Chapter 6: Security Assessment and Testing (Domain 6) 373
or banner information and may flag patched versions if the software provider does not
update the information they see. Uninstalling and reinstalling the patch will not change
this. Changing the version information may not change all of the details that are being
flagged by the scanner and may cause issues at a later date. Reviewing the vulnerability
information for a workaround may be a good idea but should not be necessary if the
proper patch is installed; it can create maintenance issues later.
- B. zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with tools like web browsers, image viewers, and similar software by modifying network and file input to applications. Nmap is a port scanner, Nessus is a vulnerability scanner, and Nikto is a web server scanner.
- C. An important part of application threat modeling is threat categorization. It helps to assess attacker goals that influence the controls that should be put in place. The other answers all involve topics that are not directly part of application threat modeling.
- A. Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.
  Scripted attacks are part of active scanning rather than passive scanning, and active scanning is useful for testing IDS or IPS systems, whereas passive scanning will not be detected by detection systems. Finally, a shorter dwell time can actually miss troublesome traffic, so balancing dwell time versus coverage is necessary for passive wireless scanning efforts.
- D. Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging due to the limited range of Bluetooth and the prevalence of personally owned Bluetooth enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.
- D. Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues. Nonregression testing checks to see whether a change has had the effect it was supposed to, smoke testing focuses on simple problems with impact on critical functionality, and evolution testing is not a software testing technique.
- D. Nmap, Nessus, and Nikto all have OS fingerprinting or other operating system identification capabilities. sqlmap is designed to perform automated detection and testing of SQL injection flaws and does not provide OS detection.
- C. Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their lifecycle. Yearly risk assessments may be a good idea, but only provide a point-in-time view, whereas penetration tests may miss out on risks that are not directly security related. Monitoring logs and events using a SIEM device can help detect issues as they occur but won’t necessarily show trends in risk.
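The passive wireless scanning answer above lists three checks a defender applies to captured frames: compare the MAC vendor ID (OUI) against the vendors actually deployed, match the full hardware address against the inventory of organizationally owned equipment, and watch for SSIDs that are not approved. The following Python triage script is an added example and not from the book or any named product; the OUI table, inventory, SSID allow-list and the captured observations are all constructed sample data, and the vendor names and device labels are assumptions.

```python
"""Triage of passively captured Wi-Fi frames against organizational records.

Added example, not from the book. All tables and observations below are
constructed sample data; real OUI data comes from the IEEE registry and real
observations from a monitor-mode capture.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed OUI (first three octets) -> vendor table. Assumed vendor names.
OUI_VENDORS = {
    "00:1A:2B": "ExampleNet Corp",
    "3C:5A:B4": "ExampleNet Corp",
    "F0:9F:C2": "OtherVendor Inc",
}

# Constructed inventory of organizationally owned hardware, keyed by MAC.
INVENTORY = {
    "00:1A:2B:10:20:30": "ap-floor1",
    "00:1A:2B:10:20:31": "ap-floor2",
    "3C:5A:B4:AA:BB:CC": "laptop-0042",
}

APPROVED_VENDORS = {"ExampleNet Corp"}   # vendors the organization actually deploys
APPROVED_SSIDS = {"CorpWiFi", "CorpGuest"}


@dataclass
class Observation:
    mac: str                 # transmitter address seen in the captured frame
    ssid: Optional[str]      # SSID when the frame advertises a network, else None
    is_beacon: bool          # True when the device is acting as an access point


@dataclass
class Finding:
    mac: str
    reasons: List[str] = field(default_factory=list)


def oui(mac: str) -> str:
    """Return the vendor ID portion (first three octets) of a MAC, normalized."""
    return mac.upper()[:8]


def triage(observations: List[Observation]) -> Dict[str, Finding]:
    """Apply the three passive-scan checks and return one Finding per suspect MAC."""
    findings: Dict[str, Finding] = {}
    for obs in observations:
        mac = obs.mac.upper()
        reasons = []
        # Check 1: does the vendor ID match hardware the organization deploys?
        vendor = OUI_VENDORS.get(oui(mac))
        if vendor is None:
            reasons.append("unknown OUI")
        elif vendor not in APPROVED_VENDORS:
            reasons.append(f"vendor {vendor} not deployed")
        # Check 2: is the full hardware address in the asset inventory?
        if mac not in INVENTORY:
            reasons.append("not in hardware inventory")
        # Check 3: is an access point advertising an SSID that is not approved?
        if obs.is_beacon and obs.ssid not in APPROVED_SSIDS:
            reasons.append(f"rogue SSID {obs.ssid!r}")
        if reasons:
            finding = findings.setdefault(mac, Finding(mac))
            for reason in reasons:               # de-duplicate repeated sightings
                if reason not in finding.reasons:
                    finding.reasons.append(reason)
    return findings


# Constructed capture: two known devices, two unknown APs, one stray client.
SAMPLE_OBSERVATIONS = [
    Observation("00:1A:2B:10:20:30", "CorpWiFi", True),    # inventoried AP
    Observation("3C:5A:B4:AA:BB:CC", None, False),         # inventoried laptop
    Observation("F0:9F:C2:01:02:03", "Free_WiFi", True),   # foreign vendor, odd SSID
    Observation("de:ad:be:ef:00:01", "CorpWiFi", True),    # unknown OUI using our SSID
    Observation("00:1A:2B:99:99:99", None, False),         # right vendor, not inventoried
]

if __name__ == "__main__":
    for mac, finding in sorted(triage(SAMPLE_OBSERVATIONS).items()):
        print(mac, "->", "; ".join(finding.reasons))
```

The fourth observation is the case the answer's inventory check exists for: a device with an unknown OUI advertising an approved SSID passes the SSID check but is still flagged because neither its vendor ID nor its hardware address matches organizational records. The last observation shows why an OUI match alone is not enough; a plausible vendor prefix with no inventory entry is still reported.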