Chapter 6: Security Assessment and Testing (Domain 6) 379
- D. Since a shared symmetric key could be used by any of the servers, transaction identification problems caused by a shared key are likely to involve a repudiation issue. If encrypted transactions cannot be uniquely identified by server, they cannot be proved to have come from a specific server.
- C. Filtering is useful for preventing denial of service attacks but won’t prevent tampering with data. Hashes and digital signatures can both be used to verify the integrity of data, and authorization controls can help ensure that only those with the proper rights can modify the data.
- D. The Network Time Protocol (NTP) allows the synchronization of system clocks with a standardized time source. The Secure Shell (SSH) protocol provides encrypted administrative connections to servers. The File Transfer Protocol (FTP) is used for data exchange. Transport Layer Security (TLS) is an encryption process used to protect information in transit over a network.
- B. Fuzz testers are capable of automatically generating input sequences to test an application. Therefore, testers do not need to manually generate input, although they may do so if they wish. Fuzzers can reproduce errors (and thus, “fuzzers can’t reproduce errors” is not an issue) but typically don’t fully cover the code—code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often limited to simple errors because they won’t handle business logic or attacks that require knowledge from the application user.
- D. Statement coverage tests verify that every line of code was executed during the test. Branch coverage verifies that every if statement was executed under all if and else conditions. Condition coverage verifies that every logical test in the code was executed under all sets of inputs. Function coverage verifies that every function in the code was called and returns results.
- C. After scanning for open ports using a port scanning tool like nmap, penetration testers will identify interesting ports and then conduct vulnerability scans to determine what services may be vulnerable. This will perform many of the same activities that connecting via a web server will and will typically be more useful than trying to manually test for vulnerable accounts via Telnet. sqlmap would typically be used after a vulnerability scanner identifies additional information about services, and the vulnerability scanner will normally provide a wider range of useful information.
- B. The system is likely a Linux system. The system shows X11, as well as login, shell, and nfs ports, all of which are more commonly found on Linux systems than Windows systems or network devices. This system is also very poorly secured; many of the services running on it should not be exposed in a modern secure network.
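The fuzzing and coverage answers above describe two tools that are normally paired: a fuzzer generates inputs, and a coverage tool reports how much of the code those inputs reached. The following Python is an added illustration of that pairing; it is not from the book or its answer key. Everything in it is constructed for the example: `parse_record` and its three error checks are a made-up function under test, the trace hook measures statement coverage (every line executed) and branch coverage (every `if` seen taking both its true and false successor), and `fuzz` is a minimal coverage-guided mutation loop whose mutation set and seed are assumptions.

```python
import dis
import inspect
import random
import sys

def parse_record(data: bytes) -> int:
    """Constructed function under test: a tiny length-prefixed record parser."""
    if len(data) < 2:
        raise ValueError("too short")
    length = data[0]
    flags = data[1]
    if length > len(data) - 2:
        raise ValueError("length exceeds buffer")
    payload = data[2:2 + length]
    if flags & 0x01 and length == 0:
        raise ValueError("compressed flag set on empty payload")
    if flags & 0x02:
        return sum(payload) % 256
    return len(payload)

def run_with_coverage(func, *args):
    """Run func under a trace hook; return (outcome, executed_lines, edges).
    An `if` line that has two distinct successor lines in edges was taken both ways."""
    code = func.__code__
    executed, edges, prev = set(), set(), [None]

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # trace only the function under test
        if event == "line":
            if prev[0] is not None:
                edges.add((prev[0], frame.f_lineno))
            executed.add(frame.f_lineno)
            prev[0] = frame.f_lineno
        return tracer

    old = sys.gettrace()
    sys.settrace(tracer)
    try:
        outcome = ("ok", func(*args))
    except ValueError as exc:
        outcome = ("error", str(exc))
    finally:
        sys.settrace(old)
    return outcome, executed, edges

def coverage_report(func, inputs):
    """Statement and branch coverage (0.0 to 1.0) plus error messages over a corpus."""
    code = func.__code__
    # statement lines come from the bytecode line table (the def line itself is excluded)
    stmts = {ln for _, ln in dis.findlinestarts(code) if ln not in (None, code.co_firstlineno)}
    src, start = inspect.getsourcelines(func)
    branches = {start + i for i, t in enumerate(src) if t.strip().startswith("if ")}
    executed, edges, errors = set(), set(), set()
    for data in inputs:
        outcome, ex, ed = run_with_coverage(func, data)
        executed |= ex
        edges |= ed
        if outcome[0] == "error":
            errors.add(outcome[1])
    taken = sum(min(len({b for a, b in edges if a == ln}), 2) for ln in branches)
    return {"statement": len(executed & stmts) / len(stmts),
            "branch": taken / (2 * len(branches)), "errors": sorted(errors)}

INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)  # constructed boundary values

def mutate(data, rng):
    """One random mutation: bit flip, boundary byte, truncation, or appended bytes."""
    buf, choice = bytearray(data), rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.extend(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)

def fuzz(func, seeds, iterations=2000, seed=1):
    """Coverage-guided loop: keep an input only if it reaches a new line, edge or error."""
    rng, corpus = random.Random(seed), list(seeds)
    seen = {"lines": set(), "edges": set(), "errors": set()}

    def is_new(data):
        outcome, ex, ed = run_with_coverage(func, data)
        err = {outcome[1]} if outcome[0] == "error" else set()
        new = not (ex <= seen["lines"] and ed <= seen["edges"] and err <= seen["errors"])
        for key, val in (("lines", ex), ("edges", ed), ("errors", err)):
            seen[key] |= val
        return new

    for data in corpus:
        is_new(data)  # record what the seeds already reach
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        if rng.randrange(2):  # sometimes stack a second mutation
            candidate = mutate(candidate, rng)
        if is_new(candidate):
            corpus.append(candidate)
    return corpus, coverage_report(func, corpus)

# Constructed inputs that reach every statement and both sides of every `if`.
FULL_CORPUS = [b"", b"\x05\x00ab", b"\x00\x01", b"\x02\x02ab", b"\x01\x00a"]
```

Running `coverage_report(parse_record, FULL_CORPUS)` gives 100 percent statement and branch coverage with all three error messages, which is the standard a coverage tool lets you check against. Running `fuzz(parse_record, [b"\x03\x00abc"])` shows the other half of the answer: the two shallow checks (too short, length exceeds buffer) are reached within a few mutations because each needs only one byte change, whereas the compound `flags & 0x01 and length == 0` check needs two coordinated changes in one candidate and neither change alone adds coverage, so coverage guidance does not steer the fuzzer toward it. That is the "limited to simple errors" behaviour described above. Note also that the branch metric here is a line-level approximation; condition coverage in the sense of the next answer (each operand of the `and` evaluated both ways) would need finer instrumentation than a line trace.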
- D. Nmap only scans 1000 TCP and UDP ports by default, including ports outside the 0–1024 range of “well-known” ports. By using the defaults for nmap, Ben missed 64,535 ports. OS fingerprinting won’t cover more ports but would have provided a best guess of the OS running on the scanned system.