CISSP - Security Assessment and Testing Mock

Which phase could a penetration tester go to after they have finished the "System browsing" phase? (Select all that apply).

Options are :

  • Gaining access.
  • Install additional tools. (Correct)
  • Discovery. (Correct)
  • Escalate privileges.

Answer : Install additional tools. Discovery.

Explanation After system browsing, the pen tester would either try to install additional tools or go back to the discovery/planning phase.

A penetration tester is calling one of our employees, and they are talking about friends they have in common. The penetration tester then asks for help from the employee. This is which type of social engineering?

Options are :

  • Intimidation.
  • Familiarity. (Correct)
  • Authority.
  • Scarcity.

Answer : Familiarity.

Explanation Social engineering uses people skills to bypass security controls. Familiarity (have common ground, or build it) - Knowing something about the victim ahead of time and then referencing it can raise the chances of a successful attack drastically. People want to be helpful, and if they feel like they know you, they want to help even more. Often successful with vishing and in-person social engineering.

In our software testing we are using fuzz testing. Which type of testing is that?

Options are :

  • Black box. (Correct)
  • White box.
  • Gray box.
  • Penetration testing.

Answer : Black box.

Explanation Fuzzing (Fuzz Testing) – A black box testing technique that submits random, malformed data as inputs into software programs to determine if they will crash.

Penetration testers have found a vulnerability on some of our switches. The vulnerability is exploitable; who would patch the switch?

Options are :

  • The security team.
  • The penetration testers.
  • The network team. (Correct)
  • The server team.

Answer : The network team.

Explanation Penetration testers are only there to provide a report; they don't fix or alter anything. As the security team we do not update switches; that is the responsibility of the networking team.

We have hired a team of penetration testers to audit our network for vulnerabilities. During a test, one of the testers discovers a real attack underway. What should the tester do?

Options are :

  • Stop the attacker, cut off access.
  • Shut the system down to prevent further damage.
  • Nothing, he was hired to test, nothing else.
  • Notify the organization immediately. (Correct)

Answer : Notify the organization immediately.

Explanation The tester should never act on or fix anything on our network. If they notice an attack, they need to let us know right away so we can act on it.

We have hired an external company to do a penetration test. In which phase would the tester look around on our network, try to find new attack vectors, or maybe go back to the discovery phase?

Options are :

  • Gaining access.
  • Escalate privileges.
  • System browsing. (Correct)
  • Discovery.

Answer : System browsing.

Explanation System browsing: gaining additional access, often going back to discovery again with our new level of knowledge and access.

In our software code testing, one of the coders is mentioning the test coverage analysis. What is she talking about?

Options are :

  • How much of the code was tested in relation to the entire application. (Correct)
  • The amount of errors in the code.
  • Each pair of input parameters to a system.
  • All interfaces exposed by the application.

Answer : How much of the code was tested in relation to the entire application.

Explanation Test Coverage Analysis: Identifies how much of the code was tested in relation to the entire application.

We have finished our initial software development and we are doing our software testing. In integration testing, we would test what?

Options are :

  • Interfaces between components against the software design. (Correct)
  • The functionality of a specific section of code.
  • Processes and security alerts when encountering errors.
  • Data handling passed between different units or subsystems.

Answer : Interfaces between components against the software design.

Explanation Integration testing: Seeks to verify the interfaces between components against a software design. Integration testing works to expose defects in the interfaces and interaction between integrated components/modules. Progressively larger groups of software components are tested until the software works as a system.

When a penetration tester is doing a white box penetration test, they have how much knowledge?

Options are :

  • Full knowledge and privileged access to systems. (Correct)
  • All of these.
  • No knowledge other than what is publicly available.
  • Partial knowledge, user or vendor access level.

Answer : Full knowledge and privileged access to systems.

Explanation White box (Crystal/Clear) Pen testing (Full Knowledge): The attacker has knowledge of the internal network and access to it like a privileged employee would, normally an employee with administrator access and full knowledge of our environment.

Why would we choose to go with an internal audit over a 3rd party audit?

Options are :

  • For compliance.
  • To ensure it is professional and complete.
  • To get the full picture of our organization.
  • Cost. (Correct)

Answer : Cost.

Explanation Internal audits are much cheaper than external audits, but they are also not as complete, are not accredited, and cannot be used for compliance.

One of the distinct phases of software testing is installation testing. What are we testing in this phase?

Options are :

  • Interfaces between components in the software.
  • That the software installs correctly on the customer's hardware. (Correct)
  • Processes and security alerts when encountering errors.
  • Lost or missing features after major code changes.

Answer : That the software installs correctly on the customer's hardware.

Explanation Installation testing: Assures that the system is installed correctly and working on the actual customer's hardware.

Which low tech or no tech attack can often be just as successful as very technical attacks?

Options are :

  • Worms.
  • Social engineering. (Correct)
  • Trojans.
  • DDOS.

Answer : Social engineering.

Explanation Social engineering can often be just as successful as more technical attacks; people want to be helpful.

What would a penetration testing Statement Of Work (SOW) NOT include?

Options are :

  • Time frames.
  • Rules of engagement.
  • Complete and accurate employee PHI. (Correct)
  • IP ranges.

Answer : Complete and accurate employee PHI.

Explanation Penetration testing (pen testing) has very clear rules of engagement defined in a SOW (Statement of Work): which IP ranges, the time frame, tools, POC, how to test, and what to test.

To ensure our compliance before we pay for a structured audit, we want to do an "unstructured" audit. What would that entail?

Options are :

  • External auditors come in.
  • Testing against a published standard.
  • Internal auditors looking for flaws. (Correct)
  • Internal IT Security employees double checking their work.

Answer : Internal auditors looking for flaws.

Explanation Unstructured audits: internal auditors looking to improve our security and find flaws; often done before an external audit.

A new network administrator is asking questions about a security audit we are having done. What would you explain to her it is?

Options are :

  • Internal auditors looking for flaws.
  • External auditors come in.
  • Testing against a published standard. (Correct)
  • Internal IT Security employees double checking their work.

Answer : Testing against a published standard.

Explanation Security audit: A test against a published standard. Purpose is to validate/verify that an organization meets the requirements as stated in the published standard.

Which of these is NOT a common problem organizations face regarding audit record management?

Options are :

  • Logs are not standardized or viewable by a SIEM.
  • Audit logs and audit trails are not stored for a long enough time period.
  • Logs are reviewed regularly and in a timely fashion. (Correct)
  • Logs are not reviewed on a regular and timely basis.

Answer : Logs are reviewed regularly and in a timely fashion.

Explanation Centralized storage is not a problem; that is good. Security Audit Logs (Audit trail): Audit record management typically faces five distinct problems: Logs are not reviewed on a regular and timely basis. Audit logs and audit trails are not stored for a long enough time period. Logs are not standardized or viewable by correlation toolsets; they are only viewable from the system being audited. Log entries and alerts are not prioritized. Audit records are only reviewed for the bad stuff.

An attacker has discovered one of the SSIDs in our organization. They plan to use the information in their initial attack, what have they discovered?

Options are :

  • Our switches.
  • Our servers.
  • Our wireless. (Correct)
  • Our firewall.

Answer : Our wireless.

Explanation SSIDs are the names of our wireless networks, broadcast by our access points; if an attacker has one, that is likely the next target. SSIDs are easy to discover.

In our software testing, if we are doing a white box test, how much information would we have?

Options are :

  • User logs, access entries and project plan.
  • Just the software, no source code.
  • A version of the software, but only the crippleware version.
  • The software, source code, data structures and variables. (Correct)

Answer : The software, source code, data structures and variables.

Explanation White box software testing: The tester has full access to program source code, data structures, variables, etc.

What does a SOC 2 Type 1 report on?

Options are :

  • How resilient our systems are and how often we can expect exploits with our current settings.
  • The suitability of the design AND operating effectiveness of controls.
  • The future state of our controls and countermeasures.
  • The suitability of the design of controls. (Correct)

Answer : The suitability of the design of controls.

Explanation A SOC 2 Type 1 reports on management's description of a service organization's system and the suitability of the design of controls.

In a penetration test, we are giving the tester detailed knowledge of our environments. Which type of penetration testing is she performing?

Options are :

  • White box. (Correct)
  • Gray box.
  • Full box.
  • Black box.

Answer : White box.

Explanation White box (Crystal/Clear) Pen testing (Full Knowledge): The attacker has knowledge of the internal network and access to it like a privileged employee would, normally an employee with administrator access and full knowledge of our environment.

What do we often uncover in our vulnerability scans?

Options are :

  • None of these.
  • Open ports that should not be. (Correct)
  • Attacks.
  • Unauthorized users.

Answer : Open ports that should not be.

Explanation Vulnerability scanning/testing: A vulnerability scanner tool is used to scan a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching. It is very important to understand the output from a vulnerability scan (it can be hundreds of pages for some systems) and how the vulnerabilities map to threats and risks (Risk = Threat x Vulnerability). When we understand the true risk, we can then plan our mitigation.

We want penetration testers to prove they can get to our sensitive documents, but we do not want them to access any of them. What could we use for them to prove they reached their target?

Options are :

  • None of these.
  • They would copy the file, send it to us but not access it.
  • A dummy file is created and it is their target. (Correct)
  • There is no way to do this.

Answer : A dummy file is created and it is their target.

Explanation Often a dummy file is made and it is the target they should try to reach; if they can see/access/alter the file, they have been successful.

When a penetration tester is doing gray box testing, how much knowledge would they have about our organization and our IT infrastructure?

Options are :

  • Partial knowledge; user or vendor access level. (Correct)
  • All of these.
  • Full knowledge and privileges; access to systems.
  • No knowledge other than what is publicly available.

Answer : Partial knowledge; user or vendor access level.

Explanation Gray (Grey) box (Partial Knowledge) Pentesting: The attacker has limited knowledge; they are a normal user, a vendor, or someone else with limited knowledge of the environment.

What would we NOT look at in a security assessment?

Options are :

  • Employee performance. (Correct)
  • Security audits.
  • Penetration tests.
  • Change management.

Answer : Employee performance.

Explanation Security Assessments: A full-picture approach to assessing how effective our access controls are; they have a very broad scope. We would not look at employee performance. Security assessments often span multiple areas, and can use some or all of these components: Policies, procedures, and other administrative controls. Assessing the real-world effectiveness of administrative controls. Change management. Architectural review. Penetration tests. Vulnerability assessments. Security audits.

As part of a security assessment we are having an external company do penetration testing. What do we call a penetration test where the tester has full admin level knowledge about our organization and IT infrastructure? (Select all that apply).

Options are :

  • White box. (Correct)
  • Full box.
  • Crystal box. (Correct)
  • Gray box.
  • Black box.
  • Clear box. (Correct)

Answer : White box. Crystal box. Clear box.

Explanation White box (Crystal/Clear) Pen testing (Full Knowledge): The attacker has knowledge of the internal network and access to it like a privileged employee would, normally an employee with administrator access and full knowledge of our environment. There is no "full box"; gray box is partial knowledge and black box is no knowledge.

As part of her regular duties, Jane is reviewing our logs. When she does that, it is which type of a control?

Options are :

  • Detective. (Correct)
  • Deterrent.
  • Administrative.
  • Preventative.

Answer : Detective.

Explanation Security Audit Logs: Reviewing security audit logs in an IT system is one of the easiest ways to verify that access control mechanisms are working as intended. Reviewing audit logs is primarily a detective control. Centralized Logging: Should be automated and secure, and even administrators should have limited access. Often a central repository is hashed and never touched, and a secondary copy is analyzed, to ensure integrity. Logs should have a retention policy to ensure we are compliant and that we keep the logs as long as we need them.

When an attacker is using intimidation, it is a form of what?

Options are :

  • Social engineering. (Correct)
  • Reverse psychology.
  • Brute force attack.
  • Proper management.

Answer : Social engineering.

Explanation Social engineering uses people skills to bypass security controls. Intimidation (if you don't, something bad happens) - A virus on the network, a compromised credit card, a lawsuit against your company. Intimidation is most effective with impersonation and vishing attacks.

Penetration testers with full physical access to our facility have found Personally Identifiable Health Information (PHI) hard copies lying around. Which of our policies are our employees NOT following?

Options are :

  • Wireless policy.
  • Shred policy.
  • Print policy. (Correct)
  • BYOD policy.

Answer : Print policy.

Explanation Print policy requires employees to pick up prints as they are printed. Often PHI or PII is left on a printer for hours.

When an attacker is wardriving, what do they do?

Options are :

  • Use a modem to call different numbers, looking for an answer with a modem carrier tone.
  • Disrupt our wireless access points by transmitting noise on the wireless channels we use.
  • Calling our dispatch trying to get information through social engineering.
  • Driving around trying to gain access to unsecured or weak security wireless access points. (Correct)

Answer : Driving around trying to gain access to unsecured or weak security wireless access points.

Explanation Wardriving is searching for Wi-Fi wireless networks by a person in a moving vehicle, using a laptop or smartphone.

Which type of audit could we use to ensure our employees are following our policies?

Options are :

  • Review user logs. (Correct)
  • White box testing.
  • Self reviews.
  • Review management.

Answer : Review user logs.

Explanation We would want to review user logs to see if they are following our policies.

In software testing, component interface testing would test what?

Options are :

  • Processes and security alerts when encountering errors.
  • Interfaces between components against the software design.
  • Data handling passed between different units or subsystems. (Correct)
  • The functionality of a specific section of code.

Answer : Data handling passed between different units or subsystems.

Explanation Component interface testing: Testing can be used to check the handling of data passed between various units, or subsystem components, beyond full integration testing between those units.

What could a vulnerability scan possibly help us find?

Options are :

  • System misconfigurations, missing patches and a list of threats.
  • Missing patches, outdated software and users accessing files they shouldn't.
  • Outdated software, missing patches and system misconfigurations. (Correct)
  • Missing patches, outdated software and high utilization on a resource.

Answer : Outdated software, missing patches and system misconfigurations.

Explanation A vulnerability scanner tool is used to scan a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching.

Our senior leadership has decided to do a double-blind penetration test. What does that mean?

Options are :

  • The security and network team is aware it is happening. The testers have no knowledge of our organization.
  • The security and network team is not aware it is happening. The testers have no knowledge of our organization. (Correct)
  • The security team is aware it is happening, the networking team is not.
  • The testers have no knowledge of our organization.

Answer : The security and network team is not aware it is happening. The testers have no knowledge of our organization.

Explanation Double blind is closer to a real attack: the testers are black box (zero knowledge), and the network and security teams are not aware that this is a pen test or when it is happening.

In our software testing we are using synthetic transactions. What is a key characteristic of those?

Options are :

  • They execute the code and input malformed information.
  • They simulate real traffic. (Correct)
  • They are real traffic.
  • They test the code without executing it.

Answer : They simulate real traffic.

Explanation Synthetic Transactions/monitoring - Building scripts or tools that simulate normal user activity in an application.

We have implemented a backup solution and we need to test if it is working. How could we do that?

Options are :

  • Restore and check the backup compared to what was supposed to have been backed up.
  • Open a backed up file and a live file and compare the two (use a live file that has not been changed since the backup).
  • All of these. (Correct)
  • Restore data from a backup and check the data integrity.

Answer : All of these.

Explanation We should test our backups on a regular basis and test on different media, backup types and different storage policies. Not only are we confirming the backups are happening like they are supposed to, we are also training staff so they know exactly what to do when we need to restore from backup.

In our software testing, we are doing black box testing. How much information would we have?

Options are :

  • User logs, access entries and project plan.
  • A version of the software, but only the crippleware version.
  • Just the software, no source code. (Correct)
  • The software, source code, data structures and variables.

Answer : Just the software, no source code.

Explanation Black box software testing: The tester has no details, just the software; they then test it for functionality and security flaws.

Which of these would be a form of penetration testing?

Options are :

  • Black box testing by a white hat. (Correct)
  • White box by a black hat.
  • Black box testing by a gray hat.
  • White box by a gray hat.

Answer : Black box testing by a white hat.

Explanation Penetration testing is always done by white hats; the testing type may be white, gray or black box.

There are many pitfalls when we work with the audit record management in our organization. Which of these is NOT one of those common problems?

Options are :

  • Logs are stored on a central secure server. (Correct)
  • Audit logs and audit trails are not stored for a long enough time period.
  • Logs are not reviewed on a regular and timely basis.
  • Logs are not standardized or viewable by a SIEM.

Answer : Logs are stored on a central secure server.

Explanation Centralized storage is not a problem; that is good. Security Audit Logs (Audit trail): Audit record management typically faces five distinct problems: Logs are not reviewed on a regular and timely basis. Audit logs and audit trails are not stored for a long enough time period. Logs are not standardized or viewable by correlation toolsets; they are only viewable from the system being audited. Log entries and alerts are not prioritized. Audit records are only reviewed for the bad stuff.

We are doing different types of audits in our organization. Who would perform a structured audit?

Options are :

  • Internal auditors.
  • External auditors. (Correct)
  • Senior management.
  • IT security staff.

Answer : External auditors.

Explanation Structured audits (3rd party): External auditors are there to validate compliance; they are experts, and the audit adds credibility. It can also be a knowledge transfer for the organization, and it is required annually in many organizations.

Why would we choose to delete a user account after the employee leaves the organization?

Options are :

  • Accountability traceability for events discovered later.
  • Retention policy.
  • User’s privacy protection. (Correct)
  • Regulations.

Answer : User’s privacy protection.

Explanation We would want to keep accounts deactivated when employees leave; the only reason to delete the accounts would be if required by law or regulation, which would be in place to protect their privacy.

A penetration tester calls an employee and explains that if they act now, they can save 50% off on certain software, but if they wait until tomorrow, the savings will be lost. What is this an example of?

Options are :

  • Familiarity.
  • Authority.
  • Scarcity. (Correct)
  • Intimidation.

Answer : Scarcity.

Explanation Social engineering uses people skills to bypass security controls. Scarcity (if you don't act now, it is too late) - A new iPhone is out, only 200 available. Often effective with phishing and Trojan attacks.

Which type of hacker is skilled and often alerts companies to vulnerabilities before publishing them?

Options are :

  • Script kiddie.
  • White hat.
  • Gray hat. (Correct)
  • Black hat.

Answer : Gray hat.

Explanation Gray/Grey Hat hackers: They are somewhere between the white and black hats; they often alert the company so it can fix the flaw, and if the company does nothing, they then publish the flaw.

We have tested our software and we have found over 10,000 flaws. What should our next steps be?

Options are :

  • Leave them alone, 10,000 is too many to fix.
  • Rate them on likelihood of exploit and impact and address all the issues.
  • Rate them on likelihood of exploit and impact and address the critical issues. (Correct)
  • Fix them all.

Answer : Rate them on likelihood of exploit and impact and address the critical issues.

Explanation Now that we have completed our tests, just like with our log reviews, we need to use and analyze the data we got from the testing. It can be huge amounts of data, and we need to prioritize what we act on first, what is acceptable and what is not. Think of qualitative risk analysis: if it is low likelihood and low impact, we may leave it alone and focus on higher priority items.

We have discovered an employee has installed a rogue access point to get wireless at his desk. The wireless was compromised, and we have lost the PII of over 10,000 customers. What could we have done to prevent this other than training and awareness?

Options are :

  • Proper patch management.
  • Shut all unused switch ports down. (Correct)
  • Hidden our SSID.
  • Port scans.

Answer : Shut all unused switch ports down.

Explanation We can do many things to prevent rogue access points. If we have plenty of coverage, there is rarely a need for them. Good technical controls could include shutting down unused switch ports, sticky MAC addresses (port security), scans for wireless, and traffic monitoring.

Which of these is NOT a normal phase of a white hat hacker's strategy?

Options are :

  • Escalate privileges.
  • Discovery, finding the vulnerabilities.
  • Installing additional tools as they gain more access and higher privileges.
  • Deleting their tracks, the audit files and logs. (Correct)

Answer : Deleting their tracks, the audit files and logs.

Explanation White hat hackers use many of the same tools and approaches that black hats would, but they do not delete their tracks, audit files or logs.

At the end of our software development project, we are doing interface testing. What are we testing?

Options are :

  • Each pair of input parameters to a system.
  • The amount of errors in the code.
  • How much of the code was tested in relation to the entire application.
  • All interfaces exposed by the application. (Correct)

Answer : All interfaces exposed by the application.

Explanation Interface Testing – testing of all interfaces exposed by the application.

While penetration testing is often very helpful in improving our security posture and finding vulnerabilities, it can at times also mean nothing. Why is that?

Options are :

  • All of these. (Correct)
  • We give them too narrow parameters and because of this they can't do a real penetration test.
  • The test is only as good as the tester. If they are no good, we have no clue how vulnerable we are.
  • We do not act on their report.

Answer : All of these.

Explanation Penetration testing is only as good as the tester, is only really useful if the testers are allowed to actually do their job, and we have to act on the report; otherwise it is just lip service.

As part of our software testing, we are doing static software testing. What are we doing?

Options are :

  • Passively test the code, but not run it. (Correct)
  • Test the code while executing it.
  • Build scripts and tools that would simulate normal user activity.
  • Submit random malformed input to crash the software or elevate privileges.

Answer : Passively test the code, but not run it.

Explanation Static testing - Passively testing the code while it is not running. This includes walkthroughs, syntax checking, and code reviews. It looks at the raw source code itself for evidence of known insecure practices, functions, libraries, or other characteristics having been used in the source code.

In which type of software testing do we progressively test larger and larger groups of software components until the software works as a whole?

Options are :

  • Unit testing.
  • Reference checking.
  • Penetration testing.
  • Integration testing. (Correct)

Answer : Integration testing.

Explanation Integration testing: Seeks to verify the interfaces between components against a software design. Integration testing works to expose defects in the interfaces and interaction between integrated components/modules. Progressively larger groups of software components are tested until the software works as a system.

In our software testing, before the release, we are doing fuzz testing. What would that entail?

Options are :

  • Passively test the code, but not run it.
  • Test the code while executing it.
  • Build scripts and tools that would simulate normal user activity.
  • Submit random malformed input to crash the software or elevate privileges. (Correct)

Answer : Submit random malformed input to crash the software or elevate privileges.

Explanation Fuzzing (Fuzz testing): Testing that provides a lot of different inputs to try to cause unauthorized access or to make the application enter an unpredictable state or crash. If the program crashes or hangs, it has failed the fuzz test. The fuzz tester can enter values into the script or use pre-compiled random or specific values. Mutation fuzzing – The tester analyses real input data and modifies it iteratively.

What could be used to provide audit log integrity during an attack?

Options are :

  • Using WORM media for audit logs. (Correct)
  • Local logging accessible with administrator privileges.
  • Centralized logging pushed every hour.
  • Localized logging with push to a centralized server every 24 hours.

Answer : Using WORM media for audit logs.

Explanation WORM (Write Once, Read Many) is media whose content cannot be erased once it is written without destroying the media.
