03- Penetration Testing Quiz Flashcards
Find the wrong statement about penetration testing.
A. It is an unintentional attack
B. Pen-testing is used for security assessment
C. Pen testing improves the security of the system
D. Pen testing does discovers security weaknesses
Answer: A
A pentest is an intentional attack on a system using the pen testing skills to improve the defense strategy.
Which stage does not verify or try to exploit the vulnerability, just lists and ranks the identified
weaknesses.
C. Vulnerability assessment
D. Vulnerability scan
Answer: B
Vulnerability scan is the next step after the first discovery. This stage does not verify or try to exploit the vulnerability, it just
lists and ranks the identified weaknesses.
Penetration testing
a. can evaluate the security of system or network
b. cannot be used to identify the vulnerabilities left undetected by automated vulnerability
scanners
c. is an unauthorized attempt to exploit a computer system
d.. determines the critical vulnerabilities
Answer: A and D
Penetration testing exploits the vulnerabilities of a system or network to improve the security of the system. Pentesting can
identify the insecure areas of the system or network that can be used by an attacker to gain unauthorized access to the system.
Nexpose and GFI are tools that try to match conditions found on the target system with known
vulnerabilities, and can find new vulnerabilities.
True
False
Answer: False
Nexpose, Nessus and GFI are tools that try to match conditions found on the target system with known vulnerabilities, but they
lack the ability to find new vulnerabilities. These tools count on a database to identify the existence of certain weaknesses.
A vulnerability scan tries to verify the vulnerabilities found with little or no user interaction.
True
False
Answer: False
The last phase, or vulnerability assessment, tries to verify the vulnerabilities found and is done with little or no user interaction.
Question 1 Which step is essential for the organization to be compliant with certain ISOs or other certification bodies? A. Security audit B. Vulnerability assessment C. Code reviews
Answer: C
It can analyze specific web applications or internal software. It is the essential step for the organization to be compliant with
certain ISOs or other certification bodies.
______ testing aims to exploit identified vulnerabilities to check what information is exposed to the
outside world.
Internal
External
Answer: B
External testing aims to exploit identified vulnerabilities to check what information is exposed to the outside world.
What remains the same in both internal and external testing?
A. The target
B. The attacker
Answer: A
The target remains the same in both the internal and external testing.
Which attack can be much more devastating?
A. External attacks
B. Internal attacks
Answer: B
Internal attackers have the full understanding of which systems are important within a network and where it is located.
__________ saves time and resources, but is not accurate or professional.
A. Automated pentesting
B. Manual testing
Answer: A
You can easily use different tools to automate pentesting, to save your time and resources, but it is not accurate or
professional.
Manual testing requires: A. less planning B. a schedule C. an attack design D. automated tools
Answer: B and C
A skilled manual tester will always plan and schedule everything in advance. An experienced pen tester will always prepare an
attack design and schedule it.
Identify the benefits of using automated tools. A. Faster B. Computerized C. Accurate D. In-depth coverage
Answer: A and B
The testing carried out with automated tools is faster when compared to manual ones. Automated tools are fully computerized,
whereas manual testing depends entirely on the skill of the tester.
Identify the disadvantages of using automated tools. A. Fast B. Dependency on the vendor’s database C. Only tests technical flow D. Computerized
Answer: B and C
Automated tools work based on the information provided in the database, and the decreased chances of being updated to the
latest threats affects the efficiency of the test. The automated testing only tests the technical flow, whereas the manual testing
tests for both technical and business/logic flow.
What are the disadvantages of manual testing?
A. Awareness to new attack vendors
B. Tests for both technical and business/logic flow
C. Does not cover the entire system
D. Slow
Answer: C and D
Only automated testing is able to cover every bit of the system, whereas the manual testing fails to do so. The manual testing is
slow when compared to automated testing.
Pick out the merits of manual testing. A. Dependency on the skill of the tester B. Accuracy C. Possibility of forgetting D. Familiarity with new threats
Answer: B and D
The automated tools lack accuracy. The automated tools depend on the database of the vendor, which may not be updated.