Testing in various forms is an important tool for identifying vulnerabilities and security gaps in an organization’s IT infrastructure. Ideally, a testing plan should include both intrusive and nonintrusive testing methods, as each provides a different view of the infrastructure. For the protection of the testers, intrusive tests should be conducted only with the full approval of upper management as well as legal documentation of that support.
Once security testing is complete, a detailed report of the testers’ findings, along with recommendations for remediation, will be an invaluable guide for improving the overall security of an organization’s IT infrastructure.
It is necessary to consider security issues during every phase of the software development life cycle.
True
False
What occurs during the sunset phase of a security system’s life cycle?
Electronic media is wiped clean.
Paper documentation is shredded or archived.
Old equipment is destroyed or disposed of in a secure manner.
All of the above
Which of the following are primary activities for an information security team? (Select two.)
Researching new exploits
Monitoring/incident handling
Testing
Upgrading security systems
Port scanning is an example of ____________ testing.
Penetration testing is an example of _______________ testing.
Which of the following tests is the most accurate way to test security incident response?
Open
Blind
Double-blind
Automated
Gap analysis in which domain focuses primarily on the effectiveness of an organization’s training program?
User
Workstation
LAN
LAN-to-WAN
WAN
System/Application
Remote Access
A web application security scanner is a good tool to use when testing which domain?
User
Workstation
LAN
LAN-to-WAN
WAN
Remote Access
Penetration testing is a risky operation for both the organization and the testers.
True
False
Which penetration testing team may be composed of systems administrators in other departments of an organization?
Red
Blue
Tiger
Orange
Which penetration testing team is composed of systems administrators who defend the network and respond to the activities of the penetration testers?
Red
Blue
Tiger
Orange
Which penetration testing team is given no prior knowledge of the IT infrastructure and uses the same tools and strategies that an actual attacker would use?
Red
Blue
Tiger
Orange
The clean-up phase of a penetration test is the responsibility of which individual or group?
Systems administrator
Upper management
Penetration testing team
Help desk
A penetration test report should include which of the following? (Select three.)
Description of gaps and risk exposures found during the test
List of passwords uncovered by the penetration testing team
Remediation plans for closing security gaps
Cost analysis and solution prioritization based on risk exposure