Chap 2 - Planning and Scoping Penetration Tests Flashcards

1
Q

What term describes a document created to define project‐specific activities, deliverables, and timelines based on an existing contract?

  • NDA
  • MSA
  • SOW
  • MOD
A

SOW

A statement of work covers the working agreement between two parties and is used in addition to an existing contract or master services agreement (MSA). An NDA is a nondisclosure agreement, and the acronym MOD was made up for this question.

2
Q

Maria wants to build a penetration testing process for her organization and intends to start with an existing standard or methodology. Which of the following is not suitable for that purpose?

  • ISSAF
  • OSSTMM
  • PTES
  • ATT&CK
A

ATT&CK

PTES, OSSTMM, and ISSAF are all penetration testing methodologies or standards. MITRE’s ATT&CK framework describes adversary tactics and techniques but does not outline how to perform a penetration test.

3
Q

ISSAF

A

The Information System Security Assessment Framework (ISSAF) is a comprehensive methodology (outdated and no longer maintained) designed to guide professionals in conducting thorough security assessments of information systems. Here are the key aspects of ISSAF:

Structure and Phases
* ISSAF divides the penetration testing process into three main phases:

  1. Planning and Preparation: This phase involves defining the scope, obtaining necessary permissions, and preparing the environment for the assessment.
  2. Assessment: This phase includes the actual testing, which encompasses activities such as vulnerability analysis, exploitation, and assessment of different security aspects like network, host, application, database, and social engineering.
  3. Reporting, Clean-up, and Destroying Artefacts: This final phase involves documenting the findings, providing detailed reports, and ensuring that all testing artifacts are properly cleaned up and destroyed.

Comprehensive Testing
* ISSAF is designed to test all security aspects, including physical security, personnel security, and technical security, as well as specific areas such as network security, host security, application security, database security, and social engineering.

Risk-Based Approach: ISSAF emphasizes a risk-based approach to security testing, focusing on the areas of greatest risk to the organization. This ensures that the most critical vulnerabilities are identified and addressed first.

Flexibility and Customization: The framework is flexible and adaptable, allowing organizations to customize it according to their specific needs. It can be tailored to fit various environments, from small businesses to large enterprises.

Tools and Resources: ISSAF links individual penetration testing steps with specific tools, providing a comprehensive guide on how to use these tools effectively. It also offers security guidelines, training materials, and testing tools to help organizations improve their security posture.

Reporting: The framework stresses the importance of comprehensive reporting. Reports can be tailored for different stakeholders and include detailed information about the vulnerabilities discovered, along with recommendations for remediation.

Current Status: Although ISSAF is a valuable resource, it is no longer actively maintained, which means it may become increasingly outdated as new technologies and threats emerge.

4
Q

OSSTMM

A

The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive, peer-reviewed framework designed to guide security testing and analysis. Here are the key aspects of OSSTMM:

Maintenance and Development: OSSTMM is developed and maintained by the Institute for Security and Open Methodologies (ISECOM), an open community dedicated to security research, certifications, and providing practical security awareness.

Core Principles
* Open Source: OSSTMM is an open-source project, allowing anyone to access, use, and improve it. This fosters a community-driven approach to security testing.
* Structured Methodology: It provides a systematic and precise way of conducting security tests, ensuring that all critical areas are covered. This includes planning, implementation, and documentation phases.
* Comprehensive Security Testing: OSSTMM covers various aspects of security, including physical, human, wireless, telecommunications, and data network security.

Testing Channels
The methodology is organized around five key testing channels:
1. Human Security: Assessing security in human interactions and communications.
2. Physical Security: Testing tangible aspects of security requiring physical effort.
3. Wireless Communications: Examining electronic signals and communications.
4. Telecommunications: Evaluating digital and analog telecommunications networks.
5. Data Networks: Testing electronic systems and networks used for communication.

Methodology and Process
* Preparation: Defining the scope, understanding the system’s context, identifying the risk surface, and obtaining legal permission.
* Evaluation: Auditing controls and procedures, enumerating and scanning systems, and assessing the current security posture.
* Testing: Active probing for vulnerabilities, exploits, and weaknesses.
* Reporting: Documenting test findings, vulnerabilities, and recommending remedial measures.
* Optimization: Validating fixes, retesting if necessary, and ensuring continuous improvement.

Certification and Training: ISECOM offers certifications for both professionals and organizations. Professional certifications include roles such as Professional Security Tester, Professional Security Analyst, and Certified Trust Analyst. Organizational certifications cover infrastructure and products.

Reporting and Metrics: OSSTMM emphasizes the use of the Security Test Audit Report (STAR) for reporting. It also focuses on providing measurable and accurate results, including operational security metrics and trust analysis.

Continuous Improvement: The methodology stresses the importance of continuous improvement, ensuring that security testing is an ongoing process that adapts to the changing threat landscape.

5
Q

PTES

A

The Penetration Testing Execution Standard (PTES) is a comprehensive framework designed to standardize and guide the process of conducting penetration tests. Here are the key components and objectives of PTES:

Objectives
The primary goal of PTES is to provide a standardized methodology for penetration testing, ensuring that tests are thorough, consistent, and effective. It helps organizations understand what to expect from a penetration test and guides them in scoping and negotiating successful projects.

Phases of PTES
PTES is structured into seven distinct phases:
1. Pre-Engagement Interactions: This phase involves the initial communication between the client and the penetration testing team. It includes activities such as finalizing the scope of the project, reviewing the Rules of Engagement, and ensuring all necessary approvals and documentation are in place.
2. Intelligence Gathering: During this phase, information about the target system is gathered from external sources using Open-Source Intelligence (OSINT) techniques. This includes data from social media, official records, and other publicly available sources.
3. Threat Modeling: This phase involves identifying potential threats and vulnerabilities, and defining countermeasures to mitigate them. It helps in optimizing network security by understanding which assets are most likely to be targeted and what resources might be used to attack them.
4. Vulnerability Analysis: In this phase, the penetration testers discover and validate vulnerabilities that could be exploited by attackers. This involves identifying risks that could allow unauthorized access to the system or application.
5. Exploitation: Here, the testers attempt to exploit the identified vulnerabilities to gain unauthorized access to the target system. This phase simulates real-world attack scenarios to assess the effectiveness of existing security measures.
6. Post-Exploitation: After gaining access, the testers maintain control over the target system and collect data. This phase involves activities such as privilege escalation, lateral movement, and data exfiltration.
7. Reporting: The final phase involves documenting the entire process and presenting the findings in a report that is understandable to the client. The report outlines the security posture of the target system, highlights vulnerabilities, and provides recommendations for remediation.

Benefits and Purpose
PTES provides a consistent framework for penetration testers to follow, ensuring that all aspects of a penetration test are covered. It helps in raising the quality of penetration testing services and gives businesses a clear understanding of what to expect from a penetration test.

6
Q

During a penetration test scoping discussion, Charles is asked to test the organization’s SaaS‐based email system. What concern should he bring up?

  • Cloud‐based systems require more time and effort.
  • Determining the scope will be difficult due to the size of cloud‐hosted environments.
  • Cloud service providers do not typically allow testing of their services.
  • Testing cloud services is illegal.
A

Cloud service providers do not typically allow testing of their services.

Cloud service providers don’t typically allow testing to be conducted against their services. Charles may recommend that the company ask for third‐party security audit information instead. Cloud systems and large environments can be difficult to scope and may require more time, but the primary issue here is the ability to even legitimately conduct the assessment that is being requested.

7
Q

During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened?

  • His IP address was whitelisted.
  • The server crashed.
  • The network is down.
  • His IP address was blacklisted.
A

His IP address was blacklisted.

The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization’s defensive practices. A whitelist would allow him in, and it is far less likely that the server or network has gone down.

8
Q

What does an MSA typically include?

  • The terms that will govern future agreements
  • Mutual support during assessments
  • Microservices architecture
  • The minimum service level acceptable
A

The terms that will govern future agreements

A master service agreement (MSA) is a contract that defines the terms under which future work will be completed. Specific work is then typically handled under a statement of work (SOW).

9
Q

While performing an on‐site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed?

  • Jack whitelisting
  • Jack blacklisting
  • NAC
  • 802.15
A

NAC

The organization that Cassandra is testing has likely deployed network access control (NAC). Her system will not have the proper NAC client installed, and she will be unable to access that network jack without authenticating and having her system approved by the NAC system.

10
Q

NAC

A

Network Access Control

NAC is a method to secure and control access to network resources based on a defined security policy. It restricts access to network resources to only those devices and users that comply with the organization’s security policies.

Components: NAC solutions typically include several key components:
* Policy Server: Defines and manages access control policies, storing rules for user and device access.
* Authentication Server: Verifies user and device identities using passwords, certificates, or other authentication methods.
* Access Control Enforcement Points (ACEPs): Deployed at strategic points in the network infrastructure to enforce access policies by permitting or blocking access.
* Network Visibility & Monitoring Tools: Monitor network connections and generate logs, alerts, and reports to help administrators identify and respond to security incidents.
* Integration Interfaces: Enable NAC solutions to work with existing network infrastructure and security systems.

Types of NAC: There are two primary types of NAC:
* Pre-admission NAC: Evaluates access attempts before granting access to the network. It ensures that only authorized and compliant devices and users are allowed to enter the network.
* Post-admission NAC: Applies after a device has already been granted network access. It re-authenticates users trying to access different parts of the network and restricts lateral movement to limit potential damage from cyber attacks.

11
Q

What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data?

  • An objectives‐based assessment
  • A compliance‐based assessment
  • A black‐team assessment
  • A red‐team assessment
A

An objectives‐based assessment

An objectives‐based assessment specifically targets goals like gaining access to specific systems or data. A compliance‐based assessment is conducted as part of compliance efforts and will focus on whether systems are properly secured or meet standards. A red‐team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all the vulnerabilities and flaws that they can find. Black‐team assessments are not a commonly used penetration testing term.

12
Q

Red-Team Assessment

A

A red team assessment is a comprehensive and advanced type of security evaluation designed to test an organization’s cybersecurity defenses by simulating real-world attack scenarios. Here are the key aspects of a red team assessment:

Objectives
* The primary goal of a red team assessment is to mimic the tactics, techniques, and procedures (TTPs) of real-world attackers to evaluate an organization’s security posture and identify potential vulnerabilities.
* The assessment aims to achieve specific objectives, such as gaining access to sensitive data, compromising critical network components, or deploying malware, all while simulating the actions of advanced persistent threats or insider attacks.

Methodology
* Red team assessments involve highly skilled and specialized professionals known as “red teamers” who have extensive experience in ethical hacking, penetration testing, and simulating real-world cyber threats.
* The process typically includes several phases:

  1. Information Gathering: Red teamers use active reconnaissance and open-source intelligence (OSINT) to gather information about the organization, its staff, facilities, and security controls.
  2. Attack Planning and Execution: The red team plans and executes a simulated attack, using various tactics such as social engineering, phishing, physical access breaches, and exploiting technical vulnerabilities to gain access to the target systems or data.
  3. Privilege Escalation and Persistence: Once access is gained, the red team attempts to escalate privileges and maintain persistence within the environment, simulating how real attackers would operate.
  4. Reporting and Remediation: After the assessment, the red team compiles a detailed report outlining the findings, the steps taken to reproduce the attack, and recommendations for remediation and improving the organization’s security posture.

Scope
* Red team assessments are not limited to technical vulnerabilities; they also test physical security, employee resistance to social engineering, and overall organizational security processes.
* Unlike traditional penetration tests, red team assessments are often more stealthy, can extend over a longer period, and may involve multiple stages to make the attack less obvious.

13
Q

Black-Team Assessment

A

A Black Team assessment, in the context of cybersecurity and physical security, is distinct from the more commonly known Red Team assessments. Here are the key points about Black Team assessments:

Focus on Physical Security
Black Teams are primarily focused on physical security assessments rather than purely technical or network-based attacks. They simulate rogue physical intrusions, targeting the physical aspects of an organization’s security.

Covert Operations
Black Teams operate covertly, often without the knowledge of the organization’s security personnel or other teams. This secrecy is akin to “black ops” in military terminology, where the operations are not attributable to the organization conducting them.

Scope and Methodology
The scope of a Black Team assessment includes physical sites, buildings, and staff. They test the physical security measures in place, such as access controls, surveillance systems, and the overall physical defenses of the organization. This can involve attempts to gain unauthorized access to facilities, tamper with physical security devices, or compromise staff through social engineering tactics.

Combination with Red Teams
In some cases, Black Teams can work in conjunction with Red Teams to create a more comprehensive and realistic attack scenario. For example, a Red Team might gain network access, which then facilitates the Black Team’s physical intrusion by disabling security cameras or unlocking doors.

Objectives
The primary objective of a Black Team assessment is to identify vulnerabilities in the physical security of an organization and to test the effectiveness of its physical security controls and response mechanisms.

14
Q

During an on‐site penetration test, what scoping element is critical for wireless assessments when working in shared buildings?

  • Encryption type
  • Wireless frequency
  • SSIDs
  • Preshared keys
A

SSIDs

Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal repercussions for a careless penetration tester!

15
Q

During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred?

  • Malfeasance
  • Known environment testing
  • Scope creep
  • Target contraction
A

Scope creep

Scope creep occurs when additional items are added to the scope of an assessment. Chris has gone beyond the scope of the initial assessment agreement. This can be expensive for clients or may cost Chris income if the additional time and effort is not accounted for in an addendum to his existing contract.

16
Q

Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting?

  • An objectives‐based assessment
  • A red‐team assessment
  • A black‐team assessment
  • A compliance‐based assessment
A

A compliance‐based assessment

The PCI DSS standard is an industry standard for compliance for credit card processing organizations. Thus, Lucas is conducting a compliance‐based assessment.

17
Q

The company that Ian is performing a penetration test for uses a wired network for their secure systems and does not connect it to their wireless network. What environmental consideration should Ian note if he is conducting a partial knowledge penetration test?

  • He needs to know the IP ranges in use for the secure network.
  • He needs to know the SSIDs of any wireless networks.
  • Physical access to the network may be required.
  • Physical access to a nearby building may be required.
A

Physical access to the network may be required.

Access to a wired network can require physical access, which could be provided as part of a partial knowledge penetration test. In an unknown environment test, Ian might have to identify a way to compromise a system connected to the network remotely or to gain physical access to the building where the systems are. Knowing the IP ranges or the SSIDs of wireless networks is not required for this type of test. IP ranges can be determined once he is connected, and the test specifically notes that wired networks are not connected.

18
Q

Charles has completed the scoping exercise for his penetration test and has signed the agreement with his client. Whose signature should be expected as the counter signature?

  • The information security officer
  • The project sponsor
  • The proper signing authority
  • An administrative assistant
A

The proper signing authority

While the ISO or the sponsor may be the proper signing authority, it is important that Charles verify that the person who signs actually is the organization’s proper signing authority. That means this person must have the authority to commit the organization to a penetration test. Unfortunately, it isn’t a legal term, so Charles may have to do some homework with his project sponsor to ensure that this happens correctly.

19
Q

Elaine wants to ensure that the limitations of her red‐team penetration test are fully explained. Which of the following are valid disclaimers for her agreement? (Choose two.)

  • Risk tolerance
  • Point‐in‐time
  • Comprehensiveness
  • Impact tolerance
A
  • Point‐in‐time
  • Comprehensiveness

Both the comprehensiveness of the test and the limitation that it is only relevant at the point in time it is conducted are appropriate disclaimers for Elaine to include. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

20
Q

Jen wants to conduct a penetration test and includes mobile application testing. Which standard or methodology is most likely to be useful for her efforts?

  • NIST
  • OWASP
  • KALI
  • ISSAF
A

OWASP

The Open Web Application Standards Project provides mobile application testing guidelines as part of their documentation, making it the best option on this list for Jen. NIST provides high‐level guidance about what tests should include, KALI is a security‐focused Linux distribution, and ISSAF is a dated penetration testing standard.

21
Q

What type of assessment most closely simulates an actual attacker’s efforts?

  • A red‐team assessment with a zero knowledge strategy
  • A goals‐based assessment with a full knowledge strategy
  • A red‐team assessment with a full knowledge strategy
  • A compliance‐based assessment with a zero knowledge strategy
A

A red‐team assessment with a zero knowledge strategy

A red‐team assessment with zero knowledge will attempt a penetration test as though they were actual attackers who do not have prior or insider knowledge of the organization. Full knowledge assessments provide more knowledge than attackers can be expected to have, and goals‐based assessments target specific systems or elements of an organization rather than the broader potential attack surface that actual attackers may target.