CISSP Chapter 15: Security Assessment and Testing
When using nmap, the ________ flag is typically used, which makes the command report detailed output of results.
-vv
What are the 3 types of interfaces that should be tested during the software development process?
APIs, UIs, and physical interfaces
____________ ensure that users only retain authorized permissions and that unauthorized modifications do not occur. May be a function of information security management or internal auditors.
Account management reviews
How often does PCI DSS require web vulnerability scanning?
Annually (or after any change to a web application)
_______________ offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test them to ensure that they enforce all security requirements
Application Programming Interfaces (APIs)
_____________ scans can help reduce false positive/negative reports and give better accuracy in general. In this approach, the scanner has read-only access to the servers being scanned and can use this access to read configuration information from the target system and use that information when analyzing vulnerability testing reports.
Authenticated
__________ Box Penetration Testing does not provide attackers with any information prior to the attack. This simulates an external attacker trying to gain access to information about the business and technical environment before engaging in an attack.
Black
__________________ is the foundation of software assessment programs. Also known as "peer review", it is simply when developers other than the one who wrote the code for some software review it for defects. This may result in approval of an application's move into a production environment, or they may send the code back to the original developer with recommendations for rework of issues detected during the review
Code review
What is on TCP port 53?
DNS
______________ evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. For example, the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications.
Dynamic testing
__________ audits are performed by an outside auditing firm. These audits have a high degree of external validity (more than internal audits) because there is zero chance of a conflict of interest.
External
What is on TCP port 21?
FTP
The most formal code review process is called ________________
Fagan inspections
________________ are far more dangerous false outputs of network vulnerability scans. This is when the scanner misses a vulnerability and fails to alert the administrator to the presence of a dangerous situation.
False negatives
_____________ is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
Fuzz testing
_____________ develops data models and creates new fuzzed input based on an understanding of the types of data used by the program. Zzuf is a common tool that automates the process of fuzzing.
Generational (Intelligent) Fuzzing
_____________ Box Penetration Testing is also known as partial knowledge testing and gives testers partial knowledge of the systems they target. Common when black box results are desired but cost/time constraints make it not possible.
Gray
What is on TCP port 1720?
H.323
What is on TCP port 80?
HTTP
What is on TCP port 443?
HTTPS
______________ is important in the development of complex software systems. It assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.
Interface testing
___________ audits are performed by an organization's internal audit staff and are typically intended for internal audiences. The staff doing these normally have a reporting line that is completely independent of the functions they evaluate.
Internal
What are the 2 main types of audits?
Internal and External
________________ is a tool commonly used by penetration testers to automatically execute exploits against targeted systems.
Metasploit
What is on TCP port 1433?
Microsoft SQL Server
_______________ takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
Mutation (Dumb) Fuzzing
What are the 2 categories of fuzz testing?
Mutation (dumb) fuzzing and Generational (intelligent) fuzzing
What is on TCP port 123?
NTP
_________________ is a type of vulnerability scanning that uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports. They don't probe for vulnerabilities, but provide a report showing the systems detected on a network and the list of ports that are exposed through the network and server firewalls that lie on the network path between the scanner and the scanned system.
Network discovery scanning
What are the 3 types of vulnerability scans?
Network discovery scans, network vulnerability scans, and web vulnerability scans
__________________ go deeper than network discovery scans. They detect open ports and continue on to probe a targeted system or network for the presence of known vulnerabilities. These tools contain databases of thousands of known vulnerabilities, along with tests they can perform to identify whether a system is susceptible to each vulnerability in the system's database.
Network vulnerability scans
What is on TCP port 1521?
Oracle
What is on TCP port 110?
POP3
What is on TCP port 1723?
PPTP
_________________ is the act of actually trying to exploit systems/applications based on the vulnerabilities of a scan for the purpose of reporting and improving the systems/applications.
Penetration testing
_________________ exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.
Physical interfaces
What are the 6 steps of Fagan Inspections?
Planning/Overview/Preparation/Inspection/Rework/Follow-up (POPIRF)
What is on TCP port 3389?
RDP
What is on TCP port 25?
SMTP
What is on TCP port 22?
SSH
_____________ can be used in an environment where you couldn't possibly test every single user account.
Sampling
Security ______________ are comprehensive reviews of the security of a system, application, or other tested environment. During this, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.
Security assessments
______________ packages play an important role in conducting log reviews by automating much of the process.
Security incident and event management (SIEM)
Security ________________ verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security.
Security tests
_____________ evaluates the security of software without running it by analyzing either the source code or the compiled application. Usually involves the use of automated tools designed to detect common software flaws, like buffer overflow.
Static testing
___________________ is a network discovery scanning technique that sends a packet with the ACK flag sent, indicating that it is part of an open connection.
TCP ACK Scanning
________________ is a network discovery scanning technique that opens a full connection (rather than a half-open one) to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
TCP Connect Scanning
______________ is a network discovery scanning technique that sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the TCP handshake and that the port is open. This technique is also known as "half-open" scanning.
TCP SYN Scanning
What is on TCP port 23?
Telnet
What is the formula for test coverage?
Test Coverage = Number of Use Cases tested/Total Number of Use Cases
___________________ include GUIs and command-line interfaces. They provide end users with the ability to interact with the software.
User Interfaces (UIs)
_______________ automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker.
Vulnerability scans
_____________ are special-purpose tools that scour web applications for known vulnerabilities. They often play an important role in any security testing program because they may discover flaws not visible to network vulnerability scanners.
Web vulnerability scanners
_____________ Box Penetration Testing provides attackers with detailed information about the systems they target. This bypasses many of the reconnaissance steps that normally precede attacks, shortening the time of the attack and increasing the likelihood that it will find security flaws.
White
What are the 3 kinds of penetration tests?
White box, gray box, black box
_______________ is a network discovery scanning technique that sends a packet with the FIN, PSH, and URG flags set. The setting of many flags is the defining characteristic of this type of technique.
Xmas Scanning
Security __________ use many of the same techniques followed during security assessments, but MUST be performed by an independent group. These are evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party.
audits
The process of slightly manipulating an input during fuzz testing is called ________________.
bit flipping
Auditors generally have __________________ (completely free) access to all information within an organization and security staff should comply with those requests, consulting with management as needed.
carte blanche
When nmap says a port is _____________, the port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.
closed
In some cases, the scanner may not have enough information to conclusively determine that a vulnerability exists and it reports a vulnerability when there really isn't a problem. This is known as a _______________.
false positive
When nmap says a port is _____________, it means nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.
filtered
Software testers use a process known as ______________ to evaluate the vulnerability of their software to risks created by users creating the software.
misuse/abuse case testing
The most common tool used for network discovery scanning is an open source tool called __________
nmap
When nmap says a port is _________, that means the port is open on the remote system and there is an application that is actively accepting connections on that port.
open
Dynamic software testing may include the use of ____________ transactions to verify system performance. These are scripted transactions with known expected results.
synthetic
Software testing professionals often conduct a _______________ to estimate the degree of testing conducted against the new software.
test coverage analysis
By default, network vulnerability scanners run ________________ scans. This means that they test the target systems without having passwords or other special information that would grant the scanner special privileges.
unauthenticated