Software Testing Techniques and Cybersecurity Concepts, Exams of Information and Communications Technology (ICT)

This document covers a wide range of software testing techniques, including performance testing, load testing, stress testing, and volume testing, as well as various error-checking methods such as sequence checks, limit checks, and logical relationship checks. It also discusses different types of system testing, including alpha testing, beta testing, and parallel testing. Additionally, the document delves into cybersecurity concepts, including different types of attacks such as smurf attacks, ping floods, and teardrop attacks, as well as security measures such as firewalls, virtual private networks (VPNs), and digital envelopes. It is a comprehensive overview of both software testing and cybersecurity, making it a valuable resource for students, professionals, and anyone interested in these topics.

Typology: Exams

2023/2024

Available from 07/27/2024

paul-kamau-2

CISA Exam 122 Questions and Terms: 122 Questions with Verified Answers

COBIT Framework - CORRECT ANSWER Framework developed by ISACA to support EGIT by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risk is managed appropriately.

International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series - CORRECT ANSWER A set of best practices that provides guidance to organizations implementing and maintaining information security programs.

Information Technology Infrastructure Library (ITIL®) - CORRECT ANSWER Framework developed by the UK Office of Government Commerce (OGC), in partnership with the IT Service Management Forum; it is a detailed framework with hands-on information regarding how to achieve successful operational service management of IT.

ISO/IEC 38500:2015 - CORRECT ANSWER Information Technology - Governance of IT for the organization; provides guiding principles for members of governing bodies of organizations on the effective, efficient and acceptable use of IT.

ISO/IEC 20000 - CORRECT ANSWER A specification for service management that is aligned with ITIL's service management framework. It is divided into two parts.

ISO 3100:2018 - CORRECT ANSWER Risk management—Guidelines; provides guidelines on and a common approach to risk management for organizations.

There are four methods used to estimate the cost of an information system acquisition and development project: - CORRECT ANSWER
1. Analogous estimating
2. Parametric estimating
3. Bottom-up estimating
4. Actual costs

Analogous Estimating - CORRECT ANSWER The project manager can develop the estimated cost for a new project by taking reference from prior projects. This is the quickest estimation technique.

Parametric Estimating - CORRECT ANSWER The project manager looks at the same past data that were used in analogous estimating and leverages statistical data (estimated employee hours, materials costs, technology, etc.) to develop the estimate. This approach is more accurate than analogous estimation.

Bottom-Up Estimating - CORRECT ANSWER The cost of each activity in the project is estimated to the greatest detail (i.e., starting at the bottom), and then all the costs are added to arrive at the cost estimate of the entire project. The most accurate estimate, this is also the most time-consuming approach.

Actual Costs - CORRECT ANSWER Takes an extrapolation from the actual costs that were incurred on the same system during past projects.

Debugging tools fall into three categories: - CORRECT ANSWER
1. Logic Path Monitors
2. Memory Dumps
3. Output Analyzers

Logic Path Monitors - CORRECT ANSWER Provide clues on logic errors to the programmer.

Memory Dumps - CORRECT ANSWER Provide clues on inconsistencies in data or parameter values to the programmer.

Output Analyzers - CORRECT ANSWER Help to check results of program execution for accuracy.

UAT - CORRECT ANSWER Testing from business users that focuses on the functional aspects of the application.

Alpha Testing - CORRECT ANSWER An early version of the application system submitted to users for testing.

Limit Check - CORRECT ANSWER Data should not exceed a predetermined amount. For example, payroll checks should not exceed US $4,000. If a check exceeds US $4,000, the data would be rejected for further verification/authorization.

Range Check - CORRECT ANSWER Data should be within a predetermined range of values.

Validity Check - CORRECT ANSWER Programmed checking of the data validity in accordance with predetermined criteria.

Reasonableness Check - CORRECT ANSWER Input data are matched to predetermined reasonable limits or occurrence rates.

Table Lookups - CORRECT ANSWER Input data comply with predetermined criteria maintained in a computerized table of possible values.

Existence Check - CORRECT ANSWER Data are entered correctly and agree with valid predetermined criteria.

Key Verification - CORRECT ANSWER The keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input.

Check Digit - CORRECT ANSWER A numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors.

Completeness Check - CORRECT ANSWER A field should always contain data rather than zeros or blanks. A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present.

Duplicate Check - CORRECT ANSWER New transactions are matched to those previously input to ensure that they have not already been entered.

Logical Relationship Check - CORRECT ANSWER If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true in order to consider the input valid.

Redundancy Check - CORRECT ANSWER A common error-detection technique in which a transmitted block of data containing one or more records or messages is checked for the number of characters or patterns of bits contained in it.

Parity Check - CORRECT ANSWER A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another. A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error.

ACID principle for Data Integrity in Online Transaction Processing Systems - CORRECT ANSWER
1. Atomicity
2. Consistency
3. Isolation
4. Durability

Atomicity - CORRECT ANSWER From a user perspective, a transaction is either completed in its entirety (i.e., all relevant database tables are updated) or not at all. If an error or interruption occurs, all changes made up to that point are backed out.

Consistency - CORRECT ANSWER All integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state.

Isolation - CORRECT ANSWER Each transaction is isolated from other transactions, so each transaction accesses only data that are part of a consistent database state.

Durability - CORRECT ANSWER If a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures.

Incremental Backup - CORRECT ANSWER This type of backup scheme copies the files and folders that changed or are new since the last incremental or full backup. If you have a full backup on day 1, your incremental backup on day 2 will copy only the changes from day 1 to day 2. On day 3, it will copy only the changes from day 2 to day 3, and so on. This is a faster method of backup and requires less media capacity, but it requires that all backup sets restore all changes since a full backup, and restoration will take more time.

Differential Backup - CORRECT ANSWER This type of backup copies all files and folders that have been added or changed since a full backup was performed. This type of backup is faster and requires less media capacity than a full backup and requires only the last full and differential backup sets to make a full restoration. It also requires less time to restore than incremental backups, but it is slower and requires more media capacity than incremental backups because data that are backed up are cumulative.

A Business Continuity Plan should include the following sub-plans: - CORRECT ANSWER
1. Continuity of Operations Plan
2. Disaster Recovery Plan
3. Business Resumption Plan

Desk-based evaluation/paper test - CORRECT ANSWER A paper walk-through of the plan, involving major players in the plan's execution who reason out what might happen in a particular type of service disruption.

Preparedness Test - CORRECT ANSWER Usually a localized version of a full test, wherein actual resources are expended in the simulation of a system crash.

Full Operational Test - CORRECT ANSWER This is one step away from an actual service disruption. The organization should have tested the plan well on paper and locally before endeavoring to completely shut down operations.

Business Continuity Test Types - CORRECT ANSWER
1. Desk-based evaluation/paper test
2. Preparedness Test
3. Full operational test

Short Term Power Interruption Control (Sags, Spikes, Surges) - CORRECT ANSWER Surge Protector

Intermediate Term Power Interruption Control (Few Seconds to 30 Mins) - CORRECT ANSWER Uninterruptible power supply (UPS) devices

Long Term Power Interruption Control (Few Hours to Several Days) - CORRECT ANSWER Alternate Power Generators

Total Flooding - CORRECT ANSWER Systems working under this principle apply an extinguishing agent to a three-dimensional enclosed space in order to achieve a concentration of the agent (volume percent of the agent in air) adequate to extinguish the fire.

Local Application (Extinguishing Agent) - CORRECT ANSWER Systems working under this principle apply an extinguishing agent directly onto a fire (usually a two-dimensional area), or into the three-dimensional region immediately surrounding the substance or object on fire.

The main difference between local application and total flooding designs - CORRECT ANSWER The absence of physical barriers enclosing the fire space in the local application design.

Baseband Communication - CORRECT ANSWER The signals are directly injected on the communication link (no modulation or shift in the range of frequencies of the signal). Generally, only one communication channel is available at any one time (half-duplex), although full-duplex modems are now available.

Broadband Communication - CORRECT ANSWER Different carrier frequencies defined within the available band can carry analog signals, such as those generated by image processors or a data modem, as if they were placed on separate baseband channels.

Network Standards - CORRECT ANSWER
1. Interoperability
2. Availability
3. Flexibility
4. Maintainability

Network Layer - CORRECT ANSWER Including IP address, router, firewall - This layer creates a virtual circuit between the transport layer on the local device and the transport layer on the remote device. This is the layer of the stack that understands IP addresses and is responsible for routing and forwarding.

Transport Layer - CORRECT ANSWER Including TCP and UDP - This layer provides reliable and transparent transfer of data between end points, end-to-end error recovery and flow control. This layer ensures that all of the data sent to it by the session layer are successfully received by the remote system's transport layer.

Session Layer - CORRECT ANSWER Including RPC, SQL, Network File System - This layer controls the dialogs (sessions) between computers. It establishes, manages and terminates the connections between the local and remote application layers. All conversations, data exchanges and dialogs between the application layers are managed by the session layer.

Presentation Layer - CORRECT ANSWER Including JPEG, MPEG, MP3, GIF - This layer transforms data to provide a standard interface for the application layer and provides common communication services, such as encryption, text compression and reformatting.

Application Layer - CORRECT ANSWER Including FTP, SSH, Telnet, HTTP - This layer provides a standard interface for applications that must communicate with devices on the network (e.g., print files on a network-connected printer, send an email or store data on a file server). Thus, this layer provides an interface to the network.

Star Topology - CORRECT ANSWER Of the physical topologies that have been commonly used, this is the only one used to any great extent in new construction.

Repeaters - CORRECT ANSWER Physical layer devices that extend the range of a network or connect two separate network segments together. Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) that are distorted due to a reduction of signal strength during transmission (i.e., attenuation).

Hubs - CORRECT ANSWER Physical layer devices that serve as the center of a star-topology network or a network concentrator. These can be active (if they repeat signals sent through them) or passive (if they merely split signals).

Bridges - CORRECT ANSWER Data link layer devices that were developed to connect LANs or create two separate LAN or WAN network segments from a single segment to reduce collision domains.

Layer 2 Switches - CORRECT ANSWER Data link level devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks.

Routers - CORRECT ANSWER Similar to bridges and switches in that they link two or more physically separate network segments. The network segments linked by this method, however, remain logically separate and can function as independent networks.

Layer 3 Switches - CORRECT ANSWER These switches enable the concept of establishing a VLAN.

Gateways - CORRECT ANSWER Devices that are protocol converters. Typically, they connect and convert between LANs and the mainframe, or between LANs and the Internet, at the application layer of the OSI reference model. Depending on the type, the operation occurs at various OSI layers. The most common form is a systems network architecture (SNA) gateway, converting between a TCP/IP, NetBIOS or Inter-network Packet Exchange (IPX) session (terminal emulator) and the mainframe.

Modems (modulator/demodulator) - CORRECT ANSWER Data communications equipment (DCE) devices that make it possible to use analog lines (generally, the public telephone network) as transmission media for digital networks.

Multiplexors - CORRECT ANSWER Physical layer devices used when a physical circuit has more bandwidth capacity than required by individual signals.

Point-to-Point Protocol (PPP) - CORRECT ANSWER This protocol works in the data link layer and provides a single, preestablished WAN communication path from

Packet-Filtering Firewall - CORRECT ANSWER First generation, worked on headers. Vulnerable to IP spoofing, source routing specifications, and miniature fragment attacks.

Application Firewall - CORRECT ANSWER There are two types of these systems: application-level and circuit-level. They provide greater protection capabilities than packet filtering routers. These systems allow information to flow between systems but do not allow the direct exchange of packets. They work at the application level of the OSI model.

Stateful Inspection Firewall - CORRECT ANSWER This system keeps track of the destination IP address of each packet that leaves the organization's internal network. Whenever the response to a packet is received, its record is referenced to ascertain and ensure that the incoming message is in response to the request that went out from the organization.

Firewall Types - CORRECT ANSWER
1. Packet-Filtering
2. Application-Level
3. Stateful Inspection

Firewall Implementations - CORRECT ANSWER
1. Screened-Host
2. Dual-Homed
3. Screened-Subnet (DMZ)

Screened-Host Firewall - CORRECT ANSWER Utilizing a packet-filtering router and a bastion host, this approach implements basic network layer security (packet filtering) and application server security (proxy services). An intruder in this configuration has to penetrate two separate systems.

Dual-Homed Firewall - CORRECT ANSWER This is a firewall system that has two or more network interfaces, each of which is connected to a different network. In a firewall configuration, this type of system usually acts to block or filter some or all of the traffic trying to pass between the networks. This is a more restrictive form of a screened-host firewall system.

Screened-Subnet Firewall (DMZ) - CORRECT ANSWER Utilizing two packet-filtering routers and a bastion host, this approach creates the most secure firewall system because it supports network- and application-level security while defining a separate, small, isolated network for an organization's public servers, bastion host information servers and modem pools.

Digital Envelope - CORRECT ANSWER Similar to a digital signature, this is an electronic "container" that can be used to protect data or a message through the use of encryption and data authentication. The message is first encoded using symmetric encryption and then the code to decode the message is secured using public key encryption. This provides a more convenient option for encryption.

Digital Signature - CORRECT ANSWER A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.

Digital Certificate - CORRECT ANSWER The resulting document from a Certification Authority (CA) from which any signed document is considered automatically authentic by the sender and the recipient. In the first place, this trusted party identifies the holder of a public key (the subject) and then signs this public key while appending details of the subject's identity.

Certification Authority (CA) - CORRECT ANSWER As well as issuing new certificates, this party maintains a list of compromised certificates (i.e., those whose private key has been leaked or lost) called the certificate revocation list (CRL).

Registration Authority (RA) - CORRECT ANSWER The individual institution that validates an entity's proof of identity and ownership of a key pair.

Smurf Attack - CORRECT ANSWER Occurs when misconfigured network devices allow packets to be sent to all hosts on a particular network via the broadcast address of the network.

Ping Flood - CORRECT ANSWER Occurs when the target system is overwhelmed with ping packets.