2.5.7 Practice Questions Flashcards
Hannah is working on the scope of work with her client. During the planning, she discovers that some of the servers are cloud-based servers. Which of the following should she do?
answer
Get a non-disclosure agreement.
Add the cloud host to the scope of work.
Tell the client she can’t perform the test.
Not worry about this fact and test the servers.
Add the cloud host to the scope of work.
Explanation
Since Hannah is in the planning stage, she will need to add the cloud host to the scope of work. Cloud-based systems require some extra steps before penetration testing can begin.
During an authorized penetration test, Michael discovered his client’s financial records. Which of the following should he do?
answer
Sell the records to a competitor.
Continue digging and look for illegal activity.
Make a backup of the records for the client.
Ignore the records and move on.
Ignore the records and move on.
Explanation
During a penetration test, the ethical hacker will run across or gain access to highly sensitive data. This could include clients’ financial information, customer data, passwords, and more. In this situation, the hacker is expected to keep this information confidential and not view any more than is necessary for reporting purposes.
During a penetration test, Heidi runs into an ethical situation she’s never faced before and is unsure how to proceed. Which of the following should she do?
answer
Trust her instincts and do what she feels is right.
Ignore the situation and just move on.
Talk with her friend and do what they suggest.
Reach out to an attorney for legal advice.
Reach out to an attorney for legal advice.
Explanation
Whenever a penetration tester is unsure of how to proceed with a situation, a lawyer should be contacted to make sure no laws are broken.
What are the rules and regulations defined and put in place by an organization called?
answer
Corporate policies
Master service agreement
Scope of work
Rules of engagement
Corporate policies
Explanation
Corporate policies are the rules and regulations that are defined and put in place by an organization. As part of the risk assessment and penetration test, these policies should be reviewed and tested.
Which of the following is a common corporate policy that would be reviewed during a penetration test?
answer
Purchasing policy
Password policy
Meeting policy
Parking policy
Password policy
Explanation
The password policy will usually state how many and what types of characters a password should contain.
Which of the following policies would cover what you should do in case of a data breach?
answer
Password policy
Update frequency policy
Corporate data policy
Sensitive data handling policy
Sensitive data handling policy
Explanation
The policy for handling sensitive data should detail who has access to data, how data is secured, and what to do if an unauthorized person gains access to the data.
Yesenia was recently terminated from her position, where she was using her personal cell phone for business purposes. Upon termination, her phone was remotely wiped. Which of the following corporate policies allows this action?
answer
BYOD policy
Corporate policy
Update policy
Password policy
BYOD policy
Explanation
The BYOD (bring your own device) policy must define the level of access employees have to company hardware and data and state clearly what happens on termination of employment.
During a penetration test, Mitch discovers the following on a client’s computer.
Instructions for creating a bomb
Emails threatening a public official
Maps to the official's home and office
Which of the following actions should he take?
answer
Ignore the files and continue with the penetration test.
Delete the files and continue with the penetration test.
Stop the test, inform the client, and let them handle it.
Immediately stop the test and report the finding to the authorities.
Immediately stop the test and report the finding to the authorities.
Explanation
If, during the scope of the penetration test, the hacker discovers evidence of illegal activity, they are legally obligated to report the evidence to the appropriate authorities.
Heather is working for a cybersecurity firm based in Florida. She will be conducting a remote penetration test for her client, who is based in Utah. Which state’s laws and regulations will she need to adhere to?
answer
Both companies will need to adhere to Florida’s laws.
A lawyer should be consulted on which laws to adhere to and both parties agree.
Both companies will need to adhere to Utah’s laws.
Heather will adhere to Florida’s laws, and the client will adhere to Utah’s laws.
A lawyer should be consulted on which laws to adhere to and both parties agree.
Explanation
The laws that govern computer usage and hacking can vary from state to state.
United States Code Title 18, Chapter 47, Section 1029 deals with which of the following?
answer
Fraud and related activity involving electronic mail.
Fraud and related activity regarding identity theft.
Fraud and related activity involving computers.
Fraud and related activity involving access devices.
Fraud and related activity involving access devices.
Explanation
U.S. federal law: Title 18, Chapter 47, Section 1029 covers fraud and related activity involving access devices.
Which of the following best describes the Wassenaar Arrangement?
answer
A law that defines the security standards for any organization that handles cardholder information.
An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software.
Standards that ensure medical information is kept safe and is only shared with the patient and medical professionals.
A law that defines how federal government data, operations, and assets are handled.
An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software.
Explanation
The Wassenaar Arrangement is an agreement among 41 countries to enforce similar export controls on weapons and certain technologies, including intrusion software.
Which of the following best describes the rules of engagement document?
answer
Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.
Used as a last resort if the penetration tester is caught in the scope of their work.
A very detailed document that defines exactly what is going to be included in the penetration test.
A contract where parties agree to most of the terms that will govern future actions.
Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.
Explanation
The rules of engagement define if the test will be a white box, gray box, or black box test.
Which of the following best describes a master service agreement?
answer
Used as a last resort if the penetration tester is caught in the scope of their work.
A contract where parties agree to the terms that will govern future actions.
A very detailed document that defines exactly what is going to be included in the penetration test.
Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.
A contract where parties agree to the terms that will govern future actions.
Explanation
The master service agreement is a contract where parties agree to the terms that will govern future actions.
Which of the following best describes a non-disclosure agreement?
answer
A document that defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.
A contract where parties agree to most of the terms that will govern future actions.
A very detailed document that defines exactly what is going to be included in the penetration test.
A common legal contract outlining confidential material that will be shared during the assessment.
A common legal contract outlining confidential material that will be shared during the assessment.
Explanation
A non-disclosure agreement (NDA) is a common legal contract that outlines the confidential material or information that will be shared during the assessment and the restrictions placed on it. This contract states that anything the tester finds cannot be shared except with the people specified in the document.
During a penetration test, Dylan is caught testing the physical security. Which document should Dylan have on his person to avoid being arrested?
answer
Master service agreement
Scope of work
Permission to test
Rules of engagement
Permission to test
Explanation
The permission to test is used as a last resort if the penetration tester is caught in the scope of their work. This get-out-of-jail-free card explains what the tester is doing and that his work is authorized.