
Page 419

Chapter 7: Domain 6: Security Assessment and Testing

  1. What process involves building scripts or tools that simulate activities normally performed in an application?
    A. Test coverage analysis
    B. Misuse case testing
    C. Synthetic transactions
    D. Penetration test

Correct Answer and Explanation: C. Answer C is correct; synthetic transactions involve building scripts or tools that simulate activities normally performed in an application.

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. Test coverage analysis seeks to determine the percentage of an application that has been tested. Misuse case testing is designed to simulate abnormal user behavior. A penetration test is designed to determine if an attacker can penetrate an organization.

  2. What security metric is used to measure availability?
    A. Key Uptime Indicator
    B. Key Risk Indicator
    C. Key Performance Indicator
    D. Key Response Indicator

Correct Answer and Explanation: C. Answer C is correct; Key Performance Indicator (KPI) may be used to measure availability.

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. Key Risk Indicators (KRIs) are used to measure risk. Key Uptime Indicator and Key Response Indicator are distracters that are not valid Common Body of Knowledge terms.

  3. What process is designed to automate penetration tests, and is often run 24/7/365?
    A. Misuse case testing
    B. Synthetic transactions
    C. Breach attack simulation
    D. Test coverage analysis

Correct Answer and Explanation: C. Answer C is correct; Breach Attack Simulations (BAS) automate penetration tests and often run 24/7/365.

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. Misuse case testing is designed to simulate abnormal user behavior. Synthetic transactions are designed to simulate normal behavior. Test coverage analysis seeks to determine the percentage of an application that has been tested.

  4. What type of penetration test begins with no external or trusted information, and begins the attack with public information only?
    A. Full knowledge
    B. Partial knowledge
    C. Grey box
    D. Zero knowledge

Correct Answer and Explanation: D. Answer D is correct; a zero knowledge test begins with no external or trusted information and begins the attack with public information only.

Incorrect Answers and Explanations: A, B, and C. Answers A, B, and C are incorrect. A full-knowledge test (also called crystal-box) provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers. Grey box is not a valid term on the exam. Partial-knowledge tests are in between zero and full knowledge: the penetration tester receives some limited trusted information.

  5. What type of assessment would best demonstrate an organization’s compliance with PCI-DSS (Payment Card Industry Data Security Standard)?
    A. Audit
    B. Penetration test
    C. Security assessment
    D. Vulnerability assessment

Correct Answer and Explanation: A. Answer A is correct; an audit is used to verify compliance with a published specification.

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incorrect. A penetration test is designed to determine if an attacker can penetrate an organization. A security assessment is a holistic approach to assessing the effectiveness of access control. A vulnerability assessment is designed to discover poor configurations and missing patches in an environment.