Quix9 - D6 - 50Q

Beschreibung

100 RedBlue Test Quiz am Quix9 - D6 - 50Q, erstellt von Requiemdust Sheena am 13/05/2020.
Requiemdust Sheena
Quiz von Requiemdust Sheena, aktualisiert more than 1 year ago
Requiemdust Sheena
Erstellt von Requiemdust Sheena vor mehr als 4 Jahre
388
0

Zusammenfassung der Ressource

Frage 1

Frage
During a penetration test, Lauren is asked to test the organization’s Bluetooth security. Which of the following is not a concern she should explain to her employers?
Antworten
  • A. Bluetooth scanning can be time-consuming.
  • B. Many devices that may be scanned are likely to be personal devices.
  • C. Bluetooth passive scans may require multiple visits at different times to identify all targets.
  • D. Bluetooth active scans can’t evaluate the security mode of Bluetooth devices.

Frage 2

Frage
What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
Antworten
  • A. Nonregression testing
  • B. Evolution testing
  • C. Smoke testing
  • D. Regression testing

Frage 3

Frage
Which of the tools cannot identify a target’s operating system for a penetration tester?
Antworten
  • A. Nmap
  • B. Nessus
  • C. Nikto
  • D. sqlmap

Frage 4

Frage
Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
Antworten
  • A. Perform yearly risk assessments.
  • B. Hire a penetration testing company to regularly test organizational security.
  • C. Identify and track key risk indicators.
  • D. Monitor logs and events using a SIEM device.

Frage 5

Frage
What major difference separates synthetic and passive monitoring?
Antworten
  • A. Synthetic monitoring only works after problems have occurred.
  • B. Passive monitoring cannot detect functionality issues.
  • C. Passive monitoring only works after problems have occurred.
  • D. Synthetic monitoring cannot detect functionality issues.

Frage 6

Frage
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. What task is the most important during Phase 1, Planning?
Antworten
  • A. Building a test lab
  • B. Getting authorization
  • C. Gathering appropriate tools
  • D. Determining if the test is white, black, or gray box

Frage 7

Frage
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. Which of the following tools is most likely to be used during discovery?
Antworten
  • A. Nessus
  • B. john
  • C. Nmap
  • D. Nikto

Frage 8

Frage
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. Which of these concerns is the most important to address during planning to ensure that the reporting phase does not cause problems?
Antworten
  • A. Which CVE format to use
  • B. How the vulnerability data will be stored and sent
  • C. Which targets are off-limits
  • D. How long the report should be

Frage 9

Frage
What four types of coverage criteria are commonly used when validating the work of a code testing suite?
Antworten
  • A. Input, statement, branch, and condition coverage
  • B. Function, statement, branch, and condition coverage
  • C. API, branch, bounds, and condition coverage
  • D. Bounds, branch, loop, and condition coverage

Frage 10

Frage
As part of his role as a security manager, Jacob provides the following chart to his organization’s management team. What type of measurement is he providing for them?
Antworten
  • A. A coverage rate measure
  • B. A key performance indicator
  • C. A time to live metric
  • D. A business criticality indicator

Frage 11

Frage
What does using unique user IDs for all users provide when reviewing logs?
Antworten
  • A. Confidentiality
  • B. Integrity
  • C. Availability
  • D. Accountability

Frage 12

Frage
Which of the following is not an interface that is typically tested during the software testing process?
Antworten
  • A. APIs
  • B. Network interfaces
  • C. UIs
  • D. Physical interfaces

Frage 13

Frage
Alan’s organization uses the Security Content Automation Protocol (SCAP) to standardize its vulnerability management program. Which component of SCAP can Alan use to reconcile the identity of vulnerabilities generated by different security assessment tools?
Antworten
  • A. OVAL
  • B. XCCDF
  • C. CVE
  • D. SCE

Frage 14

Frage
Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what common security issue?
Antworten
  • A. Fuzzing
  • B. Security vulnerabilities
  • C. Buffer overflows
  • D. Race conditions

Frage 15

Frage
Which of the following strategies is not a reasonable approach for remediating a vulnerability identified by a vulnerability scanner?
Antworten
  • A. Install a patch.
  • B. Use a workaround fix.
  • C. Update the banner or version number.
  • D. Use an application layer firewall or IPS to prevent attacks against the identified vulnerability.

Frage 16

Frage
During a penetration test Saria calls her target’s help desk claiming to be the senior assistant to an officer of the company. She requests that the help desk reset the officer’s password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed?
Antworten
  • A. Zero knowledge
  • B. Help desk spoofing
  • C. Social engineering
  • D. Black box

Frage 17

Frage
In this image, what issue may occur due to the log handling settings?
Antworten
  • A. Log data may be lost when the log is archived.
  • B. Log data may be overwritten.
  • C. Log data may not include needed information.
  • D. Log data may fill the system disk.

Frage 18

Frage
Which of the following is not a hazard associated with penetration testing?
Antworten
  • A. Application crashes
  • B. Denial of service
  • C. Exploitation of vulnerabilities
  • D. Data corruption

Frage 19

Frage
Which NIST special publication covers the assessment of security and privacy controls?
Antworten
  • A. 800-12
  • B. 800-53A
  • C. 800-34
  • D. 800-86

Frage 20

Frage
If Kara’s primary concern is preventing eavesdropping attacks, which port should she block?
Antworten
  • A. 22
  • B. 80
  • C. 443
  • D. 1433

Frage 21

Frage
If Kara’s primary concern is preventing administrative connections to the server, which port should she block?
Antworten
  • A. 22
  • B. 80
  • C. 443
  • D. 1433

Frage 22

Frage
During a third-party audit, Jim’s company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions.” What is the biggest issue that is likely to result if Jim’s IT staff need to restore from a backup?
Antworten
  • A. They will not know if the backups succeeded or failed.
  • B. The backups may not be properly logged.
  • C. The backups may not be usable.
  • D. The backup logs may not be properly reviewed.

Frage 23

Frage
Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim’s organization is likely to use as part of its audits?
Antworten
  • A. COBIT
  • B. SSAE-18
  • C. ITIL
  • D. ISO 27002

Frage 24

Frage
Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?
Antworten
  • A. Define, establish, implement, analyze and report, respond, review, and update
  • B. Design, build, operate, analyze, respond, review, revise
  • C. Prepare, detect and analyze, contain, respond, recover, report
  • D. Define, design, build, monitor, analyze, react, revise

Frage 25

Frage
Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?
Antworten
  • A. Time to remediate vulnerabilities
  • B. A measure of the rate of defect recurrence
  • C. A weighted risk trend
  • D. A measure of the specific coverage of their testing

Frage 26

Frage
Which of the following types of code review is not typically performed by a human?
Antworten
  • A. Software inspections
  • B. Code review
  • C. Static program analysis
  • D. Software walkthroughs

Frage 27

Frage
Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. Susan’s team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?
Antworten
  • A. White box
  • B. Gray box
  • C. Black box
  • D. Dynamic

Frage 28

Frage
Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. As part of the continued testing of their new application, Susan’s quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?
Antworten
  • A. A test coverage report
  • B. A penetration test report
  • C. A code coverage report
  • D. A line coverage report

Frage 29

Frage
Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. As part of their code coverage testing, Susan’s team runs the analysis in a non-production environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?
Antworten
  • A. Improper bounds checking
  • B. Input validation
  • C. A race condition
  • D. Pointer manipulation

Frage 30

Frage
Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next?
Antworten
  • A. Patching
  • B. Reporting
  • C. Remediation
  • D. Validation

Frage 31

Frage
Kathleen is reviewing the code for an application. She first plans the review, conducts an overview session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code, rework it, and ensure that all defects found have been corrected. What type of review is Kathleen conducting?
Antworten
  • A. A dynamic test
  • B. Fagan inspection
  • C. Fuzzing
  • D. A Roth-Parker review

Frage 32

Frage
Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, and how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?
Antworten
  • A. CSV
  • B. NVD
  • C. VSS
  • D. CVSS

Frage 33

Frage
During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?
Antworten
  • A. Web servers
  • B. File servers
  • C. Wireless access points
  • D. Printers

Frage 34

Frage
Nikto, Burp Suite, and Wapiti are all examples of what type of tool?
Antworten
  • A. Web application vulnerability scanners
  • B. Code review tools
  • C. Vulnerability scanners
  • D. Port scanners

Frage 35

Frage
Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?
Antworten
  • A. Systems will be scanned for vulnerabilities.
  • B. Systems will have known vulnerabilities exploited.
  • C. Services will be probed for buffer overflow and other unknown flaws.
  • D. Systems will be tested for zero-day exploits.

Frage 36

Frage
Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?
Antworten
  • A. Misuse case testing
  • B. Fuzzing
  • C. Regression testing
  • D. Interface testing

Frage 37

Frage
Jim is designing his organization’s log management systems and knows that he needs to carefully plan to handle the organization’s log data. Which of the following is not a factor that Jim should be concerned with?
Antworten
  • A. The volume of log data
  • B. A lack of sufficient log sources
  • C. Data storage security requirements
  • D. Network bandwidth

Frage 38

Frage
Ken is having difficulty correlating information from different security teams in his organization. Specifically, he would like to find a way to describe operating systems in a consistent fashion. What SCAP component can assist him?
Antworten
  • A. CVE
  • B. CPE
  • C. CWE
  • D. OVAL

Frage 39

Frage
When a Windows system is rebooted, what type of log is generated?
Antworten
  • A. Error
  • B. Warning
  • C. Information
  • D. Failure audit

Frage 40

Frage
During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily but that she was recorded as logging into her department’s main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered?
Antworten
  • A. Inconsistent log formatting
  • B. Modified logs
  • C. Inconsistent timestamps
  • D. Multiple log sources

Frage 41

Frage
What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?
Antworten
  • A. Authenticated scans
  • B. Web application scans
  • C. Unauthenticated scans
  • D. Port scans

Frage 42

Frage
Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben’s development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?
Antworten
  • A. Auditing and logging is enabled.
  • B. Role-based access control is used for specific operations.
  • C. Data type and format checks are enabled.
  • D. User input is tested against a whitelist.

Frage 43

Frage
Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?
Antworten
  • A. Information disclosure
  • B. Denial of service
  • C. Tampering
  • D. Repudiation

Frage 44

Frage
Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?
Antworten
  • A. Hashes
  • B. Digital signatures
  • C. Filtering
  • D. Authorization controls

Frage 45

Frage
Chris is troubleshooting an issue with his organization’s SIEM reporting. After analyzing the issue, he believes that the timestamps on log entries from different systems are inconsistent. What protocol can he use to resolve this issue?
Antworten
  • A. SSH
  • B. FTP
  • C. TLS
  • D. NTP

Frage 46

Frage
Ryan is considering the use of fuzz testing in his web application testing program. Which one of the following statements about fuzz testing should Ryan consider when making his decision?
Antworten
  • A. Fuzzers only find complex faults.
  • B. Testers must manually generate input.
  • C. Fuzzers may not fully cover the code.
  • D. Fuzzers can’t reproduce errors.

Frage 47

Frage
Ken is designing a testing process for software developed by his team. He is designing a test that verifies that every line of code was executed during the test. What type of analysis is Ken performing?
Antworten
  • A. Branch coverage
  • B. Condition coverage
  • C. Function coverage
  • D. Statement coverage

Frage 48

Frage
During a port scan, Ben uses nmap’s default settings and sees the following results. If Ben is conducting a penetration test, what should his next step be after receiving these results?
Antworten
  • A. Connect to the web server using a web browser.
  • B. Connect via Telnet to test for vulnerable accounts.
  • C. Identify interesting ports for further scanning.
  • D. Use sqlmap against the open databases.

Frage 49

Frage
During a port scan, Ben uses nmap’s default settings and sees the following results. Based on the scan results, what operating system (OS) was the system that was scanned most likely running?
Antworten
  • A. Windows Desktop
  • B. Linux
  • C. Network device
  • D. Windows Server

Frage 50

Frage
During a port scan, Ben uses nmap’s default settings and sees the following results. Ben’s manager expresses concern about the coverage of his scan. Why might his manager have this concern?
Antworten
  • A. Ben did not test UDP services.
  • B. Ben did not discover ports outside the “well-known ports.”
  • C. Ben did not perform OS fingerprinting.
  • D. Ben tested only a limited number of ports.
Zusammenfassung anzeigen Zusammenfassung ausblenden

ähnlicher Inhalt

Politik von Bismarck
fio xxx
Gemischte Klausur- und sonstige Fragen
Bibische
Integralrechnung
vincent.wegas
Order-to-Cash Geschäftsprozess
zok42.com
Kurvendiskussion bei gebrochen rationalen Funktionen
berit.krondorf
Vetie - Tierzucht & Genetik - S II
Fioras Hu
Österreichische Geschichte ll Mesner (ÖG 2)
Selma Tahirovic
Vetie Tierhygiene-Quiz 2013
Carolina Heide
Vetie Pharma 2015
Anna Auferkamp
Vetie AVO 2016
Johanna Müller
Vetie - Pharma Übungsfragen 2019
E. König