Domain 2 Exam.
A minimum of 70% is required to pass.
#1. When penetration testers are doing black box testing, how much do they know about the target?
〇:The attacker knows nothing about the organization other than the information that is publicly available.
In black box testing (zero-knowledge), the attacker has no knowledge about the organization other than the publicly available information. The focus is on what an external attacker could do. Therefore, the correct answer is “knows nothing about the organization other than the information that is publicly available.”
×:The tester knows everything.
White box testing verifies the operation of a program with full knowledge of what is in the program.
×:The tester has the product manual and retains privileged access.
In a gray box test, the pen tester performs the test with only limited knowledge of the program.
This option describes a white box test or a gray box test.
×:The vendor retains an accessible level of information.
In a black box test, the attacker has no information in principle.
#2. What is the last step in the process after a penetration test has been properly conducted?
〇:Report generation.
Penetration testing is an attempt to penetrate a system connected to a network. A successful penetration allows any kind of manipulation and can bring the service itself to a halt, so the focus of the test is on the penetration. The sequence is: planning, preliminary investigation, search for vulnerabilities, evaluation, attack, and reporting. Therefore, the correct answer is “report generation.”
#3. What is the difference between interface testing and misuse case testing?
〇:Interface testing is intended to verify correct operation under normal conditions. Misuse case testing is intended to verify whether problems occur under error conditions.
All applications must undergo interface testing to ensure proper function and use. They should undergo misuse case testing to determine if their intentional misuse could cause errors that would harm the confidentiality, integrity, and availability of the data to which the application provides access.
×:Interface testing is intended to verify whether problems occur under error conditions. Misuse case testing is intended to verify correct operation under normal conditions.
Although incorrect behavior may be discovered while confirming correct behavior, this option has the purposes of the two tests reversed.
×:Interface testing is intended to check for proper usability. Misuse case testing monitors when errors occur.
Interfaces are not limited to the user interface; interface testing also covers APIs used for server-to-server communication.
×:Interface testing and misuse case testing are essentially the same.
The purpose of each test, and the environment created to achieve that purpose, are fundamentally different.
#4. When submitting a security report to management, which of the following elements is most important?
〇:A Comprehensive Executive Summary
No matter how technically comprehensive a report to management may be, it is not always desirable to be too detailed. IT security professionals must understand that the risk to the enterprise from a data breach is only one of many concerns that senior management must understand and prioritize. C-level executives must attend to many risks and may have difficulty properly categorizing unfamiliar, highly technical threats. In short, the IT security professional’s primary job is to summarize the risks as concisely as possible in a form that suits management.
×:List of Threats, Vulnerabilities, and Likelihood of Occurrence
This is incorrect because it is not the most important element to report to management. Such a list is essential to a comprehensive security report, but providing it to senior management is unlikely to result in effective action without a skillful executive summary.
×:A comprehensive list of the probability and impact of expected adverse events
This is incorrect because it is not the most important element of the report to management. Such lists are important in technical reports, but summaries are critical to achieving risk mitigation goals.
×:A comprehensive list of threats, vulnerabilities, and likelihood of occurrence, a comprehensive list of the probability and impact of expected adverse events, and a written summary thereof to meet technical comprehensiveness
This is incorrect because it describes the most common and significant obstacle to reporting to management.
#5. What is code review?
〇:A review by another coder after the coder has completed coding.
A static code review is a review performed by another engineer to catch points that were not apparent to the author. Thus, the correct answer is “A review by another coder after the coder has completed coding.”
×:To allow coders to see each other’s coding and work in parallel.
Extreme programming (XP) is an agile method in which two programmers develop code together while discussing it (pair programming). It is not code review.
×:Ensuring that proper transaction processing is applied before check-in.
This describes database transaction commits, not code review.
×:Ensuring that the appropriate questions and answers exist.
Confirming that appropriate questions and answers exist may be part of what is done during a code review, but it is not a description of the code review itself.
#6. It has become clear that unit testing will not be completed on schedule. What should be done in terms of project management?
〇:Review the schedule.
Unit testing is testing to confirm that a developed module works as a stand-alone unit. Acceptance testing is testing in which the customer who ordered the development actually uses the product and confirms that it meets their needs. Acceptance testing cannot take the place of unit testing: the two are not interchangeable, and their perspectives are different. Therefore, the correct answer is “Review the schedule.”
×:Skip unit testing for the sake of work efficiency.
Schedule pressure does not mean that unit tests can simply be skipped.
×:Increase the number of items in the acceptance test for the unit test that could not be done.
The items that should have been covered in unit testing are merely relabeled as acceptance test items, and the unit test is still not considered complete. This is an action close to concealment.
×:Report to your supervisor.
You are the one responsible for project management.
#7. Which of the following must be done before a penetration test is performed?
〇:Approval of the attack to the target organization
Permission must be obtained from the target organization for the attack during the planning phase. Even though it is a test, the actions taken are similar to a real attack. The target system cannot be updated while the test is being carried out, so approval must be obtained. The testers also need to understand the system to be penetrated in great detail, so care must be taken that this information is not leaked to the outside world. In addition, a successful intrusion will show that the system can be compromised, so arrangements must be made to inform the organization of the situation without waiting for the final report. Therefore, the correct answer is “Approval of the attack to the target organization.”
×:Share the target organization’s design documents.
This is done only as necessary. Although there are various design documents, detailed documents such as detailed design and program design documents are generally not provided; only the usage of the service and the basic server configuration are generally shared.
×:Confirmation of OS version
As a rule, this is not done. Penetration testing generally starts from the attacker’s own reconnaissance of the target. In particular, there are few cases in which the OS version is disclosed to the penetration tester.
×:Deployment of the attack tools to be used
The organization that owns the target system sometimes specifies the attack tools to be used, but this restricts the attack methods and does not constitute a realistic test.
#8. What is a synthetic transaction?
#9. We have confirmed by desk checking that the program we developed is fine. However, we have been asked to actually run it. What kind of testing should be done?
〇:Dynamic Testing
Dynamic testing is testing performed by actually running the developed program. Compared to static testing, it is a practical test in which the program is executed and its behavior checked. Therefore, the correct answer is “dynamic testing.”
×:Static Testing
Static testing is testing that is performed without running the developed program.
×:White box testing
White box testing confirms the operation of a program with knowledge of the program’s contents.
×:Black box testing
Black box testing confirms that the program does not behave unexpectedly, without knowledge of the program’s contents.
#10. What will be performed in regression testing as part of software testing?
〇:Check for errors caused by changes in the main code.
Regression testing finds defects after code changes have occurred. It looks for reduced or lost functionality, including the reappearance of old bugs. Therefore, the correct answer is “Check for errors caused by changes in the main code.”
×:Install the developed software on the customer’s hardware.
This is not a test, but part of the release.
×:Checking the detection and processing when faced with a failure.
This is troubleshooting, which is handled by handing over the operational plan and procedures to the operations team.
×:Checking the interfaces of software components.
This is interface testing, which is performed as part of the internal and external integration test items.
#11. Which of the following are important aspects of testing for B-to-C applications?
〇:The major, widely used browsers should be screened to make sure the application works on the target browsers.
If the service is for BtoC, a broader range of target users should be supported.
×:It should be checked if it works on a particular browser.
User cases that do not work on certain browsers may occur after release.
×:Confirm that it works on the most secure browser.
If a browser is secure, the application is expected to work under its restrictions.
In reality, however, browser specifications vary from browser to browser and from device to device.
×:Make sure it works on OS-standard browsers.
Browsers are not just OS standard. In reality, end users also download and use their favorite browsers from app stores.
#12. Which of the following is true regarding security audits, vulnerability assessments, and penetration testing?
〇:Vulnerability assessments can help prioritize weaknesses that need to be addressed.
The most important aspect of an internal or third-party vulnerability assessment is that it can enumerate all potential vulnerabilities a company has and prioritize corrective actions.
×:Third-party security audits are only required if regulations require it.
Even if some organizations do not require an independent review, it can often help find minor weaknesses that might have been overlooked.
×:Vulnerability assessments and penetration tests are essentially the same.
This is wrong because a vulnerability assessment enumerates all weaknesses and ensures that countermeasures are properly prioritized, whereas penetration testing examines the likelihood that a real-world attacker could exploit a given weakness to achieve a goal.
×:Internal assessments are of little value.
Internal audits of enterprise security are usually not sufficient on their own, but they are very beneficial when conducted in conjunction with third-party reviews, and they can often find minor weaknesses that might otherwise be overlooked.
#13. You have developed an application using open source. How should you test it?
〇:Test with reference to OSSTMM.
OSSTMM (Open Source Security Testing Methodology Manual) is an open source penetration testing standard. Open source software is basically free and has many impressive features. Because it is free and anyone can use it, some consider it less trustworthy. However, there is nothing wrong with using it as long as the risks are properly understood. That is why a testing standard for open source has been created to ensure trust. Therefore, the correct answer is “Test with reference to OSSTMM.”
×:Since open source is fully tested at the point of development, the testing process can be omitted.
Even if it is open source, you need to test it according to your own organization.
×:Secure contact information for the developer and conduct testing with both developers.
Even if you contact the open source developer, such a request will probably not be accepted.
Most open source developers work in good faith and may push back against further demands from an organization.
×:Ask other organizations to share completed tests.
The process of getting test results that may be confidential from other organizations is unreasonable.
#14. When penetration testers are doing white box testing, how much do they know about the target?
#15. We have tested our software and found over 10,000 defects. What should the next step be?
〇:Calculate the potential impact for fatal errors.
Software testing is a must, but when testing reveals numerous defects, the result must be handled with care. Systems do not forget the way humans do, but it is still unrealistic to ask someone who scored 30 on this week’s test to score 100 on next week’s test.
Before any corrections are made, the data from the completed test, including log reviews, must be analyzed. Priority must be given to determining what to fix first and what is acceptable and unacceptable. Think in terms of qualitative risk analysis: a defect that is unlikely and has little impact can be left alone so that effort is focused on high-priority items. Thus, the correct answer is “Calculate the potential impact for fatal errors.”
×:Fix them all.
With this many defects, correcting all of them would take a great deal of time.
×:Leave them alone because of the huge number.
In principle, it is unacceptable to leave defects unattended.
×:Calculate the potential impact for all errors.
Analyzing every error would also be very labor-intensive.