- What type of test provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers?
A. Full knowledge
B. Partial knowledge
C. Grey box
D. Zero knowledge
Correct Answer and Explanation: A. Answer A is correct; a full-knowledge test provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers.
Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incorrect. Partial-knowledge tests fall between zero and full knowledge: the penetration tester receives some limited trusted information. Grey box is not a valid term on the exam. A zero-knowledge test starts with no external or trusted information, and begins the attack with public information only.
- What can be used to ensure software meets the customer’s operational requirements?
A. Integration testing
B. Installation testing
C. Acceptance testing
D. Unit testing
Correct Answer and Explanation: C. Answer C is correct; acceptance testing is designed to ensure the software meets the customer’s operational requirements.
Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. Integration testing tests multiple software components as they are combined into a working system. Installation testing tests software as it is installed and first operated. Unit testing is a low-level test of software components, such as functions, procedures, or objects.
- What term describes a no-tech or low-tech method that uses the human mind to bypass security controls?
A. Fuzzing
B. Social engineering
C. War dialing
D. Zero knowledge test
Correct Answer and Explanation: B. Answer B is correct; social engineering is a no-tech or low-tech method that uses the human mind to bypass security controls.
Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are incorrect. Fuzzing is a type of black box testing that enters random malformed data as inputs into software programs to determine if they will crash. War dialing uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone. A zero-knowledge penetration test starts with no external or trusted information, and begins the attack with public information only.
- What term describes a black box testing method that seeks to identify and test all unique combinations of software inputs?
A. Combinatorial software testing
B. Dynamic Application Security Testing
C. Misuse case testing
D. Static Application Security Testing
Correct Answer and Explanation: A. Answer A is correct; combinatorial software testing is a black box testing method that seeks to identify and test all unique combinations of software inputs.
Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incorrect. Dynamic Application Security Testing tests code while executing it. Misuse case testing formally models how security impact could be realized by an adversary abusing the application. Static Application Security Testing tests the code passively; the code is not running. This includes walkthroughs, syntax checking, and code reviews.
- What term describes a holistic approach for determining the effectiveness of access control, and has a broad scope?
A. Security assessment
B. Security audit
C. Penetration test
D. Vulnerability assessment
Correct Answer and Explanation: A. Answer A is correct; a security assessment is a holistic approach for determining the effectiveness of access control, and has a broad scope.
Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incorrect. A security audit verifies compliance with an information security framework. A penetration test is designed to determine if an attacker can penetrate an organization. A vulnerability assessment is designed to discover poor configurations and missing patches in an environment.
Use the following scenario to answer questions 11 through 14:
You are the CISO of a large bank and have hired a company to provide an overall security assessment, and also provide a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible.
Your bank has recently deployed a custom-developed three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices.
The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.