374 Appendix ■ Answers
40. C. Passive monitoring only works after issues have occurred because it requires actual traffic. Synthetic monitoring uses simulated or recorded traffic and thus can be used to proactively identify problems. Both synthetic and passive monitoring can be used to detect functionality issues.
41. B. Getting authorization is the most critical element in the planning phase. Permission, and the “get out of jail free card” that demonstrates that organizational leadership is aware of the issues that a penetration test could cause, is the first step in any penetration test. Gathering tools and building a lab, as well as determining what type of test will be conducted, are all important, but nothing should happen without permission.
42. C. Discovery can include both active and passive discovery. Port scanning is commonly done during discovery to assess what services the target provides, and nmap is one of the most popular tools used for this purpose. Nessus and Nikto might be used during the vulnerability scanning phase, and john, a password cracker, can be used to recover passwords during the exploitation phase.
43. B. Penetration test reports often include information that could result in additional exposure if they were accidentally released or stolen. Therefore, determining how vulnerability data should be stored and sent is critical. Problems with off-limits targets are more likely to result in issues during the vulnerability assessment and exploitation phase, and reports should not be limited in length but should be as long as they need to be to accomplish the goals of the test.
44. B. Code coverage testing most frequently requires that every function has been called, that each statement has been executed, that all branches have been fully explored, and that each condition has been evaluated for all possibilities. API, input, and loop testing are not common types of code coverage testing measures.
45. B. Time to remediate a vulnerability is a commonly used key performance indicator for security teams. Time to live measures how long a packet can exist in hops, business criticality is a measure used to determine how important a service or system is to an organization, and coverage rates are used to measure how effective code testing is.
46. D. Unique user IDs provide accountability when paired with auditable logs to prove that a specific user took any given action. Confidentiality, availability, and integrity can be provided through other means like encryption, systems design, and digital signatures.
47. B. Application programming interfaces (APIs), user interfaces (UIs), and physical interfaces are all important to test when performing software testing. Network interfaces are not a part of the typical list of interfaces tested in software testing.
48. C. The Common Vulnerabilities and Exposures (CVE) database provides a consistent reference for identifying security vulnerabilities. The Open Vulnerability and Assessment Language (OVAL) is used to describe the security condition of a system. The Extensible Configuration Checklist Description Format (XCCDF) is used to create security checklists in a standardized fashion. The Script Check Engine (SCE) is designed to make scripts interoperable with security policy definitions.