[qdeck random="false" align="center" scroll="false" hide_gotit="true" gotit_active="false" show_first="front" style="min-height: 500px !important; border-color: #ff6633 !important; width: 800px !important; border-width: 4px !important; border-style: solid !important; " reshow_after="50" cards_to_show="50"]
[h] CISSP Domain 06: Security Assessment and Testing.
[i] CISSP Domain 06
Domain 6 of the CISSP exam covers “Security Assessment and Testing.” It involves understanding and implementing various strategies and methodologies to ensure information systems are secure and compliant.
Key Topics:
- Security assessments (vulnerability assessments, penetration testing, audits)
- Testing methodologies (black-box, white-box, grey-box)
- Security control testing (manual and automated methods)
- Log reviews and monitoring
- Internal and third-party audits
- Metrics and reporting
- Risk assessments
[start]
[q] What are the primary objectives of security assessment and testing?
[a] To verify the effectiveness of security controls, identify vulnerabilities, ensure compliance with policies and regulations, and support risk management.
[q] What is the difference between a vulnerability assessment and a penetration test?
[a] A vulnerability assessment identifies and prioritizes vulnerabilities in a system, whereas a penetration test actively exploits those vulnerabilities to determine the effectiveness of security defenses.
[q] What is a security audit?
[a] A security audit is a formal review and examination of security policies, procedures, and controls to ensure they meet specific standards and comply with regulations.
[q] Name three types of testing methodologies commonly used in security assessments.
[a] 1. White-box testing (full knowledge of the system),
2. Black-box testing (no knowledge of the system),
3. Gray-box testing (partial knowledge of the system).
[q] What is static code analysis?
[a] Static code analysis is the examination of software code for security flaws without executing the program. It helps identify coding errors, vulnerabilities, and non-compliance with coding standards.
[q] What is dynamic analysis, and how does it differ from static analysis?
[a] Dynamic analysis involves testing the software while it’s running to identify security issues during execution. Unlike static analysis, which examines code without execution, dynamic analysis can detect runtime vulnerabilities.
[q] What is fuzz testing (fuzzing)?
[a] Fuzz testing is a technique used to identify vulnerabilities by inputting unexpected, random, or invalid data into a program to see how it behaves and to find potential security weaknesses.
[q] What is the purpose of code review?
[a] A code review involves manually inspecting code to find errors, improve code quality, ensure adherence to coding standards, and identify security vulnerabilities.
[q] What is a Security Information and Event Management (SIEM) system?
[a] A SIEM system aggregates, analyzes, and correlates security event data from multiple sources to provide real-time monitoring, detection of threats, and support incident response.
[q] Describe the concept of continuous monitoring.
[a] Continuous monitoring involves ongoing observation and assessment of security controls, threats, and vulnerabilities to detect and respond to security incidents promptly.
[q] What is user activity monitoring (UAM)?
[a] User activity monitoring (UAM) tracks user actions, behavior, and events to detect potential misuse, anomalies, and insider threats.
[q] What is the difference between an internal and external security test?
[a] An internal test is performed within the network perimeter to assess security from an insider’s perspective, while an external test targets the network from outside to assess the exposure to external threats.
[q] What is an operational test and its purpose?
[a] An operational test evaluates the day-to-day security controls, processes, and procedures to ensure they are functioning as intended in the live environment.
[q] What is the role of a Red Team in security testing?
[a] A Red Team simulates real-world attack scenarios to test the effectiveness of an organization’s security posture and improve detection and response capabilities.
[q] What is meant by “false positives” and “false negatives” in security testing?
[a] A false positive is a security alert that incorrectly indicates a vulnerability or threat. A false negative is when a real vulnerability or threat is not detected by the security testing tool or process.
[q] What is regression testing in the context of security?
[a] Regression testing ensures that recent changes or patches to a system have not introduced new vulnerabilities or negatively affected existing security controls.
[q] What is the difference between authenticated and unauthenticated scanning?
[a] Authenticated scanning uses valid credentials to assess systems with elevated access, providing a more comprehensive security view. Unauthenticated scanning performs an assessment without special access, simulating an external attacker’s perspective.
[q] What is software composition analysis (SCA)?
[a] Software composition analysis (SCA) identifies and manages open-source components in software to detect known vulnerabilities, licensing issues, and ensure compliance with security policies.
[q] What are key elements of an effective vulnerability management program?
[a] 1. Asset discovery and prioritization,
2. Regular vulnerability scanning,
3. Risk assessment and prioritization,
4. Patch and remediation processes,
5. Reporting and documentation.
[q] What is the purpose of an attack surface review?
[a] An attack surface review identifies all the points where an attacker could potentially interact with a system, including exposed services, interfaces, and entry points, to minimize potential vulnerabilities.
[q] What is the goal of a security control assessment (SCA)?
[a] The goal of a Security Control Assessment (SCA) is to ensure that security controls are properly implemented, functioning as intended, and producing the desired level of security based on established policies and requirements.
[q] What is the primary difference between preventive and detective controls in testing?
[a] Preventive controls aim to stop security incidents before they occur (e.g., access controls, firewalls), while detective controls identify and alert on security events as they happen (e.g., intrusion detection systems, logs).
[q] What is continuous integration/continuous deployment (CI/CD) in security testing?
[a] CI/CD is a software development practice where code changes are automatically tested, integrated, and deployed frequently, incorporating security testing early and throughout the development cycle (DevSecOps).
[q] What is a blue team, and what is its role?
[a] A blue team is responsible for defending an organization’s information systems by identifying, responding to, and mitigating attacks during simulated exercises or actual incidents.
[q] What is the purpose of a post-test review (lessons learned) after security testing?
[a] A post-test review aims to discuss the results, identify what worked well or failed, and improve future security assessments and defenses based on lessons learned from the testing process.
[q] Define a control self-assessment (CSA).
[a] A Control Self-Assessment (CSA) is a process where business units evaluate their own controls, compliance, and risk, enabling quicker identification and remediation of security gaps.
[q] What is the difference between a qualitative and a quantitative risk assessment?
[a] A qualitative risk assessment evaluates risks based on subjective criteria like impact and likelihood (often using ratings like high/medium/low), while a quantitative risk assessment assigns numerical values to risks for more measurable results (e.g., annual loss expectancy).
[q] What is a bug bounty program?
[a] A bug bounty program is an initiative where organizations reward individuals (often ethical hackers) for identifying and reporting security vulnerabilities in their systems and applications.
[q] What is an information security baseline?
[a] An information security baseline is a minimum set of security standards and controls that must be implemented across the organization to ensure a consistent level of protection.
[q] What is security regression testing, and when is it used?
[a] Security regression testing is the process of retesting applications or systems after changes or patches to confirm that the updates have not introduced new security vulnerabilities or compromised existing controls.
[q] What is a test coverage analysis?
[a] Test coverage analysis is the process of measuring the extent to which testing activities have evaluated the security controls, code paths, and functionalities to ensure that no significant vulnerabilities remain unchecked.
[q] What is the difference between active and passive security testing?
[a] Active security testing involves interacting with the system (e.g., probing for vulnerabilities), while passive security testing collects and analyzes data without direct interaction to identify issues (e.g., reviewing logs, network traffic analysis).
[q] What is system hardening, and why is it important?
[a] System hardening is the process of securing a system by reducing its attack surface, such as disabling unnecessary services, closing unused ports, and applying patches. It’s crucial to minimize vulnerabilities and improve security posture.
[q] What is the purpose of a log review in security testing?
[a] Log reviews analyze recorded events from systems and applications to detect potential security incidents, policy violations, and operational issues that might indicate vulnerabilities or attacks.
[q] What are security orchestration, automation, and response (SOAR) tools?
[a] SOAR tools enable automated collection and response to security events by integrating various systems, streamlining workflows, and speeding up threat detection and response processes.
[q] What is the purpose of key performance indicators (KPIs) in security testing?
[a] KPIs in security testing measure the effectiveness and efficiency of security processes, controls, and activities, allowing organizations to track progress, identify areas for improvement, and ensure security objectives are being met.
[q] What is the purpose of a security test and evaluation (ST&E)?
[a] The purpose of Security Test and Evaluation (ST&E) is to validate the functionality, effectiveness, and efficiency of security controls in a system, ensuring they meet organizational security requirements.
[q] What is a purple team exercise?
[a] A purple team exercise is a collaboration between the red team (offensive security) and the blue team (defensive security) to improve an organization’s security by sharing insights, enhancing defense tactics, and increasing the effectiveness of both offensive and defensive measures.
[q] What is the significance of a Common Vulnerability Scoring System (CVSS) score?
[a] The CVSS score provides a standardized way to rate the severity of software vulnerabilities, helping organizations prioritize remediation efforts based on the potential impact and exploitability of the vulnerability.
[q] What is credentialed scanning?
[a] Credentialed scanning uses valid user credentials to access and scan a system, providing deeper insights into potential vulnerabilities by simulating an insider’s view of the system.
[q] What is configuration management testing, and why is it important?
[a] Configuration management testing verifies that systems are configured according to security policies and standards. It’s crucial for ensuring that systems are hardened, and deviations or misconfigurations are identified and corrected.
[q] What is a security assessment methodology (SAM)?
[a] A Security Assessment Methodology (SAM) is a structured approach for planning, executing, and documenting security assessments, ensuring consistency and effectiveness across different testing engagements.
[q] What is a static application security testing (SAST) tool, and what does it do?
[a] A SAST tool analyzes an application’s source code or binaries without executing it to identify vulnerabilities like code flaws, insecure practices, and compliance issues early in the development lifecycle.
[q] What is a runtime application self-protection (RASP) tool?
[a] A RASP tool integrates with an application to monitor, detect, and prevent attacks in real-time by analyzing application behavior and blocking malicious activities as they occur during execution.
[q] What is the significance of system and organization controls (SOC) reports?
[a] SOC reports provide third-party assurance regarding the controls at a service organization, demonstrating their adherence to security, availability, processing integrity, confidentiality, and privacy principles. SOC 2 is particularly relevant for cybersecurity.
[q] What is network mapping, and why is it conducted?
[a] Network mapping identifies and documents devices, connections, and topology within a network. It helps security teams understand the attack surface, manage assets, and plan effective defenses.
[q] Define “Threat Modeling.”
[a] Threat modeling is the process of identifying potential threats to a system, understanding how they could exploit vulnerabilities, and assessing their potential impact to prioritize security controls and mitigations.
[q] What is a “use case” in the context of security testing?
[a] In security testing, a use case is a scenario that describes a sequence of actions or interactions between users, systems, or components, which is then tested to identify potential security issues or vulnerabilities.
[q] What is a zero-day vulnerability?
[a] A zero-day vulnerability is a software flaw that is unknown to the vendor and, therefore, has no patch or fix available. Such vulnerabilities are highly sought after by attackers because they can be exploited before mitigation measures are in place.
[q] What is application whitelisting?
[a] Application whitelisting allows only approved applications to run on a system, helping prevent the execution of unauthorized or potentially malicious software.
[x] [restart]
[/qdeck]