CISSP Official (ISC)2 Practice Tests

Chapter 6
Security Assessment and Testing (Domain 6)
1. During a port scan, Susan discovers a system running services on TCP and UDP 137-139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
1. A Linux email server
2. A Windows SQL server
3. A Linux file server
4. A Windows workstation

2. Which of the following is a method used to design new software tests and to ensure the quality of tests?
1. Code auditing
2. Static code analysis
3. Regression testing
4. Mutation testing

3. During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
1. zzuf
2. Nikto
3. Metasploit
4. sqlmap

4. What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
1. Syslog
2. Netlog
3. Eventlog
4. Remote Log Protocol (RLP)

5. Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
1. A black box
2. A brute-force tool
3. A fuzzer
4. A static analysis tool

6. Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
1. Nmap
2. OpenVAS
3. MBSA
4. Nessus

7. NIST Special Publication 800-53A describes four major types of assessment objects that can be used to identify items being assessed. If the assessment covers IPS devices, which of the types of assessment objects is being assessed?
1. A specification
2. A mechanism
3. An activity
4. An individual

8. Jim has been contracted to perform a penetration test of a bank's primary branch. In order to make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
1. A crystal box penetration test
2. A gray box penetration test
3. A black box penetration test
4. A white box penetration test

9. As part of a penetration test, Alex needs to determine if there are web servers that could suffer from the 2014 Heartbleed bug. What type of tool could he use, and what should he check to verify that the tool can identify the problem?
1. A vulnerability scanner, to see whether the scanner has a signature or test for the Heartbleed CVE number
2. A port scanner, to see whether the scanner properly identifies SSL connections
3. A vulnerability scanner, to see whether the vulnerability scanner detects problems with the Apache web server
4. A port scanner, to see whether the port scanner supports TLS connections

10. In a response to a Request for Proposal, Susan receives a SAS 70 Type 1 report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as follow-up and why?
1. An SAS 70 Type II, because Type I only covers a single point in time
2. An SOC Type 1, because Type II does not cover operating effectiveness
3. An SOC Type 2, because Type I does not cover operating effectiveness
4. An SAC 70 Type 3, because Types 1 and 2 are outdated and no longer accepted

11. During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to fail in her password cracking efforts?
1. Use of WPA2 encryption
2. Running WPA2 in Enterprise mode
3. Use of WEP encryption
4. Running WPA2 in PSK mode

12. Which type of SOC report is best suited to provide assurance to users about an organization's security, availability, and the integrity of their service operations?
1. An SOC 1 Type 2 report
2. An SOC 2 report
3. An SOC 3 report
4. An SOC 1 Type 1 report

13. What type of testing is used to ensure that separately developed software modules properly exchange data?
1. Fuzzing
2. Dynamic testing
3. Interface testing
4. API checksums


14. Which of the following is not a potential problem with active wireless scanning?
1. Accidentally scanning apparent rogue devices that actually belong to guests
2. Causing alarms on the organization's wireless IPS
3. Scanning devices that belong to nearby organizations
4. Misidentifying rogue devices

15. Ben uses a fuzzing tool that develops data models and creates fuzzed data based on information about how the application uses data to test the application. What type of fuzzing is Ben doing?
1. Mutation
2. Parametric
3. Generational
4. Derivative

16. Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?
1. Audit logging
2. Flow logging
3. Trace logging
4. Route logging

17. Jim has been contracted to conduct a gray box penetration test, and his clients have provided him with the following information about their networks so that he can scan them.
- Data center: 10.10.10.0/24
- Sales: 10.10.11.0/24
- Billing: 10.10.12.0/24
- Wireless: 192.168.0.0/16
What problem will Jim encounter if he is contracted to conduct a scan from offsite?
1. The IP ranges are too large to scan efficiently.
2. The IP addresses provided cannot be scanned.
3. The IP ranges overlap and will cause scanning issues.
4. The IP addresses provided are RFC 1918 addresses.

18. Karen's organization has been performing system backups for years but has not used the backups frequently. During a recent system outage, when administrators tried to restore from backups they found that the backups had errors and could not be restored. Which of the following options should Karen avoid when selecting ways to ensure that her organization's backups will work next time?
1. Log review
2. MTD verification
3. Hashing
4. Periodic testing

Questions 19, 20, and 21 refer to the following scenario.
The company that Jennifer works for has implemented a central logging infrastructure, as shown in the following image. Use this diagram and your knowledge of logging systems to answer the following questions.


19. Jennifer needs to ensure that all Windows systems provide identical logging information to the SIEM. How can she best ensure that all Windows desktops have the same log settings?
1. Perform periodic configuration audits.
2. Use Group Policy.
3. Use Local Policy.
4. Deploy a Windows syslog client.

20. During normal operations, Jennifer's team uses the SIEM appliance to monitor for exceptions received via syslog. What system shown does not natively have support for syslog events?
1. Enterprise wireless access points
2. Windows desktop systems
3. Linux web servers
4. Enterprise firewall devices

21. What technology should an organization use for each of the devices shown in the diagram to ensure that logs can be time sequenced across the entire infrastructure?
1. Syslog
2. NTP
3. Logsync
4. SNAP

22. During a penetration test, Danielle needs to identify systems, but she hasn't gained sufficient access on the system she is using to generate raw packets. What type of scan should she run to verify the most open services?
1. A TCP connect scan
2. A TCP SYN scan
3. A UDP scan
4. An ICMP scan

23. During a port scan using nmap, Joseph discovers that a system shows two ports open that cause him immediate worry:
- 21/open
- 23/open
What services are likely running on those ports?
1. SSH and FTP
2. FTP and Telnet
3. SMTP and Telnet
4. POP3 and SMTP

24. Saria's team is working to persuade their management that their network has extensive vulnerabilities that attackers could exploit. If she wants to conduct a realistic attack as part of a penetration test, what type of penetration test should she conduct?
1. Crystal box
2. Gray box
3. White box
4. Black box

25. What method is commonly used to assess how well software testing covered the potential uses of an application?
1. A test coverage analysis
2. A source code review
3. A fuzz analysis
4. A code review report

26. Testing that is focused on functions that a system should not allow is an example of what type of testing?
1. Use case testing
2. Manual testing
3. Misuse case testing
4. Dynamic testing

27. What type of monitoring uses simulated traffic to a website to monitor performance?
1. Log analysis
2. Synthetic monitoring
3. Passive monitoring
4. Simulated transaction analysis

28. Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?
1. Path disclosure
2. Local file inclusion
3. Race condition
4. Buffer overflow

29. Jim uses a tool that scans a system for available services, then connects to them to collect banner information to determine what version of the service is running. It then provides a report detailing what it gathers, basing results on service fingerprinting, banner information, and similar details it gathers combined with CVE information. What type of tool is Jim using?
1. A port scanner
2. A service validator
3. A vulnerability scanner
4. A patch management tool

30. Emily builds a script that sends data to a web application that she is testing. Each time the script runs, it sends a series of transactions with data that fits the expected requirements of the web application to verify that it responds to typical customer behavior. What type of transactions is she using, and what type of test is this?
1. Synthetic, passive monitoring
2. Synthetic, use case testing
3. Actual, dynamic monitoring
4. Actual, fuzzing

31. What passive monitoring technique records all user interaction with an application or website to ensure quality and performance?
1. Client/server testing
2. Real user monitoring
3. Synthetic user monitoring
4. Passive user recording

32. Earlier this year, the information security team at Jim's employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to flag the system as vulnerable even though Jim is sure the patch is installed. Which of the following options is Jim's best choice to deal with the issue?
1. Uninstall and reinstall the patch.
2. Ask the information security team to flag the system as patched and not vulnerable.
3. Update the version information in the web server's configuration.
4. Review the vulnerability report and use alternate remediation instructions if they are provided.

33. Angela wants to test a web browser's handling of unexpected data using an automated tool. What tool should she choose?
1. Nmap
2. zzuf
3. Nessus
4. Nikto


34. STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?
1. Vulnerability assessment
2. Misuse case testing
3. Threat categorization
4. Penetration test planning

35. Why should passive scanning be conducted in addition to implementing wireless security technologies like wireless intrusion detection systems?
1. It can help identify rogue devices.
2. It can test the security of the wireless network via scripted attacks.
3. Their short dwell time on each wireless channel can allow them to capture more packets.
4. They can help test wireless IDS or IPS systems.

36. During a penetration test, Lauren is asked to test the organization's Bluetooth security. Which of the following is not a concern she should explain to her employers?
1. Bluetooth scanning can be time consuming.
2. Many devices that may be scanned are likely to be personal devices.
3. Bluetooth passive scans may require multiple visits at different times to identify all targets.
4. Bluetooth active scans can't evaluate the security mode of Bluetooth devices.

37. What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
1. Nonregression testing
2. Evolution testing
3. Smoke testing
4. Regression testing

38. Which of the tools cannot identify a target's operating system for a penetration tester?
1. Nmap
2. Nessus
3. Nikto
4. sqlmap

39. Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
1. Perform yearly risk assessments.
2. Hire a penetration testing company to regularly test organizational security.
3. Identify and track key risk indicators.
4. Monitor logs and events using a SIEM device.

40. What major difference separates synthetic and passive monitoring?
1. Synthetic monitoring only works after problems have occurred.
2. Passive monitoring cannot detect functionality issues.
3. Passive monitoring only works after problems have occurred.
4. Synthetic monitoring cannot detect functionality issues.

41. Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer the following questions about tool usage during a penetration test.


What task is the most important during Phase 1, Planning?
1. Building a test lab
2. Getting authorization
3. Gathering appropriate tools
4. Determining if the test is white, black, or gray box

42. Which of the following tools is most likely to be used during discovery?
1. Nessus
2. john
3. Nmap
4. Nikto

43. Which of these concerns is the most important to address during planning to ensure the reporting phase does not cause problems?
1. Which CVE format to use
2. How the vulnerability data will be stored and sent
3. Which targets are off-limits
4. How long the report should be

44. What four types of coverage criteria are commonly used when validating the work of a code testing suite?
1. Input, statement, branch, and condition coverage
2. Function, statement, branch, and condition coverage
3. API, branch, bounds, and condition coverage
4. Bounds, branch, loop, and condition coverage

45. As part of his role as a security manager, Jacob provides the following chart to his organization's management team. What type of measurement is he providing for them?
1. A coverage rate measure
2. A key performance indicator
3. A time-to-live metric
4. A business criticality indicator

46. What does using unique user IDs for all users provide when reviewing logs?
1. Confidentiality
2. Integrity
3. Availability
4. Accountability

47. Which of the following is not an interface that is typically tested during the software testing process?
1. APIs
2. Network interfaces
3. UIs
4. Physical interfaces

48. What protocol is used to handle vulnerability management data?
1. VML
2. SVML
3. SCAP
4. VSCAP

49. Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what type of issue?
1. Fuzzing
2. Security vulnerabilities
3. Buffer overflows
4. Race conditions

50. Which of the following strategies should not be used to handle a vulnerability identified by a vulnerability scanner?
1. Install a patch.
2. Use a workaround fix.
3. Update the banner or version number.
4. Use an application layer firewall or IPS to prevent attacks against the identified vulnerability.

51. During a penetration test, Saria calls her target's help desk claiming to be the senior assistant to an officer of the company. She requests that the help desk reset the officer's password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed?
1. Zero knowledge
2. Help desk spoofing
3. Social engineering
4. Black box

52. In this image, what issue may occur due to the log handling settings?
1. Log data may be lost when the log is archived.
2. Log data may be overwritten.
3. Log data may not include needed information.
4. Log data may fill the system disk.


53. Which of the following is not a hazard associated with penetration testing?
1. Application crashes
2. Denial of service
3. Exploitation of vulnerabilities
4. Data corruption

54. Which NIST special publication covers the assessment of security and privacy controls?
1. 800-12
2. 800-53A
3. 800-34
4. 800-86

55. What type of port scanning is known as half-open scanning?
1. TCP Connect
2. TCP ACK
3. TCP SYN
4. Xmas

56. Lauren is performing a review of a third-party service organization and wants to determine if the organization's policies and procedures are effectively enforced over a period of time. What type of industry standard assessment report should she request?
1. SSAE 16 SOC 1 Type I
2. SAS 70 Type I
3. SSAE 16 SOC 1 Type II
4. SAS 70 Type II

57. Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?
1. Systems will be scanned for vulnerabilities.
2. Systems will have known vulnerabilities exploited.
3. Services will be probed for buffer overflow and other unknown flaws.
4. Systems will be tested for zero-day exploits.

58. During a third-party audit, Jim's company receives a finding that states, "The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions." What is the biggest issue that is likely to result if Jim's IT staff need to restore from a backup?
1. They will not know if the backups succeeded or failed.
2. The backups may not be properly logged.
3. The backups may not be usable.
4. The backup logs may not be properly reviewed.

59. Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim's organization is likely to use as part of its audits?
1. COBIT
2. SSAE 16
3. ITIL
4. ISO 27002

60. Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?
1. Define, establish, implement, analyze and report, respond, review, and update
2. Design, build, operate, analyze, respond, review, revise
3. Prepare, detect and analyze, contain, respond, recover, report
4. Define, design, build, monitor, analyze, react, revise


61. Lauren's team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?
1. Time to remediate vulnerabilities
2. A measure of the rate of defect recurrence
3. A weighted risk trend
4. A measure of the specific coverage of their testing

62. Which of the following types of code review is not typically performed by a human?
1. Software inspections
2. Code review
3. Static program analysis
4. Software walkthroughs

Susan is the lead of a Quality Assurance team at her company. They have been tasked with the testing for a major release of their company's core software product. Use your knowledge of code review and testing to answer the following three questions.

63. Susan's team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?
1. White box
2. Gray box
3. Black box
4. Dynamic

64. As part of the continued testing of their new application, Susan's quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?
1. A test coverage report
2. A penetration test report
3. A code coverage report
4. A line coverage report

65. As part of their code coverage testing, Susan's team runs the analysis in a non-production environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?
1. Improper bounds checking
2. Input validation
3. A race condition
4. Pointer manipulation

66. What step should occur after a vulnerability scan finds a critical vulnerability on a system?
1. Patching
2. Reporting
3. Remediation
4. Validation

67. Kathleen is reviewing the code for an application. She first plans the review, conducts an overview session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code, rework it, and ensure that all defects found have been corrected. What type of review is Kathleen conducting?
1. A dynamic test
2. Fagan inspection
3. Fuzzing
4. A Roth-Parker review


68. Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, as well as how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?
1. CSV
2. NVD
3. VSS
4. CVSS

69. During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?
1. Web servers
2. File servers
3. Wireless access points
4. Printers

70. Nikto, Burp Suite, and Wapiti are all examples of what type of tool?
1. Web application vulnerability scanners
2. Code review tools
3. Vulnerability scanners
4. Port scanners

71. During an nmap scan, what three potential statuses are provided for a port?
1. Open, unknown, closed
2. Open, closed, and filtered
3. Available, denied, unknown
4. Available, unavailable, filtered

72. Which of the following is not a method of synthetic transaction monitoring?
1. Database monitoring
2. Traffic capture and analysis
3. User session monitoring
4. Website performance monitoring

73. Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?
1. Misuse case testing
2. Fuzzing
3. Regression testing
4. Interface testing

74. Jim is designing his organization's log management systems and knows that he needs to carefully plan to handle the organization's log data. Which of the following is not a factor that Jim should be concerned with?
1. The volume of log data
2. A lack of sufficient log sources
3. Data storage security requirements
4. Network bandwidth

75. Jim has contracted with a software testing organization that uses automated testing tools to validate software. He is concerned that they may not completely test all statements in his software. What measurement should he ask for in their report to provide information about this?
1. A use case count
2. A test coverage report
3. A code coverage report
4. A code review report

76. When a Windows system is rebooted, what type of log is generated?
1. Error
2. Warning
3. Information
4. Failure audit

77. During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily, but that she was recorded as logging into her department's main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered?
1. Inconsistent log formatting
2. Modified logs
3. Inconsistent timestamps
4. Multiple log sources

78. What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?
1. Authenticated scans
2. Web application scans
3. Unauthenticated scans
4. Port scans

Ben's organization has begun to use STRIDE to assess their software, and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Use the STRIDE model to answer the following three questions.

79. Ben's development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?
1. Auditing and logging is enabled.
2. RBAC is used for specific operations.
3. Data type and format checks are enabled.
4. User input is tested against a whitelist.

80. Ben's team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?
1. Information disclosure
2. Denial of service
3. Tampering
4. Repudiation

81. Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?
1. Hashes
2. Digital signatures
3. Filtering
4. Authorization controls

82. Which NIST document covers the creation of an Information Security Continuous Monitoring (ISCM) program?
1. NIST SP 800-137
2. NIST SP 800-53A
3. NIST SP 800-145
4. NIST SP 800-50

83. Which of the following is not an issue when using fuzzing to find program faults?
1. They often find only simple faults.
2. Fuzz testing bugs are often severe.
3. Fuzzers may not fully cover the code.
4. Fuzzers can't reproduce errors.

84. What term describes an evaluation of the effectiveness of security controls performed by a third party?
1. A security assessment
2. A penetration test
3. A security audit
4. A security test

During a port scan, Ben uses nmap's default settings and sees the following results. Use this information to answer the following three questions.

85. If Ben is conducting a penetration test, what should his next step be after receiving these results?
1. Connect to the web server using a web browser.
2. Connect via Telnet to test for vulnerable accounts.
3. Identify interesting ports for further scanning.
4. Use sqlmap against the open databases.

86. Based on the scan results, what OS was the system that was scanned most likely running?
1. Windows Desktop
2. Linux
3. Network device
4. Windows Server

87. Ben's manager expresses concern about the coverage of his scan. Why might his manager have this concern?
1. Ben did not test UDP services.
2. Ben did not discover ports outside the well-known ports.
3. Ben did not perform OS fingerprinting.
4. Ben tested only a limited number of ports.

88. What technique relies on reviewing code without running it?
1. Fuzzing
2. Black box analysis
3. Static analysis
4. Gray box analysis

89. Saria needs to write a request for proposal for code review and wants to ensure that the reviewers take the business logic behind her organization's applications into account. What type of code review should she specify in the RFP?
1. Static
2. Fuzzing
3. Manual
4. Dynamic

90. What type of diagram used in application threat modeling includes malicious users as well as descriptions like mitigates and threatens?
1. Threat trees
2. STRIDE charts
3. Misuse case diagrams
4. DREAD diagrams

91. What is the first step that should occur before a penetration test is performed?
1. Data gathering
2. Port scanning
3. Getting permission
4. Planning

92. What international framework was SSAE 16 based on?
1. ISO 27001
2. SAS 70
3. SOX
4. ISAE 3402

93. During a penetration test of her organization, Kathleen's IPS detects a port scan that has the URG, FIN, and PSH flags set and produces an alarm. What type of scan is the penetration tester attempting?
1. A SYN scan
2. A TCP flag scan
3. An Xmas scan
4. An ACK scan

94. Nmap is an example of what type of tool?
1. Vulnerability scanner
2. Web application fuzzer
3. Network design and layout
4. Port scanner

95. What type of vulnerabilities will not be found by a vulnerability scanner?
1. Local vulnerabilities
2. Service vulnerabilities
3. Zero-day vulnerabilities
4. Vulnerabilities that require authentication

96. MITRE's CVE database provides what type of information?
1. Current versions of software
2. Patching information for applications
3. Vulnerability information
4. A list of costs versus effort required for common processes

97. A zero-day vulnerability is announced for the popular Apache web server in the middle of a workday. In Jacob's role as an information security analyst, he needs to quickly scan his network to determine what servers are vulnerable to the issue. What is Jacob's best route to quickly identify vulnerable systems?
1. Immediately run Nessus against all of the servers to identify which systems are vulnerable.
2. Review the CVE database to find the vulnerability information and patch information.
3. Create a custom IDS or IPS signature.
4. Identify affected versions and check systems for that version number using an automated scanner.

NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, provides NIST's process for penetration testing. Using this image as well as your knowledge of penetration testing, answer the following questions.


98. Which of the following is not a part of the discovery phase?
1. Hostname and IP address information gathering
2. Service information capture
3. Dumpster diving
4. Privilege escalation

99. NIST specifies four attack phase steps: gaining access, escalating privileges, system browsing, and installing additional tools. Once attackers install additional tools, what phase will a penetration tester typically return to?
1. Discovery
2. Gaining access
3. Escalating privileges
4. System browsing

100. Which of the following is not a typical part of a penetration test report?
1. A list of identified vulnerabilities
2. All sensitive data that was gathered during the test
3. Risk ratings for each issue discovered
4. Mitigation guidance for issues identified
