Home > Articles

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

Answers and Explanations

  1. c. With a blind test, the testing team knows an attack is coming and has limited knowledge of the network systems and devices and publicly available information. A target test occurs when the testing team and the organization’s security team are given maximum information about the network and the type of attack that will occur. A physical test is not a type of penetration test. It is a type of vulnerability assessment. A double-blind test is like a blind test except that the organization’s security team does not know an attack is coming.

  2. d. NIST SP 800-92 does not include any information regarding auditors. So the “Choose auditors with security experience” option is NOT a guideline according to NIST SP 800-92.

  3. a, b, c, d. According to NIST SP 800-92, log management functions should include general functions (log parsing, event filtering, and event aggregation), storage (log rotation, log archival, log reduction, log conversion, log normalization, log file integrity checking), log analysis (event correlation, log viewing, log reporting), and log disposal (log clearing).

  4. b. The two ways of collecting logs using security information and event management (SIEM) products, according to NIST SP 800-92, are agentless and agent-based.

  5. a. Real user monitoring (RUM) captures and analyzes every transaction of every application or website user.

  6. d. Misuse case testing is also known as negative testing.

  7. b. The steps in an ISCM program, according to NIST SP 800-137, are

    1. Define an ISCM strategy.

    2. Establish an ISCM program.

    3. Implement an ISCM program and collect the security-related information required for metrics, assessments, and reporting.

    4. Analyze the data collected, report findings, and determine the appropriate responses.

    5. Respond to findings.

    6. Review and update the monitoring program.

  8. a. The steps in an ISCM program, according to NIST SP 800-137, are

    1. Define an ISCM strategy.

    2. Establish an ISCM program.

    3. Implement an ISCM program and collect the security-related information required for metrics, assessments, and reporting.

    4. Analyze the data collected, report findings, and determine the appropriate responses.

    5. Respond to findings.

    6. Review and update the monitoring program.

  9. c. The following are guidelines for internal, external, and third-party audits:

    • At minimum, perform annual audits to establish a security baseline.

    • Determine your organization’s objectives for the audit and share them with the auditors.

    • Set the ground rules for the audit, including the dates/times of the audit, before the audit starts.

    • Choose auditors who have security experience.

    • Involve business unit managers early in the process.

    • Ensure that auditors rely on experience, not just checklists.

    • Ensure that the auditor’s report reflects risks that the organization has identified.

    • Ensure that the audit is conducted properly.

    • Ensure that the audit covers all systems and all policies and procedures.

    • Examine the report when the audit is complete.

  10. d. SOC 3 is the only SOC report that should be shared with the general public.

  11. a. The steps in performing a penetration test are as follows:

    1. Document information about the target system or device.

    2. Gather information about attack methods against the target system or device. This includes performing port scans.

    3. Identify the known vulnerabilities of the target system or device.

    4. Execute attacks against the target system or device to gain user and privileged access.

    5. Document the results of the penetration test and report the findings to management, with suggestions for remedial action.

  12. b. In black-box testing, or zero-knowledge testing, the testing team is provided with no knowledge regarding the organization’s network. In white-box testing the testing team goes into the testing process with a deep understanding of the application or system. In gray-box testing the testing team is provided more information than in black-box testing, while not as much as in white-box testing. Gray-box testing has the advantage of being nonintrusive while maintaining the boundary between developer and tester. Physical testing reviews facility and perimeter protections.

  13. d. Fuzz testing is a dynamic testing tool that provides input to the software to test the software’s limits and discover flaws. The input provided can be randomly generated by the tool or specially created to test for known vulnerabilities. Interface testing evaluates whether an application’s systems or components correctly pass data and control to one another. It verifies whether module interactions are working properly and errors are handled correctly. Static testing analyzes software security without actually running the software. This is usually provided by reviewing the source code or compiled application. Test coverage analysis uses test cases that are written against the application requirements specifications.

  14. a, b, c, d. Security professionals should consider the following factors when performing security testing:

    • Impact

    • Difficulty

    • Time needed

    • Changes that could affect the performance

    • System risk

    • System criticality

    • Security test availability

    • Information sensitivity level

    • Likelihood of technical failure or misconfiguration

  15. a. Operating system fingerprinting is the process of using some method to determine the operating system running on a host or a server. By identifying the OS version and build number, a hacker can identify common vulnerabilities of that OS using readily available documentation from the Internet. A network discovery scan examines a range of IP addresses to determine which ports are open. This type of scan only shows a list of systems on the network and the ports in use on the network. It does not actually check for any vulnerabilities. By using key performance and risk indicators of security process data, organizations better identify when security risks are likely to occur. Key performance indicators allow organizations to determine whether levels of performance are below or above established norms. Key risk indicators allow organizations to identify whether certain risks are more or less likely to occur. Organizations should conduct internal, external, and third-party audits as part of any security assessment and testing strategy.

  • + Share This
  • 🔖 Save To Your Account