File: !MAIN COURSE BOOK! Chapple M. (ISC)2 CISSP Certified IS...Study Guide 9ed 2021.pdf

Chapter 15  Security Assessment and Testing

■■ Number of software flaws detected in preproduction scanning
■■ Repeat audit findings
■■ User attempts to visit known malicious sites

Once an organization identifies the key security metrics it wishes to track, managers may want to develop a dashboard that clearly displays the values of these metrics over time and post the dashboard where both managers and the security team will see it regularly, such as on an intranet.

Summary

Security assessment and testing programs play a critical role in ensuring that an organization’s security controls remain effective over time. Changes in business operations, the technical environment, security risks, and user behavior may alter the effectiveness of controls that protect the confidentiality, integrity, and availability of information assets. Assessment and testing programs monitor those controls and highlight changes requiring administrator intervention. Security professionals should carefully design their assessment and testing program and revise it as business needs change.

Security testing techniques include vulnerability assessments and software testing. With vulnerability assessments, security professionals perform a variety of tests to identify misconfigurations and other security flaws in systems and applications. Network discovery tests identify systems on the network with open ports. Network vulnerability scans discover known security flaws on those systems. Web vulnerability scans probe the operation of web applications searching for known vulnerabilities.

Software plays a critical role in any security infrastructure because it handles sensitive information and interacts with critical resources. Organizations should use a code review process to allow peer validation of code before moving it to production. Rigorous software testing programs also include the use of static testing, dynamic testing, interface testing, and misuse case testing to robustly evaluate software.

Security management processes include log reviews, account management, backup verification, and tracking of key performance and risk indicators. These processes help security managers validate the ongoing effectiveness of the information security program. They are complemented by formal internal and external audits performed by third parties on a less frequent basis.

Exam Essentials

Understand the importance of security assessment and testing programs.   Security assessment and testing programs provide an important mechanism for validating the ongoing effectiveness of security controls. They include a variety of tools, such as vulnerability assessments, penetration tests, software testing, audits, and security management tasks designed to validate controls. Every organization should have a security assessment and testing program defined and operational.

Conduct vulnerability assessments and penetration tests.   Vulnerability assessments use automated tools to search for known vulnerabilities in systems, applications, and networks. These flaws may include missing patches, misconfigurations, or faulty code that expose the organization to security risks. Penetration tests also use these same tools but supplement them with attack techniques where an assessor attempts to exploit vulnerabilities and gain access to the system. Vulnerability management programs take the results of these tests as inputs and then implement a risk management process for identified vulnerabilities.

Perform software testing to validate code moving into production.   Software testing techniques verify that code functions as designed and does not contain security flaws. Code review uses a peer review process to formally or informally validate code before deploying it in production. Interface testing assesses the interactions between components and users with API testing, user interface testing, and physical interface testing.

Understand the difference between static and dynamic software testing.   Static software testing techniques, such as code reviews, evaluate the security of software without running it by analyzing either the source code or the compiled application. Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.

Explain the concept of fuzzing.   Fuzzing uses modified inputs to test software performance under unexpected circumstances. Mutation fuzzing modifies known inputs to generate synthetic inputs that may trigger unexpected behavior. Generational fuzzing develops inputs based on models of expected inputs to perform the same task.
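The distinction above is easiest to see side by side. The following is an added example written for this page, not code from the study guide: a small record parser with a constructed bug (it trusts a declared length field), a mutation fuzzer that derives inputs from one known-good seed, and a generational fuzzer that builds inputs from a model of the format. The record format, the parser, and the boundary values are all assumptions made for illustration. Anything the parser throws other than its own ValueError counts as a crash.

```python
"""Mutation vs. generational fuzzing against a small, deliberately fragile parser.

Constructed example for illustration: the record format, the parser and its bug are
invented here and are not code from the study guide.
"""
from functools import reduce
from operator import xor
from typing import Dict, Iterable, Iterator, List, Optional


def xor_all(payload: bytes) -> int:
    """One-byte XOR checksum used by the constructed record format."""
    return reduce(xor, payload, 0)


def parse_records(data: bytes) -> List[bytes]:
    """Parse records laid out as [len:1][payload:len][xor_checksum:1].

    A bad checksum is rejected cleanly with ValueError. The constructed bug: the
    declared length is trusted, so a length that overruns the buffer makes the
    checksum lookup index past the end and raise IndexError instead.
    """
    records: List[bytes] = []
    i = 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]      # slicing silently truncates ...
        checksum = data[i + 1 + n]           # ... but this index does not (BUG)
        if checksum != xor_all(payload):
            raise ValueError("bad checksum")
        records.append(payload)
        i += 2 + n
    return records


def run_target(data: bytes) -> Optional[str]:
    """None when the parser accepts or cleanly rejects the input; otherwise the
    name of the unexpected exception, which we treat as a crash."""
    try:
        parse_records(data)
    except ValueError:
        return None
    except Exception as exc:  # anything else is a finding
        return type(exc).__name__
    return None


def mutations(seed: bytes) -> Iterator[bytes]:
    """Mutation fuzzing: derive inputs from a known-good seed.

    The schedule is deterministic so results are reproducible: flip every bit,
    then drop, duplicate and truncate at every position, then append a stray byte.
    """
    for i in range(len(seed)):
        for bit in range(8):
            yield seed[:i] + bytes([seed[i] ^ (1 << bit)]) + seed[i + 1:]
        yield seed[:i] + seed[i + 1:]                # drop byte i
        yield seed[:i] + seed[i:i + 1] + seed[i:]    # duplicate byte i
        yield seed[:i]                               # truncate before byte i
    yield seed + b"\xff"


BOUNDARY_LENGTHS = (0, 1, 2, 127, 128, 255)   # assumed boundary values for a 1-byte length


def generated_inputs() -> Iterator[bytes]:
    """Generational fuzzing: build inputs from a model of the format, not from a seed.

    The model knows a record is [len][payload][checksum]; emitting every combination
    of boundary values for the declared and the real payload length reaches the
    declared/actual mismatch by construction rather than by luck.
    """
    for declared in BOUNDARY_LENGTHS:
        for actual in BOUNDARY_LENGTHS:
            payload = b"A" * actual
            yield bytes([declared]) + payload + bytes([xor_all(payload)])


def fuzz(inputs: Iterable[bytes]) -> Dict[str, List[bytes]]:
    """Run every input and bucket the crashing ones by exception type."""
    crashes: Dict[str, List[bytes]] = {}
    for data in inputs:
        kind = run_target(data)
        if kind is not None:
            crashes.setdefault(kind, []).append(data)
    return crashes


if __name__ == "__main__":
    seed = b"\x03abc\x60"   # one valid record: len 3, payload "abc", checksum 0x61^0x62^0x63
    for name, corpus in (("mutation", mutations(seed)), ("generational", generated_inputs())):
        for kind, cases in fuzz(corpus).items():
            print(f"{name:12s} {kind}: {len(cases)} crashing inputs, e.g. {cases[0]!r}")
```

Both strategies find the same bug here, but for different reasons: the mutation run hits it because flipping a high bit of the length byte overruns the buffer, while the generational run hits it because the model deliberately decouples the declared length from the actual payload length. Generational fuzzing needs a model of the format up front; mutation fuzzing needs only a valid sample.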

Perform security management tasks to provide oversight to the information security program.   Security managers must perform a variety of activities to retain proper oversight of the information security program. Log reviews, particularly for administrator activities, ensure that systems are not misused. Account management reviews ensure that only authorized users retain access to information systems. Backup verification ensures that the organization's data protection process is functioning properly. Key performance and risk indicators provide a high-level view of security program effectiveness.

Conduct or facilitate internal and third-party audits.   Security audits occur when an independent party assesses the security controls protecting an organization's information assets. Internal audits are performed by an organization's internal staff and are intended for management use. External audits are performed by a third-party audit firm and are generally intended for the organization's governing body.

Collect security process data.   Many components of the information security program generate data that is crucial to security assessment processes. These components include the account management process, management review and approval, key performance and risk indicators, backup verification data, training and awareness metrics, and the data generated by disaster recovery and business continuity programs.


Written Lab

1. Describe the difference between TCP SYN scanning and TCP connect scanning.

2. What are the three port status values returned by the nmap network discovery scanning tool?

3. What is the difference between static and dynamic code testing techniques?

4. What is the difference between mutation fuzzing and generational fuzzing?
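Written Lab items 1 and 2, and the scenario in Review Question 2, come together when you triage real scan output. The following is an added example for this page, not code from the study guide: it parses Nmap's grepable (-oG) output, explains what each of the three port states means for a SYN or connect scan, and checks every open port against an exposure policy. The scan text is a constructed sample, the host 203.0.113.10 and hostname web01.example.com are placeholders, and the allowlist of ports 80 and 443 is an assumed policy for an internet-facing web server.

```python
"""Triage of Nmap -oG output: the three port states and an exposure policy.

Added example, not from the study guide. SAMPLE_OG is a constructed grepable-format
result for a SYN scan (-sS) of an internet-facing web server, run from outside; a
connect scan (-sT) reports the same states, only the probe differs.
"""
from typing import Dict, List, Tuple

PortInfo = Tuple[int, str, str, str]   # (port, state, protocol, service)
Finding = Tuple[str, str, str]         # (severity, host, message)

# Assumption: policy for this host class; only the web ports may be reachable from outside.
EXTERNAL_ALLOWLIST = {("tcp", 80), ("tcp", 443)}

# Constructed sample. Each port entry is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated Tue Jun 17 10:00:00 2025 as: nmap -sS -oG - 203.0.113.10\n"
    "Host: 203.0.113.10 (web01.example.com)\tStatus: Up\n"
    "Host: 203.0.113.10 (web01.example.com)\tPorts: 22/filtered/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 1433/open/tcp//ms-sql-s///"
    "\tIgnored State: closed (996)\n"
    "# Nmap done at Tue Jun 17 10:00:05 2025 -- 1 IP address (1 host up) scanned in 5.12 seconds\n"
)

# What the three states mean on the wire:
#   open     : SYN scan got SYN/ACK (connect scan completed the handshake); something listens.
#   closed   : host answered with RST; reachable, nothing listening on that port.
#   filtered : no answer or an ICMP unreachable; a firewall dropped the probe.
STATE_MEANING = {
    "open": "a service is listening",
    "closed": "host answered with RST, nothing listening",
    "filtered": "probe dropped by a firewall; confirm the rule is intentional",
}


def parse_grepable(text: str) -> Dict[str, List[PortInfo]]:
    """Return {host_ip: [(port, state, proto, service), ...]} from -oG output."""
    results: Dict[str, List[PortInfo]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                       # comment or summary line
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]
        if "Ports" not in fields:
            continue                       # the "Status: Up" line carries no ports
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 5:
                continue
            results.setdefault(host, []).append((int(parts[0]), parts[1], parts[2], parts[4]))
    return results


def triage(scan: Dict[str, List[PortInfo]], allowlist=EXTERNAL_ALLOWLIST) -> List[Finding]:
    """Rate each reported port against the policy; highest severity first."""
    findings: List[Finding] = []
    for host, ports in scan.items():
        for port, state, proto, service in ports:
            label = f"{port}/{proto} ({service or 'unknown'})"
            if state == "open" and (proto, port) not in allowlist:
                findings.append(("HIGH", host, f"{label} open from the internet and not on the allowlist"))
            elif state == "open":
                findings.append(("INFO", host, f"{label} open as expected"))
            elif state == "filtered":
                findings.append(("LOW", host, f"{label} filtered: {STATE_MEANING[state]}"))
            else:
                findings.append(("INFO", host, f"{label} {state}: {STATE_MEANING.get(state, '')}"))
    rank = {"HIGH": 0, "LOW": 1, "INFO": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for severity, host, message in triage(parse_grepable(SAMPLE_OG)):
        print(f"{severity:5s} {host:15s} {message}")
```

Ports that Nmap folds into "Ignored State: closed (996)" are not listed individually, so the parser only sees the ports whose state differs from the majority; that is why the sample yields one HIGH finding (1433/tcp, a database port answering from the internet), one LOW (22/tcp filtered) and two INFO entries.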


Review Questions

1. Which one of the following tools is used primarily to perform network discovery scans?

A. Nmap

B. OpenVAS

C. Metasploit Framework

D. lsof

2. Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker's perspective on the scan. Which one of the following results is the greatest cause for alarm?

A. 80/open

B. 22/filtered

C. 443/open

D. 1433/open

3. Which one of the following factors should not be taken into consideration when planning a security testing schedule for a particular system?

A. Sensitivity of the information stored on the system

B. Difficulty of performing the test

C. Desire to experiment with new testing tools

D. Desirability of the system to attackers

4. Which one of the following is not normally included in a security assessment?

A. Vulnerability scan

B. Risk assessment

C. Mitigation of vulnerabilities

D. Threat assessment

5. Who is the intended audience for a security assessment report?

A. Management

B. Security auditor

C. Security professional

D. Customers

6. Wendy is considering the use of a vulnerability scanner in her organization. What is the proper role of a vulnerability scanner?

A. They actively scan for intrusion attempts.

B. They serve as a form of enticement.

C. They locate known security holes.

D. They automatically reconfigure a system to a more secured state.


7. Alan ran an Nmap scan against a server and determined that port 80 is open on the server. What tool would likely provide him the best additional information about the server's purpose and the identity of the server's operator?

A. SSH

B. Web browser

C. Telnet

D. Ping

8. What port is typically used to accept administrative connections using the SSH utility?

A. 20

B. 22

C. 25

D. 80

9. Which one of the following tests provides the most accurate and detailed information about the security state of a server?

A. Unauthenticated scan

B. Port scan

C. Half-open scan

D. Authenticated scan

10. What type of network discovery scan only uses the first two steps of the TCP handshake?

A. TCP connect scan

B. Xmas scan

C. TCP SYN scan

D. TCP ACK scan

11. Matthew would like to test systems on his network for SQL injection vulnerabilities. Which one of the following tools would be best suited to this task?

A. Port scanner

B. Network vulnerability scanner

C. Network discovery scanner

D. Web vulnerability scanner

12. Badin Industries runs a web application that processes e-commerce orders and handles credit card transactions. As such, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application and it had no unsatisfactory findings. How often must Badin rescan the application?

A. Only if the application changes

B. At least monthly

C. At least annually

D. There is no rescanning requirement.


13. Grace is performing a penetration test against a client's network and would like to use a tool to assist in automatically executing common exploits. Which one of the following security tools will best meet her needs?

A. nmap

B. Metasploit Framework

C. OpenVAS

D. Nikto

14. Paul would like to test his application against slightly modified versions of previously used input. What type of test does Paul intend to perform?

A. Code review

B. Application vulnerability review

C. Mutation fuzzing

D. Generational fuzzing

15. Users of a banking application may try to withdraw funds that don't exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it?

A. Misuse case testing

B. SQL injection testing

C. Fuzzing

D. Code review
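Question 15 describes the classic misuse case: a user trying to withdraw money that is not there. What misuse case testing adds, beyond the one abuse the developers anticipated, is a list of the other ways a hostile user can bend the same operation. The following is an added example written for this page, not code from the study guide: a withdrawal routine that only checks for overdraft, a hardened version, and a misuse-case runner that records whether each case is rejected, accepted, or crashes the code. Both account classes and the case list are constructed for illustration.

```python
"""Misuse case testing of a withdrawal routine.

Added example, not code from the study guide. A misuse case test enumerates the
ways a hostile user might abuse an operation and checks that each attempt is
rejected rather than accepted or left to crash. Both account classes and the case
list below are constructed for illustration.
"""
import threading
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict


class InsufficientFunds(Exception):
    pass


class InvalidAmount(Exception):
    pass


class NaiveAccount:
    """Handles the one misuse the developers thought of (overdraft) and nothing else."""

    def __init__(self, balance: str) -> None:
        self.balance = Decimal(balance)

    def withdraw(self, amount) -> Decimal:
        amount = Decimal(amount)
        if amount > self.balance:            # only the overdraft check
            raise InsufficientFunds(amount)
        self.balance -= amount
        return self.balance


class HardenedAccount:
    """Validates the amount before the balance check and serialises concurrent withdrawals."""

    def __init__(self, balance: str) -> None:
        self.balance = Decimal(balance)
        self._lock = threading.Lock()

    def withdraw(self, amount) -> Decimal:
        try:
            amount = Decimal(str(amount))
        except (InvalidOperation, ValueError, TypeError):
            raise InvalidAmount(f"not a number: {amount!r}") from None
        # NaN and Infinity defeat the comparison, a negative amount turns a withdrawal
        # into a deposit, and a sub-cent amount bypasses the rounding the ledger expects.
        if (not amount.is_finite() or amount <= 0
                or amount != amount.quantize(Decimal("0.01"))):
            raise InvalidAmount(f"rejected amount: {amount}")
        with self._lock:                     # check-then-act must be atomic to stop a double spend
            if amount > self.balance:
                raise InsufficientFunds(amount)
            self.balance -= amount
            return self.balance


# Constructed misuse cases: (name, the amount a hostile user submits) against a 100.00 balance.
MISUSE_CASES = [
    ("overdraft", "150.00"),
    ("negative amount", "-100.00"),
    ("sub-cent amount", "0.001"),
    ("not a number", "NaN"),
    ("infinite amount", "Infinity"),
    ("garbage string", "100 OR 1=1"),
]


def run_misuse_cases(account_factory: Callable[[str], object], start: str = "100.00") -> Dict[str, str]:
    """Return {case: outcome}; outcome is 'rejected (...)', 'crashed (...)' or 'ACCEPTED -> balance'."""
    results: Dict[str, str] = {}
    for name, amount in MISUSE_CASES:
        account = account_factory(start)     # fresh account so cases do not interfere
        try:
            new_balance = account.withdraw(amount)
        except (InsufficientFunds, InvalidAmount) as exc:
            results[name] = f"rejected ({type(exc).__name__})"
        except Exception as exc:             # an unhandled exception is also a finding
            results[name] = f"crashed ({type(exc).__name__})"
        else:
            results[name] = f"ACCEPTED -> balance {new_balance}"
    return results


if __name__ == "__main__":
    for label, factory in (("naive", NaiveAccount), ("hardened", HardenedAccount)):
        print(label)
        for case, outcome in run_misuse_cases(factory).items():
            print(f"  {case:16s} {outcome}")
```

Against the naive routine the overdraft case is correctly rejected, but a negative amount is accepted and raises the balance to 200.00, a sub-cent amount slips past the ledger's rounding, and non-numeric input crashes the code instead of being refused. The hardened routine rejects every case with a typed error, which is the outcome a misuse case test is written to confirm.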

16. What type of interface testing would identify flaws in a program's command-line interface?

A. Application programming interface testing

B. User interface testing

C. Physical interface testing

D. Security interface testing

17. During what type of penetration test does the tester always have access to system configuration information?

A. Black-box penetration test

B. White-box penetration test

C. Gray-box penetration test

D. Red-box penetration test

18. What port is typically open on a system that runs an unencrypted HTTP server?

A. 22

B. 80

C. 143

D. 443


19. Robert recently completed a SOC engagement for a customer and is preparing a report that describes his firm's opinion on the suitability and effectiveness of security controls after evaluating them over a six-month period. What type of report is he preparing?

A. Type I

B. Type II

C. Type III

D. Type IV

20. What information security management task ensures that the organization's data protection requirements are met effectively?

A. Account management

B. Backup verification

C. Log review

D. Key performance indicators

Chapter 16  Managing Security Operations

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 2.0: Asset Security

■■ 2.3 Provision resources securely

■■ 2.3.1 Information and asset ownership

■■ 2.3.2 Asset inventory (e.g., tangible, intangible)

■■ 2.3.3 Asset management

Domain 3: Security Architecture and Engineering

■■ 3.1 Research, implement and manage engineering processes using secure design principles

■■ 3.1.2 Least privilege

■■ 3.1.6 Separation of Duties (SoD)

■■ 3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

■■ 3.5.6 Cloud-based systems (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

Domain 7: Security Operations

■■ 7.3 Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)

■■ 7.4 Apply foundational security operations concepts

■■ 7.4.1 Need-to-know/least privilege

■■ 7.4.2 Separation of Duties (SoD) and responsibilities

■■ 7.4.3 Privileged account management

■■ 7.4.4 Job rotation

■■ 7.4.5 Service Level Agreements (SLAs)

■■ 7.5 Apply resource protection

■■ 7.5.1 Media management

■■ 7.5.2 Media protection techniques

■■ 7.8 Implement and support patch and vulnerability management

■■ 7.9 Understand and participate in change management processes

■■ 7.15 Address personnel safety and security concerns

■■ 7.15.1 Travel

■■ 7.15.2 Security training and awareness

■■ 7.15.3 Emergency management

■■ 7.15.4 Duress

Domain 8: Software Development Security

■■ 8.4 Assess security impact of acquired software

■■ 8.4.4 Managed services (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
