CSSLP Question #229: Real Exam Question with Answer & Explanation

The correct answer is B: Penetration testing.

Secure Software Testing

Question

Which of the following test methods has the objective to test the IT system from the viewpoint of a threat-source and to identify potential failures in the IT system protection schemes?

Options

  • A. Security Test and Evaluation (ST&E)
  • B. Penetration testing
  • C. Automated vulnerability scanning tool
  • D. On-site interviews

Explanation

Penetration testing is a security assessment method that simulates real-world attacks from a threat-source's perspective to uncover vulnerabilities and identify weaknesses in an IT system's protection schemes. This method provides a realistic evaluation of a system's resilience against malicious activities.

Common mistakes.

  • A. Security Test and Evaluation (ST&E) is a broader process of systematically examining and testing a system's security features and controls to ensure they meet specified security requirements, but it's not exclusively from a threat-source's perspective.
  • C. Automated vulnerability scanning tools identify known vulnerabilities in systems by scanning for signatures or common misconfigurations, but they do not actively exploit vulnerabilities or simulate a threat-source's thought process or methodology.
  • D. On-site interviews are a qualitative method used to gather information from personnel about security policies, procedures, and perceptions, but they do not directly test technical system protection schemes from an adversarial perspective.

Concept tested. Security testing - Penetration testing

Reference. https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

Penetration Testing, Security Testing, Threat Simulation, Vulnerability Assessment