CISSP Domain 6: Security Assessment and Testing
We are at our annual corporate IT security training event and we are talking about social engineering. Which of these are types of social engineering? (Select all that apply).
- Consensus
- Vishing
- Urgency
- Whale phishing
While penetration testing is often very helpful in improving our security posture and finding vulnerabilities, it can at times also mean nothing. Why is that?
- We do not act on their report.
- The test is only as good as the tester. If they are no good, we have no clue how vulnerable we are.
- We give them too narrow parameters, and because of this they can't do a real penetration test.
Which phase could a penetration tester go to after they are finished with one of the "System browsing" phases? (Select all that apply).
- discovery
- install additional tools
Depending on the type of software and where we are in the software development lifecycle, we would do different types of tests. Which of these are COMMON types of tests we would do at the end of the development lifecycle? (Select all that apply).
- integration testing
- installation testing
- component interface testing
- operational acceptance testing
Before we engage the penetration testers we want to hire, we need to build a SOW (Statement Of Work). Who needs to be involved in building it?
- our legal department
- senior management
- IT Security
We are using social engineering. Which of these are effective types of social engineering?
- urgency
- intimidation
- authority
As part of a security assessment we are having an external company do penetration testing. What do we call a penetration test where the tester has full admin level knowledge about our organization and IT infrastructure? (Select all that apply).
- white box
- crystal box
- clear box
In which operating systems can an attacker elevate their privileges to gain root or administrator privileges?
- Windows
- Linux
- macOS
We want penetration testers to prove they can get to our sensitive documents, but we do not want them to access any of them. What could we use for them to prove they reached their target?
A dummy file is created, and it is their target.
We have hired a penetration tester, and she has been given partial knowledge of our organization and infrastructure. Which access level would that emulate?
A normal employee
At the end of our software development project, we are doing interface testing. What are we testing?
All interfaces exposed by the application.
A penetration tester is calling an employee. They tell the employee they need to give them the information they are asking for, because the caller is the CEO's executive assistant. What is this an example of?
Authority
When we implement centralized logging, we want it to be:
Automated, secure and administrators should have limited access
What would be a reason to do misuse case testing on our software?
Because attackers do not act like normal users, we need to test against that.
In software testing, we are doing synthetic transactions. What does that mean?
Build scripts and tools that would simulate normal user activity
You mentioned a vishing attack to a colleague and the director from HR heard it. He stops you and asks you what that is. Which of these could be an answer?
Calling our dispatch and trying to get information through social engineering
A team of penetration testers, with full physical access to our facility, have found Protected Health Information (PHI) hard copies lying around. Which of our policies are our employees NOT following?
Clean desk policy
What would a penetration testing Statement Of Work (SOW) NOT include?
Complete and accurate employee Protected Health Information (PHI)
In software testing, component interface testing would test what?
Data handling passed between different units or subsystems
Which of these is NOT a normal phase of a white hat hacker's strategy?
Deleting their tracks, the audit files and logs
We have a contract with some penetration testers. In which phase would the tester look for vulnerabilities and design the attack?
Discovery
When an attacker is wardriving, what do they do?
Driving around trying to gain access to unsecured or weakly secured wireless access points
We have a company doing a penetration test for us. In which phase would the tester try to gain higher level access, and ultimately, if they can, admin access?
Escalate privileges
We are doing different types of audits in our organization. Who would perform a structured audit?
External auditors
To ensure our compliance with a certain standard, we have a structured audit. What would that entail?
External auditors come in
When a penetration tester is doing a white box penetration test, they have how much knowledge?
Full knowledge and privileged access to systems
We want to implement a solution to prove our logs have not been altered. Which of these could be an option we would consider?
Hashing
In our software code testing, one of the coders is mentioning the test coverage analysis. What is she talking about?
How much of the code was tested in relation to the entire application
We have finished our initial software development and we are doing our software testing. In integration testing, we would test what?
Interfaces between components against the software design
To ensure our compliance before we pay for a structured audit, we want to do an "unstructured" audit. What would that entail?
Internal auditors looking for flaws
In our software testing, we are doing black box testing. How much information would we have?
Just the software, no source code
Which of these would we NOT look at in a security assessment?
KPI
We have hired an IT security firm to do penetration testing on our organization. Which of these could be something they would use?
Kali Linux
Which of these is NOT a common problem organizations face regarding audit record management?
Logs are reviewed regularly and in a timely fashion.
There are many pitfalls when we work with the audit record management in our organization. Which of these is NOT one of those common problems?
Logs are stored on a central secure server
As part of our software testing, we are performing regression testing. What does that mean?
Lost or missing features after major code changes
If we are doing a vulnerability scan, it would normally show us all these, EXCEPT which?
Malware
We have hired a team of penetration testers to audit our network for vulnerabilities. During a test, one of the testers discovers a real attack underway. What should the tester do?
Notify the organization immediately
An attacker has discovered one of the SSIDs in our organization. They plan to use the information in their initial attack, what have they discovered?
Our wireless
What could a vulnerability scan possibly help us find?
Outdated software, missing patches and system misconfigurations.
When a penetration tester is doing gray box testing, how much knowledge would they have about our organization and our IT infrastructure?
Partial knowledge; user or vendor access level.
As part of our software testing, we are doing static software testing. What are we doing?
Passively test the code, but not run it
We are doing security audits and we test against published standards. Which of these is NOT one of the standards we would test against?
RBAC
Penetration testers have been looking for vulnerabilities for some weeks. What would be the FINAL stage of a penetration test?
Reporting
Which type of audit could we use to ensure our employees are following our policies?
Review user logs
What would be one of the EASIEST ways to confirm if our access control mechanics are working?
Reviewing security audit logs
After a security audit and penetration testing, we were notified about some security issues on all our switches. We chose not to implement the recommended mitigations this year because it was deemed too expensive. If our switches are compromised who is responsible?
Senior management
We have discovered an employee has installed a rogue access point to get wireless at his desk. The wireless was compromised, and we have lost the Personally Identifiable Information (PII) of over 10,000 customers. What could we have done to prevent this other than training and awareness?
Shut all unused switch ports down
As part of our annual security audit we hired a pen testing company. What could be some of the tools they would use?
Social engineering
When an attacker is using intimidation and threats, it is a type of?
Social engineering
Which low tech or no tech attack can often be just as successful as very technical attacks?
Social engineering
An attacker, using social engineering, could use all of these EXCEPT which?
Spear fishing
In our software testing, before the release, we are doing fuzz testing. What would that entail?
Submit random malformed input to crash the software or elevate privileges.
A new network administrator is asking questions about a security audit we are having done. What would you explain to her it is?
Testing against a published standard
One of the distinct phases of software testing is installation testing. What are we testing in this phase?
That the software installs correctly on the customer's hardware
What do we need to ensure is synchronized for our audit logs to be admissible in court?
NTP. The clocks of all systems in an organization should be connected to multiple synchronized NTP servers, to ensure all clocks are synchronized. If logs have a timestamp that differs from the real time, they are not usable in a trial.
In our software testing we are doing "unit testing". What are we testing?
The functionality of a specific section of code
Penetration testers have found a vulnerability on some of our switches. The vulnerability is exploitable. Who would patch the switch?
The network team
Our senior leadership has decided to do a double-blind penetration test. What does that mean?
The security and network team is not aware it is happening. The testers have no knowledge of our organization.
In our software testing, we are doing a white box test. How much information do we have?
The software, source code, data structures and variables.
What does SOC2 type 1 report on?
The suitability of the design of controls
What does SOC2 type 2 report on?
The suitability of the design AND operating effectiveness of controls.
On a vulnerability scan, some of the vulnerabilities came up as LOW. What could be the reason for them showing as LOW?
The vulnerability is there, but it is not exploitable, or if it is exploitable, the impact is negligible
Why would we use an RTM (Requirements Traceability Matrix) in software testing?
To map requirements to the testing plan
Why would we choose to delete a user account after the employee leaves the organization?
User's privacy protection
What could be used to provide audit log integrity during an attack?
Using WORM media for audit logs.
Which type of testing will look for weaknesses but does NOT exploit them?
Vulnerability scans
When a penetration tester is trying to gain sensitive information from an employee with social engineering, which type of access control is she testing?
administrative
In our software testing we are using fuzz testing. Which type of testing is that?
black box
Which of these would be a form of penetration testing?
black box testing would be a form of penetration testing
When we talk about the different types of hackers, which of them would be skilled and malicious?
black hat
Why would we choose to go with an internal audit over a 3rd party audit?
cost
As part of her regular duties, Jane is reviewing our logs. When she does that, which type of control is it?
detective
When we are reviewing our audit logs, which type of control is it?
detective
What would we NOT look at in a security assessment?
employee performance
What is another term we could use for penetration testing?
ethical hacking
In a penetration test, in which phase would the tester try to get onto our network?
gaining access
Which type of hacker is skilled and often alerts companies to vulnerabilities before publishing them?
gray hat
In which type of software testing do we progressively test larger and larger groups of software components until the software works as a whole?
integration testing
In which form of software testing do we test the connections between the different systems and components?
interface testing
Prior to an external structured audit, we would often do an 'unstructured' audit. Who would perform that?
internal auditors
A pen tester is calling one of our employees. The pen tester explains to the employee the company will be hit with a lawsuit if he won't do what he is told. Which type of social engineering is the pen tester using?
intimidation
In our fuzz testing, we analyze data and change the fuzz input iteratively. What is this called?
mutation fuzzing
What do we often uncover in our vulnerability scans?
open ports that should not be open
Very technical hacking attempts can be exceedingly difficult to pull off. Low tech or no-tech attacks like social engineering can often be successful. Why is that?
people want to be helpful
The team of pen testers we have hired is trying to gain access to our facility by trying to find an open door or window. What type of access control are they testing?
physical
Penetration testers with full physical access to our facility have found Protected Health Information (PHI) hard copies lying around. Which of our policies are our employees NOT following?
print policy
We have tested our software and we have found over 10,000 flaws. What should our next steps be?
rate them on likelihood of exploit and impact and address the critical issues.
After we have applied a patch to our software, which type of test should we use?
regression testing
We have hired a penetration testing company to find security flaws in our organization. They are at the enumeration phase. What are they doing?
scanning
A penetration tester calls an employee and explains that if they act now, they can save 50% off on certain software, but if they wait until tomorrow, the savings will be lost. What is this an example of?
scarcity
We want to hire outside penetration testers. Who in our organization would set the goals for the penetration test?
senior management
When an attacker is using intimidation, it is a form of what?
social engineering
We have hired an external company to do a penetration test. In which phase would the tester look around on our network, try to find new attack vectors, or maybe go back to the discovery phase?
system browsing
When a penetration tester is trying to gain access to sensitive information from one of our servers, she is testing which type of access control?
technical
When we do our dynamic software testing, how are we testing?
test the code while executing it
In our software testing we are using synthetic transactions. What is a key characteristic of those?
they simulate real traffic
There are a lot of challenges with audit record management. Which of these is NOT one of them?
we are storing logs and alerts for too long
In a penetration test, we are giving the tester detailed knowledge of our environments. Which type of penetration testing is she performing?
white box
Which type of hacker is skilled and non-malicious?
white hat