Chapter 6: Security Assessment and Testing (Domain 6) 375
- B. Security vulnerabilities can be created by misconfiguration, logical or functional design or implementation issues, or poor programming practices. Fuzzing is a method of software testing and is not a type of issue. Buffer overflows and race conditions are both caused by logical or programming flaws, but they are not typically caused by misconfiguration or functional issues.
- C. Simply changing the version string that an application reports may stop the vulnerability scanner from flagging it, but it won't fix the underlying issue. Patching, using workarounds, or installing an application layer firewall or IPS can all help to remediate or limit the impact of the vulnerability.
- C. Saria's social-engineering attack succeeded in persuading a staff member at the help desk to change a password for someone whom they not only couldn't see, but whose need for a password reset they couldn't verify. Black box and zero knowledge are both terms describing penetration tests conducted without information about the organization or system, and help desk spoofing is not an industry term.
- D. The menu shown will archive logs when they reach the maximum size allowed (20 MB). These archives will be retained, which could fill the disk. Log data will not be overwritten, and log data should not be lost when the data is archived. The question does not include enough information to determine whether needed information may not be logged.
- C. Penetration tests are intended to help identify vulnerabilities, and exploiting them is part of the process rather than a hazard. Application crashes; denial of service due to system, network, or application failures; and even data corruption can all be hazards of penetration tests.
- B. NIST SP 800-53A is titled "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans," and covers methods for assessing and measuring controls. NIST SP 800-12 is an introduction to computer security, SP 800-34 covers contingency planning, and SP 800-86 is the "Guide to Integrating Forensic Techniques into Incident Response."
- The scan types match with the descriptions as follows:
- TCP Connect: B. Completes a full three-way handshake.
- TCP ACK: C. Sends a packet disguised as part of an active connection.
- TCP SYN: A. Sends a request to open a new connection (SYN) but never completes the handshake.
- Xmas: D. Sends a packet with the FIN, PSH, and URG flags set.
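The following is an added example, not code from the study guide, showing what the four scan types in the matching question actually put on the wire and how a scanner reads the reply. It builds a minimal 20-byte TCP header with the flag bits each scan uses and classifies the target's response the way Nmap conventionally does (SYN/ACK means open for SYN and connect scans, RST means closed; an ACK scan can only distinguish filtered from unfiltered; an Xmas probe with no reply is open|filtered because RFC 793 stacks stay silent on open ports). The checksum is left at zero, since it covers an IP pseudo-header that this example does not construct; the function and variable names are this example's own.

```python
import struct

# TCP control bits (RFC 793), the low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST),
              ("PSH", PSH), ("ACK", ACK), ("URG", URG))

# Flags set in the probe for each scan type in the matching question.
SCAN_FLAGS = {
    "connect": SYN,            # SYN, then the OS stack finishes the handshake with ACK
    "syn": SYN,                # half-open: SYN, read reply, then RST instead of ACK
    "ack": ACK,                # looks like a segment from an already-open connection
    "xmas": FIN | PSH | URG,   # "lit up like a Christmas tree"
}


def flags_to_str(flags):
    """Render a flag bitmask as e.g. 'FIN|PSH|URG'."""
    return "|".join(name for name, bit in FLAG_NAMES if flags & bit) or "none"


def build_tcp_header(src_port, dst_port, flags, seq=0, ack_num=0, window=1024):
    """Pack a 20-byte TCP header with no options. Checksum is 0 here: it covers
    an IP pseudo-header, which a raw-socket sender fills in once addresses are known."""
    data_offset = 5 << 4          # header length in 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack_num,
                       data_offset, flags & 0x3F, window, 0, 0)


def tcp_flags(header):
    """Extract the control bits from a raw TCP header (byte 13)."""
    return header[13] & 0x3F


def probe_for(scan, src_port, dst_port):
    """Build the probe segment a scanner of the given type would send."""
    return build_tcp_header(src_port, dst_port, SCAN_FLAGS[scan])


def interpret(scan, reply_flags):
    """Classify the port from the reply's flags; reply_flags=None means no reply
    before the timeout (typically a dropping firewall)."""
    if scan in ("connect", "syn"):
        if reply_flags is None:
            return "filtered"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        if reply_flags & RST:
            return "closed"
        return "unknown"
    if scan == "ack":
        # An ACK scan cannot tell open from closed; it only maps firewall rules.
        if reply_flags is None:
            return "filtered"
        return "unfiltered" if reply_flags & RST else "unknown"
    if scan == "xmas":
        if reply_flags is None:
            return "open|filtered"   # RFC 793-compliant stacks ignore it on open ports
        return "closed" if reply_flags & RST else "unknown"
    raise ValueError("unknown scan type: %s" % scan)


if __name__ == "__main__":
    # Constructed replies for a walk-through; no packets are sent.
    sample_replies = {"connect": SYN | ACK, "syn": RST, "ack": RST, "xmas": None}
    for scan, flags in SCAN_FLAGS.items():
        probe = probe_for(scan, 40000, 80)
        reply = sample_replies[scan]
        print("%-8s probe=%-12s reply=%-8s -> %s" % (
            scan, flags_to_str(tcp_flags(probe)),
            "none" if reply is None else flags_to_str(reply),
            interpret(scan, reply)))
```

Note that a SYN scan and a connect scan send the identical first segment; the difference the question is testing is what happens after the SYN/ACK comes back, which is why a SYN scan is less likely to be logged by the application but still visible to a firewall or IDS watching for half-open connections.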
- B. Port 80 is used by the HTTP protocol for unencrypted web communications. If Kara wishes to protect against eavesdropping, she should block this port and restrict web access to encrypted HTTPS connections on port 443.
- A. Port 22 is used by the Secure Shell (SSH) protocol for administrative connections. If Kara wishes to restrict administrative connections, she should block access on this port.