Quix9 - D6 - 50Q

During a penetration test, Lauren is asked to test the organization’s Bluetooth security. Which of the following is not a concern she should explain to her employers?

What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?

Which of the tools cannot identify a target’s operating system for a penetration tester?

Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?

What major difference separates synthetic and passive monitoring?

Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. What task is the most important during Phase 1, Planning?

Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. Which of the following tools is most likely to be used during discovery?

Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. Which of these concerns is the most important to address during planning to ensure that the reporting phase does not cause problems?

What four types of coverage criteria are commonly used when validating the work of a code testing suite?

As part of his role as a security manager, Jacob provides the following chart to his organization’s management team. What type of measurement is he providing for them?

What does using unique user IDs for all users provide when reviewing logs?

Which of the following is not an interface that is typically tested during the software testing process?

Alan’s organization uses the Security Content Automation Protocol (SCAP) to standardize its vulnerability management program. Which component of SCAP can Alan use to reconcile the identity of vulnerabilities generated by different security assessment tools?

Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what common security issue?

Which of the following strategies is not a reasonable approach for remediating a vulnerability identified by a vulnerability scanner?

During a penetration test Saria calls her target’s help desk claiming to be the senior assistant to an officer of the company. She requests that the help desk reset the officer’s password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed?

In this image, what issue may occur due to the log handling settings?

Which of the following is not a hazard associated with penetration testing?

Which NIST special publication covers the assessment of security and privacy controls?

If Kara’s primary concern is preventing eavesdropping attacks, which port should she block?

If Kara’s primary concern is preventing administrative connections to the server, which port should she block?

During a third-party audit, Jim’s company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions.” What is the biggest issue that is likely to result if Jim’s IT staff need to restore from a backup?

Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim’s organization is likely to use as part of its audits?

Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?

Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?

Which of the following types of code review is not typically performed by a human?

Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. Susan’s team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?

Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. As part of the continued testing of their new application, Susan’s quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?

Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. As part of their code coverage testing, Susan’s team runs the analysis in a non-production environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?

Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next?

Kathleen is reviewing the code for an application. She first plans the review, conducts an overview session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code, rework it, and ensure that all defects found have been corrected. What type of review is Kathleen conducting?

Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, and how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?

During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?

Nikto, Burp Suite, and Wapiti are all examples of what type of tool?

Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?

Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?

Jim is designing his organization’s log management systems and knows that he needs to carefully plan to handle the organization’s log data. Which of the following is not a factor that Jim should be concerned with?

Ken is having difficulty correlating information from different security teams in his organization. Specifically, he would like to find a way to describe operating systems in a consistent fashion. What SCAP component can assist him?

When a Windows system is rebooted, what type of log is generated?

During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily but that she was recorded as logging into her department’s main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered?

What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?

Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben’s development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?

Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?

Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?

Chris is troubleshooting an issue with his organization’s SIEM reporting. After analyzing the issue, he believes that the timestamps on log entries from different systems are inconsistent. What protocol can he use to resolve this issue?

Ryan is considering the use of fuzz testing in his web application testing program. Which one of the following statements about fuzz testing should Ryan consider when making his decision?

Ken is designing a testing process for software developed by his team. He is designing a test that verifies that every line of code was executed during the test. What type of analysis is Ken performing?

During a port scan, Ben uses nmap’s default settings and sees the following results. If Ben is conducting a penetration test, what should his next step be after receiving these results?

During a port scan, Ben uses nmap’s default settings and sees the following results. Based on the scan results, what operating system (OS) was the system that was scanned most likely running?

During a port scan, Ben uses nmap’s default settings and sees the following results. Ben’s manager expresses concern about the coverage of his scan. Why might his manager have this concern?