Use the following scenario to answer questions 11 through 14:
You are the CISO of a large bank and have hired a company to provide both an overall security assessment and a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining whether theft of financial data is possible.

Your bank has recently deployed a custom-developed three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices.

The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.

  1. Assuming the penetration test is successful, what is the best way for the penetration testing firm to demonstrate the risk of theft of financial data?
    A. Instruct the penetration testing team to conduct a thorough vulnerability assessment of the server containing financial data
    B. Instruct the penetration testing team to download financial data, redact it, and report accordingly
    C. Instruct the penetration testing team that they may only download financial data via an encrypted and authenticated channel
    D. Place a harmless “flag” file in the same location as the financial data, and inform the penetration testing team to download the flag

  2. What type of penetration test will result in the most efficient use of time and hourly consultant expenses?
    A. Automated knowledge
    B. Full knowledge
    C. Partial knowledge
    D. Zero knowledge

  3. You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?
    A. Secure compiler warnings
    B. Fuzzing
    C. Static testing
    D. White box testing

  4. During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed three-tier web application. What is their best course of action?
    A. Attempt to contain and eradicate the malicious activity
    B. Continue the test
    C. Quietly end the test, immediately call the operational IT contact, and escalate the issue
    D. Shut the server down

  5. Drag and drop: Which of the following statements about Syslog are true? Drag and drop all correct answers from left to right.