CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 121:

  A quality assurance analyst is reviewing a new software product for security, and has complete access to the code and data structures used by the developers. This is an example of which of the following types of testing?

  A. Black box

  B. Penetration

  C. Gray box

  D. White box

  Correct Answer: D

  White box testing is the process of testing an application when you have detailed knowledge of the inner workings of the application. White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test.

  Incorrect Answers:

  A: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place. In this question, the tester has complete access to the code and data structures providing the tester with detailed knowledge of the inner workings of the application. Therefore, this answer is incorrect.

  B: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are used to test the security controls of a system or application. They are not used specifically for general application testing. Therefore, this answer is incorrect.

  C: Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts. In this question, the tester has complete access to the code and data structures providing the tester with detailed knowledge of the inner workings of the application. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/White-box_testing http://en.wikipedia.org/wiki/Black-box_testing http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://searchsoftwarequality.techtarget.com/definition/gray-box

• Question 122:

  Matt, the Chief Information Security Officer (CISO), tells the network administrator that a security company has been hired to perform a penetration test against his network. The security company asks Matt which type of testing would be most beneficial for him. Which of the following BEST describes what the security company might do during a black box test?

  A. The security company is provided with all network ranges, security devices in place, and logical maps of the network.

  B. The security company is provided with no information about the corporate network or physical locations.

  C. The security company is provided with limited information on the network, including all network diagrams.

  D. The security company is provided with limited information on the network, including some subnet ranges and logical network diagrams.

  Correct Answer: B

  The term black box testing is generally associated with application testing. However, in this question the term is used for network testing. Black box testing means testing something when you have no knowledge of the inner workings.

  Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit,

  integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is

  not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software

  produces the output in the first place.

  Incorrect Answers:

  A: In this answer, the tester is given detailed information about the inner workings of the network. Testing the network with detailed knowledge of the network would be considered a white-box test. Black box testing means testing something

  when you have no knowledge of the inner workings. Therefore, this answer is incorrect.

  C: In this answer, the tester is given some information but not detailed information about the inner workings of the network. Testing the network with limited knowledge of the network would be considered a gray-box test. Black box testing

  means testing something when you have no knowledge of the inner workings.

  Therefore, this answer is incorrect.

  D: In this answer, the tester is given some information but not detailed information about the inner workings of the network. Testing the network with limited knowledge of the network would be considered a gray-box test. Black box testing

  means testing something when you have no knowledge of the inner workings.

  Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Black-box_testing

• Question 123:

  The security consultant is assigned to test a client's new software for security, after logs show targeted attacks from the Internet. To determine the weaknesses, the consultant has no access to the application program interfaces, code, or data structures. This is an example of which of the following types of testing?

  A. Black box

  B. Penetration

  C. Gray box

  D. White box

  Correct Answer: A

  Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.

  Incorrect Answers:

  B: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are used to test the security controls of a system or application. They are not used specifically for general application testing. Therefore, this answer is incorrect.

  C: Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts. This question is asking about testing the application without any knowledge of the internal mechanisms. Therefore, this answer is incorrect.

  D: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

  (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. This question is asking about testing the application without any knowledge of the internal mechanisms. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Black-box_testing http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://searchsoftwarequality.techtarget.com/definition/gray-box http://en.wikipedia.org/wiki/ White-box_testing

• Question 124:

  A process in which the functionality of an application is tested without any knowledge of the internal mechanisms of the application is known as:

  A. Black box testing

  B. White box testing

  C. Black hat testing

  D. Gray box testing

  Correct Answer: A

  Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.

  Incorrect Answers:

  B: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

  (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate

  outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-

  box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. This

• Question 125:

  The Quality Assurance team is testing a new third party developed application. The Quality team does not have any experience with the application. Which of the following is the team performing?

  A. Grey box testing

  B. Black box testing

  C. Penetration testing

  D. White box testing

  Correct Answer: B

  Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit, integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Specific knowledge of the application's code/internal structure and programming knowledge in general is not required. The tester is aware of what the software is supposed to do but is not aware of how it does it. For instance, the tester is aware that a particular input returns a certain, invariable output but is not aware of how the software produces the output in the first place.

  Incorrect Answers:

  A: Gray box testing, also called gray box analysis, is a strategy for software debugging in which the tester has limited knowledge of the internal details of the program. A gray box is a device, program or system whose workings are partially understood. Gray box testing can be contrasted with black box testing, a scenario in which the tester has no knowledge or access to the internal workings of a program, or white box testing, a scenario in which the internal particulars are fully known. Gray box testing is commonly used in penetration tests. Gray box testing is considered to be non-intrusive and unbiased because it does not require that the tester have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the person may know how the system components interact but not have detailed knowledge about internal program functions and operation. A clear distinction exists between the developer and the tester, thereby minimizing the risk of personnel conflicts. The question states that the Quality team does not have any experience with the application. Therefore, this answer is incorrect.

  C: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration tests are used to test the security controls of a system or application. It is not used specifically for general application testing. Therefore, this answer is incorrect.

  D: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality

  (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. The question states that the Quality team does not have any experience with the application. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Black-box_testing http://searchsoftwarequality.techtarget.com/definition/gray-box http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://en.wikipedia.org/wiki/ White-box_testing

• Question 126:

  Joe a company's new security specialist is assigned a role to conduct monthly vulnerability scans across the network. He notices that the scanner is returning a large amount of false positives or failed audits. Which of the following should Joe recommend to remediate these issues?

  A. Ensure the vulnerability scanner is located in a segmented VLAN that has access to the company's servers

  B. Ensure the vulnerability scanner is configured to authenticate with a privileged account

  C. Ensure the vulnerability scanner is attempting to exploit the weaknesses it discovers

  D. Ensure the vulnerability scanner is conducting antivirus scanning

  Correct Answer: A

  The vulnerability scanner is returning false positives because it is trying to scan servers that it doesn't have access to; for example, servers on the Internet. We need to ensure that the local network servers only are scanned. We can do this by locating the vulnerability scanner in a segmented VLAN that has access to the company's servers.

  A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected. In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE --unsolicited bulk email, as junk email is more formally known. Messages that are determined to be spam -- whether correctly or incorrectly -- may be rejected by a server or client-side spam filter and returned to the sender as bounce e-mail. One problem with many spam filtering tools is that if they are configured stringently enough to be effective, there is a fairly high chance of getting false positives. The risk of accidentally blocking an important message has been enough to deter many companies from implementing any anti-spam measures at all. False positives are also common in security systems. A host intrusion prevention system (HIPS), for example, looks for anomalies, such as deviations in bandwidth, protocols and ports. When activity varies outside of an acceptable range for example, a remote application attempting to open a normally closed port -- an intrusion may be in progress. However, an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance for false positives can be high. False positives contrast with false negatives, which are results indicating mistakenly that some condition tested for is absent.

  Incorrect Answers:

  B: The vulnerability scanner should not be configured to authenticate with a privileged account. This is not required for a successful scan and is not the cause of the false positives and failed audits. Therefore, this answer is incorrect.

  C: The vulnerability scanner should not be attempting to exploit the weaknesses it discovers. It should just log the weaknesses. Attempting to exploit weaknesses is performed in a penetration test. This is not the job of a vulnerability scanner. Therefore, this answer is incorrect.

  D: The vulnerability scanner should not be conducting antivirus scanning. This is not the job of a vulnerability scanner and is not the cause of the false positives and failed audits. Therefore, this answer is incorrect.

  References: http://whatis.techtarget.com/definition/false-positive

• Question 127:

  Which of the following is an example of a false positive?

  A. Anti-virus identifies a benign application as malware.

  B. A biometric iris scanner rejects an authorized user wearing a new contact lens.

  C. A user account is locked out after the user mistypes the password too many times.

  D. The IDS does not identify a buffer overflow.

  Correct Answer: A

  A false positive is an error in some evaluation process in which a condition tested for is mistakenly found to have been detected. In spam filters, for example, a false positive is a legitimate message mistakenly marked as UBE --unsolicited bulk email, as junk email is more formally known. Messages that are determined to be spam -- whether correctly or incorrectly -- may be rejected by a server or client-side spam filter and returned to the sender as bounce e-mail. One problem with many spam filtering tools is that if they are configured stringently enough to be effective, there is a fairly high chance of getting false positives. The risk of accidentally blocking an important message has been enough to deter many companies from implementing any anti-spam measures at all. False positives are also common in security systems. A host intrusion prevention system (HIPS), for example, looks for anomalies, such as deviations in bandwidth, protocols and ports. When activity varies outside of an acceptable range for example, a remote application attempting to open a normally closed port -- an intrusion may be in progress. However, an anomaly, such as a sudden spike in bandwidth use, does not guarantee an actual attack, so this approach amounts to an educated guess and the chance for false positives can be high. False positives contrast with false negatives, which are results indicating mistakenly that some condition tested for is absent.

  Incorrect Answers:

  B: If an authorized user is wearing a new contact lens, the biometric iris scanner would not recognize it and would correctly deny access. This is not a false positive. Therefore, this answer is incorrect.

  C: If a user mistypes their password too many times and an account lockout policy is configured, the account would correctly be locked if the policy condition (number of failed login attempts) is met. This is not a false positive. Therefore, this answer is incorrect.

  D: If an IDS (intrusion detection system) does not identify a buffer overflow, this is not a false positive. A `positive' result would be the IDS recognizing the buffer overflow. A false positive would be the IDS identifying something as a buffer overflow when a buffer overflow doesn't exist. Therefore, this answer is incorrect.

  References: http://whatis.techtarget.com/definition/false-positive

• Question 128:

  Which of the following is BEST utilized to identify common misconfigurations throughout the enterprise?

  A. Vulnerability scanning

  B. Port scanning

  C. Penetration testing

  D. Black box

  Correct Answer: A

  A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and

  vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are

  important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers.

  Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to

  tighten the network's security.

  Incorrect Answers:

  B: A port scanner is typically a software application used to scan a system such as a computer or firewall for open ports. A malicious user would attempt to access a system through an open port. A security administrator would compare the

  list of open ports against a list of ports that need to be open so that unnecessary ports can be closed thus reducing the vulnerability of the system. A port scanner is not used for a general scan of common misconfigurations on multiple

  systems.

  Therefore, this answer is incorrect.

  C: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be

  performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.

  The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and

  respond to security incidents. Penetration testing is used to test the security controls on an individual system; it is not used for a general scan of common misconfigurations on multiple systems. Therefore, this answer is incorrect.

  D: Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied to virtually every level of software testing: unit,

  integration, system and acceptance. It typically comprises most if not all higher level testing, but can also dominate unit testing as well. Black-box testing is used for testing applications. It is not used to common misconfigurations in a network.

  Therefore, this answer is incorrect.

  References:

  http://www.webopedia.com/TERM/V/vulnerability_scanning.html http://searchsoftwarequality.techtarget.com/definition/penetration-testing

• Question 129:

  A company is looking to improve their security posture by addressing risks uncovered by a recent penetration test. Which of the following risks is MOST likely to affect the business on a day-to-day basis?

  A. Insufficient encryption methods

  B. Large scale natural disasters

  C. Corporate espionage

  D. Lack of antivirus software

  Correct Answer: D

  The most common threat to computers is computer viruses. A computer can become infected with a virus through day-to-day activities such as browsing web sites or emails. As browsing and opening emails are the most common activities performed by all users, computer viruses represent the most likely risk to a business.

  Incorrect Answers:

  A: Insufficient encryption methods do not represent the most likely risk to a business. While some weaker encryption methods are still used today, it still takes some determined effort to decrypt the data. This is not something that would happen on a day-to-day basis. Therefore, this answer is incorrect.

  B: Large scale natural disasters obviously are bad for computer networks. However, they're pretty rare. They certainly don't happen on a day-to-day basis. Computers becoming infected with a virus are much more common. Therefore, this answer is incorrect.

  C: Corporate espionage is a risk to any business. However, it doesn't happen on a day-to-day basis. Computers becoming infected with a virus are much more common. Therefore, this answer is incorrect.

• Question 130:

  Which of the following tests a number of security controls in the least invasive manner?

  A. Vulnerability scan

  B. Threat assessment

  C. Penetration test

  D. Ping sweep

  Correct Answer: A

  Vulnerability scanning has minimal impact on network resource due to the passive nature of the scanning. A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and

  vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates.

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are

  important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers.

  Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to

  tighten the network's security.

  Incorrect Answers:

  B: A threat assessment is the assessment of all threats to a business, not just those related to IT. It is not used to test security controls in a network. Therefore, this answer is incorrect.

  C: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings. The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents. Penetration is considered `active' because you are actively trying to circumvent the system's security controls to gain access to the system as opposed to vulnerability scanning which is considered passive and therefore the least invasive. Therefore, this answer is incorrect.

  D: A ping sweep is the process of sending ICMP ping requests to all IP addresses in an IP subnet to see which addresses map to live hosts. It is not used to test security controls in a network. Therefore, this answer is incorrect.

  References:

  http://www.webopedia.com/TERM/V/vulnerability_scanning.html http://searchsoftwarequality.techtarget.com/definition/penetration-testing