CHAPTER SUMMARY

Testing in various forms is an important tool for identifying vulnerabilities and security gaps in an organization’s IT infrastructure. Ideally, a testing plan should include both intrusive and nonintrusive testing methods, as each will provide a different view on the infrastructure. For the protection of the testers, intrusive tests should be conducted only with the full approval of upper management as well as legal documentation of that support.

Once security testing is complete, a detailed report of the testers’ findings as well as recommendations for remediation will be an invaluable guide for improving the overall security of an organization’s IT infrastructure.

KEY CONCEPTS AND TERMS

CHAPTER 12 ASSESSMENT

  1. It is necessary to consider security issues during every phase of the software development life cycle.
    1. True
    2. False
  2. What occurs during the sunset phase of a security system’s life cycle?
    1. Electronic media is wiped clean.
    2. Paper documentation is shredded or archived.
    3. Old equipment is destroyed or disposed of in a secure manner.
    4. All of the above
  3. Which of the following are primary activities for an information security team? (Select two.)
    1. Researching new exploits
    2. Monitoring/incident handling
    3. Testing
    4. Upgrading security systems
  4. Port scanning is an example of ____________ testing.
  5. Penetration testing is an example of _______________ testing.
  6. Which of the following tests is the most accurate way to test security incident response?
    1. Open
    2. Blind
    3. Double-blind
    4. Automated
  7. Gap analysis in which domain focuses primarily on the effectiveness of an organization’s training program?
    1. User
    2. Workstation
    3. LAN
    4. LAN-to-WAN
    5. WAN
    6. System/Application
    7. Remote Access
  8. A web application security scanner is a good tool to use when testing which domain?
    1. User
    2. Workstation
    3. LAN
    4. LAN-to-WAN
    5. WAN
    6. Remote Access
  9. Penetration testing is a risky operation for both the organization and the testers.
    1. True
    2. False
  10. Which penetration testing team may be composed of systems administrators in other departments of an organization?
    1. Red
    2. Blue
    3. Tiger
    4. Orange
  11. Which penetration testing team is composed of systems administrators who defend the network and respond to the activities of the penetration testers?
    1. Red
    2. Blue
    3. Tiger
    4. Orange
  12. Which penetration testing team is given no prior knowledge of the IT infrastructure and uses the same tools and strategies that an actual attacker would use?
    1. Red
    2. Blue
    3. Tiger
    4. Orange
  13. The clean-up phase of a penetration test is the responsibility of which individual or group?
    1. Systems administrator
    2. Upper management
    3. Penetration testing team
    4. Help desk
  14. A penetration test report should include which of the following? (Select three.)
    1. Description of gaps and risk exposures found during the test
    2. List of passwords uncovered by the penetration testing team
    3. Remediation plans for closing security gaps
    4. Cost analysis and solution prioritization based on risk exposure