CISSP Official Practice Tests by Mike Chapple, David Seidl

130 Chapter 6 ■ Security Assessment and Testing (Domain 6)
  1. In a response to a Request for Proposal, Susan receives an SSAE 18 SOC 1 report. If she
    wants a report that includes operating effectiveness detail, what should Susan ask for as
    follow-up and why?
    A. A SOC 2 Type II report, because Type I does not cover operating effectiveness
    B. A SOC 1 Type I report, because SOC 2 does not cover operating effectiveness
    C. A SOC 2 Type I report, because SOC 2 Type II does not cover operating effectiveness
    D. A SOC 3 report, because SOC 1 and SOC 2 reports are outdated

  2. During a wireless network penetration test, Susan runs aircrack-ng against the network
    using a password file. What might cause her to fail in her password-cracking efforts?
    A. Use of WPA2 encryption
    B. Running WPA2 in Enterprise mode
    C. Use of WEP encryption
    D. Running WPA2 in PSK mode

  3. A zero-day vulnerability is announced for the popular Apache web server in the middle of
    a workday. In Jacob’s role as an information security analyst, he needs to quickly scan his
    network to determine what servers are vulnerable to the issue. What is Jacob’s best route
    to quickly identify vulnerable systems?
    A. Immediately run Nessus against all of the servers to identify which systems are vulnerable.
    B. Review the CVE database to find the vulnerability information and patch information.
    C. Create a custom IDS or IPS signature.
    D. Identify affected versions and check systems for that version number using an automated scanner.

  4. What type of testing is used to ensure that separately developed software modules properly
    exchange data?
    A. Fuzzing
    B. Dynamic testing
    C. Interface testing
    D. API checksums

  5. Which of the following is not a potential problem with active wireless scanning?
    A. Accidentally scanning apparent rogue devices that actually belong to guests
    B. Causing alarms on the organization’s wireless IPS
    C. Scanning devices that belong to nearby organizations
    D. Misidentifying rogue devices