During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
Which of the following is a method used to design new software tests and to ensure the quality of tests?
During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
NIST Special Publication 800-53A describes four major types of assessment objects that can be used to identify items being assessed. If the assessment covers IPS devices, which of the types of assessment objects is being assessed?
Jim has been contracted to perform a penetration test of a bank’s primary branch. In order to make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
As part of a penetration test, Alex needs to determine if there are web servers that could suffer from the 2014 Heartbleed bug. What type of tool could he use, and what should he check to verify that the tool can identify the problem?
In a response to a Request for Proposal, Susan receives a SAS-70 Type 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as a follow-up and why?
During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password-cracking efforts?
Which type of SOC report is best suited to provide assurance to users about an organization’s security, availability, and the integrity of their service operations?
What type of testing is used to ensure that separately developed software modules properly exchange data?
Which of the following is not a potential problem with active wireless scanning?
Ben uses a fuzzing tool that develops data models and creates fuzzed data based on information about how the application uses data to test the application. What type of fuzzing is Ben doing?
Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?
Jim has been contracted to conduct a gray box penetration test, and his clients have provided him with the following information about their networks so that he can scan them.
What problem will Jim encounter if he is contracted to conduct a scan from offsite?
Karen’s organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure that her organization’s backups will work next time?
Questions 19, 20, and 21 refer to the following scenario.
The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.
Jennifer needs to ensure that all Windows systems provide identical logging information to the SIEM. How can she best ensure that all Windows desktops have the same log settings?
During normal operations, Jennifer’s team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events?
What technology should an organization use for each of the devices shown in the diagram to ensure that logs can be time sequenced across the entire infrastructure?
During a penetration test, Danielle needs to identify systems, but she hasn’t gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services?
During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry:
What services are likely running on those ports?
Saria’s team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct?
What method is commonly used to assess how well software testing covered the potential uses of an application?
Testing that is focused on functions that a system should not allow is an example of what type of testing?
What type of monitoring uses simulated traffic to a website to monitor performance?
Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?
Jim uses a tool that scans a system for available services, then connects to them to collect banner information to determine what version of the service is running. It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE information. What type of tool is Jim using?
Emily builds a script that sends data to a web application that she is testing. Each time the script runs, it sends a series of transactions with data that fits the expected requirements of the web application to verify that it responds to typical customer behavior. What type of transactions is she using, and what type of test is this?
What passive monitoring technique records all user interaction with an application or website to ensure quality and performance?
Earlier this year, the information security team at Jim’s employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to flag the system as vulnerable even though Jim is sure the patch is installed. Which of the following options is Jim’s best choice to deal with the issue?
Angela wants to test a web browser’s handling of unexpected data using an automated tool. What tool should she choose?
STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?
Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?
During a penetration test, Lauren is asked to test the organization’s Bluetooth security. Which of the following is not a concern she should explain to her employers?
What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
Which of the tools cannot identify a target’s operating system for a penetration tester?
Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
What major difference separates synthetic and passive monitoring?
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test.
What task is the most important during Phase 1, Planning?
Which of the following tools is most likely to be used during discovery?
Which of these concerns is the most important to address during planning to ensure the reporting phase does not cause problems?
What four types of coverage criteria are commonly used when validating the work of a code testing suite?
As part of his role as a security manager, Jacob provides the following chart to his organization’s management team. What type of measurement is he providing for them?
What does using unique user IDs for all users provide when reviewing logs?
Which of the following is not an interface that is typically tested during the software testing process?
What protocol is used to handle vulnerability management data?
Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what type of issue?
Which of the following strategies should not be used to handle a vulnerability identified by a vulnerability scanner?
During a penetration test, Saria calls her target’s help desk claiming to be the senior assistant to an officer of the company. She requests that the help desk reset the officer’s password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed?
In this image, what issue may occur due to the log handling settings?
Which of the following is not a hazard associated with penetration testing?
Which NIST special publication covers the assessment of security and privacy controls?
What type of port scanning is known as “half open” scanning?
Lauren is performing a review of a third-party service organization and wants to determine if the organization’s policies and procedures are effectively enforced over a period of time. What type of industry standard assessment report should she request?
Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?
During a third-party audit, Jim’s company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions.” What is the biggest issue that is likely to result if Jim’s IT staff need to restore from a backup?
Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim’s organization is likely to use as part of its audits?
Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?
Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?
Which of the following types of code review is not typically performed by a human?
Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company’s core software product. Use your knowledge of code review and testing to answer the following three questions.
Susan’s team of software testers is required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?
As part of the continued testing of their new application, Susan’s quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?
As part of their code coverage testing, Susan’s team runs the analysis in a nonproduction environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?
What step should occur after a vulnerability scan finds a critical vulnerability on a system?
Kathleen is reviewing the code for an application. She first plans the review, conducts an overview session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code, rework it, and ensure that all defects found have been corrected.
What type of review is Kathleen conducting?
Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, as well as how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?
During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?
Nikto, Burp Suite, and Wapiti are all examples of what type of tool?
During an nmap scan, what three potential statuses are provided for a port?
Which of the following is not a method of synthetic transaction monitoring?
Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?
Jim is designing his organization’s log management systems and knows that he needs to carefully plan to handle the organization’s log data. Which of the following is not a factor that Jim should be concerned with?
Jim has contracted with a software testing organization that uses automated testing tools to validate software. He is concerned that they may not completely test all statements in his software. What measurement should he ask for in their report to provide information about this?
When a Windows system is rebooted, what type of log is generated?
During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily, but that she was recorded as logging into her department’s main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered?
What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?
Ben’s organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following three questions.
Ben’s development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?
Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?
Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?
Which NIST document covers the creation of an Information Security Continuous Monitoring (ISCM)?
Which of the following is not an issue when using fuzzing to find program faults?
What term describes an evaluation of the effectiveness of security controls performed by a third party?
During a port scan, Ben uses nmap’s default settings and sees the following results. Use this information to answer the following three questions.
If Ben is conducting a penetration test, what should his next step be after receiving these results?
Based on the scan results, what OS was the system that was scanned most likely running?
Ben’s manager expresses concern about the coverage of his scan. Why might his manager have this concern?
What technique relies on reviewing code without running it?
Saria needs to write a request for proposal for code review and wants to ensure that the reviewers take the business logic behind her organization’s applications into account. What type of code review should she specify in the RFP?
What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigates and threatens?
What is the first step that should occur before a penetration test is performed?
What international framework was SSAE-16 based on?
During a penetration test of her organization, Kathleen’s IPS detects a port scan that has the URG, FIN, and PSH flags set and produces an alarm. What type of scan is the penetration tester attempting?
Nmap is an example of what type of tool?
What type of vulnerabilities will not be found by a vulnerability scanner?
MITRE’s CVE database provides what type of information?
A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob’s role as an information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob’s best route to quickly identify vulnerable systems?
NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST’s process for penetration testing. Using this image as well as your knowledge of penetration testing, answer the following questions.
Which of the following is not a part of the discovery phase?
NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?
Which of the following is not a typical part of a penetration test report?