CompTIA PenTest+ Certification Practice Exam Chapter 1 (Total Sem Online Material) Flashcards
You are asked to perform penetration testing of a web application from the perspective of an insider threat as both an end user and an application administrator. What is the minimum level of access to environment assets required? A.Privileged-level access B.User-level access C.Restricted access D.Limited access
A.Privileged-level access
Explanation:
Because the client has requested testing of the web application in question from both the user and administrator contexts, the best-fit answer in this case is privileged-level access because a valid account will be required for scans of the application in the context of an administrative user.
B, C, and D are incorrect.
B is incorrect because user-level access will not meet the client’s specific request for testing as both a user and an administrator because end users are generally not granted administrative rights.
C is incorrect because restricted access is a nonsense term here, as it seems related to the topic at hand without being a relevant term in the context of the question.
D is incorrect because limited access provides nothing to the tester beyond initial connectivity to the target in question; because the client requires testing in the context of both a user and an administrator, this cannot be correct.
Of the following options, which would the best indicator that a client has requested a red team penetration test?
A.The client is a private aerospace company. B.The client has requested an assessment with a longer-than-typical duration conducted in a manner consistent with a nation-state-backed threat. C.The client requires all penetration testers to be U.S. citizens. D.The client has requested that testing take place outside of standard business hours.
B.The client has requested an assessment with a longer-than-typical duration conducted in a manner consistent with a nation-state-backed threat.
Explanation:
The request for an assessment that lasts longer than is typical and is to be conducted in a manner consistent with an attack from a nation-state-backed threat actor indicates that the client has requested a red team assessment.
A, C, and D are incorrect. A is incorrect because the client’s status as a major aerospace corporation has no bearing on the type of assessment they require in a vacuum of further information.
C is incorrect because the requirement that all penetration testers be U.S. citizens is expected when compliance with export control regulations is a factor in the assessment.
D is incorrect because the request that testing take place outside of standard business hours has no impact on the requirement to emulate the tactics and techniques of a nation-state-level threat.
Which stage of threat modeling consists of matching up known threats, threat actors, and vulnerabilities to the relevant parts of an organization’s architecture, according to Microsoft’s published guidance on threat modeling?
A.Document the threats
B.Identify threats
C.Architecture overview
D.Decompose the application
A.Document the threats
Explanation:
The definition provided best describes the fifth step of Microsoft’s threat modeling process—the documentation of threats. This step consists of matching threats, threat actors, and vulnerabilities to possible targets within the organization’s own architecture.
B, C, and D are incorrect. B is incorrect because identifying threats is the fourth step in Microsoft’s threat modeling process and is marked by the categorization of external and internal threats to an organization. The determination of where threats are found, how they can be exploited, and the identification of agents capable of exploiting them are crucial steps that can greatly aid the process of bolstering an organization’s defense posture. C is incorrect because an architecture overview is the second step in the process and is defined by a granular analysis of the various technologies in use in an organization’s architecture as well as the method by which they are implemented. Architecture overview is a critical step in threat modeling, as it makes the identification of threats much more manageable later in the process. D is incorrect because decomposing the application is the third step and consists of a granular breakdown and analysis of the technologies used by an organization, marked by scrutiny of entry points (such as network ports or protocols) and trust boundaries between interconnected systems. The goal in this step is to develop a security profile that categorizes areas of the architecture that may be susceptible to a general type of vulnerability. Refer to Microsoft’s guidance on improving web application security at https://msdn.microsoft.com/en-us/library/ff648644.aspx for further details on their threat modeling process.
This document plainly states the guidelines and constraints to be observed during the execution of a penetration test, and it clearly lays out what systems are and are not authorized for testing. It may be delivered as part of the SOW or as its own separate document. A.Master service agreement (MSA) B.Nondisclosure agreement (NDA) C.Statement of work (SOW) D.Rules of engagement (ROE)
D.Rules of engagement (ROE)
Explanation:
The rules of engagement are the concrete guidelines and limitations to be observed during the execution of a penetration test. One of the most critical components of a properly defined ROE are explicit declarations of what is or is not authorized for testing; these declarations may be by explicit hostname, network or subnet range, or could possibly change during the period of an engagement, depending on the level of access gained by the penetration testing team.
A, B, and C are incorrect. A is incorrect because a master service agreement is a contract between two or more parties that lays out the granular details of future transactions and agreements. This typically addresses conditions such as (but not limited to) payment terms and scheduling, intellectual property ownership, and allocation of risk. B is incorrect because a nondisclosure agreement is a confidentiality agreement that serves to protect the competitive advantage of a business by ensuring the security of its proprietary information and intellectual property. C is incorrect because the statement of work is a provision found in an MSA that outlines the project-specific work to be executed by a service vendor for an organization. It typically addresses details such as (but not limited to) the purpose of the project, its scope of work, and the period of performance.
Which of the following is not commonly regulated with a standard baseline requirement in a framework such as HIPAA or FISMA? A.Key management B.Confidentiality C.Password complexity D.Data isolation
B.Confidentiality
Explanation:
Although confidentiality is a key driver of information security practices as part of the CIA triad (that is, confidentiality, integrity, and availability), it is not a specific security practice with a minimum baseline prescribed by regulatory frameworks. Rather, confidentiality is one of the results of properly implemented baseline security measures such as those required by HIPAA or FISMA.
A, C, and D are incorrect. Key management, password complexity, and data isolation are all components of regulatory frameworks with standard baseline requirements and are therefore incorrect answers.
You have been contracted for a penetration test by a major online retailer. The client requires a third-party security assessment to provide confirmation that they are adhering to PCI DSS guidelines. What type of penetration test has been requested by this client?
A.Compliance-based
B.Red box
C.Goals-based
D.Red team
A.Compliance-based
Explanation:
An online retailer requiring confirmation of adherence to PCI DSS guidelines requires a compliance-based penetration test.
B, C, and D are incorrect. B is incorrect because red box is a term intentionally designed to mislead; this answer is a nonsense term, derived from the black/white/gray box terms used to define penetration test methodologies. Be careful with answers such as this one. C is incorrect because a goals-based assessment is more strategic in nature and focuses on the penetration tester(s) working to achieve a specific desired outcome. D is incorrect because a red team assessment is one in which the penetration tester(s) attempt to emulate a real-world attack on a target environment. This is typically accomplished through the use of tactics, techniques, and procedures known to be employed by advanced persistent threats, or APTs.
Which of the following are advantages of first-party hosting in a penetration test? (Choose two.)
A.Ease of monitoring penetration test activities
B.Ease of access to target systems
C.No requirement for third-party authorization
D.No requirement to adhere to third-party acceptable use policies
C.No requirement for third-party authorization
D.No requirement to adhere to third-party acceptable use policies
Explanation:
C and D are correct because when everything is contained in first-party facilities and on first-party hardware, a penetration tester needs neither third-party authorization nor to adhere to a third-party acceptable use policy when conducting a penetration test.
A and B are incorrect. A is incorrect because the ability to track the activities of a penetration tester is going to be dependent on an organization’s security posture and the personnel it has assigned to defending its networks (the blue team) or facilities (security personnel). B is incorrect because the ease of access to target systems is dependent on the robustness of a target network or system as well as the access mechanism granted to the penetration tester to conduct their penetration test, such as a VPN connection or SSH entry point.
Which of the following items are typically addressed in a statement of work? (Choose two.) A.Intellectual property rights B.Deliverables schedule C.Period of performance D.Product warranties
B.Deliverables schedule
C.Period of performance
Explanation:
A deliverables schedule and period of performance are items typically defined in a statement of work, or SOW. Other items typically detailed in an SOW include (but are not limited to) any applicable industry standards, payment scheduling (likely derived from the overarching MSA), and other special requirements such as travel or required certifications and clearances.
A and D are incorrect because intellectual property rights and product warranties are typically defined in a master service agreement (MSA). Other items detailed in an MSA include (but are not limited to) payment terms and scheduling, dispute resolution practices, and allocation of risk.
A request from a client that you “take a look” at some additional server configurations after the terms of the penetration test have already been laid out in a contract is an example of what? A.Compliance-based testing B.Threat modeling C.Scope creep D.Target selection
C.Scope creep
Explanation:
Scope creep is the addition to or modification of an agreed-upon, contracted target scope within an SOW. Scope creep can seem innocuous or even flattering—“Wow, they want me to do more work for them!”—but you must bear in mind that as a penetration tester, you are providing a service. Bakers do not make extra cupcakes for customers simply because they’re asked nicely—they expect to be paid for the goods and services they provide. Similarly, a penetration tester should expect compensation for the service they provide an organization. If asked to provide a service beyond that agreed upon in the MSA or SOW, feel free to request further compensation to do so, or decline the request.
A, B, and D are incorrect. A is incorrect because compliance-based testing gauges an organization’s implementation and adherence to a given set of security standards—that is, a regulatory compliance framework—defined for a given environment. Examples of such regulatory compliance frameworks include Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), and Federal Information Security Management Act (FISMA). B is incorrect because threat modeling is the process by which risks associated with an organization’s information systems are identified, quantified, and addressed. D is incorrect because target selection is a process performed during the scoping phase of an engagement; it Is how the hosts, systems, and networks subject to a penetration test are identified and defined.
You have been contracted for a penetration test, and the client has requested that you focus on attempting to gain system-level access to their domain controllers. What type of penetration test has been requested? A.Compliance-based B.Red team C.Red box D.Goals-based
D.Goals-based
Explanation:
The client in this scenario has requested a goals-based penetration test; this is known from the specific request that you, the penetration tester, work to obtain system-level access to the environment’s domain controllers.
A, B, and C are incorrect. A is incorrect because a compliance-based test is marked by a requirement for adherence to a specific regulatory framework. Because no such framework has been addressed or hinted at in this scenario, this option may be ruled out. B is incorrect because a red team assessment is generally conducted in a manner consistent with the real-world operation of an advanced persistent threat, or APT. Additionally, it is marked by a longer duration than other types of assessment, and potentially imposes much greater risk and expense to an organization. C is incorrect because red box testing is a nonsense term designed to intentionally mislead; this incorrect answer plays on the black/gray/white box terms used to define methodology. Close reading of the questions will assist you in weeding out incorrect answers such as this one.
While developing an SOW with a client in the United States, you are informed that any penetration testers who will be engaging in testing activity on a specific range of subnets are required by law to be U.S. citizens. Which of the following is the most likely reason for this limitation?
A.Export control restriction
B.Company policy
C.Recent network-based attacks from outside of the United States
D.Local government regulation
A.Export control restriction
Explanation:
Export controls in the United States regulate and restrict the release of information deemed critical to foreign policy or national security to non-U.S. citizens. This information could be nearly anything: software, manufactured products, performed services, and other technologies are possible candidates for export control. In the given example, it would be reasonable to conclude that the subnet in question houses or passes data that is subject to export control restriction.
B, C, and D are incorrect. B is incorrect because company policies are unlikely to result in an arbitrary limitation on a service provider’s nationality; while there are varying degrees of conscientiousness demonstrated by the leadership of different companies, all are ultimately concerned with their financial bottom line at the end of the day. A company’s policy is therefore unlikely to be concerned with something as arbitrary as an employee or contractor’s nationality over their ability to perform the work required. C is incorrect because network attack attempts are a concern regardless of their nation of origin, and so would not necessitate an arbitrary restriction on an employee or contractor’s nationality. D is incorrect because local government regulations are often legitimate concerns but would not be applicable when discussing nationality requirements; that necessarily implies a national-level regulation.
What is the function of an organization’s legal department in relation to a penetration test?
A.Ensuring that legal and contractual commitments are upheld by all parties involved in the penetration test
B.Identifying weaknesses within the security support structure of an organization and simulating attacks applicable to the organization’s threat profile
C.Conducting the penetration test within confinements of the ROE and other contractual documents
D.Providing accounts and access to organizational systems as required for the assessment
A.Ensuring that legal and contractual commitments are upheld by all parties involved in the penetration test
Explanation:
Of the options listed, an organization’s legal department would be expected to ensure adherence to legal and contractual obligations by all parties involved in the engagement. The legal team may also have a role to play in providing written authorization for the penetration test, depending on the organization.
B, C, and D are incorrect. B is incorrect because identifying security weaknesses would be the responsibility of both organizational security personnel and the IT department. C is incorrect because executing a penetration test is the purview of the penetration tester(s). D is incorrect because the provisioning of accounts and access required for the execution of the penetration test would be managed by the organization’s IT department.
You have been contracted for a penetration test by a private aerospace corporation. The client has requested that you begin your assessment of their environment with no information that cannot be obtained via open source methods beyond a list of in-scope networks and subnets. What testing methodology is most likely desired by this client? A.Black box B.White box C.Gray box D.Red team
A.Black box
Explanation:
The client desires black box testing in this case, as they have requested that you, the penetration tester, begin with little to no knowledge about the environment in question, beyond that which is obtainable through open source intelligence sources and a list of in-scope networks and subnets.
B, C, and D are incorrect. B is incorrect because white box testing is marked by the tester beginning with a significantly high volume of information about the environment. C is incorrect because gray box testing occupies a middle ground between black box and white box testing; because the client has requested that you have no information that cannot be publicly obtained, gray box testing may be ruled out as well. D is incorrect because red team testing is a type of test, rather than a testing methodology, and is therefore an incorrect answer. Close reading of the questions will greatly aid you in your efforts to weed out incorrect answers such as this one.
The last step in threat modeling (per Microsoft’s threat modeling process) is:
A.Document the threats B.Identify assets C.Rate the threats D.Architecture overview
C.Rate the threats
Explanation:
Rating the threats is the last step in Microsoft’s threat modeling framework. Rating threats is often very subjective to the client and the type of environment, but threats are usually assigned a general threat value, such as high, medium, or low. This may be accompanied by a numeric value derived from a simple formula, such as Risk = (Probability) * (Damage Potential).
A, B, and D are incorrect. A is incorrect because documenting threats is the fifth step in Microsoft’s threat modeling framework, and it consists of matching threats, threat actors, and vulnerabilities to possible targets within the organization’s own architecture. B is incorrect because identifying assets is the first step, consisting of the definition of any organizational assets that are important to the successful execution of business functions or practices. D is incorrect because an architecture overview is the second step, and it is defined by a granular analysis of the various technologies in use in an organization’s architecture as well as the method by which they are implemented. Architecture overview is a critical step in threat modeling, as it makes the identification of threats much more manageable later in the process.
Which contractual document would detail acceptable times for testing activity for penetration testers?
A.Written authorization letter B.Master service agreement C.Rules of engagement D.Nondisclosure agreement
C.Rules of engagement
Explanation:
Of the given options, acceptable times for testing activities would be detailed in the rules of engagement (ROE) document.
A, B, and D are incorrect. A is incorrect because a written authorization letter is a document typically (but not always) provided as part of the ROE for a penetration test, explicitly stating the client organization’s authorization of the assessment to be conducted. This document is a mission-critical piece of legal protection for a penetration tester; without it, one could theoretically be exposed to laws that criminalize the unauthorized access of computer systems—for example, the Computer Fraud and Abuse Act (CFAA) in the United States. B is incorrect because the master service agreement (MSA) is a contract between two or more parties that lays out the granular details of future transactions and agreements such as (but not limited to) payment terms and scheduling, intellectual property ownership, and allocation of risk. D is incorrect because a nondisclosure agreement (NDA) is a confidentiality agreement that protects the proprietary information and intellectual property of a business.