ISC2 Official Practice Test Domain 6: Identity and Access Management
During a penetration test, Danielle needs to identify systems, but she hasn't gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services?
A TCP connect scan When a tester does not have raw packet creation privileges, such as when they have not escalated privileges on a compromised host, a TCP connect scan can be used. TCP SYN scans require elevated privileges on most Linux systems due to the need to write raw packets. A UDP scan will miss most services that are provided via TCP, and an ICMP scan is merely a ping sweep of systems that respond to pings and won't

In the Nmap TCP connect scan, Nmap asks its underlying operating system's network stack to establish a connection with the target server by issuing the "connect" system call. The problem with this scan is that it takes time to complete and it requires generating more packets to obtain information. On the other hand, targets are more likely to allow the connection because it tries to establish a connection with the target in the same way network-enabled applications like web browsers do.

TCP SYN scan is the most popular and default scan in Nmap because it performs quickly compared to other scan types and it is also less likely to be blocked by firewalls. Another reason is that when it comes to the open, closed, and filtered states, a TCP SYN scan gives a clear definition. The main concept behind this scan is the TCP three-way handshake. TCP SYN scan requires raw-packet privileges, which need root access.
Jim has contracted with a software testing organization that uses automated testing tools to validate software. He is concerned that they may not completely test all statements in his software. What measurement should he ask for in their report to provide information about this?
A code coverage report Jim should ask for a code coverage report, which provides information on the functions, statements, branches and conditions or other elements that were covered in the testing. Use cases are used as part of a test coverage calculation that divides the tested use cases by the total use cases, but use cases may not cover all possible functions or branches. A code review report would be generated if the organization was manually reviewing the application's source code.
As a part of his role as a security manager, Jacob provides the following chart to his organization's management team. What type of measurement is he providing for them? Chart shows: Time to remediate in days vs. Number of vulnerabilities.
A key performance indicator Time to remediate a vulnerability is a commonly used key performance indicator for security teams. Time to live measures how long a packet can exist in hops, business criticality is a measure used to determine how important a service or system is to an organization, and coverage rates are used to measure how effective code testing is.
Jim is designing his organization's log management systems and knows that he needs to carefully plan to handle the organization's log data. Which of the following is not a factor that Jim should be concerned with?
A lack of sufficient log resources. Not having enough log sources is not a key consideration in log management system design, although it may be a worry for security managers who can't capture the data they need. Log management system designs must take into account the volume of log data and the network bandwidth it consumes, the security of the data, and the amount of effort required to analyze data.
NIST Special Publication 800-53A describes four major types of assessment objects that can be used to identify items being assessed. If the assessment covers an IPS device, which of the types of assessment objects is being assessed?
A mechanism An IPS is an example of a mechanism, like a hardware-, software-, or firmware-based control or system. Specifications are document-based artifacts like policies or designs, activities are actions that support an information system and involve people, and an individual is one or more people applying specifications, mechanisms, or activities.
What term describes an evaluation of the effectiveness of security controls performed by a third party?
A security audit Security audits are security assessments performed by third parties and are intended to evaluate the effectiveness of security controls. Security assessments are conducted by internal staff, and security tests are used to verify that a control is functioning effectively. Penetration tests can be conducted by internal or external staff and test systems by using actual exploitation techniques.
As part of the continued testing of their new application, Susan's quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?
A test coverage report A test coverage report measures how many of the test cases have been completed and is used as a way to provide test metrics when using test cases. A penetration test report is provided when a penetration test has been conducted; this is not a penetration test. A code coverage report covers how much of the code has been tested. A line coverage report is a type of code coverage report.
Jim uses a tool that scans a system for available services, then connects to them to collect banner information to determine what version of the service is running. It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE (Common Vulnerabilities and Exposures) information. What type of tool is Jim using?
A vulnerability scanner Vulnerability scanners that do not have administrative rights to access a machine or that are not using an agent scan remote machines to gather information, including fingerprints from responses to queries and connections, banner information from services, and related data. CVE information is Common Vulnerabilities and Exposures information, or vulnerability information. A port scanner gathers information about what service ports are open, although some port scanners blur the line between port and vulnerability scanners. Patch management tools typically run as an agent on a system to allow them to both monitor patch level and update the system as needed. Service validation typically involves testing the functionality of a service, not its banner and response patterns.
During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
A Windows SQL server TCP and UDP ports 137-139 are used for NetBIOS services, whereas 445 is used for Active Directory. TCP 1433 is the default port for Microsoft SQL, indicating that this is probably a Windows server providing SQL user

NetBIOS (Network Basic Input/Output System) is a program that allows applications on different computers to communicate within a local area network (LAN). It was created by IBM for its early PC Network, was adopted by Microsoft, and has since become a de facto industry standard.
Which type of SOC report is best suited to provide assurance to users about an organization's security, availability and the integrity of their service operations?
A SOC 3 report SOC 3 reports are intended to be shared with a broad community, often with a website seal, and support the organization's claims about their ability to provide integrity, availability, and confidentiality. SOC 1 reports report on controls over financial reporting, whereas SOC 2 reports cover security, availability, integrity and privacy for business partners, regulators, and other similar organizations in detail that would not typically be provided to a broad audience.
During a penetration test of her organization, Kathleen's IPS detects a port scan that has the URG, FIN, and PSH flags set and produces an alarm. What type of scan is the penetration tester attempting?
An Xmas scan A TCP scan that sets all or most of the possible TCP flags is called a Christmas tree, or Xmas, scan since it is said to "light up like a Christmas tree" with the flags. A SYN scan would attempt to open TCP connections, whereas an ACK scan sends packets with the ACK flag set.
What type of vulnerability scan accesses configuration information from the system it is run against as well as information that can be accessed via services available via the network?
Authenticated scans Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application scans, unauthenticated scans, and port scans don't have access to configuration files unless they are inadvertently exposed.

Microsoft's STRIDE threat assessment model places threats into one of six categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
Ben's manager expresses concern about the coverage of his scan. Why might his manager have this concern?
Ben tested only a limited number of ports. Nmap only scans 1000 TCP and UDP ports by default, including ports outside of the 0-1024 range of "well-known" ports. By using the defaults for nmap, Ben missed 64,535 ports. OS fingerprinting won't cover more ports but would have provided a best guess of the OS running on the scanned system.
During a penetration test, Lauren is asked to test the organization's Bluetooth security. Which of the following is not a concern she should explain to her employer?
Bluetooth active scans can't evaluate the security mode of Bluetooth devices. NOT:
1. Bluetooth scanning can be time consuming.
2. Many devices that may be scanned are likely to be personal devices.
3. Bluetooth passive scans may require multiple visits at different times to identify all targets.
DREAD
DREAD is part of a system for risk-assessing computer security threats previously used at Microsoft and currently used by OpenStack and many other corporations. It provides a mnemonic for risk rating security threats using five categories. The categories are:
Damage - how bad would an attack be?
Reproducibility - how easy is it to reproduce the attack?
Exploitability - how much work is it to launch the attack?
Affected users - how many people will be impacted?
Discoverability - how easy is it to discover the threat?
Which of the following is not a hazard with penetration testing?
Exploitation of vulnerabilities Penetration tests are intended to help identify vulnerabilities, and exploiting them is part of the process rather than a hazard. Application crashes; denial of service due to system, network, or application failure; and even data corruption can all be hazards of penetration tests.
Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?
Filtering Filtering is useful for preventing denial of service attacks but won't prevent tampering with data. Hashes and digital signatures can both be used to verify integrity of data, and authorization controls can help ensure that only those with proper rights can modify the data.
Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?
Flow logging Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.
Which of the following is not an issue when using fuzzing to find program faults?
Fuzz testing bugs are often severe. Finding severe bugs is not a fault; in fact, fuzzing often finds important issues that would otherwise have been exploitable. Fuzzers can reproduce errors but typically don't fully cover the code; code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often limited to simple errors because they won't handle business logic or attacks that require knowledge from the application user.
Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
Fuzzers Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems. A static analysis relies on examining code without running the application or code, and thus would not fill forms as part of a web application. Brute-force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.
Ben uses a fuzzing tool that develops data models and creates fuzzed data based on information about how the application uses data to test the application. What type of fuzzing is Ben doing?
Generational Generational fuzzing relies on models for application input and conducts fuzzing attacks based on that information. Mutation-based fuzzers are sometimes called "dumb" fuzzers because they simply mutate or modify existing data samples to create new test samples. Neither parametric nor derivative is a term used to describe types of fuzzers.
Which of the following describes a typical process for building and implementing an information security continuous monitoring program as described by NIST Special Publication 800-147?
ISCM: Define, establish, implement, analyze and report, respond, review, and update.
Incident response plan: Prepare, detect and analyze, contain, respond, recover, report is an incident response plan.
A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob's role as information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob's best route to quickly identify vulnerable systems?
Identify affected versions and check systems for that version number using an automated scanner.
Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
Identify and track key risk indicators Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their life cycle. Yearly risk assessments may be a good idea, but only provide a point-in-time view, whereas penetration tests may miss out on risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won't necessarily show trends in risk.
When a Windows system is rebooted, what type of log is generated?
Information log Rebooting a Windows machine results in an information log entry.
Susan needs to ensure that the interactions between components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?
Interface testing Susan is conducting interface testing. Interface testing involves testing system or application components to ensure that they work properly together. Misuse case testing focuses on how an attacker might misuse the application and would not test normal cases. Fuzzing attempts to send unexpected input and might be involved in interface testing, but it won't cover the full concerns. Regression testing is conducted when testing changes and is used to ensure that the application or system functions as it did before the update or change.
Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?
It can help identify rogue devices. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.
What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigates and threats?
Misuse case diagrams Misuse case diagrams use language beyond typical use case diagrams, including threatens and mitigates. Threat trees are used to map threats but don't use specialized languages like threatens and mitigates. STRIDE is a mnemonic model used in threat modeling, and DREAD is a risk assessment model.
Earlier this year, the information security team at Jim's employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to incorrectly flag the system as vulnerable due to the version number it is finding, even though Jim is sure the patch is installed. Which of the following options is Jim's best choice to deal with the issue?
Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version information or banner information, and may flag patched versions if the software provider does not update the information they see.
During a port scan, Ben uses nmap's default settings and sees the following results. Use this information to answer the following. Based on the scan results, what OS was the system that was scanned most likely running on?
Linux The system is most likely a Linux system. The system shows X11, as well as login, shell, and nfs ports, all of which are more commonly found on Linux systems than Windows systems or network devices.
Karen's organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure her organization's backups will work next time?
MTD verification Karen can't use MTD verification because MTD is the Maximum Tolerable Downtime. Verifying it will only tell her how long systems can be offline without significant business impact. Reviewing logs, using hashing to verify that the logs are intact, and performing periodic tests are all valid ways to verify that the backups are working properly.
Saria needs to write a request for proposal for code review and wants to ensure that the reviewers take the business logic behind her organization's applications into account. What type of code review should she specify in the RFP?
Manual Manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code. Fuzzing, dynamic, and static code review can all find bugs that manual code review might not, but won't take the intent of the programmers into account.
Which NIST Special Publication covers the assessment of security and privacy controls?
NIST SP 800-53A is titled "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans" and covers methods for assessing and measuring controls.
Which of the following is not an interface that is typically tested during the software testing process?
Network interfaces Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all important to test when performing software testing. Network interfaces are not a part of the typical list of interfaces tested in software testing.
During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
Nikto TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server. Metasploit includes some scanning functionality but is not a purpose-built tool for vulnerability scanning; Metasploit is penetration testing software. zzuf is a fuzzing tool and isn't relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.
Which of the following tools is most likely to be used during discovery?
Nmap Discovery can include both active and passive discovery. Port scanning is commonly done during discovery to assess what services the target provides, and nmap is one of the most popular tools used for this purpose. Nessus and Nikto might be used during the vulnerability scanning phase, and john, a password cracker, can be used to recover passwords during the exploitation phase. Nmap (Network Mapper) is a security scanner, originally written by Gordon Lyon, used to discover hosts and services on a computer network, thus building a "map" of the network.
Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
OpenVAS OpenVAS is an open source vulnerability scanning tool that will provide Susan with a report of vulnerabilities that it can identify from a remote, network-based scan. Nmap is an open source port scanner. Both Microsoft Baseline Security Analyzer (MBSA) and Nessus are closed source tools, although Nessus was originally open source.
What major difference separates synthetic and passive monitoring?
Passive monitoring only works after problems have occurred. Passive monitoring only works after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic, and thus can be used to proactively identify problems. Both synthetic and passive monitoring can be used to detect functionality issues.
Nmap is an example of what type of tool?
Port scanner Nmap is a very popular open source port scanner. While port scanners can be used to partially map a network, and its name stands for network mapper, it is not a network design tool.
During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515 and 9100 in offices throughout his organization. What type of device is Alex likely discovering?
Printers Network-enabled printers often provide services via TCP 515 and 9100, and have both nonsecure and secure web-enabled management interfaces on TCP 80 and 443. Web servers, access points, and file servers would not typically provide services on the LPR and LPD ports (515 and 9100).
Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?
Race condition Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or using automated tools that specifically test for race conditions as part of software testing.
What passive monitoring technique records all user interaction with an application or website to ensure quality of performance?
Real User Monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. RUM is often used as part of a predeployment process using the actual user interface.
During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts?
Running WPA2 in Enterprise mode WPA2 Enterprise uses RADIUS authentication for users rather than a preshared key. This means a password attack is more likely to fail, as password attempts for a given user may result in account lockout. WPA2 encryption will not stop a password attack, and WPA2's preshared key mode is specifically targeted by password attacks that attempt to find the key. Not only is WEP encryption outdated, but it can also frequently be cracked quickly by tools like aircrack-ng.
What protocol is used to handle vulnerability management of data?
SCAP The Security Content Automation Protocol (SCAP) is a community-sourced specification for security flaw and security configuration information and is defined in NIST SP 800-126.
Lauren is performing a review of a third-party service organization and wants to determine if the organization's policies and procedures are effectively enforced over a period of time. What type of industry standard assessment report should she request?
SSAE 16 SOC 1 Type 1 SOC 1 reports are prepared according to the Statement on Standards for Attestation Engagements, or SSAE number 16 (typically shortened to SSAE-16). A SOC 1 Type 1 report validates policies and procedures at a point in time, whereas SOC 1 Type II reports cover a period of time of at least six months. SOC 1 reports replaced SAS 70 reports in 2011, meaning that a current report should be an SSAE-16 SOC 1 report.
STRIDE
STRIDE is a threat classification model developed by Microsoft for thinking about computer security threats. It provides a mnemonic for security threats in six categories. The threat categories are:
Spoofing of user identity
Tampering
Repudiation
Information disclosure (privacy breach or data leak)
Denial of service (DoS)
Elevation of privilege
In response to a Request for Proposal, Susan receives a SAS-70 type 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as follow up and why?
Service Organization Control (SOC) reports replaced SAS-70 reports in 2010. A Type 1 report only covers a point in time, so Susan needs a SOC Type 2 report to have the information she requires to make a design and operating effectiveness decision based on the report.

SAS 70 (Statement on Auditing Standards No. 70: Service Organizations) was an authoritative auditing standard that was developed by the American Institute of Certified Public Accountants (AICPA). Also known as the Statement on Standards for Attestation Engagements (SSAE) 16, the SOC 1 report focuses on a service organization's controls that are likely to be relevant to an audit of a user entity's (customer's) financial statements. The SOC 2 report focuses on a business's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 16, which is focused on the financial reporting controls.
Which of the following types of code review is not typically performed by a human?
Static program analysis Static program reviews are typically performed by an automated tool. Program understanding, program comprehension, code review, software inspections and software walkthroughs are all human-centric methods for reviewing code.
What type of monitoring uses simulated traffic to a website to monitor performance?
Synthetic monitoring Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance measures. Passive monitoring uses a SPAN port or other method to copy traffic and monitor it in real time. A SPAN port is also called a mirror port. Log analysis is typically performed against actual log data but can be performed on simulated traffic to identify issues. Simulated transaction analysis is not an industry term.
Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?
Systems will have known vulnerabilities exploited. Metasploit is an exploitation package that is designed to assist penetration testers. A tester using Metasploit can exploit known vulnerabilities for which an exploit has been created or can create their own exploits using the tool.
What type of scanning is known as "half open" scanning?
TCP SYN TCP SYN scans only open a connection halfway; they do not complete the TCP connection with an ACK, thus leaving the connection half open. TCP connect scans complete the connection, whereas TCP ACK scans attempt to appear like an open connection. Xmas, or Christmas tree, scans set the FIN, PSH, and URG flags, thereby "lighting up" the TCP packet.
During a third-party audit, Jim's company receives a finding that states, "The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions." What is the biggest issue that is likely to result if Jim's IT staff need to restore from a backup?
The backups may not be usable The audit finding indicates that the backup administrator may not be monitoring backup logs and taking appropriate action based on what they report, thus resulting in potentially unusable backups. Issues with review, logging, or being aware of the success or failure of backups are less important than not having usable backups.
MITRE's CVE database provides what type of information?
The Common Vulnerabilities and Exposures (CVE) dictionary provides a central repository of security vulnerabilities and issues. Patching information for applications and software versions is sometimes managed using central patch management tools.
Which of the following is not a method of synthetic transactions monitoring?
User session monitoring User session monitoring is not a means of conducting synthetic performance monitoring. Synthetic performance monitoring uses scripted or recorded data, not actual user sessions. Traffic capture, database performance monitoring and website performance monitoring can all be used during synthetic performance monitoring efforts.
What step should occur after a vulnerability scan finds a critical vulnerability on a system?
Validation Once a vulnerability scanner identifies a potential problem, validation is necessary to verify that the issue exists. Reporting, patching, or other remediation actions can be conducted once the vulnerability has been confirmed.
During normal operations, Jennifer's team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events?
Windows desktop systems Windows desktop systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls and Linux systems all typically support syslog.
What type of testing is used to ensure that separately developed software modules properly exchange data?
Interface testing Interface testing is used to ensure that software modules properly meet interface specifications and thus will properly exchange data. Dynamic testing tests software in a running environment, whereas fuzzing is a type of dynamic testing that feeds invalid input to running software to test error and input handling. API checksums are not a testing technique.