CompTIA Pentest+ Chapter 12 Questions Flashcards

1
Q
While drafting the pentest report, your team asked for your input on what topics should be included in the executive summary. Your team has identified a few of those topics. Which of the following topics should not be in the executive summary? (Select two.)
A. Timeline
B. Technical details
C. References
D. Methodology
E. Observations
A

B. Technical details
C. References

Explanation:
The executive summary provides high-level details concerning the pentest and the findings. Typically, only high-level or critical findings are discussed in this section, with technical details kept to a minimum and included only where the audience needs them to understand the problems. References are used to point to other areas of research and accompany the findings; they are not included in the executive summary.

2
Q
The methodology covers testing activities documented in the __________.
A. MSA
B. NDA
C. SOW
D. None of the above
A

C. SOW

Explanation:
The SOW is the statement of work, which identifies the scope of work and testing activities to be completed during the pentest. The MSA is the master service agreement that addresses high-level requirements for a contract. The NDA is a nondisclosure agreement that protects a business's competitive advantage by protecting its proprietary information and intellectual property.

3
Q
The five Ws formula is an effective writing strategy that can help a customer comprehend how a finding transpired. Which one of the following is not one of the five Ws?
A. Why
B. Who
C. When
D. What
E. Were
F. None of the above
A

E. Were

Explanation:
The five Ws consist of What, When, Why, Where, and Who. Were is not one of the five Ws. However, Where is one of the five Ws and describes where the event or testing activity took place.

4
Q
A risk rating helps organizations prioritize remediation efforts and can be determined using the threat modeling formula. Which formula can be used to assess the risk of a potential finding?
A. Probability * Risk = Damage Potential
B. Risk = Probability * Damage Potential
C. Probability = Risk * Damage Potential
D. Damage Potential * Risk = Probability
A

B. Risk = Probability * Damage Potential

Explanation:
The correct threat modeling formula, which takes probability and damage potential into consideration under the given environmental conditions, is: Risk = Probability * Damage Potential

5
Q
What effective methods can ensure the secure delivery of the customer's pentest? (Select two.)
A. Encrypted file
B. Encrypted file system
C. Email
D. Encrypted email
A

A. Encrypted file
D. Encrypted email

Explanation:
The delivery method for the report should be agreed to by all parties identified in the RoE. The delivery method may include encrypting the report and using a secure transport mechanism like encrypted email to deliver it.

6
Q
Which command would you type in the Metasploit console to kill all active sessions with remote targets?
A. sessions -k
B. sessions -K
C. kill -9
D. kill sessions
A

B. sessions -K

Explanation:
Metasploit modules follow a fairly consistent practice of removing anything they added to the disk that was not already there. This makes cleanup a little easier and provides some level of assurance when you execute sessions -K to kill all sessions through the Metasploit console.

7
Q
The pentest team has come to you and asked what they should do with the remaining draft copies of the report. Which document would you suggest the team reference for proper report handling instructions?
A. SOW
B. RoE
C. SLA
D. MSA
A

B. RoE

Explanation:
Once the customer has confirmed successful delivery and extraction of the report, the pentest team should consider storing a single digital copy of the report in an encrypted vault to prevent unauthorized disclosure. All remaining digital or written copies of the report should be marked for proper disposal and deletion, based on the agreed-upon methods outlined in the RoE.

8
Q
During the pentest, the customer calls to ask if your team was responsible for bringing down the external-facing web server. You consult with your team, and during the time the web server was shut down, the team was working on internal testing of another segment of the network. You respond to the customer with detailed notes and times of when and where the testing was occurring during the web server outage. The customer just found out that one of the developers on his team accidentally rebooted the production web server instead of the development web server. This process is known as __________.
A. De-escalation
B. Communication path
C. Deconfliction
D. Situational awareness
A

C. Deconfliction

Explanation:
Communication with the customer makes it possible to deconflict schedules and resolve discrepancies around system outages. Without it, the pentester may become the scapegoat when things start breaking or failing in the network, even when the actual cause is another administrator rebooting a host or making undocumented changes to the system.
