Which of the following is an example of reconciliation testing?
A. Reviewing and re-approving employee access to sensitive systems, confirming that users still require the access based on their current job responsibilities
B. Verifying that access rights of all active user accounts in the company’s HR system match the records in the identity management database
C. Verifying that access to privileged accounts is reviewed annually to ensure that only authorized personnel retain such access
D. Checking regularly that user accounts with access to customer data still need this access, ensuring that unneeded privileges are removed
Which of the following is an example of testing a firewall?
A. Ensuring that when queried, the system returns data masked or replaced with random characters, verifying that sensitive data is protected from unauthorized users
B. Using a tool to scan the network and identify open ports, ensuring that only the necessary ports are open and that all other ports are properly blocked
C. Verifying that the access of the system to the right roles is restricted, services are open only when needed, and application updates are properly monitored
D. Using “brute force” or “dictionary” attacks to attempt to get plain data from obfuscated data, and performing reverse-engineering of byte code
Which of the following correctly describes the relationship between information sensitivity and security testing?
A. A popular e-commerce website requires rigorous stress testing, whereas a small personal blog may only need basic testing of login security mechanisms.
B. A financial application storing customer data requires encryption validation, whereas a public news app may require basic security measures.
C. A public forum website requires high-level integrity testing whereas an online banking platform primarily needs availability testing to ensure users can log in anytime.
D. A hospital’s health record system requires minimal security testing since doctors primarily need availability, while a messaging app needs extensive testing to protect conversations.
A tester used rainbow tables to perform a brute-force attack to discover user passwords. What kind of testing is it?
A. Testing the authentication mechanism
B. Testing the accounting mechanism
C. Testing the authorization mechanism
D. Testing the system hardening mechanism
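The attack in this question targets the credential store behind the login, which is why it counts as a test of the authentication mechanism. The following added example (not part of the original exam page) shows the principle: a precomputed digest-to-password table, standing in for a rainbow table, recovers every unsalted MD5 password it covers without ever touching the live login, and the same table finds nothing against per-user salted PBKDF2 digests. The usernames, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: weak passwords of the kind any precomputed table covers.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def md5_hex(data: bytes) -> str:
    """Unsalted MD5 digest as hex: the legacy scheme the attack succeeds against."""
    return hashlib.md5(data).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> plaintext once. A real rainbow table trades table size
    for chain walks, but the effect on unsalted hashes is the same."""
    return {md5_hex(p.encode()): p for p in candidates}


def crack_unsalted(stored_hashes, table):
    """Offline attack on a leaked store (username -> unsalted MD5 hex digest):
    every digest present in the table yields its password immediately."""
    return {user: table[digest] for user, digest in stored_hashes.items() if digest in table}


def hash_salted(password: str, salt: bytes) -> str:
    """Hardened scheme: PBKDF2-HMAC-SHA256 with a per-user random salt and a work
    factor, so the same password yields a different digest for every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def register_salted(password: str):
    """Return (salt, digest) as the credential store would keep it."""
    salt = os.urandom(16)
    return salt, hash_salted(password, salt)


def crack_salted(stored_salted, table):
    """Same table, same attack, against salted records (username -> (salt, digest)):
    nothing matches, because the table was built without each user's salt."""
    return {user: table[digest] for user, (_salt, digest) in stored_salted.items() if digest in table}


def verify_login(password: str, salt: bytes, digest: str) -> bool:
    """Legitimate authentication still works: recompute with the stored salt and
    compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt), digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    legacy = {"alice": md5_hex(b"password"), "bob": md5_hex(b"letmein"), "carol": md5_hex(b"Tr0ub4dor&3")}
    print("unsalted MD5 cracked:", crack_unsalted(legacy, table))
    salted = {u: register_salted(p) for u, p in [("alice", "password"), ("bob", "letmein")]}
    print("salted PBKDF2 cracked:", crack_salted(salted, table))
```

The finding a tester would report is not "carol's password is strong" but "the store is unsalted": every user who picked a common password is exposed the moment the hash table leaks, and the fix belongs in the authentication mechanism, not in user password policy alone.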
A company implements a policy where employees are only granted access to the specific systems and data necessary for their role, ensuring no user has more access than needed. The company also requires employees to use their password, and a time-based one-time passcode sent to their mobile device or an authenticator app, to access their internal systems. To safeguard against potential cyber threats, each employee’s laptop, mobile device, and tablet are equipped with security software that continuously monitors signs of suspicious activity, such as malware or unauthorized access attempts.
Which of the following Zero Trust concepts is MISSING from this scenario?
A. Security monitoring of device endpoints
B. Micro-segmentation
C. Multi-factor authentication
D. “Least privilege access” principle
ElectricCars is a multinational automotive manufacturer specializing in designing and producing electric vehicles. The company must comply with three standards regarding the manufacturing process: ISO/SAE 21434 for automotive cybersecurity engineering, GDPR (General Data Protection Regulation), and UN Regulation No. 155 (Uniform provisions concerning the approval of vehicles regarding cyber security and cyber security management system).
Compliance with these regulations requires:
- secure data storage and communication within vehicles and between vehicles and backend systems
- emergency procedures to handle cybersecurity breaches affecting production, vehicles in operation, or customer data
- transparent reporting mechanisms to regulators and customers in case of incidents
Which of the following is a security test that is a consequence of the compliance requirement?
A. Simulate a data breach and test the notification process to members of the development team, ensuring clear communication and legal compliance
B. Conduct performance testing on production systems to test response protocols, including isolating infected systems, notifying stakeholders, and restoring operations
C. Trying to gain unauthorized access to offices or secure areas of automotive dealerships, where sensitive customer or vehicle data might be stored
D. Regularly test the integrity and reliability of backup systems for critical data, including production logs, customer information, and vehicle firmware versions
Which of the following is an advantage of using open-source software (OSS) in the context of security testing?
A. Data protection is typically stronger in OSS than in closed source software.
B. Typically, there are fewer attack vectors for OSS than for closed software.
C. Mitigating vulnerabilities is easier due to the availability of source code.
D. Fewer people are involved in identifying vulnerabilities and fixing defects.
Which TWO of the following security tests of a mobile banking application are examples of static security testing? (Choose two.)
A. Review of the source code of the application to identify vulnerabilities such as hardcoded passwords or insecure cryptographic functions.
B. Runtime vulnerability scanning while the application is running on a test server, looking for vulnerabilities such as data leakage during user transactions.
C. Penetration testing by simulating real-world attacks on the bank’s live web application, attempting to exploit session hijacking.
D. Scanning, with a tool, the application’s source code for security flaws like buffer overflows or improper authentication mechanisms.
E. Using a tool to interact with the application in a running state to scan for vulnerabilities such as cross-site scripting by sending inputs and analyzing responses.
You test a system that sends documents with sensitive data between users. One of the risks is that if an attacker gains access to such a document, they can read its content. What kind of testing verifies a mechanism that protects documents from being read by unauthorized persons?
A. Conformance testing of digital signatures
B. Conformance testing of public key encryption
C. Code reviews aiming to detect SQL injection
D. Brute force testing using rainbow tables
Which of the following is a characteristic of an effective security test environment?
A. The test environment should not contain test management and test automation tools
B. All tools needed to execute and report security tests should be part of a test environment
C. The test environment should not be isolated from the production environment
D. Production data should be used for the test environment to reflect the target environment
As a security tester, you defined the following test prioritization:
In which activity of the security test process was this action performed?
A. Security test analysis
B. Security test implementation
C. Security test planning
D. Security test design
Which of the following correctly describes the role of security testing in the context of security audits?
A. Reviewing the adherence to GDPR policies by examining documented procedures for handling user consent and verifying logs for compliance with data access restrictions.
B. Validating that encryption protocols in an online payment gateway are properly implemented and effective in securing customer credit card information during transactions.
C. Evaluating the cloud service provider’s recovery plan by reviewing documented backup policies and procedures and verifying records of regular backup tests.
D. Checking the effectiveness of installed firewall rules in a corporate network by reviewing logs to ensure that unauthorized access attempts were blocked according to the security policy.
Which of the following is an example of a security test at a component test level?
A. Access control testing, which verifies that users can only access data and functionalities appropriate to their roles and permissions.
B. Verifying that a component correctly interacts with the database to handle potentially malicious input safely.
C. Verifying that a method correctly handles potentially malicious input by using parameterized queries to prevent SQL injection.
D. A penetration test that simulates real-world attacks to identify vulnerabilities in the system’s defenses.
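A component-level security test exercises one method in isolation against malicious input. The following added example (not part of the original exam page) shows what that looks like for the SQL injection case in the options above: a deliberately vulnerable lookup that concatenates its argument into the SQL text, the parameterized version beside it, and a small test harness that feeds both a tautology payload and a legitimate value containing an apostrophe. The table, rows and function names are constructed for illustration; the in-memory SQLite database stands in for the component's real data store.

```python
import sqlite3


def make_test_db() -> sqlite3.Connection:
    """Constructed in-memory fixture standing in for the component's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    """Deliberately vulnerable: the caller's string is pasted into the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str):
    """Hardened: the value is bound by the driver and is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test inputs: a tautology payload, and a legitimate value that
# contains the quote character the payload relies on.
INJECTION = "nobody' OR '1'='1"
APOSTROPHE_NAME = "O'Brien"


def component_test(lookup) -> dict:
    """Component-level security test of one lookup method. Returns the two
    checks a unit test would assert on: the injection payload must match no
    rows, and a valid name containing a quote must return exactly its own row
    without raising a database error."""
    conn = make_test_db()
    results = {"injection_resisted": lookup(conn, INJECTION) == []}
    try:
        rows = lookup(conn, APOSTROPHE_NAME)
        results["apostrophe_handled"] = rows == [(APOSTROPHE_NAME, "user")]
    except sqlite3.Error:
        # The vulnerable version fails here: the unescaped quote breaks the SQL.
        results["apostrophe_handled"] = False
    return results


if __name__ == "__main__":
    print("vulnerable:   ", component_test(find_user_vulnerable))
    print("parameterized:", component_test(find_user_parameterized))
```

The second check matters as much as the first: a method that "blocks" injection by rejecting every apostrophe would pass the payload check and still fail the component test, because it mishandles legitimate data. Parameterized queries pass both, which is why the option describing them is the component-level example.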
You have been asked to perform end-to-end testing for online payment processing and to focus on security tests to validate the secure transmission of payment details (e.g., enforcing HTTPS), proper encryption of sensitive data (e.g., credit card numbers) and adherence to compliance standards like PCI DSS.
Which of the following end-to-end security tests validates one of the above-mentioned requirements?
A. Verifying that the system complies with the CWE, CVE, and CAPEC standards
B. Verifying the security of Wi-Fi networks by identifying vulnerabilities such as weak encryption
C. Verifying that all payment data is transmitted over HTTPS using strong encryption protocols
D. Verifying that the system correctly obfuscates sensitive data such as credit card numbers
Your company is launching a new web-based e-commerce platform where customers can create accounts, browse products, and make purchases. As the platform will be integrated with payment gateways and handle sensitive customer information (like personal data and credit card details), your security team is concerned about potential vulnerabilities that attackers could exploit. To ensure robust security, you want to perform security tests to assess and mitigate the most common and critical web application security risks.
Which of the following will be MOST BENEFICIAL to your team for achieving this goal?
A. ISO 27000
B. OWASP
C. CWE
D. CVE
What is the name of a group of implementable, replicable, and transferable tasks that optimize the efficiency or effectiveness of the business discipline or process to which it contributes?