Chap 11 - Reporting and Communication Flashcards

1
Q

Tom recently conducted a penetration test for a company that is regulated under PCI DSS. Two months after the test, the client asks for a letter documenting the test results for its compliance files. What type of report is the client requesting?

A. Executive summary
B. Penetration testing report
C. Written testimony
D. Attestation of findings

A

Attestation of findings

An attestation of findings is a certification provided by the penetration testers to document that they conducted a test and the results for compliance purposes.

2
Q

Wendy is reviewing the results of a penetration test and learns that her organization uses the same local administrator password on all systems. Which one of the following tools can help her resolve this issue?

A. LAPS
B. Nmap
C. Nessus
D. Metasploit

A

LAPS

The Local Administrator Password Solution (LAPS) from Microsoft provides a method for randomizing local administrator account credentials through integration with Active Directory.

3
Q

LAPS

A

LAPS (Local Administrator Password Solution) is a Microsoft tool used to securely manage and randomize the local administrator password for Windows systems. It stores these passwords securely in Active Directory (AD), ensuring they are unique for each system and can only be accessed by authorized users. This mitigates the risk of widespread compromise due to shared or weak passwords.

4
Q

Which one of the following is not a normal communication trigger for a penetration test?

A. Discovery of a critical finding
B. Completion of a testing stage
C. Documentation of a new test
D. Identification of prior compromise

A

Documentation of a new test

The three common triggers for communication during a penetration test are the completion of a testing stage, the discovery of a critical finding, and the identification of indicators of prior compromise.

5
Q

What are some common triggers for communication during a Pentest?

A

Common triggers for communication during a penetration test include the following scenarios:

  • Discovery of Indicators of Compromise (IoC): When testers identify signs of a prior or ongoing security breach.
  • Scope Creep: If activities are required that go beyond the defined scope of the test.
  • Critical Vulnerabilities Found: When critical vulnerabilities or exploits are identified that might require immediate attention.
  • System Instability: If testing causes system or network disruptions.
  • Completion of Major Test Phases: Providing progress updates upon completing key stages, such as reconnaissance or exploitation.

6
Q

Gary ran an Nmap scan of a system and discovered that it is listening on port 22 despite the fact that it should not be accepting SSH connections. What finding should he report?

A. Shared local administrator credentials
B. Unnecessary open services
C. SQL injection vulnerability
D. No multifactor authentication

A

Unnecessary open services

The only conclusion that Gary can draw from this information is that the server is offering unnecessary services because it is listening for SSH connections when it should not be supporting that service.

7
Q

Tom’s organization currently uses password‐based authentication and would like to move to multifactor authentication. Which one of the following is an acceptable second factor?

A. Security question
B. PIN
C. Smartphone app
D. Passphrase

A

Smartphone app

Passphrases, security questions, and PINs are all examples of knowledge‐based authentication and would not provide multifactor authentication when paired with a password, another knowledge‐based factor. Smartphone apps are an example of “something you have” and are an acceptable alternative.

8
Q

Which one of the following items is not appropriate for the executive summary of a penetration testing report?

A. Description of findings
B. Statement of risk
C. Plain language
D. Technical detail

A

Technical detail

An executive summary should be written in a manner that makes it accessible to the layperson. It should not contain technical detail.

9
Q

Which one of the following activities is not commonly performed during the post‐engagement cleanup phase?

A. Remediation of vulnerabilities
B. Removal of shells
C. Removal of tester‐created credentials
D. Removal of tools

A

Remediation of vulnerabilities

Vulnerability remediation is a follow‐on activity and is not conducted as part of the test. The testers should, however, remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

10
Q

Who is the most effective person to facilitate a lessons learned session after a penetration test?

A. Team leader
B. CIO
C. Third party
D. Client

A

Third party

The most effective way to conduct a lessons learned session is to ask a neutral third party to serve as the facilitator, allowing everyone to express their opinions freely.

11
Q

Which one of the following is not an example of an operational control that might be implemented to remediate an issue discovered during a penetration test?

A. Job rotation
B. Time‐of‐day login restrictions
C. Network segmentation
D. User training

A

Network segmentation

Network segmentation is an example of a technical control. Time‐of‐day restrictions, job rotation, and user training are all examples of operational controls.

12
Q

Operational Controls

A

Operational controls are practices that enhance personnel security through the implementation of standard procedures. Examples include:

  • User Training and Awareness: Educating users on security best practices and potential threats.
  • Incident Response Planning: Establishing procedures to detect, respond to, and recover from security incidents.
  • Change Management Processes: Ensuring all changes to systems and applications are documented, reviewed, and approved.
  • Access Controls: Implementing policies for granting, reviewing, and revoking user access to systems and data.
  • Backup and Recovery Plans: Maintaining regular backups and ensuring recovery procedures are in place for critical data and systems.
  • Monitoring and Logging: Capturing system and network activity to detect and analyze potential security events.
  • Patch Management: Keeping systems up to date with the latest security updates and patches.
  • Physical Security Measures: Controlling access to facilities and sensitive equipment.
13
Q

Technical Controls

A

Technical controls involve using software or hardware to enforce security, such as firewalls, intrusion detection systems, and encryption mechanisms. Examples include:

  • Firewalls: Controlling inbound and outbound network traffic based on security rules.
  • Intrusion Detection and Prevention Systems (IDS/IPS): Monitoring and blocking suspicious activities.
  • Encryption: Protecting data at rest and in transit using cryptographic techniques.
  • Antivirus and Anti-malware Software: Detecting and mitigating malicious software.
  • Access Control Systems: Enforcing user authentication and authorization mechanisms.
  • Data Loss Prevention (DLP): Preventing unauthorized sharing or exfiltration of sensitive data.
  • Secure Configurations: Applying hardening standards to systems and applications.
  • Network Segmentation: Dividing a network into segments to limit unauthorized access.
  • Logging and Monitoring Tools: Capturing and analyzing events for anomalies or breaches.
  • Vulnerability Scanners: Identifying and reporting potential weaknesses in systems.
14
Q

When should system hardening activities take place?

A. When the system is initially built
B. When the system is initially built and periodically during its life
C. When the system is initially built and when it is decommissioned
D. When the system is initially built, periodically during its life, and when it is decommissioned

A

When the system is initially built and periodically during its life

System hardening should take place when a system is initially built and periodically during its life. There is no need to harden a system prior to decommissioning because it is being shut down at that point.
