CompTIA Pentest+ Chapter 1 Questions Flashcards
Select the stakeholders that are typically involved in a pentest engagement (Choose two).
A.Users
B.Executive management
C.Pentesters
D.Human Resources
B.Executive management
C.Pentesters
Explanation:
During a pentest there are many stakeholders that might be interested in the findings and success of the engagement.
Typically, this group is made up of executive management, the contracting or legal department, security personnel, the IT department, and the pentesters.
The impact analysis is a key aspect of requirements management and the formal approach to assessing the pros and cons of pursuing a course of action.
Select two areas of concern that help support a pentest engagement activity.
A.Organizational budget
B.Target selection
C.Technical constraints
D.FISMA
A.Organizational budget
C.Technical constraints
An organization is defining the scope of a pentest and would like to see the vulnerabilities from both outside and inside of the network.
They are willing to share some information with the service vendor who will conduct the pentest, but would like to see how much information a vendor can discover on their own in a given time frame.
Which type of methodology would be best suited for this organization to use in order to accomplish this objective?
A.White box testing
B.Gray box testing
C.Black box testing
D.Red team testing
B.Gray box testing
During the threat modeling process, the organization finds that they are mostly concerned about a persistent group of actors with sophisticated abilities.
Which type of threat actor is this organization mostly concerned with?
A.Pentester
B.Hacktivist
C.Insider Threat
D.APT
D.APT
Use the following scenario to answer the next two questions.
A security group is quantifying the risk associated with a certain threat in the organization.
The probability of the threat is 6 and the potential damage is 5.
Using the proper formula to rate the risk of a threat, what is the risk level for this type of threat?
A.11
B.33
C.30
D.45
C.30
This risk is likely to be prioritized as \_\_\_\_\_ priority.
A.Medium
B.Low
C.High
D.Urgent
B.Low
Custom systems hosted in third-party environments, such as those offered through a cloud service provider (CSP), may require additional approvals for pentesting.
Which testing document might reflect this approval?
A.SOW
B.RoE
C.MSA
D.Scope
B.RoE
Explanation:
Cloud service providers like AWS require prior authorization to conduct a pentest in their third-party environment.
This approval will most likely be found in the RoE, which defines the constraints regarding the execution of the pentest.
Whitelisting and blacklisting are access control mechanisms that can be implemented in all of the following except \_\_\_\_\_\_\_.
A.Network firewalls
B.Application firewalls
C.SSIDs
D.Spam Filters
E.Virus scanning software
C.SSIDs
Explanation:
Service set identifiers (SSIDs) are names given to uniquely identify a wireless network; an SSID itself cannot implement either whitelisting or blacklisting.
A master service agreement (MSA) is an over-arching contract that can include a statement of work that describes specific project work activities.
In which section of the SOW will you find the project work activities?
A.Scope of work
B.Deliverables schedule
C.Special requirements
D.Acceptance criteria
A.Scope of work
Explanation:
The scope of work identifies the work activities related to the project.
Written authorization that gives the pentest team the authority to proceed with an engagement can be found in which document?
A.MSA
B.RoE
C.SOW
D.MBA
B.RoE
Explanation:
The rules of engagement document can be found in the SOW or can be a separate article.
This document outlines the provisions for the engagement and how the execution of the pentest may proceed.
After receiving written authorization in the RoE, the pentest team may proceed with the authority to test.