server has no corresponding checks.
3. Repudiation means refusing to admit an action. For example, if the attacks were carried out, nobody knows who did it, and there is no evidence, the attacker does not have to admit to them.
4. Information disclosure is the leakage of information. For example, if a series of digital pictures has no protection, the information on the pictures can easily be obtained by others.
5. Denial of service is making a service unavailable. For example, automated posting that makes the site unavailable to normal users is such an attack.
6. Elevation of privilege is gaining higher privileges. For example, attempting to perform actions with administrator privileges falls into this category.
34. Why should passive scanning be performed in addition to implementing wireless security technology such as wireless intrusion detection systems? A. It can help identify rogue devices. B. It can test the security of wireless networks through script attacks. C. They stay on each wireless channel for a short time and can capture more data packets. D. They can help test wireless IDS or IPS systems.
A
35.Paul is reviewing the approval process for a penetration test and wants to ensure that it undergoes appropriate management review. Who should he ensure has approved a request to conduct a penetration test of a commercial system? A. Change Advisory Committee B. Senior Management C. The system administrator of the system D. Service Owner
B
36. Which term describes software testing designed to reveal new bugs introduced by patches or configuration changes? A. Non-regression testing B. Evolution testing C. Smoke test D. Regression testing
D
37.Which of the following tools does not identify the target operating system to a penetration tester? A. Nmap B. Nessus C. Nikto D. sqlmap
D
38. Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends. What should she do to deal with this problem? A. Conduct risk assessments annually. B. Hire a penetration testing company to regularly test the organization's security. C. Identify and track key risk indicators. D. Use a SIEM appliance to monitor logs and events.
C
39. What is the main difference between synthetic and passive monitoring? A. Synthetic monitoring only works after a problem occurs. B. Passive monitoring cannot detect functional problems. C. Passive monitoring only works after a problem occurs. D. Synthetic monitoring cannot detect functional problems.
C
For questions 40-42, consider the following scenario. Chris uses the standard penetration testing methodology shown here. Use this methodology and your penetration testing knowledge to answer questions about tool usage during a penetration test.
40. What is the most important task in Phase 1, planning? A. Build a test lab B. Obtain authorization C. Gather the appropriate tools D. Determine whether the test is white box, black box or gray box
B
41. Which of the following tools is most likely to be used during the discovery phase? A. Nessus B. John C. Nmap D. Nikto
C
42. Which of the following issues is most important to address during the planning stage to ensure that no problems arise during the reporting stage? A. Which CVE format to use B. How to store and send vulnerability data C. Which targets are prohibited D. How long the report should take
B
•The planning phase includes agreement on the test scope and rules. It is an extremely important stage for ensuring that the testing team and management agree on the nature of the testing and that the testing is clearly authorized.
•The information gathering and discovery phase combines manual and automated tools to collect information about the target environment. This phase includes basic reconnaissance to determine system functionality (such as accessing websites hosted on the system) and network discovery scans to identify the system's open ports.
•The vulnerability scanning phase detects system vulnerabilities, combining network vulnerability scanning, web vulnerability scanning, and database vulnerability scanning.
•The vulnerability exploitation phase uses manual and automated exploitation tools to try to break through the system's security defenses.
•The reporting phase summarizes the penetration test results and makes recommendations for improving system security.
43. What four types of coverage criteria are commonly used when verifying the work of a code test suite? A. Input, statement, branch and condition coverage B. Function, statement, branch and condition coverage C. API, branch, boundary and condition coverage D. Boundary, branch, loop and condition coverage
B
44. As part of his role as security manager, Jacob provides the following chart to the organization's management team. What type of measurement is he providing them with? A. Coverage measurement B. Key performance indicators C. Time-to-live metric D. Business criticality metric
B
45. When reviewing logs, what does using a unique user ID for every user provide? A. Confidentiality B. Integrity C. Availability D. Accountability
D
46. During software testing, which of the following is not a commonly tested interface? A. API B. Network interface C. User interface D. Physical interface
B
P580: the three interface types tested are APIs (application programming interfaces), user interfaces (UIs) and physical interfaces.
47. Alan's organization uses the Security Content Automation Protocol (SCAP) to standardize its vulnerability management procedures. Which component of SCAP can Alan use to reconcile the identities of vulnerabilities generated by different security assessment tools? A. OVAL B. XCCDF C. CVE D. SCE
C
Vulnerability description
• Security Content Automation Protocol (SCAP): SCAP is a common standard for vulnerability description and assessment provided by NIST to the security community, promoting the automation of interactions between different security systems. SCAP components include:
• Common Vulnerabilities and Exposures (CVE): Provides a naming system for describing security vulnerabilities.
• Common Vulnerability Scoring System (CVSS): Provides a standardized scoring system that describes the severity of security vulnerabilities.
• Common Configuration Enumeration (CCE): Provides a naming system for system configuration issues.
• Common Platform Enumeration (CPE): Provides a naming system for operating systems, applications and devices.
• Extensible Configuration Checklist Description Format (XCCDF): Provides a language for describing security checklists.
• Open Vulnerability and Assessment Language (OVAL): Provides a language for describing the security testing process.
48. Susan is reviewing software test coverage data and sees the information shown in the following chart. What can she determine about this testing process? (Select all that apply.) A. Testing is not fully covered. B. Test 4 did not fail. C. Test 2 did not run successfully. D. A fifth run of the test is required.
BC
49. Which of the following strategies is not a reasonable approach to correcting vulnerabilities discovered by vulnerability scanners? A. Install the patch. B. Use a temporary workaround fix. C. Update the banner or version number. D. Use an application-layer firewall.
C
50. During a penetration test, Selah called the target company's help desk and claimed to be an assistant to a senior partner at the company. She asked the help desk to reset the senior partner's password because they were having problems with their laptop while traveling, and successfully persuaded them to do so. What type of attack did she successfully complete? A. Zero-knowledge attack B. Help desk spoofing C. Social engineering attack D. Black box testing
C
51. In this image, what issues might arise due to the log processing setup? A. Logs may be lost during archiving. B. Log data may be overwritten. C. Log data may not contain the required information. D. Log data may fill the system disk.
D
52. Which of the following is not a risk associated with penetration testing? A. Application crashes B. Denial of service C. Power outage D. Data corruption
C
53. Which NIST special publication covers the evaluation of security and privacy controls? A. 800-12 B. 800-53A C. 800-34 D. 800-86
B
54. Michelle is conducting a quantitative business impact assessment and wants to collect data to determine the cost of downtime. What information does she need to gather from the previous year's outages to calculate the cost of those outages to the business? (Select all that apply.) A. Total business downtime B. Number of staff hours required to recover from the failure C. Business lost per hour during the outage (in U.S. dollars) D. Average employee wages per hour
ABCD
55. If Kara's main concern is to prevent eavesdropping attacks, which port should she block? A. 22 B. 80 C. 443 D. 1433
B
56. If Kara's main concern is to prevent administrative connections to the server, which port should she block? A. 22 B. 80 C. 443 D. 1433
A
57. During a third-party audit, Jim's company received a finding that states: "Administrators should review logs of backup successes and failures on a daily basis and take prompt action to resolve reported anomalies." Which potential problem is this finding indicative of? A. The administrator has no way of knowing whether the backup succeeded or failed. B. The backup may not have been logged correctly. C. Backups may not be available. D. The backup logs may not have been properly reviewed.
C
58. Jim is helping his organization decide which auditing standards to use in its international organization. Which of the following is not an IT standard that Jim's organization might use in its audit? A. COBIT B. SSAE-18 C. ITIL D. ISO 27001
C
59. Nicole wants to conduct a standards-based audit of her organization. Which of the following is commonly used to describe common requirements for information systems? A. IEC B. COBIT C. FISA D. DMCA
B
60. Kelly's team conducts regression testing with every patch released. Which key performance indicator should they track to measure the effectiveness of their testing? A. Vulnerability fix time B. Defect recurrence rate C. Weighted risk trend D. Specific coverage of testing
B
61. Which of the following types of code review is not typically performed by humans? A. Software inspection B. Pair programming C. Static program analysis D. Software walkthrough
C
For questions 62-64, consider the following scenario: Susan is the leader of her company's quality assurance team. The team has been commissioned to conduct testing for a major release of the company's core software product.
62. Susan's software testing team needs to test every code path, including paths that are used only when error conditions occur. What type of testing environment does her team need to ensure complete code coverage? A. White box testing B. Gray box testing C. Black box testing D. Dynamic testing
63. As part of ongoing testing of their new application, Susan's quality assurance team designed a set of test cases for a series of black-box tests. These functional tests are then run and a report is prepared explaining what happened. What type of report is typically generated during this testing process to indicate test metrics? A. Test coverage report B. Penetration test report C. Code coverage report D. Line coverage report
64. As part of their code coverage testing, Susan's team uses logging and tracing tools for analysis in a non-production environment. Which of the following types of coding problems is likely to be overlooked due to changes in the operating environment? A. Incorrect bounds checking B. Input validation C. Race conditions D. Pointer operations
A
A
C
65. Robin recently conducted a vulnerability scan and discovered a critical vulnerability on a server that handles sensitive information. What should Robin do next? A. Patch B. Report C. Remediate D. Verify
D
P574 Detect -> Verify -> Remediate
66. The automated code tests and integrations Andrea runs in her organization's CI/CD process fail. What should Andrea do if the company needs to release the code immediately? A. Manually bypass the tests. B. Check the error log to determine the problem. C. Rerun the tests to see if they pass. D. Send the code back to the developers for fixing.
B
67. Michelle wants to compare the vulnerabilities she finds in her data center using metrics such as exploitability, the existence of exploit code, and difficulty of remediation. What scoring system should she use to compare these vulnerability metrics? A. CSV B. NVD C. VSS D. CVSS
D
68. While performing a port scan of his network, Alex discovered that TCP ports 80, 443, 515, and 9100 were responding on multiple hosts in various offices throughout the company. What type of device might Alex have discovered? A. Web server B. File server C. Wireless access point D. Printer
D
69. What type of tools are Nikto, Burp Suite and Wapiti? A. Web application vulnerability scanning tools B. Code review tools C. Vulnerability scanning tools D. Port scanning tools
A
70. Frank's team is testing new APIs that the company's developers are building for their application infrastructure. Which of the following is not a common API issue that Frank's team might find? A. Incorrect encryption B. Object-level authorization issues C. User authentication issues D. Lack of rate limiting
A
Encryption is not at the application layer
71. Jim is working with a penetration testing contractor who recommends using Metasploit. What should Jim expect to happen when Metasploit is used? A. It will scan the system for vulnerabilities. B. It will exploit known vulnerabilities in the system. C. It will detect buffer overflows and other unknown defects in services. D. It will conduct zero-day vulnerability testing on the system.
B
72. Susan needs to ensure that the interactions between the various components of her e-commerce application are handled correctly. She intends to validate communications, error handling, and session management capabilities throughout the infrastructure. What type of testing does she plan to perform? A. Misuse case testing B. Fuzz testing C. Regression testing D. Interface testing
D
73. Jim is designing the organization's log management system and knows that he needs to carefully plan for handling the organization's log data. Which of the following is not a factor Jim should be concerned about? A. Amount of log data B. Lack of sufficient log sources C. Security requirements for data storage D. Network bandwidth
B
74. Ryan's organization wants to ensure proper account management but does not have a centralized identity and access management tool. What is Ryan's best option when validating the account management process during an internal audit? A. Verify all account changes in the past 90 days. B. Select high-value administrator accounts for verification. C. Verify all account changes within the past 180 days. D. Conduct random sampling verification of accounts.
D
75. What type of log entry is generated when a Windows system restarts? A. Error B. Warning C. Information D. Failure audit
C
76. During the investigation, Alex noticed that Michelle logged into her workstation at 8 a.m. each morning but was logged into the department's main web application server shortly after 3 a.m. that day. What common logging problem might Alex be experiencing? A. Inconsistent log format B. Modified log C. Inconsistent timestamps D. Multiple log sources
C
77. Which type of vulnerability scan accesses configuration information from the system being scanned as well as information obtained through services available on the network? A. Authenticated scan B. Web application scan C. Unauthenticated scan D. Port scan
A
Authenticated scans use read-only account access to configuration files, allowing for more accurate testing of vulnerabilities. Web application scans, unauthenticated scans, and port scans do not have access to configuration files unless the configuration files are inadvertently exposed.
For questions 78-80, consider the following scenario: Ben's organization has begun using STRIDE to assess its software and identify threat agents and the business impact these threats may have. They are now working to identify appropriate controls to address the issues identified.
78. Ben's development team needs to resolve an authorization issue that could lead to an elevation of privilege threat. Which of the following controls would be most appropriate for this type of problem? A. Enable auditing and logging. B. Use role-based access control for specific operations. C. Enable data type and format checking. D. Perform whitelist testing on user input.
79. Ben's team is trying to classify a transaction identification problem caused by symmetric keys shared by multiple servers. Which of the following STRIDE categories should this fall into? A. Information disclosure B. Denial of service C. Tampering D. Repudiation
80. Ben wants to use a third-party service to help assess the organization's vulnerability to denial of service attacks when traffic is at its highest. What type of engagement should he recommend to the organization? A. Social engineering engagement B. Penetration test C. Load or stress test D. Fuzz testing
B
D
C
81. Chris is troubleshooting the organization's security information and event management (SIEM) reporting issues. After analyzing the problem, he believes that the times of log entries from different systems are inconsistent. What protocol can he use to solve this problem? A. SSH B. FTP C. TLS D. NTP
D
82. Ryan is considering using fuzz testing in his web application testing project. Which of the following statements about fuzz testing should Ryan consider when making his decision? A. Fuzz testing can only find complex faults. B. Testers must generate input manually. C. Fuzz testing may not fully cover the code. D. Fuzz testing cannot reproduce errors.
C
Fuzz testing usually cannot completely cover all of a program's code and is generally limited to detecting simple vulnerabilities that do not involve complex business logic.
83. Ken is designing a testing process for the software his team is developing. He designed a test to verify that every line of code is executed during the test. What type of analysis is Ken conducting? A. Branch coverage B. Condition coverage C. Function coverage D. Statement coverage
D
For questions 84-86, consider the following scenario. While doing a port scan, Ben used nmap's default settings and saw the following results.
84. If Ben is conducting a penetration test, what should his next step be after receiving these results? A. Use a web browser to connect to the web server. B. Use a Telnet connection to test for vulnerable accounts. C. Identify interesting ports for further scanning. D. Use sqlmap on the open database.
85. Based on the scan results, what is the most likely operating system (OS) the scanned system is running? A. Windows desktop B. Linux C. Network device D. Windows Server
86. Ben's manager is concerned about the scope of his scan. What might his manager be worried about? A. Ben has not tested the UDP services. B. Ben found no ports other than "well-known ports." C. Ben did not do OS fingerprinting. D. Ben only tested a limited number of ports.
C
B
D
87. Lucca is reviewing data about his organization's disaster recovery process and notices that the MTD for the business's main website is two hours. While testing and validating, what did he learn about the site's RTO? A. It is less than two hours. B. It is at least two hours. C. The MTD is too short and will take longer. D. The RTO is too short and will take longer.
A
MTD is the maximum tolerable downtime. Validating the MTD only tells him the maximum time the system can be offline.
88. Diana has hired a third-party auditor and wishes to provide an audit certification to a third party without including the details of the audit. Which type of SSAE 18 SOC report should she request? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
C
89. While reviewing software testing output for the organization's new application, Madhuri noticed that the application produced errors containing directory and file information that were displayed to the web application testers. Which issue should be included in her report? A. It does not perform proper exception handling. B. The software does not properly handle misuse case testing. C. Debugging statements need to be removed. D. The code was not fully tested due to errors.
A
90. What is the first step that should occur before conducting a penetration test? A. Data collection B. Port scanning C. Obtain permission D. Planning
C
91. John's CEO is concerned about the serious increase in crypto-malware in the industry. She has asked for assurance that the company's data could be recovered if malware hit and encrypted its production systems. What process is needed to tell her the company is prepared? A. Encrypt all sensitive data. B. Hash all of the organization's data to detect cryptographic malware. C. Perform backup validation. D. Use anti-encryption technology to prevent malware from encrypting drives.
C
92. Joanna is the CISO of her organization, in a security operations oversight role. She wants to ensure that management oversight of security-related changes is ongoing. In most organizations, which system should she focus on to track this type of data? A. SIEM system B. IPS system C. CMS tools D. ITSM tools
D
93. Henry wants to verify that his backups are valid. Which of the following is the best way to ensure that backups will be useful in a real disaster recovery scenario? A. Periodically restore a random file to ensure the backup is working properly. B. Periodically check configuration and settings to verify the backup settings. C. Check the backup log to make sure no errors occurred. D. Periodically perform full restores from backups to verify success.
D
94. What type of vulnerability can vulnerability scanners not find? A. Local vulnerabilities B. Service vulnerabilities C. Zero-day vulnerabilities D. Vulnerabilities requiring authentication
C
95. Jacinda would like to measure the effectiveness of her security training as one of her security metrics. Which of the following measures would be most useful for evaluating the effectiveness of security awareness training? (Select all that apply.) A. Number of people participating in the training B. Security awareness level before and after training C. Training duration (in hours) D. Number of training events each person has participated in this year
AB
96. Elaine discovered a previously unknown critical vulnerability in a product used by her organization. Her organization takes ethical disclosure very seriously and Elaine follows common ethical disclosure practices. What should she do first? A. Build internal remediation measures or controls, and then publicly disclose the vulnerability to prompt the vendor to patch it quickly. B. Build internal remediation measures or controls and then notify the vendor of the issue. C. Notify the vendor and give them a reasonable amount of time to fix the problem. D. Publicly disclose the vulnerability so that the vendor can patch it in an appropriate time.
C
For questions 97-99, consider the following scenario. NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, provides NIST's process for penetration testing. Use this image and your knowledge of penetration testing to answer the questions.
97. Which of the following is not part of the discovery phase? A. Collection of host name and IP address information B. Service information capture C. Dumpster diving D. Privilege escalation
98. NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once additional tools have been installed, to which stage does a penetration tester typically return? A. Discovery B. Gaining access C. Privilege escalation D. System browsing
99. Which of the following is not a typical part of a penetration testing report? A. List of identified vulnerabilities B. All sensitive data collected during testing C. Risk rating for each discovered issue D. Mitigation guidance for identified issues
D
B
B
100. Alex is using nmap to perform a port scan of a system and he received three different port status messages in the results. Match each numbered status message to the appropriate description. Each item can be used only once.
Status messages: 1. Open 2. Closed 3. Filtered
Descriptions: A. The port on the remote system is accessible, but no application is accepting connections on the port. B. The port on the remote system is not accessible. C. The port on the remote system is accessible and an application is accepting connections on that port.
CBA