Copy and Edit

Quix9 - D6 - 50Q

Description

100 RedBlue Test Quiz on Quix9 - D6 - 50Q, created by Requiemdust Sheena on 13/05/2020.
Requiemdust Sheena
Quiz by Requiemdust Sheena, updated more than 1 year ago
Requiemdust Sheena
Created by Requiemdust Sheena almost 4 years ago
262
0
1

Resource summary

Question 1

Question
During a penetration test, Lauren is asked to test the organization’s Bluetooth security. Which of the following is not a concern she should explain to her employers?
Answer
  • A. Bluetooth scanning can be time-consuming.
  • B. Many devices that may be scanned are likely to be personal devices.
  • C. Bluetooth passive scans may require multiple visits at different times to identify all targets.
  • D. Bluetooth active scans can’t evaluate the security mode of Bluetooth devices.

Question 2

Question
What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
Answer
  • A. Nonregression testing
  • B. Evolution testing
  • C. Smoke testing
  • D. Regression testing

Question 3

Question
Which of the tools cannot identify a target’s operating system for a penetration tester?
Answer
  • A. Nmap
  • B. Nessus
  • C. Nikto
  • D. sqlmap

Question 4

Question
Susan needs to predict high-risk areas for her organization and wants to use metrics to assess risk trends as they occur. What should she do to handle this?
Answer
  • A. Perform yearly risk assessments.
  • B. Hire a penetration testing company to regularly test organizational security.
  • C. Identify and track key risk indicators.
  • D. Monitor logs and events using a SIEM device.

Question 5

Question
What major difference separates synthetic and passive monitoring?
Answer
  • A. Synthetic monitoring only works after problems have occurred.
  • B. Passive monitoring cannot detect functionality issues.
  • C. Passive monitoring only works after problems have occurred.
  • D. Synthetic monitoring cannot detect functionality issues.

Question 6

Question
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. What task is the most important during Phase 1, Planning?
Image:
36 (binary/octet-stream)
Answer
  • A. Building a test lab
  • B. Getting authorization
  • C. Gathering appropriate tools
  • D. Determining if the test is white, black, or gray box

Question 7

Question
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. Which of the following tools is most likely to be used during discovery?
Image:
36 (binary/octet-stream)
Answer
  • A. Nessus
  • B. john
  • C. Nmap
  • D. Nikto

Question 8

Question
Chris uses the standard penetration testing methodology shown here. Use this methodology and your knowledge of penetration testing to answer questions about tool usage during a penetration test. Which of these concerns is the most important to address during planning to ensure that the reporting phase does not cause problems?
Image:
36 (binary/octet-stream)
Answer
  • A. Which CVE format to use
  • B. How the vulnerability data will be stored and sent
  • C. Which targets are off-limits
  • D. How long the report should be

Question 9

Question
What four types of coverage criteria are commonly used when validating the work of a code testing suite?
Answer
  • A. Input, statement, branch, and condition coverage
  • B. Function, statement, branch, and condition coverage
  • C. API, branch, bounds, and condition coverage
  • D. Bounds, branch, loop, and condition coverage

Question 10

Question
As part of his role as a security manager, Jacob provides the following chart to his organization’s management team. What type of measurement is he providing for them?
Image:
37 (binary/octet-stream)
Answer
  • A. A coverage rate measure
  • B. A key performance indicator
  • C. A time to live metric
  • D. A business criticality indicator

Question 11

Question
What does using unique user IDs for all users provide when reviewing logs?
Answer
  • A. Confidentiality
  • B. Integrity
  • C. Availability
  • D. Accountability

Question 12

Question
Which of the following is not an interface that is typically tested during the software testing process?
Answer
  • A. APIs
  • B. Network interfaces
  • C. UIs
  • D. Physical interfaces

Question 13

Question
Alan’s organization uses the Security Content Automation Protocol (SCAP) to standardize its vulnerability management program. Which component of SCAP can Alan use to reconcile the identity of vulnerabilities generated by different security assessment tools?
Answer
  • A. OVAL
  • B. XCCDF
  • C. CVE
  • D. SCE

Question 14

Question
Misconfiguration, logical and functional flaws, and poor programming practices are all causes of what common security issue?
Answer
  • A. Fuzzing
  • B. Security vulnerabilities
  • C. Buffer overflows
  • D. Race conditions

Question 15

Question
Which of the following strategies is not a reasonable approach for remediating a vulnerability identified by a vulnerability scanner?
Answer
  • A. Install a patch.
  • B. Use a workaround fix.
  • C. Update the banner or version number.
  • D. Use an application layer firewall or IPS to prevent attacks against the identified vulnerability.

Question 16

Question
During a penetration test Saria calls her target’s help desk claiming to be the senior assistant to an officer of the company. She requests that the help desk reset the officer’s password because of an issue with his laptop while traveling and persuades them to do so. What type of attack has she successfully completed?
Answer
  • A. Zero knowledge
  • B. Help desk spoofing
  • C. Social engineering
  • D. Black box

Question 17

Question
In this image, what issue may occur due to the log handling settings?
Image:
38 (binary/octet-stream)
Answer
  • A. Log data may be lost when the log is archived.
  • B. Log data may be overwritten.
  • C. Log data may not include needed information.
  • D. Log data may fill the system disk.

Question 18

Question
Which of the following is not a hazard associated with penetration testing?
Answer
  • A. Application crashes
  • B. Denial of service
  • C. Exploitation of vulnerabilities
  • D. Data corruption

Question 19

Question
Which NIST special publication covers the assessment of security and privacy controls?
Answer
  • A. 800-12
  • B. 800-53A
  • C. 800-34
  • D. 800-86

Question 20

Question
If Kara’s primary concern is preventing eavesdropping attacks, which port should she block?
Answer
  • A. 22
  • B. 80
  • C. 443
  • D. 1433

Question 21

Question
If Kara’s primary concern is preventing administrative connections to the server, which port should she block?
Answer
  • A. 22
  • B. 80
  • C. 443
  • D. 1433

Question 22

Question
During a third-party audit, Jim’s company receives a finding that states, “The administrator should review backup success and failure logs on a daily basis, and take action in a timely manner to resolve reported exceptions.” What is the biggest issue that is likely to result if Jim’s IT staff need to restore from a backup?
Answer
  • A. They will not know if the backups succeeded or failed.
  • B. The backups may not be properly logged.
  • C. The backups may not be usable.
  • D. The backup logs may not be properly reviewed.

Question 23

Question
Jim is helping his organization decide on audit standards for use throughout their international organization. Which of the following is not an IT standard that Jim’s organization is likely to use as part of its audits?
Answer
  • A. COBIT
  • B. SSAE-18
  • C. ITIL
  • D. ISO 27002

Question 24

Question
Which of the following best describes a typical process for building and implementing an Information Security Continuous Monitoring program as described by NIST Special Publication 800-137?
Answer
  • A. Define, establish, implement, analyze and report, respond, review, and update
  • B. Design, build, operate, analyze, respond, review, revise
  • C. Prepare, detect and analyze, contain, respond, recover, report
  • D. Define, design, build, monitor, analyze, react, revise

Question 25

Question
Lauren’s team conducts regression testing on each patch that they release. What key performance measure should they maintain to measure the effectiveness of their testing?
Answer
  • A. Time to remediate vulnerabilities
  • B. A measure of the rate of defect recurrence
  • C. A weighted risk trend
  • D. A measure of the specific coverage of their testing

Question 26

Question
Which of the following types of code review is not typically performed by a human?
Answer
  • A. Software inspections
  • B. Code review
  • C. Static program analysis
  • D. Software walkthroughs

Question 27

Question
Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. Susan’s team of software testers are required to test every code path, including those that will only be used when an error condition occurs. What type of testing environment does her team need to ensure complete code coverage?
Answer
  • A. White box
  • B. Gray box
  • C. Black box
  • D. Dynamic

Question 28

Question
Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. As part of the continued testing of their new application, Susan’s quality assurance team has designed a set of test cases for a series of black box tests. These functional tests are then run, and a report is prepared explaining what has occurred. What type of report is typically generated during this testing to indicate test metrics?
Answer
  • A. A test coverage report
  • B. A penetration test report
  • C. A code coverage report
  • D. A line coverage report

Question 29

Question
Susan is the lead of a Quality Assurance team at her company. The team has been tasked with the testing for a major release of their company’s core software product. As part of their code coverage testing, Susan’s team runs the analysis in a non-production environment using logging and tracing tools. Which of the following types of code issues is most likely to be missed during testing due to this change in the operating environment?
Answer
  • A. Improper bounds checking
  • B. Input validation
  • C. A race condition
  • D. Pointer manipulation

Question 30

Question
Robin recently conducted a vulnerability scan and found a critical vulnerability on a server that handles sensitive information. What should Robin do next?
Answer
  • A. Patching
  • B. Reporting
  • C. Remediation
  • D. Validation

Question 31

Question
Kathleen is reviewing the code for an application. She first plans the review, conducts an overview session with the reviewers and assigns roles, and then works with the reviewers to review materials and prepare for their roles. Next, she intends to review the code, rework it, and ensure that all defects found have been corrected. What type of review is Kathleen conducting?
Answer
  • A. A dynamic test
  • B. Fagan inspection
  • C. Fuzzing
  • D. A Roth-Parker review

Question 32

Question
Danielle wants to compare vulnerabilities she has discovered in her data center based on how exploitable they are, if exploit code exists, and how hard they are to remediate. What scoring system should she use to compare vulnerability metrics like these?
Answer
  • A. CSV
  • B. NVD
  • C. VSS
  • D. CVSS

Question 33

Question
During a port scan of his network, Alex finds that a number of hosts respond on TCP ports 80, 443, 515, and 9100 in offices throughout his organization. What type of devices is Alex likely discovering?
Answer
  • A. Web servers
  • B. File servers
  • C. Wireless access points
  • D. Printers

Question 34

Question
Nikto, Burp Suite, and Wapiti are all examples of what type of tool?
Answer
  • A. Web application vulnerability scanners
  • B. Code review tools
  • C. Vulnerability scanners
  • D. Port scanners

Question 35

Question
Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?
Answer
  • A. Systems will be scanned for vulnerabilities.
  • B. Systems will have known vulnerabilities exploited.
  • C. Services will be probed for buffer overflow and other unknown flaws.
  • D. Systems will be tested for zero-day exploits.

Question 36

Question
Susan needs to ensure that the interactions between the components of her e-commerce application are all handled properly. She intends to verify communications, error handling, and session management capabilities throughout her infrastructure. What type of testing is she planning to conduct?
Answer
  • A. Misuse case testing
  • B. Fuzzing
  • C. Regression testing
  • D. Interface testing

Question 37

Question
Jim is designing his organization’s log management systems and knows that he needs to carefully plan to handle the organization’s log data. Which of the following is not a factor that Jim should be concerned with?
Answer
  • A. The volume of log data
  • B. A lack of sufficient log sources
  • C. Data storage security requirements
  • D. Network bandwidth

Question 38

Question
Ken is having difficulty correlating information from different security teams in his organization. Specifically, he would like to find a way to describe operating systems in a consistent fashion. What SCAP component can assist him?
Answer
  • A. CVE
  • B. CPE
  • C. CWE
  • D. OVAL

Question 39

Question
When a Windows system is rebooted, what type of log is generated?
Answer
  • A. Error
  • B. Warning
  • C. Information
  • D. Failure audit

Question 40

Question
During a review of access logs, Alex notices that Danielle logged into her workstation in New York at 8 a.m. daily but that she was recorded as logging into her department’s main web application shortly after 3 a.m. daily. What common logging issue has Alex likely encountered?
Answer
  • A. Inconsistent log formatting
  • B. Modified logs
  • C. Inconsistent timestamps
  • D. Multiple log sources

Question 41

Question
What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?
Answer
  • A. Authenticated scans
  • B. Web application scans
  • C. Unauthenticated scans
  • D. Port scans

Question 42

Question
Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben’s development team needs to address an authorization issue, resulting in an elevation of privilege threat. Which of the following controls is most appropriate to this type of issue?
Answer
  • A. Auditing and logging is enabled.
  • B. Role-based access control is used for specific operations.
  • C. Data type and format checks are enabled.
  • D. User input is tested against a whitelist.

Question 43

Question
Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben’s team is attempting to categorize a transaction identification issue that is caused by use of a symmetric key shared by multiple servers. What STRIDE category should this fall into?
Answer
  • A. Information disclosure
  • B. Denial of service
  • C. Tampering
  • D. Repudiation

Question 44

Question
Ben’s organization has begun to use STRIDE to assess its software and has identified threat agents and the business impacts that these threats could have. Now they are working to identify appropriate controls for the issues they have identified. Ben wants to prevent or detect tampering with data. Which of the following is not an appropriate solution?
Answer
  • A. Hashes
  • B. Digital signatures
  • C. Filtering
  • D. Authorization controls

Question 45

Question
Chris is troubleshooting an issue with his organization’s SIEM reporting. After analyzing the issue, he believes that the timestamps on log entries from different systems are inconsistent. What protocol can he use to resolve this issue?
Answer
  • A. SSH
  • B. FTP
  • C. TLS
  • D. NTP

Question 46

Question
Ryan is considering the use of fuzz testing in his web application testing program. Which one of the following statements about fuzz testing should Ryan consider when making his decision?
Answer
  • A. Fuzzers only find complex faults.
  • B. Testers must manually generate input.
  • C. Fuzzers may not fully cover the code.
  • D. Fuzzers can’t reproduce errors.

Question 47

Question
Ken is designing a testing process for software developed by his team. He is designing a test that verifies that every line of code was executed during the test. What type of analysis is Ken performing?
Answer
  • A. Branch coverage
  • B. Condition coverage
  • C. Function coverage
  • D. Statement coverage

Question 48

Question
During a port scan, Ben uses nmap’s default settings and sees the following results. If Ben is conducting a penetration test, what should his next step be after receiving these results?
Image:
39 (binary/octet-stream)
Answer
  • A. Connect to the web server using a web browser.
  • B. Connect via Telnet to test for vulnerable accounts.
  • C. Identify interesting ports for further scanning.
  • D. Use sqlmap against the open databases.

Question 49

Question
During a port scan, Ben uses nmap’s default settings and sees the following results. Based on the scan results, what operating system (OS) was the system that was scanned most likely running?
Image:
39 (binary/octet-stream)
Answer
  • A. Windows Desktop
  • B. Linux
  • C. Network device
  • D. Windows Server

Question 50

Question
During a port scan, Ben uses nmap’s default settings and sees the following results. Ben’s manager expresses concern about the coverage of his scan. Why might his manager have this concern?
Image:
39 (binary/octet-stream)
Answer
  • A. Ben did not test UDP services.
  • B. Ben did not discover ports outside the “well-known ports.”
  • C. Ben did not perform OS fingerprinting.
  • D. Ben tested only a limited number of ports.
Show full summary Hide full summary

Want to create your own Quizzes for free with GoConqr? Learn more.

Similar

Segunda Guerra Mundial 1939-1945
miminoma
Pythagorean Theorem Quiz
Selam H
10 Mind Mapping Strategies for Teachers
Andrea Leyden
Cell Structure
daniel.praecox
Developmental Psychology - Freud, Little Hans (1909)
Robyn Chamberlain
Hitler and the Nazi Party (1919-23)
Adam Collinge
The Five Minute Lesson Plan Template
tom.roche_
How the European Union Works
Sarah Egan
2PR101 1. test - 5. část
Nikola Truong
SFDC App Builder 1 (176-200ish)
Connie Woolard
Microbiology MCQs 3rd Year Final- PMU
Med Student
Browse Library