CompTIA PenTest+ Practice Test Chapter 1 Planning and Scoping (Sybex: Panek, Crystal, Tracy) Flashcards

1
Q

You have been asked to perform a penetration test for a medium-sized organization that sells after-market motorcycle parts online. What is the first task you should complete?

A.Research the organization’s product offerings.
B.Determine the budget available for the test.
C.Identify the scope of the test.
D.Gain authorization to perform the test.

A

C.Identify the scope of the test.

Explanation:
The first step in the penetration testing process is to work with the client to clearly define the scope of the test. The scope determines what penetration testers will do and how their time will be spent. Researching the organization’s products is a task that will probably be done after the scope of work has been defined. Determining the budget and gaining authorization are subtasks that are usually completed as a part of the overall scoping process.

2
Q
A consultant has been hired to perform a penetration test for an organization. The target of the test is the organization’s proprietary design documents. The aim is to circumvent security measures and gain unauthorized access to these documents. What type of assessment is being conducted in this scenario? 
A.Objective-based assessment 
B.Goal-based assessment
C.Compliance-based assessment 
D.Red team assessment
A

D.Red team assessment

Explanation:
Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goal-based or objective-based assessments are usually designed to assess the overall security of an organization.
Compliance-based assessments are designed to test compliance with specific laws.

3
Q

A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The aim is to circumvent security measures and gain unauthorized access to this information. What type of assessment is being conducted in this scenario?

A.Objective-based assessment
B.Gray box assessment
C.Compliance-based assessment
D.White box assessment

A

C.Compliance-based assessment

Explanation:
Because patient records are protected by the HIPAA law in the United States, this is an example of a compliance assessment.
Compliance-based assessments are designed to test compliance with specific laws. Objective-based assessments are usually designed to assess the overall security of an organization.
Gray box and white box assessments identify the level of knowledge the attacker has of the organization.

4
Q

A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The penetration tester has been given full knowledge of the organization’s underlying network. What type of test is being conducted in this example?

A.Goal-based assessment
B.Black box assessment
C.Objective-based assessment
D.White box assessment

A

D.White box assessment

Explanation:
A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.

5
Q

In which type of penetration test does the tester have a limited amount of information about the target environment but is not granted full access?

A.Gray box assessment
B.Black box assessment
C.Compliance-based assessment
D.White box assessment

A

A.Gray box assessment

Explanation:
A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A white box test is performed with full knowledge of the underlying network. In a black box test, the testers are not provided with access to or information about the target environment. Compliance-based assessments are designed to test compliance with specific laws.

6
Q

Which type of penetration test best replicates the perspective of a real-world attacker?

A.Gray box assessment
B.Black box assessment
C.Objective-based assessment
D.White box assessment

A

B.Black box assessment

Explanation:
Black box tests are sometimes called zero knowledge tests because they replicate what a typical external attacker would encounter. Testers are not provided with any access or information. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.

7
Q

A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s HR database application. The tester has been given a desk, a computer connected to the organization’s network, and a network diagram. However, the tester has not been given any authentication credentials.
What type of test is being conducted in this scenario?

A.Compliance-based assessment
B.Black box assessment
C.Gray box assessment
D.White box assessment

A

C.Gray box assessment

Explanation:
A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. Compliance-based assessments are designed to test compliance with specific laws. In a black box test, the testers are not provided with access to or information about the target environment. A white box test is performed with full knowledge of the underlying network.

8
Q

A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s e-commerce website. The tester, located in a different city, will utilize several different penetration testing tools to analyze the site and attack it. The tester does not have any information about the site or any authentication credentials.
What type of test is being conducted in this scenario?

A.White box assessment
B.Black box assessment
C.Objective-based assessment
D.Gray box assessment

A

B.Black box assessment

Explanation:
In a black box test, testers are not provided with any access to or information about the target. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.

9
Q

A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s internal firewalls. The tester has been given a desk, a computer connected to the organization’s network, and a network diagram. The tester has also been given authentication credentials with a fairly high level of access. What type of test is being conducted in this scenario?

A.Gray box assessment
B.Black box assessment
C.Goals-based assessment
D.White box assessment

A

D.White box assessment

Explanation:
A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. A gray box test may provide some information about the environment to the penetration testers without giving full access. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.

10
Q

Which type of penetration test best focuses the tester’s time and efforts while still providing an approximate view of what a real attacker would see?

A.Gray box assessment
B.Black box assessment
C.Goals-based assessment
D.White box assessment

A

A.Gray box assessment

Explanation:
A gray box test is a blend of black box and white box testing. A gray box test usually provides limited information about the target to the penetration testers but does not provide full access, credentials, or configuration information. A gray box test can help focus penetration testers’ time and effort while also providing a more accurate view of what an attacker would actually encounter. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization. A white box test is performed with full knowledge of the underlying network.

11
Q

An attacker downloads the Low Orbit Ion Cannon from the Internet and then uses it to conduct a denial-of-service attack against a former employer’s website. What kind of attacker is this?

A.Script kiddie
B.Hacktivist
C.Organized crime
D.Nation-state

A

A.Script kiddie

Explanation:
A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated. Organized crime actors are usually a highly organized group of cybercriminals whose main goal is to make a lot of money. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.

12
Q

An attacker carries out an attack against a government contractor in a neighboring country, with the goal of gaining access through the contractor to the rival country’s governmental network infrastructure. The government of the attacker’s own country is directing and funding the attack.
What type of threat actor is this?

A.Script kiddie
B.Hacktivist
C.Organized crime
D.Nation-state

A

D.Nation-state

Explanation:
A state-sponsored attacker usually operates under the direction of a government agency. The attacks are usually aimed at government contractors or even the government systems themselves. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.

13
Q

A group of hackers located in a former Soviet-bloc nation have banded together and released a ransomware app on the Internet. Their goal is to extort money in the form of crypto currency from their victims.
What kind of attacker is this?

A.Malicious insider
B.Hacktivist
C.Organized crime
D.Nation-state

A

C.Organized crime

Explanation:
An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last a long time, are very well-funded, and are usually quite sophisticated. A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A hacktivist’s attacks are usually politically motivated. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.

14
Q

An attacker who is a passionate advocate for brine shrimp attacks and defaces the website of a company that harvests brine shrimp and sells them as fish food.
What type of attacker is this?

A.Script kiddie
B.Hacktivist
C.Organized crime
D.Nation-state

A

B.Hacktivist

Explanation:
A hacktivist’s attacks are usually politically motivated, instead of financially motivated. Typically, they want to expose perceived corruption or gain attention for their cause. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.

15
Q

An employee has just received a very negative performance review from his manager. The employee feels the review was biased and the poor rating unjustified. In retaliation, the employee accesses confidential employee compensation information from an HR database server and posts it anonymously on Glassdoor.
What kind of attacker is this?

A.Script kiddie
B.Hacktivist
C.Organized crime
D.Malicious insider

A

D.Malicious insider

Explanation:
A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated, instead of financially motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.

16
Q

Which of the following attackers are most likely to be able to carry out an advanced persistent threat (APT)? (Choose two.)

A.Malicious insider 
B.Script kiddie 
C.Hacktivist 
D.Organized crime 
E.Nation-state
A

D.Organized crime
E.Nation-state

Explanation:
An advanced persistent threat (APT) is a prolonged targeted attack in which the attacker gains access to a network and remains there undetected for an extended period of time. As such, only an organized crime or nation-state actor is likely to have the level of sophistication and the funds required to carry out such an attack. Script kiddies, hacktivists, and malicious insiders usually lack the technical expertise and/or the funds necessary to carry out an APT.

17
Q

Which of the following entities are most likely to become the target of an advanced persistent threat (APT)? (Choose two.)

A.A government contractor 
B.A website offering lessons on search engine optimization (SEO) 
C.A multinational bank 
D.A dental practice 
E.A community college
A

A.A government contractor
C.A multinational bank

Explanation:
Advanced persistent threats (APTs) are typically aimed at high-value targets, such as governments, defense contractors, multinational organizations, and financial organizations. Online learning websites, dental practices, and even community colleges are typically not valuable enough as targets to warrant an APT.

18
Q

Which threat actor is most likely to be motivated by a political cause?

A.Malicious insider
B.Hacktivist
C.Organized crime
D.Script kiddie

A

B.Hacktivist

Explanation:
A hacktivist’s attacks are usually politically motivated, instead of financially motivated. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A script kiddie may have a variety of motivations, such as notoriety.

19
Q

Which threat actor is most likely to be motivated by a desire to gain attention?

A.Malicious insider
B.Script kiddie
C.Organized crime
D.Nation-state

A

B.Script kiddie

Explanation:
A script kiddie may have a variety of motivations. One of the most common is attention. They frequently brag about their exploits in online forums and social media. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A nation-state is most likely motivated by political or military goals.

20
Q

Which type of penetration test usually provides the most thorough assessment in the least amount of time?

A.Gray box assessment
B.Black box assessment
C.Goals-based assessment
D.White box assessment

A

D.White box assessment

Explanation:
Because a white box assessment provides the penetration testers with extensive information about the target, it usually provides the most thorough assessment and typically requires the least amount of time to conduct. A gray box test is a blend of black box and white box testing. As such, it takes longer to conduct because more information must be discovered by the

21
Q

You are performing research that will be used to define the scope of a penetration test that your company will perform for a client. What information must be included in your research? (Choose two.)

A.Why is the test being performed?
B.When was the last time a test was performed?
C.What were the results of the last test performed?
D.To whom should invoices be sent?
E.Who is the target audience for the test?

A

A.Why is the test being performed?
E.Who is the target audience for the test?

Explanation:
The scope document must specify, among other things, why the test is being performed and who the target audience is. The other options listed in this question may be included if necessary, but they are not required.

22
Q

You are documenting the rules of engagement (ROE) for an upcoming penetration test.
Which elements must be included? (Choose two.)

A. A timeline for the engagement
B. A review of laws that specifically govern the target
C.A list of similar organizations that you have assessed in the past
D.A list of the target’s competitors
E.A detailed map of the target’s network

A

A. A timeline for the engagement
B. A review of laws that specifically govern the target

Explanation:
The rules of engagement (ROE) should always include the timeline for the engagement as well as a review of any laws that specifically govern the target to ensure you don’t break them. A list of other organizations that you have tested in the past or a list of the target organization’s competitors is unlikely to be specified in the rules of engagement. A detailed map of the target’s network will probably not be included in a black or gray box test.

23
Q

You are documenting the rules of engagement (ROE) for an upcoming penetration test.
Which elements should you make sure to include? (Choose two.)

A.Detailed billing procedures
B.A list of out-of-scope systems
C.A list of in-scope systems
D.An approved process for notifying the target’s competitors about the engagement
E.Arbitration procedures for resolving disputes between you and the client

A

B.A list of out-of-scope systems
C.A list of in-scope systems

Explanation:
The ROE should identify which locations, systems, applications, or other potential targets are included in or excluded from the test. This should identify any third-party service providers that may be impacted by the test such as ISPs, cloud service providers, or security monitoring services. Billing and arbitration procedures will likely be addressed in the general contract between you and the client, not in the ROE. It is unlikely that the client will want you to notify their competitors that you are testing their security.

24
Q

You are documenting the rules of engagement (ROE) for an upcoming penetration test.
Which elements should be considered? (Choose two.)

A. A list of IP addresses assigned to the systems you will use to conduct the test
B.How you will communicate the results of the test with the target
C.A list of penetration testing tools you will use during the test
D.A list of references from past clients for whom you have conducted penetration tests
E.A list of behaviors that are not allowed on the part of the target during the test

A

B.How you will communicate the results of the test with the target
E.A list of behaviors that are not allowed on the part of the target during the test

Explanation:
The ROE should specify when and how communications will occur between you and the client. Should you provide daily or weekly updates, or will you simply report when the test is complete? The ROE should also specify the behaviors allowed on the part of the target. For example, engaging in defensive behaviors such as shunning or blacklisting could limit the value of the test.

25
Q

You are defining the rules of engagement (ROE) for an upcoming penetration test. During this process, you have defined off-limit times when you should not attack the target, a list of in-scope and out-of-scope systems, and data-handling requirements for the information you gather during the test. You also phoned one of the help-desk technicians at the target site and received verbal permission to conduct the test. You recorded the technician’s name and the date in the ROE document.
What did you do incorrectly in this scenario?

A.For privacy reasons, you should not have identified the internal technician by name in the ROE document.
B.Including “off-limits” times reduces the accuracy of the test.
C.The ROE should include written permission from senior management.
D.All systems should be potential targets during the test.
E.The target should not know how you are storing the information gathered during the test.

A

C.The ROE should include written permission from senior management.

Explanation:
Verbal permission is usually considered insufficient. Before beginning a penetration test, you must obtain a signed agreement from senior management giving you permission to conduct the test. This agreement will function as a “get out of jail free” card should your activities be reported to authorities.
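The in-scope and out-of-scope lists, the off-limits testing windows, and the signed-authorization requirement discussed in the cards above are the kind of ROE terms a tester can enforce in tooling rather than from memory. The following is an added example, not material from the Sybex book or the PenTest+ exam: a pre-flight scope guard that refuses to test a host unless it falls inside an in-scope network, is not carved out by an exclusion, falls outside the client's off-limits window, and a signed authorization is on file. All addresses, the SaaS carve-out, and the 09:00–17:00 peak window are constructed for the illustration (the IP ranges are RFC 5737 documentation blocks).

```python
"""Pre-flight scope guard: check a target against a rules-of-engagement record
before any scanning or exploitation tool is pointed at it.

Constructed example; the ROE values below are illustrative, not from any real engagement.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class RulesOfEngagement:
    in_scope: List[str]                                   # CIDRs or single hosts the client approved
    out_of_scope: List[str] = field(default_factory=list) # carve-outs, e.g. third-party hosted services
    # (start, end) local times when testing is suspended ("timeout" windows from the ROE)
    off_limits_windows: List[Tuple[time, time]] = field(default_factory=list)
    written_authorization: bool = False                   # signed by senior management, not verbal

    def host_in_scope(self, host: str) -> Tuple[bool, str]:
        addr = ip_address(host)
        # Exclusions win over inclusions: a single carved-out host inside an
        # in-scope /24 must never be touched.
        for net in (ip_network(c, strict=False) for c in self.out_of_scope):
            if addr in net:
                return False, f"{host} is explicitly out of scope ({net})"
        for net in (ip_network(c, strict=False) for c in self.in_scope):
            if addr in net:
                return True, f"{host} is in scope ({net})"
        return False, f"{host} is not listed in scope"

    def time_allowed(self, when: datetime) -> Tuple[bool, str]:
        t = when.time()
        for start, end in self.off_limits_windows:
            if start <= end:
                blocked = start <= t < end
            else:  # window wraps midnight, e.g. 22:00-06:00
                blocked = t >= start or t < end
            if blocked:
                return False, f"{when:%H:%M} falls in off-limits window {start:%H:%M}-{end:%H:%M}"
        return True, "outside all off-limits windows"

    def may_test(self, host: str, when: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Authorization is checked first: with no signed
        document there is nothing to scope, so every target is denied."""
        if not self.written_authorization:
            return False, "no signed authorization on file; do not start"
        ok, why = self.host_in_scope(host)
        if not ok:
            return False, why
        ok, why = self.time_allowed(when)
        if not ok:
            return False, why
        return True, "permitted"


# Constructed ROE: in-scope /24 plus one extra host, one SaaS-fronted host carved
# out, and the client's peak business hours declared off-limits.
ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.10"],
    out_of_scope=["203.0.113.25"],                  # hypothetical SaaS provider front end
    off_limits_windows=[(time(9, 0), time(17, 0))], # hypothetical peak hours
    written_authorization=True,
)


def run_checks() -> Dict[str, bool]:
    """Evaluate the constructed scenarios and return {scenario: allowed}."""
    unsigned = replace(ROE, written_authorization=False)
    cases = {
        "in_scope_after_hours": (ROE, "203.0.113.40", datetime(2024, 3, 4, 22, 30)),
        "carved_out_host":      (ROE, "203.0.113.25", datetime(2024, 3, 4, 22, 30)),
        "in_scope_peak_hours":  (ROE, "203.0.113.40", datetime(2024, 3, 4, 10, 0)),
        "never_listed":         (ROE, "192.0.2.5", datetime(2024, 3, 4, 22, 30)),
        "unsigned_roe":         (unsigned, "203.0.113.40", datetime(2024, 3, 4, 22, 30)),
    }
    results = {}
    for name, (roe, host, when) in cases.items():
        ok, why = roe.may_test(host, when)
        print(f"{'ALLOW' if ok else 'DENY '} {name}: {why}")
        results[name] = ok
    return results


if __name__ == "__main__":
    run_checks()
```

Only the first scenario is allowed. The ordering matters: exclusions are checked before inclusions so a carve-out inside an approved range is honoured, and the authorization check precedes everything else, mirroring the card's point that verbal permission from a help-desk technician does not make a target testable.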

26
Q

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. You have specified that the target may not employ shunning or blacklisting during the test. You have specified that the target must provide you with internal access to the network, a network map, and authentication credentials. You have also specified that applications provided by a SaaS service provider are off-limits during the test. What did you do incorrectly in this scenario?

A.The target should be allowed to use whatever means it chooses to defend itself.
B.Having detailed information about the internal network invalidates the results of the test.
C.All network resources should be subject to testing, including cloud-based resources.
D.Nothing. The ROE has been defined appropriately.

A

D.Nothing. The ROE has been defined appropriately.

Explanation:
The rules of engagement have been defined appropriately in this scenario. For example, it is quite appropriate to define what defensive behaviors the target is allowed to use during the test. Likewise, a white box test will likely include detailed information about the internal network. It’s also not uncommon for third-party service providers to be excluded from the test.

27
Q

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a black box assessment. The client has specified that they do not want the test to be conducted during peak times of the day, so you added “timeout” time frames to the document when testing will be suspended. You have specified that no communications will occur between you and the client until the end of the test when you submit your final test results. You have also specified that the target must provide you with internal access to the network, a network map, and authentication credentials. What did you do incorrectly in this scenario?

A.Having detailed information about the internal network invalidates the results of the test.
B.Pausing the assessment during peak times invalidates the results of the test.
C.Communications between the testers and the client should occur at regular intervals throughout the test.
D.Nothing. The ROE has been defined appropriately.

A

A.Having detailed information about the internal network invalidates the results of the test.

Explanation:
Because this is a black box assessment, the testers should have no prior knowledge of the environment to be tested nor should they have special access to it. In essence, they should attack the client from the same perspective as a real attacker would. It is quite appropriate to pause testing during peak times to avoid disrupting their critical business operations. It’s also appropriate to communicate with the client only after the test is complete, especially on a black box assessment.

28
Q

You own a small penetration testing consulting firm. You are worried that a client may sue you months or years after penetration testing is complete if their network is compromised by an exploit that didn’t exist when the test was conducted.
What should you do?

A.Insist that clients sign a nondisclosure agreement (NDA) prior to the test.
B.Include a disclaimer in the agreement indicating that the results are valid only at the point in time when the test was performed.
C.Include an arbitration clause in the agreement to prevent a lawsuit.
D.Insist that clients sign a statement of work (SOW) prior to the test.

A

B.Include a disclaimer in the agreement indicating that the results are valid only at the point in time when the test was performed.

Explanation:
The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted and that the scope and methodology requested by the client can impact the comprehensiveness of the test. An NDA specifies what each party in an agreement is allowed to disclose to third parties. An arbitration clause could still result in a settlement that goes against the pen test consultant. A SOW alone won’t protect you against this kind of lawsuit unless it contains a point-in-time clause, discussed earlier.

29
Q

You own a small penetration testing consulting firm. You are worried that a client who requests a black box assessment may sue you after penetration testing is complete if their network is compromised by an exploit.
What should you do?

A.Insist that clients sign a purchase order prior to the test.
B.Insist that clients sign a master services agreement (MSA) prior to the test.
C.Include a disclaimer in the agreement indicating that the test methodology can impact the comprehensiveness of the test.
D.Refuse to perform black box tests.

A

C.Include a disclaimer in the agreement indicating that the test methodology can impact the comprehensiveness of the test.

Explanation:
The testing agreement or scope documentation should contain a disclaimer explaining that the scope and methodology requested by the client can impact the comprehensiveness of the test. For example, a white box test is more likely to discover hidden vulnerabilities than a black box test can. A purchase order is a binding agreement to purchase goods or services. An MSA is an agreement that defines terms that will govern future agreements. Black box tests can provide a unique perspective and should not be forsaken.

30
Q

You are defining the rules of engagement (ROE) for an upcoming penetration test. You are working on the problem resolution section of the document. Which elements should be included in this section? (Choose two.)

A.Clearly defined problem escalation procedures
B.A timeline for the engagement
C.In-scope systems, applications, and service providers
D.Out-of-scope systems, applications, and service providers
E.Acknowledgment that penetration testing carries inherent risks

A

A.Clearly defined problem escalation procedures
E.Acknowledgment that penetration testing carries inherent risks

Explanation:
When documenting problem handling and resolution in a rules of engagement document, you should clearly define escalation procedures on both sides of the agreement to help minimize downtime for the target organization. You should also include verbiage that requires the client to acknowledge that penetration testing carries inherent risks. A timeline for the engagement, along with scoping information, is also included in the ROE, just not in the problem resolution section.

31
Q

You work at a penetration testing consulting firm. An organization that you have not worked with previously calls and asks you to perform a black box assessment of its network. You agree on a price and scope over the phone. After quickly designing the test on paper, you begin execution later that afternoon. Was this test conducted properly?

A.Yes, proper penetration test planning and scoping procedures were followed.
B.No, new clients should be properly vetted before beginning an assessment.
C.No, a master service agreement (MSA) should be signed before testing begins.
D.No, the rules of engagement (ROE) for the test should be documented and signed by both parties.

A

D.No, the rules of engagement (ROE) for the test should be documented and signed by both parties.

Explanation:
The rules of engagement (ROE) should have been clearly defined and signed by both parties before the penetration test begins. Not having the ROE in place exposes your organization to potential litigation should something go wrong during the testing process. The vetting of a new client occurs during the process of scoping the test and creating the ROE document. An MSA defines terms that will govern future agreements.

32
Q

You are arranging the terms of a penetration test with a new client. Which of the following is an appropriate way to secure legal permission to conduct the test?

A.Ask a member of senior management via email for permission to perform the test.
B.Ask a member of the IT staff over the phone for permission to perform the test.
C.Ask a member of the IT staff to sign a document granting you permission to perform the test.
D.Ask a member of senior management to sign a document granting you permission to perform the test.

A

D.Ask a member of senior management to sign a document granting you permission to perform the test.

Explanation:
Before conducting a penetration test, you must get written permission from the senior management of the target organization to perform the test. Getting permission verbally or via email is generally not acceptable. Getting permission from the IT staff is also generally not acceptable.

33
Q

Which type of penetration test best simulates an outsider attack?

A.Black box
B.Gray box
C.White box
D.Blue box

A

A.Black box

Explanation:
In a black box penetration test, the tester has no prior knowledge of the target. Therefore, it best simulates what would happen during an attack from the outside. White-box and gray-box penetration tests allow the tester to have some degree of prior knowledge about the target.

34
Q

You need to conduct a penetration test for a client that best assesses the target organization’s vulnerability to a malicious insider who has the network privileges of an average employee. Which type of test should you perform?

A.Gray box
B.White box
C.Black box
D.Red box

A

A.Gray box

Explanation:
In a gray box penetration test, the tester has partial knowledge of the target. This can be used to simulate a malicious insider attack conducted by an average employee. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.

35
Q

Which type of penetration test requires the most time and money to conduct?

A.White box
B.Gray box
C.Black box
D.Green box

A

C.Black box

Explanation:
Because the penetration tester has no knowledge of the target, a black box test takes the most time and money to conduct. In contrast, gray box and white box tests are usually much less expensive and take less time to conduct because the tester has some level of prior knowledge about the target.

36
Q

A penetration tester uses a typical employee email account to send a phishing email exploit to managers and executives within the target organization. The goal is to see how many actually fall for the exploit and click the link in the message. What kind of penetration test is being performed in this scenario?

A.Black box
B.Gray box
C.White box
D.Red box

A

B.Gray box

Explanation:
Because the tester is using an internal email account (the kind used by a typical employee) to conduct the test, the tester is most likely performing a gray box test. In a black box test, the tester would have to use an external email account. In a white box test, the tester would likely use elevated privileges and access to conduct the test.

37
Q

You work for a penetration testing firm. A client calls and asks you to perform an exhaustive test that deeply probes their infrastructure for vulnerabilities. What kind of test should you recommend?

A.Gray box
B.White box
C.Black box
D.Blue box

A

B.White box

Explanation:
Because the tester is given extensive internal access to the target network, a white box test usually provides the most exhaustive assessment. More time can be spent probing for deep vulnerabilities than is possible with a black or gray box test.

38
Q

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. This will be an internal test. No third parties may be involved. Which of the following resources could be considered in-scope for the assessment? (Choose two.)

A.Active Directory users
B.Password policies defined within Group Policy
C.Microsoft Office 365 cloud applications
D.Google Docs
E.Microsoft Azure web servers

A

A.Active Directory users
B.Password policies defined within Group Policy

Explanation:
The scope of this engagement in this scenario is limited to the internal network infrastructure. Microsoft Office 365, Google Docs, and Microsoft Azure are all cloud-based services hosted by third parties and are therefore considered out of scope.

39
Q

What is the most important step in the penetration testing planning and scoping process?

A.Obtaining written authorization from the client
B.Writing the rules of engagement (ROE)
C.Selecting a testing methodology
D.Defining in-scope and out-of-scope systems, applications, and service providers

A

A.Obtaining written authorization from the client

Explanation:
The most important step in the penetration testing planning and scoping process is to obtain written permission from the target to perform the test. Without written permission, you are considered a hacker and are subject to federal, state, and local laws regarding computer crime (such as U.S. Code, Title 18, Chapter 47, Sections 1029 and 1030).

40
Q

Which of the following is a formal document that defines exactly what will be done during a penetration test?

A.Master service agreement (MSA)
B.Nondisclosure agreement (NDA)
C.Statement of work (SOW)
D.Purchase order (PO)

A

C.Statement of work (SOW)

Explanation:
The statement of work (SOW) is a formal document that defines the scope of the penetration test. It identifies exactly what will happen during the test. An MSA defines terms that will govern future agreements. An NDA specifies what each party in an agreement is allowed to disclose to third parties. A purchase order is a binding agreement to make a purchase from a vendor.

41
Q

You work for a penetration testing firm. You go to dinner with a potential client. To demonstrate your organization’s technical expertise with penetration testing, you list several of your other clients by name and describe in detail various problems your assessments discovered at each one.
Which of the following was violated when you did this?

A.Statement of work (SOW)
B.Nondisclosure agreement (NDA)
C.Master service agreement (MSA)
D.Purchase order (PO)

A

B.Nondisclosure agreement (NDA)

Explanation:
A nondisclosure agreement (NDA) is a legal contract that defines what confidential information can be shared and what cannot be shared. In most penetration testing agreements, the NDA specifies that the tester may not reveal the results of the test to anyone other than the client itself. A SOW is a formal document that defines the scope of the penetration test. An MSA defines terms that will govern future agreements. A purchase order is a binding agreement to make a purchase from a vendor.

42
Q

You work for a penetration testing firm. A potential client called about your services. After reviewing what your organization can do, the client decides to schedule a single black box test. If they are happy with the results, they may consider future tests. Which of the following will you likely ask the client to sign first?

A.Purchase order (PO)
B.Nondisclosure agreement (NDA)
C.Master service agreement (MSA)
D.Statement of work (SOW)

A

A.Purchase order (PO)

Explanation:
Most likely, you will ask the client to sign a purchase order. A purchase order is a binding agreement to make a purchase from a vendor. With a purchase order in place, your organization can justify spending time and money defining a SOW and an NDA for the engagement. Because the client is essentially “trying” your services, an MSA would not yet be required, although it may be in the future.

43
Q

Which of the following is a contract where both parties agree to most of the terms that will govern future agreements?

A.Master service agreement (MSA)
B.Nondisclosure agreement (NDA)
C.Statement of work (SOW)
D.Purchase order (PO)

A

A.Master service agreement (MSA)

Explanation:
A master service agreement (MSA) is a contract where both parties agree to most of the terms that will govern future agreements. By defining these terms in an MSA, future agreements are much easier and faster to make. A purchase order is a binding agreement to make a purchase from a vendor. A SOW is a formal document that defines the scope of a penetration test. An NDA specifies what each party in an agreement is allowed to disclose to third parties.

44
Q

You have been recently hired by a security firm to conduct penetration tests on clients.
Which agreements will your new employer most likely ask you to sign as a condition of employment? (Choose two.)

A.Master service agreement (MSA)
B.Nondisclosure agreement (NDA)
C.Statement of work (SOW)
D.Purchase order (PO)
E.Noncompete agreement

A

B.Nondisclosure agreement (NDA)
E.Noncompete agreement

Explanation:
As an employee of a security firm, you will likely be asked by your employer to sign a nondisclosure agreement (NDA) and a noncompete agreement. The NDA specifies what each party in an agreement is allowed to disclose to third parties. Your employer likely doesn’t want you to reveal proprietary information to its competitors. The noncompete agreement requires you to agree not to work for a competitor or directly compete with your employer in a future job.

45
Q

Your penetration testing consulting firm has been negotiating a contract with the U.S. federal government to run penetration tests against some of its systems. Which agreements will you be asked to sign instead of a statement of work (SOW)? (Choose two.)

A.Statement of objective (SOO)
B.Performance work statement (PWS)
C.Noncompete agreement
D.Purchase order (PO)

A

A.Statement of objective (SOO)
B.Performance work statement (PWS)

Explanation:
Alternatives to a SOW used by the U.S. federal government include a statement of objectives (SOO) and a performance work statement (PWS). Purchase orders and noncompete agreements are not typically used as alternatives to a SOW.

46
Q

You are defining the scope of an upcoming penetration test. Your client’s offices are located in a large office complex with many other tenants. The client has asked you to include the organization’s network in the test. Which parameters should be identified as in-scope? (Choose two.)

A.The IP addresses of public-facing web services owned by neighboring tenants
B.The IP address of perimeter security devices owned by neighboring tenants
C.Wireless SSIDs used by neighboring tenants
D.Wireless SSIDs used by the client
E.IP address ranges used on the client’s internal network

A

D.Wireless SSIDs used by the client
E.IP address ranges used on the client’s internal network

Explanation:
If the client’s network itself is in scope, then you need to define the client’s wireless network SSIDs as in-scope. Defining the client’s IP address ranges as in-scope is also important. You must not target third parties, such as neighboring tenants or cloud service providers, without their written permission.

47
Q

You have recently concluded a penetration test for a client, and now need to write up your final conclusions. What should you do?

A.Rely on your memory of what happened during the test to create the report.
B.Analyze the testers’ written log files.
C.Ask your fellow testers to email you the top three issues they discovered during the test.
D.Ask your client’s IT staff to email you the top three issues they noticed during the test.

A

B.Analyze the testers’ written log files.

Explanation:
It is important that all penetration testers keep carefully written logs of the actions they take during an assessment. These logs should identify what the tester did, when they did it, what system(s) they were using, what system(s) they were attacking, and what the results were. You should avoid relying upon tester or client memories alone. They tend to be faulty and incomplete.

48
Q

A client has hired you to test the physical security of their facility. They have given you free rein to try to penetrate their facility using whatever method you want as long as it doesn’t harm anyone or damage the property. What type of assessment is being conducted in this scenario?

A.Goal-based
B.Pre-merger
C.Compliance-based
D.Supply chain

A

A.Goal-based

Explanation:
This is an example of a goal-based assessment. The goal is to verify the organization’s physical security using whatever means you desire. A premerger test is usually conducted on an organization prior to it merging with another. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization’s vendors.

49
Q

One of your clients accepts credit cards from customers and uses its internal network and servers to process payments. The credit card companies each specify that the client must undergo regular penetration testing to ensure that its password policies, data isolation policies, access controls, and key management mechanisms adequately protect consumer credit card data.
What type of assessment is required in this scenario?

A.Goal-based
B.Compliance-based
C.Supply chain
D.Red team

A

B.Compliance-based

Explanation:
A compliance-based assessment is required in this scenario. This is a risk-based assessment that ensures policies or regulations are being followed appropriately. Most likely, the credit card companies will provide the organization with a checklist that the penetration tester will use to conduct the assessment. A goal-based assessment will specify a goal to be met by the test. A supply chain assessment involves testing an organization’s vendors. A red team assessment is usually conducted by internal testers to ensure an organization’s IT staff (the blue team) can adequately defend the network.

50
Q

One of your clients was recently purchased by a large multinational organization. Before the purchase can be finalized, your client must be subjected to an extensive penetration test.
What kind of assessment is required in this scenario?

A.Objective-based
B.Pre-merger
C.Compliance-based
D.Supply chain

A

B.Pre-merger

Explanation:
Before two organizations merge, it is common for penetration tests to be conducted to identify any security vulnerabilities that need to be addressed before their networks are connected. An objective-based assessment is designed to test whether information can remain secure. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization’s vendors.

51
Q

An organization’s network was recently hacked. The attackers first compromised the weak security used by one of the organization’s contractors. Then they used the contractor’s authentication credentials to gain access to the organization itself. Which type of penetration assessment could have prevented this?

A.Objective-based
B.Pre-merger
C.Goal-based
D.Supply chain

A

D.Supply chain

Explanation:
In a supply chain assessment, a penetration test is conducted on an organization’s vendors to ensure their networks are secure and can’t be used as a pivot point to compromise the organization itself. A goal-based assessment is designed to test a specific aspect of an organization’s security. A premerger test is usually conducted on an organization prior to it merging with another.

52
Q

You work on the security team for a large organization. Your team has been tasked with conducting an internal penetration test to verify whether your organization’s IT staff can adequately defend against it. What type of assessment is being used in this scenario?

A.Goal-based
B.Compliance-based
C.Supply chain
D.Red team

A

D.Red team

Explanation:
A red team assessment is usually conducted by internal testers to ensure an organization’s IT staff (the blue team) can adequately defend the network. A goal-based assessment is designed to test a specific aspect of an organization’s security. A supply chain test involves testing an organization’s vendors. A compliance-based test is performed to ensure that an organization remains in compliance with governmental regulations or corporate policies.

53
Q

Which of the following tiers of adversaries ranks threat actors, generally speaking, from least threatening to most threatening?

A.Script kiddie, hacktivist, malicious insider, organized crime, nation-state
B.Script kiddie, malicious insider, hacktivist, organized crime, nation-state
C.Hacktivist, script kiddie, malicious insider, nation-state, organized crime
D.Nation-state, organized crime, malicious insider, hacktivist, script kiddie

A

A.Script kiddie, hacktivist, malicious insider, organized crime, nation-state

Explanation:
Generally speaking, if you were to rank threat actors into tiers from least threatening to most threatening, the ordering would look something like the following: script kiddie, then hacktivist, then malicious insider, then organized crime, and finally nation-state.

54
Q

One of your clients is a public advocacy group. Some of its political stances are very unpopular with several fringe activists, and they are concerned that a hacktivist may try to hijack their public-facing website. They have asked you to run a penetration test using the same tools and techniques that a typical hacktivist would have the technical aptitude and funds to use. What process has occurred in this scenario?

A.Due diligence
B.Risk acceptance
C.Threat modeling
D.Scope creep

A

C.Threat modeling

Explanation:
This is an example of threat modeling. Using threat modeling, you determine the type of threat you want to emulate during the penetration test. Then you use the same tools, techniques, and approaches that type of threat would typically use.

55
Q

You are meeting with a new client to scope out the parameters of a future penetration test. During the course of the discussion, you ask the client if they are willing to accept the fact that a penetration test could cause service disruptions within their organization. The client responds affirmatively. What process has occurred in this scenario?

A.Risk acceptance
B.Due diligence
C.Threat modeling
D.Risk transfer

A

A.Risk acceptance

Explanation:
This is an example of risk acceptance. You have evaluated the client’s tolerance of the impacts a penetration test could bring to the organization. It is important that the client be ready and able to accept the fact that a penetration test could cause a network outage or a service disruption.

56
Q

You are running a penetration test for a client. The original test calls for you to test the security of one of the client’s remote branch offices. The client called today and indicated that they are concerned about the security readiness of a second branch office. They insisted that you expand the penetration test to include this second site.
What process occurred in this scenario?

A.Due diligence
B.Risk acceptance
C.Threat modeling
D.Scope creep

A

D.Scope creep

Explanation:
This is an example of scope creep. Scope creep is the addition of further parameters and/or targets to the scope of the assessment after it has been agreed. This is a common occurrence and should be planned for in your initial scoping. For example, you and the client could agree in advance on the pricing and schedule adjustments that will be made if the scope of the test needs to expand.

57
Q

A client has asked you to run a white box penetration test. Her organization has offices in the United Kingdom, Saudi Arabia, Pakistan, and Hong Kong. You load your penetration testing toolkit onto your laptop and travel to each office to run the assessment on-site. What did you do incorrectly in this scenario?

A.It may be illegal to transport some penetration testing software and hardware internationally.
B.A laptop doesn’t have sufficient computing power to effectively run a penetration test.
C.Travel costs can be reduced by running the assessment remotely from the tester’s home location.
D.Nothing. You did everything correctly.

A

A.It may be illegal to transport some penetration testing software and hardware internationally.

Explanation:
Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you are traveling abroad with your penetration testing toolkit, you could be arrested if you have prohibited software or hardware in your possession.

58
Q

A client has asked you to run a white box penetration test. Her organization has offices in the United States, Indonesia, Thailand, and Singapore. To avoid international transportation of your penetration testing software, you upload it to your Google Drive account. Then you travel to each site, download the software, and run it locally on your laptop. Did you handle your penetration testing software appropriately in this scenario?

A.Yes, using Google Drive to access the software internationally shields you from prosecution.
B.No, most foreign nations block access to Google Drive.
C.No, it is legal to transport most penetration testing software into these countries.
D.No, it is illegal to transport most penetration testing software internationally using the Internet.

A

D.No, it is illegal to transport most penetration testing software internationally using the Internet.

Explanation:
The laws and regulations that apply to penetration testing and penetration testers vary from state to state within the United States. That means you need to understand what laws apply to the work you’re doing. In this scenario, you need to check all federal, state, and local laws that apply to the assessment you plan to carry out. It is recommended that you retain the services of an attorney to keep yourself out of trouble.

59
Q

You are asked to perform a penetration test for an organization with offices located in New York City, Los Angeles, and Fargo. Which cybersecurity laws and regulations do you need to check as you scope the assessment?

A.U.S. federal cybersecurity law
B.State cybersecurity laws in New York, California, and North Dakota
C.Local cybersecurity laws in each physical location
D.Interpol regulations

A

D.Interpol regulations

Explanation:
The laws and regulations that apply to penetration testing and penetration testers vary from state to state within the United States. That means you need to understand what laws apply to the work you’re doing. In this scenario, you need to check all federal, state, and local laws that apply to the assessment you plan to carry out. It is recommended that you retain the services of an attorney to keep yourself out of trouble.

60
Q

A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications leverage the Simple Object Access Protocol (SOAP). During the scoping process, you determine that it would be helpful if you had access to the organization’s internal documentation for these applications. Which of the following should you ask your client for?

A.Web Services Description Language (WSDL) documentation
B.Software Development Kit (SDK) documentation
C.Web Application Description Language (WADL) documentation
D.Application Programming Interface (API) documentation

A

A.Web Services Description Language (WSDL) documentation

Explanation:
Web Services Description Language (WSDL) is an XML-based interface definition language used for describing the functionality offered by a SOAP service.

61
Q

A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications are based on Representational State Transfer (REST) architecture. During the scoping process, you determine that it would be helpful if you had access to the organization’s internal documentation for these applications. Which of the following should you ask your client for?

A.Web Services Description Language (WSDL) documentation
B.Software Development Kit (SDK) documentation
C.Web Application Description Language (WADL) documentation
D.Application Programming Interface (API) documentation

A

C.Web Application Description Language (WADL) documentation

Explanation:
The Web Application Description Language (WADL) is an XML-based machine-readable description of HTTP-based web services. As such, it is typically used with REST services instead of SOAP.

62
Q

A client has asked you to run a white box penetration test. The goal is to assess the security of several PC applications that were written in-house using the C++ programming language. These applications are used on a day-to-day basis by employees to manage orders, inventory, and payouts. During the scoping process, you determine that it would be helpful if you had access to the organization’s internal software development documentation for these applications. Which of the following should you ask your client for? (Choose two.)

A.Simple Object Access Protocol (SOAP) documentation
B.Software Development Kit (SDK) documentation
C.Web Application Description Language (WADL) documentation
D.Application Programming Interface (API) documentation

A

B.Software Development Kit (SDK) documentation
D.Application Programming Interface (API) documentation

Explanation:
Application programming interface (API) documentation describes how software components communicate. Software development kits (SDKs) also come with documentation. Organizations may create their own SDKs, use commercial SDKs, or use open source SDKs. Understanding which SDKs are in use and where they are can help a penetration tester test applications, especially those written in-house.

63
Q

You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to the information stored on an internal database server. Which information should the client provide you with prior to starting the test?

A.Architectural diagrams
B.Swagger document
C.XSD
D.Network diagrams

A

D.Network diagrams

Explanation:
A black box penetration test should simulate the view an external attacker would have of the network. Therefore, the tester should have little or no knowledge of the internal network.

64
Q

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client’s end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?

A.Architectural diagrams
B.Sample requests
C.XSD
D.All of the above

A

D.All of the above

Explanation:
In a white box test, you should have access to extensive internal documentation. Because an in-house developed application will be used as the attack vector, you should require the client to provide as much documentation about that application as possible. For example, you should ask for architectural diagrams, sample application requests, the XSD, and the Swagger document, as applicable.

65
Q

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential customer data stored on an internal database server. You have asked the client for architectural diagrams. Which information should the client provide you with? (Choose two.)

A.Swagger document
B.Simple Object Access Protocol (SOAP) documentation
C.Network diagrams
D.XSD
E.Facility maps

A

C.Network diagrams
E.Facility maps

Explanation:
When requesting internal architectural diagrams as a part of a white box test, you should typically be supplied with documentation such as network diagrams and facility maps. You can use this information to map out the network topology and locate key infrastructure devices, such as switches, routers, and servers.

66
Q

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. To facilitate this, you have requested that the client provide you with access to applications that end users use to generate sample application requests. Which specific applications should be included in the request? (Choose two.)

A.An in-house developed desktop application used to access the information stored in the database
B.Microsoft Word, which end users use on a daily basis to compose documents stored in the database
C.Microsoft Excel, which end users use on a daily basis to compose spreadsheets stored in the database
D.An in-house developed web application used to generate reports using the information stored in the database
E.Adobe Photoshop, which end users use on a daily basis to edit graphic files stored in the database

A

A.An in-house developed desktop application used to access the information stored in the database
D.An in-house developed web application used to generate reports using the information stored in the database

Explanation:
Sample application requests are typically used to test applications (desktop or web) that have been developed in-house. Applications developed in-house aren’t usually subjected to the same level of scrutiny as commercial applications, which makes them possible attack vectors that can be exploited. Sample application requests aren’t generally required for commercial applications, such as Word, Excel, or Photoshop, because their weaknesses are already well documented.

67
Q

You want to generate sample application requests for an in-house developed web application that a client’s users use every day to complete their day-to-day tasks. How should this be done?

A.Enter exactly the same data into the web application that end users enter.
B.Enter data that is similar to the data that end users enter into the application.
C.Enter completely unexpected data into the application.
D.Ask the system administrator to generate the samples for you.

A

C.Enter completely unexpected data into the application.

Explanation:
Applications developed in-house aren’t usually subjected to the same level of scrutiny as commercial applications, which makes them possible attack vectors that can be exploited. For this reason, when generating sample application requests, most penetration testers throw unexpected input at applications developed in-house to see how the application responds. For example, you may find that entering a very long text string into a field that is expecting only eight characters generates a buffer overflow error. You could then use this poor error handling behavior to insert and run malicious code on the web server hosting the application.

68
Q

Which of the following is a messaging protocol specification that defines how structured information can be exchanged between web applications and is created from WSDL files?

A.SOAP
B.XSD
C.WADL
D.Swagger

A

A.SOAP

Explanation:
The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.

69
Q

Which of the following is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services?

A.SOAP
B.XSD
C.WSDL
D.Swagger

A

D.Swagger

Explanation:
Swagger is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services. REST is an alternative to the SOAP protocol. In fact, REST has started to replace SOAP as the framework of choice in most modern web applications.

70
Q

Which of the following protocols is the Representational State Transfer (REST) web application architecture based on?

A.FTP
B.HTTP
C.SMB
D.LDAP

A

B.HTTP

Explanation:
The Representational State Transfer (REST) web application architecture is based on the Hypertext Transfer Protocol (HTTP).

71
Q

Which of the following is an XML-based interface definition language used to describe the functionality offered by a Simple Object Access Protocol (SOAP) server?

A.Web Service Description Language (WSDL)
B.Web Application Description Language (WADL)
C.Representational State Transfer (REST)
D.Swagger

A

A.Web Service Description Language (WSDL)

Explanation:
The Web Service Description Language (WSDL) is an XML-based interface definition language that is used to describe the functionality offered by a web application server, such as a SOAP server. WSDL doesn’t work well with the Representational State Transfer (REST) web application architecture, which has been slowly replacing SOAP over the years.

72
Q

Which of the following architectures is used to provide an XML-based description of HTTP-based web services running on a web application server and is commonly used with Representational State Transfer (REST) web applications?

A.Simple Object Access Protocol (SOAP)
B.Web Application Description Language (WADL)
C.Representational State Transfer (REST)
D.Swagger

A

B.Web Application Description Language (WADL)

Explanation:
The Web Application Description Language (WADL) provides an XML-based description of HTTP-based web services running on a web application server. WADL is typically used with Representational State Transfer (REST) web services. WADL is an alternative to WSDL and is generally considered easier to use but also lacks the flexibility associated with WSDL.

73
Q

Which of the following is a World Wide Web Consortium (W3C) specification that identifies how to define elements within an XML document?

A.SOAP
B.XSD
C.REST
D.WSDL

A

B.XSD

Explanation:
The XML Schema Definition (XSD) is a W3C specification that identifies how to define elements within an XML document.

74
Q

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client’s end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?

A.Configuration files
B.Data flow diagrams
C.Software development kit (SDK) documentation
D.All of the above

A

D.All of the above

Explanation:
When conducting a white box penetration test, especially one that will target applications developed in-house, having the documentation for the SDK that was used to create the application can be very helpful. Data flow diagrams can also provide penetration testers with an understanding of how the target application communicates with other network services. Configuration files may contain account information, IP addresses, API keys, and possibly even passwords.

75
Q

You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to sensitive patient data stored on an internal database server. What should the client do prior to starting the test? (Choose two.)

A.Blacklist the testers’ user accounts in their intrusion protection system (IPS).
B.Whitelist the testers’ user accounts in their intrusion protection system (IPS).
C.Configure network firewalls to function in fail-open mode.
D.Configure security exceptions that allow the penetration testers’ systems to bypass network access controls (NAC).

A

B.Whitelist the testers’ user accounts in their intrusion protection system (IPS).

D.Configure security exceptions that allow the penetration testers’ systems to bypass network access controls (NAC).

Explanation:
When running a white box assessment, you will usually want the client to whitelist the testers’ user accounts in their IPS. This will prevent them from being blocked when they start probing defenses. They should also configure security exceptions that allow the penetration testers’ systems to bypass NAC security controls.

76
Q

You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to sensitive financial data stored on an internal database server. What should the client do prior to starting the test?

A.Create internal user accounts for the testers that have the same level of privileges as a typical employee.
B.Whitelist the testers’ user accounts in their web application firewall (WAF).
C.Configure certificate pinning.
D.Configure security exceptions that allow the penetration testers’ systems to bypass network access controls (NAC).
E.None of the above.

A

E.None of the above.

Explanation:
Because a black box test is being conducted in this scenario, the client’s network should be in “shields up” mode. The penetration testers should not have internal user accounts, nor should their systems be allowed to bypass NAC security controls. Certificate pinning should not be allowed.

77
Q

You are scoping a white box penetration test for a client. The client has implemented network access controls (NAC) with IPSec to prevent devices that are out of compliance with company policies from connecting to the secure internal network. Because you are conducting a white box test, your testers’ systems need to bypass NAC and be granted direct access to the internal secure network. What should the client do to accomplish this?

A.Configure certificate pinning.
B.Connect their computers to a switch port that is on the secure internal network.
C.Configure a NAC exception for each system.
D.Temporarily disable NAC.

A

A.Configure certificate pinning.

Explanation:
Normally, when NAC is implemented with IPSec, clients must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers’ systems without proving they are in compliance every time they connect.

78
Q

During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client’s facility. To keep this from happening again, the client completely removes the door and its frame from the building and fills the space with concrete. Which type of risk response is described in this scenario?

A.Avoidance
B.Transference
C.Mitigation
D.Acceptance

A

A.Avoidance

Explanation:
This is an example of risk avoidance. By removing the door and filling in the wall with concrete, the client has completely removed the risk of the door being used by an attacker to gain unauthorized access to the facility.

79
Q

During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client’s facility. To keep this from happening again, the client places a security guard in the hallway and instructs her to prevent unauthorized access. Which type of risk response is described in this scenario?

A.Avoidance
B.Transference
C.Mitigation
D.Acceptance

A

C.Mitigation

Explanation:
This is an example of risk mitigation. Instead of completely removing the risk, the client has used a security guard as a countermeasure. The risk of unauthorized access still exists, but the use of the security guard controls that risk.

80
Q

Your client hosts a large e-commerce website that sells clothing and accessories. During a penetration test, a tester was able to intercept customers’ credit card numbers as they were being processed by an internal card processing application. To keep this from happening again, the client decides to outsource all credit card processing to a third-party processor. All transactions are redirected to the third-party processor such that your client never sees the actual credit card data. Which type of risk response is described in this scenario?

A.Avoidance
B.Transference
C.Mitigation
D.Acceptance

A

B.Transference

Explanation:
This is an example of risk transference. Rather than avoid the risk or mitigate the risk, the client has moved the risk to the third-party processor.

81
Q

An organization has recently learned that its facility has been built within a few hundred yards of a major fault line. The management team decides to purchase an extended insurance policy that will cover a loss of business operations should an earthquake occur. Which type of risk response is described in this scenario?

A.Avoidance
B.Transference
C.Mitigation
D.Acceptance

A

B.Transference

Explanation:
This is an example of risk transference. Rather than avoid the risk by moving to a new location or mitigate the risk with seismic upgrades to the facility, the client has moved the risk to the insurance company.

82
Q

During a penetration test, your testers discovered that they could easily copy confidential data to their personal mobile devices and then send that data to recipients outside the organization using their devices’ mobile broadband connection. You recommend that they implement a mobile device management (MDM) system. However, the client has determined that such a measure is too expensive and complicated to implement. In fact, they will not implement any type of controls to prevent this from happening in the future. Which type of risk response is described in this scenario?

A.Avoidance
B.Transference
C.Mitigation
D.Acceptance

A

D.Acceptance

Explanation:
In this scenario, the client has determined that the risk is an acceptable one and will not take measures to control it. Typically, this happens when an organization determines that the cost of removing or controlling a risk exceeds the cost of a security incident arising from that risk.

83
Q

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. What should you do first in the scoping process?

A.Negotiate a fee for the penetration test.
B.Review the PCI-DSS requirements.
C.Set the schedule for the penetration test.
D.Pose as a customer and visit several of the storefronts to pre-assess the organization.

A

B.Review the PCI-DSS requirements.

Explanation:
Because this is a compliance penetration test, you first need to access the PCI-DSS standards and review the requirements for the client to be considered “compliant.” Typically, the governing organization will publish checklists that you should use to assess compliance. These checklists will strongly influence the scope, budget, and schedule for the test.

84
Q

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)

A.Physical access to cardholder data is restricted.
B.The cardholder data environment (CDE) is isolated from the rest of the network.
C.A refund policy is in place for credit card purchases.
D.A chargeback policy is in place.

A

A.Physical access to cardholder data is restricted.
B.The cardholder data environment (CDE) is isolated from the rest of the network.

Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must restrict physical access to all cardholder data and that the CDE network be isolated from the rest of the network.

85
Q

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)

A.Use only hardware certified by Microsoft to be Windows 10–compatible.
B.Encrypt the transmission of cardholder data.
C.Ensure that only one user account is used by all employees to access network resources and cardholder data.
D.Use a NAT router to isolate the cardholder data environment (CDE) from the rest of the network.
E.Remove all default passwords from software and hardware devices.

A

B.Encrypt the transmission of cardholder data.
E.Remove all default passwords from software and hardware devices.

Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that all cardholder data be encrypted before being transmitted on a network medium and that all default passwords be removed from hardware and software deployed.

86
Q

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment?

A.Install and update antivirus software on all systems.
B.Use only security-certified Cisco routers in the environment.
C.Close all ports except for 139 and 445 in the firewall that protects the cardholder data environment (CDE).
D.Disable all monitoring of access to cardholder data.

A

A.Install and update antivirus software on all systems.

Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that antivirus software be installed on all systems and that it must be updated regularly.

87
Q

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment?

A.A password policy must be in place.
B.Close all ports except for 80 and 443 in the firewall that protects the cardholder data environment (CDE).
C.All hosts on a network must have a default gateway.
D.All hosts on a network must have a unique host address.

A

A.A password policy must be in place.

Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that a strong password policy be in place within the organization.

88
Q

You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)

A.Monitor all access to cardholder data.
B.Ensure that WPA2 is used to secure all wireless networks.
C.Ensure that TKIP is used to secure all wireless networks.
D.Restrict access to cardholder data on a need-to-know basis.

A

A.Monitor all access to cardholder data.
D.Restrict access to cardholder data on a need-to-know basis.

Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must monitor and audit all access to cardholder data and that access to that data must be restricted on a need-to-know basis.

89
Q

Which law regulates how financial institutions handle customers’ personal information?

A.GLBA
B.SARBOX
C.HIPAA
D.FIPS 140-2

A

A.GLBA

Explanation:
The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions handle customers’ personal information. For example, it requires companies to have a written information security plan in place that identifies processes and procedures intended to protect that information.

90
Q

Which law requires that healthcare-related organizations must be in compliance with certain security standards?

A.GLBA
B.SARBOX
C.HIPAA
D.FIPS 140-2

A

C.HIPAA

Explanation:
The Health Insurance Portability and Accountability Act of 1996 governs healthcare organizations. They must comply with the rules and regulations specified in the act, such as requiring a risk analysis and testing the organization’s security controls.

91
Q

Which law sets standards for publicly traded companies in the United States with respect to security policies, standards, and controls?

A.GLBA
B.SARBOX
C.HIPAA
D.FIPS 140-2

A

B.SARBOX

Explanation:
The Sarbanes-Oxley Act sets standards for publicly traded U.S. companies with respect to security policies, standards, and controls. For example, it sets standards for network access, authentication, and security.

92
Q

Which of the following provides standards that certify cryptographic modules?

A.GLBA
B.SARBOX
C.HIPAA
D.FIPS 140-2

A

D.FIPS 140-2

Explanation:
FIPS 140-2 is a U.S. government security standard that certifies cryptographic modules.

93
Q

A new client calls to schedule a gray box penetration test. You gather some basic information about the client over the phone, put together a scope for the test, and create a schedule for the test. You then hire several contractors to help conduct the test and begin the assessment on the scheduled date. Did you scope this assessment properly?

A.Yes, proper scoping procedures were followed.
B.No, the schedule should be defined before the scope is created.
C.No, you should have spent more time understanding the target audience before scoping the assessment.
D.No, the contracts should have helped create the scope of the assessment.

A

C.No, you should have spent more time understanding the target audience before scoping the assessment.

Explanation:
In this scenario, insufficient time was spent getting to know the target audience for the penetration test. Time should have been spent with the client to learn about their organization, the goals of the test, and so on. Only then should the scope be created.

94
Q

You have just completed a gray box penetration test for a client. You have written up your final report and delivered it to the client. You also made sure that all access granted to you by the client to conduct the test has been disabled. You write a blog article identifying the client and the results of the assessment and post it to ensure no one else makes the same security mistakes the client made. Did you terminate the penetration test properly?

A.Yes, the penetration test was terminated properly.
B.No, the access privileges should have remained in place for the next penetration test.
C.No, the access privileges should have been removed before the final report was produced.
D.No, the confidentiality of the findings was not maintained.

A

D.No, the confidentiality of the findings was not maintained.

Explanation:
In this scenario, the confidentiality of the findings was not maintained. The blog post revealed far too much information about the client. It may take the client weeks or even months to address the issues discovered in the assessment. By publishing the findings publicly, you exposed your client to potential attacks.

95
Q

You are scoping an upcoming external black box penetration test for the client. You are trying to determine what will be included in the test and what won’t.
Which of the following questions should you ask the client? (Choose two.)

A.Should the test focus on a specific known vulnerability?
B.Will the client grant physical access to their facility?
C.Should the test look for unknown vulnerabilities?
D.Will the client provide administrator-level accounts to conduct the assessment?

A

A.Should the test focus on a specific known vulnerability?
C.Should the test look for unknown vulnerabilities?

Explanation:
Part of the scoping process is to determine whether the penetration test will assess the organization’s susceptibility to a specific known vulnerability or whether it should investigate unknown vulnerabilities. Because this is an external black box test, the client probably won’t provide user accounts or physical access to their facility.

96
Q

You are scoping an upcoming external black box penetration test for the client. One of your penetration testers has developed a vulnerability scanner that is very aggressive. In fact, in a previous test, her scanner brought down the client’s customer-facing website for almost 30 minutes. However, by doing so, that client was able to learn a great deal about several vulnerabilities in their web application software.
What should you do for the current client?

A.Instruct your penetration tester to not use her vulnerability scanner in the upcoming assessment.
B.Instruct your penetration tester to use her vulnerability scanner in the upcoming assessment.
C.Conduct an impact analysis with the new client and determine their tolerance to impact.
D.Fire the penetration tester.

A

C.Conduct an impact analysis with the new client and determine their tolerance to impact.

Explanation:
In this scenario, the best approach would be to conduct an impact analysis with the client and determine their tolerance to impact. Is the information to be gained by using the vulnerability scanner worth the potential risk? For some organizations, the risk may be worth the benefit. For others, it may not. Either way, the penetration tester should not use the tool until the impact analysis is complete and the client is aware of the risks.

97
Q

While planning an upcoming penetration test, your client has requested that you include a description of the end state of the assessment in the project scope. What kind of information should be included in this description? (Choose two.)

A.A breakdown of how the funds allotted to the test were spent
B.A description of what kind of report will be provided to the client when the test is complete
C.A remediation timeline that provides an estimate of how long it will take to bring their systems into compliance
D.A list of all the penetration testers who conducted the assessment

A

B.A description of what kind of report will be provided to the client when the test is complete
C.A remediation timeline that provides an estimate of how long it will take to bring their systems into compliance

Explanation:
Most likely, the client will want to know what kind of report you are going to provide them with once the test is complete. They will also want to know how long it will take to remediate their systems as a result of the test.

98
Q

You are scoping an upcoming penetration test. You need to identify the technical constraints associated with the test. What should be included in this part of the scope documentation?

A.A list of penetration testing tools that your testers are not qualified to use
B.A list of systems that are off-limits to testing
C.A list of technologies that the client’s IT staff have not been certified in
D.A list of uncertified hardware devices in use within the client’s organization

A

B.A list of systems that are off-limits to testing

Explanation:
Typically, the technical constraints associated with a penetration test identify systems that can be tested and those that can’t be tested. For example, suppose the client uses automated robotic production equipment to make their products. This equipment is very expensive, and they may not want you to include it in the test.

99
Q

You are in the initial stages of scoping a gray box penetration test with a new client. What is a question you should ask to better define the project scope?

A.Who performed penetration tests for the client in the past?
B.What are the names and email addresses of all internal technical staff members?
C.Should the test be conducted on-site or from an off-site location?
D.Is there a cubicle near a window available for the penetration testers to use?

A

C.Should the test be conducted on-site or from an off-site location?

Explanation:
Because this is a gray box penetration test, you should probably ask the client if they want the test performed on-site or if they want you to test from a remote off-site location. An on-site test would likely produce better results, but it would also cost more because the penetration testers would incur travel expenses. An off-site test would cost less because it wouldn’t require travel expenses, but it may produce lower quality results because the testers aren’t physically on-site.

100
Q

You are scoping a black box penetration test. Where should the penetration testers be physically located?

A.Internally within the organization’s IT department
B.Any external location
C.Within a competing organization’s facility
D.Anywhere internal to the organization’s facility

A

B.Any external location

Explanation:
A black box test is designed to simulate an external attack. The penetration testers should have the same perspective that a typical external attacker would have. Therefore, they should be located in a similar manner, that is, in any external location.

101
Q

You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. Which of the following are benefits of using an internal team? (Choose two.)

A.They have contextual knowledge of the organization.
B.They are less biased than an external contractor.
C.They have the independence required to perform a thorough test.
D.They have in-depth experience performing penetration tests for many organizations.
E.It’s usually less expensive than using an external contractor.

A

A.They have contextual knowledge of the organization.
E.It’s usually less expensive than using an external contractor.

Explanation:
There are two major benefits of using internal teams to conduct penetration tests. First, they have contextual knowledge of the organization that can improve the effectiveness of the tests. Second, it’s usually less expensive to conduct testing using internal employees than it is to hire a penetration testing contractor. When the internal staff isn’t involved in a penetration test, they can work on other projects for the organization.

102
Q

You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. Which of the following are benefits of using an external team? (Choose two.)

A.They have contextual knowledge of the organization.
B.They are less biased than an internal team.
C.They have the independence required to perform a thorough test.
D.They are intimately familiar with the security controls within the organization.
E.It’s usually less expensive than using an internal team.

A

B.They are less biased than an internal team.
C.They have the independence required to perform a thorough test.

Explanation:
External penetration testing teams are hired for the express purpose of performing penetration tests. Because they aren’t directly employed by the organization, they tend to have a higher degree of independence. They don’t have to worry about upsetting a manager or director if vulnerabilities are discovered. In fact, they usually delight in such an event. Also, they tend to be less biased because they don’t participate in the design or ongoing maintenance of the organization’s network infrastructure.

103
Q

You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. Which of the following are disadvantages of using an internal team? (Choose two.)

A.Maintaining an internal team is very expensive.
B.There is a potential conflict of interest if they also perform testing for one of your competitors.
C.They may feel that a vulnerability discovered may reflect poorly on them.
D.They may lack objectivity.

A

C.They may feel that a vulnerability discovered may reflect poorly on them.
D.They may lack objectivity.

Explanation:
An internal penetration testing team may be too closely affiliated with the organization. For example, they may worry that a vulnerability discovered during a penetration test may reflect poorly on their team because they likely designed and continue to maintain the network being tested. This could cause a lack of objectivity when conducting penetration tests.

104
Q

You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. Which of the following are disadvantages of using an external team? (Choose two.)

A.There is a potential conflict of interest if they also perform testing for one of your competitors.
B.They lack the technical talent of an internal team.
C.They are usually more expensive than an internal team.
D.They may bring their personal biases into the test.

A

A.There is a potential conflict of interest if they also perform testing for one of your competitors.

C.They are usually more expensive than an internal team.

Explanation:
Using an external team of contractors to perform penetration testing has several drawbacks that should be considered. First, there could be a potential for a conflict of interest if they also perform penetration testing for one of your competitors. Second, they tend to be quite expensive.

105
Q

Which of the following best describes the term the hacker’s mindset within the context of penetration testing?

A.A penetration tester must adopt a defensive mind-set, trying to protect against all threats.
B.A penetration tester must think like a security professional, assessing the strength and value of every security control in use.
C.A penetration tester must think like an adversary who might attack the system in the real world.
D.A penetration tester must think like a military leader, organizing an open attack on many fronts by many attackers.

A

C.A penetration tester must think like an adversary who might attack the system in the real world.

Explanation:
Penetration testers must take a different approach in their thinking. Instead of trying to defend against all possible threats, they only need to find a single vulnerability that they can exploit to achieve their goals. To find these vulnerabilities, they must think like an adversary who might attack the system in the real world. This approach is commonly known as adopting the hacker mind-set.

106
Q

Which of the following best describes the term confidentiality within the context of penetration testing?

A.Preventing unauthorized access to information
B.Preventing unauthorized modifications to information
C.Ensuring information remains available for authorized access
D.Preventing legitimate access to information

A

A.Preventing unauthorized access to information

Explanation:
Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter C in CIA stands for confidentiality, which seeks to prevent unauthorized access to information or systems.

107
Q

Which of the following best describes the term integrity within the context of penetration testing?

A.Preventing unauthorized access to information
B.Preventing unauthorized modifications to information
C.Ensuring information remains available for authorized access
D.Gaining unauthorized access to information

A

B.Preventing unauthorized modifications to information

Explanation:
Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter I in CIA stands for integrity, which seeks to prevent unauthorized modification of information or systems.

108
Q

Which of the following best describes the term availability within the context of penetration testing?

A.Preventing unauthorized access to information
B.Preventing unauthorized modifications to information
C.Ensuring information remains available for authorized access
D.Making unauthorized changes to information

A

C.Ensuring information remains available for authorized access

Explanation:
Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter A in CIA stands for availability, which ensures that information remains available for authorized access.

109
Q

Which of the following best describes the term disclosure within the context of penetration testing?

A.Gaining unauthorized access to information
B.Making unauthorized changes to information
C.Preventing the legitimate use of information
D.Publicly acknowledging that a security breach has occurred and information has been compromised

A

A.Gaining unauthorized access to information

Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems.

110
Q

Which of the following best describes the term alteration within the context of penetration testing?

A.Gaining unauthorized access to information
B.Making unauthorized changes to information
C.Preventing the legitimate use of information
D.Leveraging one successful compromise to compromise another otherwise inaccessible system within a network

A

B.Making unauthorized changes to information

Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems.

111
Q

Which of the following best describes the term denial within the context of penetration testing?

A.Gaining unauthorized access to information
B.Making unauthorized changes to information
C.Preventing the legitimate use of information
D.Failing to publicly acknowledging that a security breach has occurred and that information has been compromised

A

C.Preventing the legitimate use of information

Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems.

112
Q

Natasha is running a gray box penetration test and discovers a flaw in a web application that allows her to directly access the information stored on the backend database server. Which penetration testing goal has she accomplished?

A.Disclosure
B.Integrity
C.Alteration
D.Denial

A

A.Disclosure

Explanation:
Penetration testers seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems. In this scenario, Natasha has gained access to information within the backend database that she should not have access to.

113
Q

Kimberly is running a gray box penetration test and discovers a flaw in an online company directory application that allows her to submit LDAP commands in an employee lookup field. She uses this flaw to add a new user account that she can use as a back door. Which penetration testing goal has she accomplished?

A.Disclosure
B.Availability
C.Alteration
D.Denial

A

C.Alteration

Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Kimberly has altered the authentication system by adding an unauthorized user account.
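Added example (not from the book): the kind of flaw Kimberly found, in working form. A lookup that pastes the employee name straight into an LDAP search filter sits beside the RFC 4515 escaping that fixes it, and both are evaluated by a small filter interpreter over a constructed in-memory directory. The attribute names, the entries and the filter shape are assumptions for illustration, not a description of any real directory.

```python
"""LDAP filter injection in an employee-lookup field, beside the RFC 4515
escaping that fixes it, checked against a tiny in-memory directory."""
import re

# Constructed sample directory; a real test would query the client's LDAP server.
DIRECTORY = [
    {"objectClass": "person", "cn": "alice", "uid": "alice"},
    {"objectClass": "person", "cn": "bob", "uid": "bob"},
    {"objectClass": "device", "cn": "printer1", "uid": "printer1"},
]


def build_filter_unsafe(name: str) -> str:
    """The flawed lookup: user input is pasted straight into the search filter."""
    return f"(&(objectClass=person)(cn={name}))"


def ldap_escape(value: str) -> str:
    """RFC 4515 section 3: backslash, * ( ) and NUL inside an assertion value
    must be written as a backslash followed by two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter_safe(name: str) -> str:
    """The fixed lookup: the input can only ever be a literal value."""
    return f"(&(objectClass=person)(cn={ldap_escape(name)}))"


def _unescape(piece: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def evaluate(filt: str, entry: dict) -> bool:
    """Minimal RFC 4515 evaluator: (attr=value) with * wildcards, plus &, | and !.
    It parses the filter the way a server would, so injected metacharacters
    change the query's structure exactly as they do in a real directory."""

    def parse(i: int):
        if filt[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if filt[i] in "&|":
            op, i, results = filt[i], i + 1, []
            while filt[i] == "(":
                r, i = parse(i)
                results.append(r)
            if filt[i] != ")":
                raise ValueError("unterminated compound filter")
            return (all(results) if op == "&" else any(results)), i + 1
        if filt[i] == "!":
            r, i = parse(i + 1)
            if filt[i] != ")":
                raise ValueError("unterminated NOT filter")
            return (not r), i + 1
        j = filt.index(")", i)
        attr, _, pattern = filt[i:j].partition("=")
        # Each '*' becomes '.*'; everything between is matched literally.
        regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
        return re.fullmatch(regex, entry.get(attr, ""), re.IGNORECASE) is not None, j + 1

    result, end = parse(0)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    return result


def search(filt: str) -> list:
    """Return the cn of every directory entry the filter matches."""
    return [e["cn"] for e in DIRECTORY if evaluate(filt, e)]


if __name__ == "__main__":
    for builder in (build_filter_unsafe, build_filter_safe):
        for name in ("alice", "*", "*)(uid=*"):
            f = builder(name)
            try:
                print(f"{builder.__name__:20} {f!r:48} -> {search(f)}")
            except ValueError as err:
                print(f"{builder.__name__:20} {f!r:48} -> rejected: {err}")
```

With the unsafe builder a lookup for `*` returns every person in the directory and `*)(uid=*` rewrites the filter's structure; with the escaped builder both become literal strings that match nothing. The same shape applies to the SQL injection in the timecard question later in this chapter: the fix is to keep user input in the data position, never in the query's syntax.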

114
Q

Jessica is running a gray box penetration test. She uses the Low Orbit Ion Cannon utility to send a flood of TCP packets to a file server within the organization. As a result, the file server becomes overloaded and can no longer respond to legitimate network requests.
Which penetration testing goal has she accomplished?
A.Disclosure
B.Confidentiality
C.Alteration
D.Denial

A

D.Denial

Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems. In this scenario, Jessica has executed a denial of service (DoS) attack against the file server, denying legitimate access to it.

115
Q

Brittany is running a gray box penetration test. She discovers a flaw in an HR web application. Using a SQL injection attack, she can add or remove hours to or from an employee’s timecard for the current pay period. Which penetration testing goal has she accomplished?

A.Disclosure
B.Availability
C.Alteration
D.Confidentiality

A

C.Alteration

Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Brittany has altered the employee pay accounting system.

116
Q

An online retailer directly handles payment processing for credit card orders. As such, the credit card companies require the organization to be PCI-DSS compliant. When must this organization conduct penetration testing? (Choose two.)

A.Once a month
B.Every six months
C.Once a year
D.Whenever significant changes are made to the network infrastructure
E.Immediately before peak selling seasons, such as the holidays

A

C.Once a year
D.Whenever significant changes are made to the network infrastructure

Explanation:
The PCI-DSS standard (Requirement 11.3 in v3.2.1, Requirement 11.4 in v4.0) requires organizations that handle credit card processing to conduct both internal and external penetration tests at least once per year and after any significant infrastructure or application upgrade or change. They may test more frequently if desired, but they are not required to. Service providers that rely on network segmentation must additionally test the segmentation controls at least every six months; that is a separate requirement from the annual penetration test and does not change the answer here.

117
Q

Joshua works for a penetration testing consulting firm. During a recent penetration test, he ran an attack tool against the client’s public-facing e-commerce website. It went offline for more than an hour. The client is now threatening to sue Joshua’s employer. At what stage of the penetration testing process should the consulting firm and the client have agreed upon the risks associated with the test?

A.Planning and scoping
B.Information gathering and vulnerability identification
C.Attacking and exploiting
D.Reporting and communication

A

A.Planning and scoping

Explanation:
This discussion should have occurred during the planning and scoping phase. The penetration testing firm and the client should have agreed upon the rules to complete the assessment before the test began. This information should have been recorded in a written statement of work (SOW) that clearly identified the tools and techniques the penetration testers were allowed to use and the risks of using them.

118
Q

Which of the following is a document defined during the planning and scoping phase of a penetration test that identifies specific techniques, tools, activities, deliverables, and schedules for the test?

A.MSA
B.NDA
C.Memorandum of understanding
D.SOW

A

D.SOW

Explanation:
A statement of work (SOW) is an agreement that should be defined during the planning and scoping phase of a penetration test. It contains a working agreement between the penetration tester and the client that identifies specific techniques, tools, activities, deliverables, and schedules for the test. It may be used in conjunction with an existing master services agreement (MSA).

119
Q

Which of the following types of assessments would provide a penetration tester with access to the configuration of a network firewall without requiring the tester to actually compromise that firewall?

A.Gray box
B.Red team
C.Black box
D.White box

A

D.White box

Explanation:
A white box penetration test provides complete access to the internal network, including configuration settings of key infrastructure devices such as routers, switches, access points, and servers. For this reason, white box tests are sometimes referred to as full-knowledge tests because they provide full access and visibility.

120
Q

You are the CIO of a startup company. You have selected a penetration testing firm that you want to use to run the company’s first penetration test. However, the founder of the company gets upset upon finding out about your plans. The founder is concerned that proprietary information about the company’s products may leak out through the contractor to competitors. Which document should you ask the contractor to sign to keep this from happening?

A.NDA
B.Noncompete agreement
C.MSA
D.SOW

A

A.NDA

Explanation:
A nondisclosure agreement (NDA) is a legal agreement that protects information that a contractor may discover during a penetration test. It forbids the contractor from revealing such information to unauthorized parties.

121
Q

Which of the following threat actors is probably the least dangerous based on the adversary tier list?

A.Hacktivist
B.Malicious insider
C.Script kiddie
D.Nation-state actor

A

C.Script kiddie

Explanation:
A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.

122
Q
Which of the following threat actors is probably the most dangerous based on the adversary tier list? 
A.Hacktivist
B.Malicious insider 
C.Organized crime actor 
D.APT
A

D.APT

Explanation:
Advanced persistent threats (APTs) are often sponsored by nation-states and thus are very well funded and have access to high-end technical resources and knowledge. As such, an APT typically poses the greatest threat of all the actors on the adversary tier list.

123
Q

You are running a penetration test for a client. You are using your penetration testing toolkit running on a personal laptop to conduct scans on various network infrastructure devices, including servers, routers, and switches. Suddenly, the network has gone dark. You can no longer access any devices on the client’s network. Which of the following could explain what has happened?

A.Your scans crashed a perimeter router.
B.Your scans crashed a switch on the network backbone.
C.Your laptop’s IP address got whitelisted.
D.Your laptop’s IP address got blacklisted.

A

D.Your laptop’s IP address got blacklisted.

Explanation:
In this scenario, your scans were detected by an intrusion prevention system (IPS), and the IP address used by your laptop was put on a blacklist. The IPS (or the firewall it feeds) now drops every packet from that address, so the whole network appears to have gone dark even though nothing on it has failed. A crashed perimeter router or backbone switch would affect other users as well, not only your laptop, and being whitelisted would make you more reachable, not less. This is why the rules of engagement should state whether the client may shun or blacklist the testers during the assessment.

124
Q

You work for a penetration testing consulting firm and are negotiating with a potential client. The client has suggested that your organization sign an MSA with their organization. What should you do?

A.Celebrate! This means the client wants to engage your firm for multiple engagements.
B.Inform your employer that the deal likely won’t go through.
C.Warn your employer that the potential client will likely try to sue your firm.
D.Terminate negotiations with the client.

A

A.Celebrate! This means the client wants to engage your firm for multiple engagements.

Explanation:
A master services agreement (MSA) defines general terms that will apply to multiple future agreements. Therefore, an MSA is essentially a contract that defines the terms under which future work will be completed. Specific projects governed by the MSA will be defined by a statement of work (SOW). The fact that the client wants to sign an MSA indicates that they probably want to use your firm for multiple engagements.

125
Q

You are performing a white box penetration test for a client. You arrive at the client’s site and plug your laptop into an open network jack. However, your laptop receives only limited connectivity on the client’s network. You run the ipconfig command and notice that your laptop has received an IP address, but you can see only one other host on the network. Why did this happen?
A.Your laptop was detected by the client’s intrusion prevention system (IPS) and has been blacklisted.
B.The client’s network access control (NAC) system has quarantined your laptop on a remediation network.
C.Your laptop was detected by the client’s intrusion detection system (IDS) and has been blacklisted.
D.The client has enabled MAC address filtering on their network switches.

A

B.The client’s network access control (NAC) system has quarantined your laptop on a remediation network.

Explanation:
Most likely, the client has implemented a network access control (NAC) system. Your laptop didn’t meet the criteria required by NAC to connect to the secure network, so it was quarantined on an isolated remediation network where it can access a remediation server (the other host on the network) to come into compliance.

126
Q
A team of testers is conducting an assessment for an organization. The team is not concerned with assessing a broad range of vulnerabilities. Instead, they are conducting a coordinated attack governed by very narrow objectives. The rules of engagement specify that they can use physical, electronic, and social exploits to achieve their objective. What kind of penetration test is happening in this scenario? 
A.Compliance-based penetration test 
B.White box penetration test 
C.Gray box penetration test 
D.Black box penetration test
E.Red team penetration test
A

E.Red team penetration test

Explanation:
In this scenario, a red team penetration test is being conducted. A red team assessment usually has narrow objectives, rather than trying to comprehensively identify and test all possible vulnerabilities. A red team assessment may use a coordinated attack coming from many different vectors to achieve those objectives. The team may be allowed to use a wide variety of tools and techniques to accomplish this, including technological, physical, and social exploits.

127
Q

You are conducting a black box penetration test for a client. The client leases its office space in a building shared with other tenants. You are sitting in your car in a parking lot in front of the client’s offices scanning for wireless network signals emanating from the building. You have identified five separate SSIDs. You don’t know which one belongs to your client, so you decide to clandestinely connect to all of them and then run some simple scans to isolate which one is your client’s wireless network. What did you do incorrectly in this scenario?

A.Sitting in a car in front of the client’s offices will likely draw suspicion.
B.A gray box test would have been more effective in this scenario.
C.Wireless signals emanating outside of a building are usually too weak to be of use.
D.You are attacking wireless networks that are out of scope.

A

D.You are attacking wireless networks that are out of scope.

Explanation:
Knowing which SSIDs are in scope is critical when conducting a penetration test within a shared facility with many tenants. Compromising the wrong wireless network is illegal and could result in prosecution and/or a lawsuit.

128
Q

Which of the following threat actors typically have the financial resources and technical expertise required to develop their own extensive exploits? (Choose two.)

A.Organized crime 
B.Malicious insider 
C.Script kiddie 
D.Nation-state actor 
E.Hacktivist
A

A.Organized crime
D.Nation-state actor

Explanation:
Organized crime and nation-state threat actors typically have access to extensive financial resources and technical expertise, which often allows them to develop their own custom exploits that aren’t used by anyone else.

129
Q

Which of the following threat actors exploits the trust that has been legitimately granted to them by an organization to compromise that organization’s information or systems?

A.Organized crime 
B.Malicious insider 
C.Script kiddie 
D.Nation-state actor 
E.Hacktivist
A

B.Malicious insider

Explanation:
A malicious insider is typically an employee or a contractor that has been legitimately granted a degree of access to an organization’s information and systems. The malicious insider exploits this trust and uses it to compromise the organization’s information or systems.

130
Q

Which of the following threat actors typically lacks the technical expertise to develop their own exploits and must rely on prewritten code downloaded from the Internet?

A.Organized crime
B.Hacktivist
C.Script kiddie
D.Nation-state actor

A

C.Script kiddie

Explanation:
A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.

131
Q

You are conducting a white box penetration test. The scope of test specifies that the test will be conducted against the organization’s switches, routers, and firewalls. As the assessment is nearing completion, the client asks you to use the time remaining to also test her email servers. What has occurred in this scenario?

A.Pivoting
B.Goal-based testing
C.Scope creep
D.Objectives-based testing

A

C.Scope creep

Explanation:
In this scenario, the client has asked you to go beyond the agreed-upon test scope. This is an example of scope creep, and it is a common occurrence in IT contracting. In this scenario, you could respond in one of two ways. First, you could simply reject the request as being out-of-scope. Alternatively, you could ask the client to include the email servers in an addendum to the existing contract for an additional fee.

132
Q

You are conducting a penetration test of an organization that processes credit cards. The client has asked that the scope of the test be based on the PCI-DSS standard. What type of assessment is occurring in this scenario?

A.Compliance-based assessment
B.Objectives-based assessment
C.Red team assessment
D.Goals-based assessment

A

A.Compliance-based assessment

Explanation:
The PCI -DSS standard is an industry standard for ensuring that organizations that process credit cards comply with certain security requirements. Because you are testing the client’s adherence to these requirements, you are conducting a compliance-based assessment.

133
Q

You are negotiating an upcoming penetration test with a new client. In the agreement, you have included language that specifies that the results of the test are valid only at the point in time when the test was performed. Why is this language in the agreement?

A.The penetration test could take critical systems offline.
B.It could take some time to remediate the network after the test is complete.
C.Future technological changes could expose new vulnerabilities that are currently unknown.
D.The penetration test will use the same tools and techniques available to real attackers.

A

C.Future technological changes could expose new vulnerabilities that are currently unknown.

Explanation:
The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted, because future technological changes could expose new vulnerabilities that are currently unknown. You can’t be held liable if new exploits or vulnerabilities appear at a later point in time, after the test is complete.

134
Q

You are negotiating an upcoming penetration test with a new client. In the agreement, you have included language that specifies that the scope and methodology requested by the client can impact the comprehensiveness of the test. Why is this language in the agreement?

A.It could take some time to remediate the network after the test is complete.
B.The rules of engagement and the type of assessment used could preclude some vulnerabilities from being discovered.
C.The penetration test will use the same tools and techniques available to real attackers.
D.The rules of engagement and the type of assessment used should ensure that all known vulnerabilities are identified.

A

B.The rules of engagement and the type of assessment used could preclude some vulnerabilities from being discovered.

Explanation:
The amount of information uncovered in a penetration test is heavily dependent upon the rules of engagement and the type of assessment used. For example, a white box test usually provides more complete information than a black box test can. Likewise, if certain systems and devices are identified as out of scope, then any vulnerabilities they harbor will not be discovered. This language in the agreement is intended to protect you in the event a vulnerability is identified in an out-of-scope system after the test is complete.

135
Q

You are negotiating an upcoming penetration test with a new client. They have requested that you perform a “zero knowledge” test of their network. Which type of penetration test should you perform?

A.Black box
B.Grey box
C.White box
D.Compliance based

A

A.Black box

Explanation:
A black box test is sometimes referred to as a zero knowledge assessment because the penetration testers have little or no knowledge of the client’s network. This type of assessment best emulates a real-world external attack.

136
Q

You are negotiating an upcoming penetration test with a new client. They have requested that you perform a “partial knowledge” test of their network. Which type of penetration test should you perform?

A.Black box
B.Grey box
C.White box
D.Objectives based

A

B.Grey box

Explanation:
A gray box test is sometimes referred to as a partial knowledge assessment because the penetration testers have some knowledge of the client’s network, but they don’t have the full picture. This type of assessment best emulates a real-world malicious insider attack.

137
Q
You are negotiating an upcoming penetration test with a new client. They have requested that you perform a “full knowledge” test of their network. Which type of penetration test should you perform? 
A.Black box 
B.Grey box 
C.White box 
D.Goal based
A

C.White box

Explanation:
A white box test is sometimes referred to as a full knowledge assessment because the penetration testers have full knowledge of the client’s network, including administrative access to all infrastructure devices and servers. This type of assessment usually provides the most comprehensive results because the testers do not need to spend time in discovery mode. They have all the information they need to immediately begin an extensive assessment.

138
Q

You are scoping an upcoming white box penetration test with a new client. Their network employs network access control (NAC) using IPSec. Which technique will your penetration testers need to use to enable them to access the secure internal network protected by NAC?

A.Certificate pinning
B.Session hijacking
C.Man-in-the-middle
D.Cross-site scripting

A

A.Certificate pinning

Explanation:
When NAC is enforced with IPsec, a device (such as a desktop or laptop) must prove that it meets company security policy before it is allowed to talk to hosts on the secure internal network. Compliant devices are issued a digital certificate that the IPsec policy on internal hosts requires; noncompliant devices are placed on an isolated remediation network until they come into compliance. For a white box test, the client can exempt the testers’ systems by issuing them that certificate directly (the book calls this certificate pinning), so the testers do not have to prove compliance every time they connect. Note that outside this book’s usage, certificate pinning normally means a client hard-coding the server certificate or public key it will accept (for example, a mobile app rejecting any TLS certificate other than the expected one); it is not a NAC bypass technique, so confirm the intended arrangement with the client while scoping.

139
Q

You work for a penetration testing firm. You have been scoping an upcoming penetration test with a client. You have worked with the CIO to identify the scope of the assessment, such as in- and out-of-scope systems, the methodology to be used, the techniques allowed, and the schedule. You have a final draft of the agreement ready to be signed. Who should sign it?

A.The proper signing authority
B.The IT manager
C.The CIO
D.Any help-desk staff can sign off on the agreement.

A

A.The proper signing authority

Explanation:
The proper signing authority within the client’s organization is the only person authorized to agree to the penetration test scope. Who this actually is varies from organization to organization, so you need to verify that the person who signs the agreement actually holds that authority. Don’t assume that a given individual is authorized based on their job title alone.

140
Q

You work for a penetration testing firm. You have been scoping an upcoming penetration test with a client. Within the scope document, you include verbiage warning that the methodology and techniques used for this test could potentially take critical systems offline for a period of time. You ask the client to confirm that this is acceptable. What is this an example of?

A.Assessing impact tolerance
B.A comprehensiveness disclaimer
C.A point-in-time disclaimer
D.Rules for completing the assessment

A

A.Assessing impact tolerance

Explanation:
In this example, you are assessing the client’s tolerance for impacts. By including this verbiage within the scope, you protect your organization from litigation if the penetration test truly does knock critical systems offline.

141
Q

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. You have specified that the target may not employ shunning or blacklisting during the test. You have specified that the target must provide you with internal access to the network, a network map, and authentication credentials. You have also specified that applications provided by a SaaS service provider will be in-scope during the test. From whom do you need written authorization to perform this test? (Choose two.)

A.The target organization
B.The Internet Corporation for Assigned Names and Numbers (ICANN)
C.The American Registry for Internet Numbers (ARIN)
D.The SaaS service provider
E.The Public Interest Registry (PIR)

A

A.The target organization
D.The SaaS service provider

Explanation:
Because the test will include both the target organization’s network as well as service provided by the third-party SaaS provider, you must obtain written permission from both entities before performing the penetration test. Failure to obtain either one could expose you to prosecution and/or litigation.

142
Q

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. This will be an internal test. No third parties may be involved. Which of the following resources could be considered in-scope for the assessment? (Choose two.)

A.The wireless networks used by neighboring organizations
B.The key management system they use to store encryption keys
C.The organization’s Internet service provider (ISP)
D.Their Amazon Web Service (AWS) content delivery system
E.Their router configurations

A

B.The key management system they use to store encryption keys
E.Their router configurations

Explanation:
The scope of the engagement in this scenario is limited to the internal network infrastructure. The organization’s ISP, Amazon Web Services, and their neighbors’ wireless networks are all owned by third parties and are therefore considered out of scope.

143
Q

You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a gray box assessment. This will be an internal test. What limitations might you expect to encounter as you conduct the assessment? (Choose two.)

A.You will have limited network access.
B.You will experience pushback from the internal IT staff.
C.You will have limited storage access.
D.You will not be allowed to enter the organization’s facility.
E.You will not be allowed to run vulnerability scans in the organization’s network infrastructure devices, such as servers, routers, and switches

A

A.You will have limited network access.
C.You will have limited storage access.

Explanation:
Because this is a gray box test, you can expect to have limited network access and limited storage access. Essentially, you can expect to have a level of knowledge and access similar to what the average employee within the organization would have.

144
Q
A security analyst receives an outline of the scope of an upcoming penetration test. This document contains the times that each can be scanned as well as the IP addresses. What document would contain this information? 
A.Business impact analysis (BIA) 
B.Master service agreement (MSA) 
C.Request for proposal (RFP) 
D.Rules of engagement (RoE)
A

D.Rules of engagement (RoE)

Explanation:
The rules of engagement include the following:
The timeline when testing will be conducted
What locations, systems, applications, and other potential targets are to be included/excluded
The data handling requirements for information gathered
What behaviors to expect from the target
What resources are committed to the test
Any legal concerns that should be addressed
When and how communication will occur
Who to contact in case of events
Who is permitted to engage the penetration testing team
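Added example (not from the book): the timeline and in-scope/excluded address lists from the rules of engagement turned into a pre-flight check, so a tester can confirm that a target and a start time are covered before launching anything (the shared-building SSID and scope-creep questions earlier in this chapter are the same check applied to wireless networks and servers). The client, the RFC 5737 documentation addresses, the excluded appliance and the Monday-to-Friday overnight window are all constructed assumptions.

```python
"""Pre-flight check of a target and a start time against the rules of
engagement, so nothing is scanned outside the agreed windows or ranges."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed RoE excerpt for a hypothetical client (RFC 5737 documentation
# addresses); a real engagement would load this from the signed document.
IN_SCOPE = [ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
EXCLUDED = [ip_network("203.0.113.250/32")]   # e.g. a third-party-hosted appliance


@dataclass(frozen=True)
class Window:
    """A recurring testing window. days holds the weekdays (0=Monday) on which
    the window opens; a window whose end is earlier than its start wraps past
    midnight into the following day."""
    days: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:
            return when.weekday() in self.days and self.start <= t < self.end
        if t >= self.start:                      # evening part, on a listed day
            return when.weekday() in self.days
        if t < self.end:                         # morning part, the day after
            return (when.weekday() - 1) % 7 in self.days
        return False


# Constructed: Monday to Friday nights, 22:00 until 06:00 the next morning.
WINDOWS = [Window(frozenset(range(0, 5)), time(22, 0), time(6, 0))]


def scope_status(target: str) -> str:
    """Exclusions win over inclusions: the RoE lists them precisely to carve
    hosts out of an otherwise in-scope range."""
    ip = ip_address(target)
    if any(ip in net for net in EXCLUDED):
        return "excluded"
    if any(ip in net for net in IN_SCOPE):
        return "in_scope"
    return "not_listed"


def _as_datetime(when) -> datetime:
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def in_window(when) -> bool:
    when = _as_datetime(when)
    return any(w.contains(when) for w in WINDOWS)


def authorize(target: str, when) -> str:
    """Return 'go' or the reason to stop. Scope is checked first: testing an
    excluded or unlisted host is a legal problem, a bad time is a scheduling one."""
    status = scope_status(target)
    if status == "excluded":
        return "stop: target explicitly excluded by RoE"
    if status == "not_listed":
        return "stop: target not in any in-scope range"
    if not in_window(when):
        return "hold: outside agreed testing window"
    return "go"


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", "2024-05-07T23:15"),    # Tuesday 23:15
        ("203.0.113.7", "2024-05-08T03:00"),    # Wednesday 03:00, still Tuesday's window
        ("203.0.113.7", "2024-05-08T09:00"),    # Wednesday 09:00
        ("203.0.113.250", "2024-05-07T23:15"),  # the excluded appliance
        ("192.0.2.1", "2024-05-07T23:15"),      # never listed
    ]
    for target, when in checks:
        print(f"{target:15} {when} -> {authorize(target, when)}")
```

Run the check with the RoE's own time zone; if the client operates across zones, the document should say which one the windows are written in.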

145
Q

A security analyst is planning on using black box penetration testing. This type of strategy will provide the tester with which of the following?

A.Privileged credentials
B.A network diagram
C.Source code
D.Nothing; they must do their own discovery.

A

D.Nothing; they must do their own discovery.

Explanation:
Black box tests, sometimes called zero knowledge tests, are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would.

146
Q

A client has requested an external network penetration test, but during the discussion between the penetration tester and the client, the client is reluctant to add the tester’s source IP address to their IPS whitelist for the duration of the test. Which argument best describes why the tester’s source IP address should be on the client’s IPS whitelist?

A.IPS whitelisting rules require regular updates to keep current, to address constantly developing vulnerabilities and newly discovered weaknesses.
B.Penetration testing of third-party IPS systems often requires additional authorization and documentation, which can potentially delay the time-sensitive test.
C.Testing should focus on the discovery of potential security issues through all in-scope systems, not just on determining the effectiveness of active defenses such as the IPS.
D.Whitelisting prevents a possible unintentional DoS attack against the IPS and supporting log-monitoring systems.

A

C.Testing should focus on the discovery of potential security issues through all in-scope systems, not just on determining the effectiveness of active defenses such as the IPS.

Explanation:
Whitelisting testers in intrusion prevention systems (IPSs), web application firewalls (WAFs), and other security devices will allow them to perform their tests without being blocked. For a white box test, this means that testers won’t spend time waiting to be unblocked when security measures detect their efforts. Black box and red team tests are more likely to result in testers being blacklisted or blocked by security measures. In this scenario, the penetration tester should tell the client that testing should focus on the discovery of potential security issues through all in-scope systems and not just on determining the effectiveness of active defenses such as the IPS.

147
Q

A security analyst is attempting to construct specialized XML files to test the security of the parsing functions of a Windows application during testing. Before starting to test the application, which of the following should the analyst request from the client?

A.A protocol fuzzing utility
B.Software development kit (SDK) for specific applications
C.Samples of the Simple Object Access Protocol (SOAP) project files
D.The Representational State Transfer (REST) application programming interface (API) documentation

A

C.Samples of the Simple Object Access Protocol (SOAP) project files

Explanation:
SOAP is an API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents. Having a good reference of what a specific API supports can be valuable for a penetration tester. This question specifically asks about XML files, so the SOAP project files would be the most beneficial.

148
Q
When planning for an engagement, which of the following are the most important? (Choose two.) 
A.Architectural diagrams 
B.Company policies
C.Goals/objectives 
D.Storage time for a report 
E.Tolerance to impact
A

B.Company policies
E.Tolerance to impact

Explanation:
Knowing the company policies and their tolerance to impact are two of the most important items to know when planning for an engagement. The others are important, but this scenario is asking for the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

149
Q

Which of the following statements would come from a client’s corporate policy?
A.That the corporate systems must store passwords using the MD5 hashing algorithm
B.That employee passwords must contain a minimum of eight characters, with one being alphanumeric
C.The phone number to contact the help desk to perform password resets
D.That in order to access corporate assets, employees must use strong passwords

A

A.That the corporate systems must store passwords using the MD5 hashing algorithm

Explanation:
A company policy, also known as a corporate policy, is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm’s objectives, operations, and plans. It is created by the company’s board of directors. Corporate policy lays down the company’s response to known and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company’s officers in achievement of its objectives. In this scenario, the corporate policy should be detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.

150
Q
You are a performance tester, and you are discussing performing compliance-based assessments for a client. Which is an important key consideration? 
A.Any additional rates
B.Any company policies 
C.The industry type 
D.The impact tolerance
A

A.Any additional rates

Explanation:
Budgeting is a key factor of the business process of penetration testing. A budget is required to complete a penetration test and is determined by the scope of the test and the rules of engagement. For internal penetration testers, a budget may just involve the allotted time for the team to perform testing. For external testers, a budget usually starts with the estimated number of hours based on the intricacy of the testing, the size of the team, and any associated costs.

151
Q

You are a penetration tester, and you are discussing with the client the importance of maintaining confidentiality of any findings when performing a penetration test. Why is it important to maintain confidentiality when performing penetration tests?

A.Findings are legal documents containing privileged information.
B.Findings can assist an attacker in compromising a system.
C.Findings often contain company intellectual property.
D.Findings could lead to consumer discontent if results are made public.

A

B.Findings can assist an attacker in compromising a system.

Explanation:
Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain confidentiality of findings. If an attacker were to receive word of findings during a penetration test, they could use those to compromise your client’s system.

152
Q
A penetration tester is currently in the middle of a test when the client asks the tester to add more addresses. Which of the following defines the target list that the tester can follow?
A.The end-user license agreement 
B.The master services agreement (MSA) 
C.The rules of engagement (RoE) 
D.The statement of work (SOW)
A

D.The statement of work (SOW)

Explanation:
A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.

153
Q
You are planning on setting up a security assessment. Which of the following has a major impact on the budget of the assessment? 
A.Compliance requirement 
B.Scheduling 
C.Scoping 
D.Target risk
A

C.Scoping

Explanation:
The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.

154
Q
A penetration tester has been asked by a client to imitate a recently laid-off help desk technician. What best describes the abilities of a threat actor? 
A.Advanced persistent threat (APT) 
B.Hacktivist
C.Organized crime 
D.Script kiddie
A

A.Advanced persistent threat (APT)

Explanation:
An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

155
Q

A penetration tester should have a customer’s contact information available at all times. Which of the following should penetration testers immediately report to their client? (Choose three.)

A.Report any critical findings.
B.Report a cracked password.
C.Report findings that cannot be exploited.
D.Report indicators of compromise.
E.Report the latest published exploits.
F.Report a server that becomes unresponsive.

A

A.Report any critical findings.
D.Report indicators of compromise.
F.Report a server that becomes unresponsive.

Explanation:
A penetration tester will want to immediately report more serious issues with the client directly. Some of these will be documented in the report to the client at the end of testing; however, there are a few times when a penetration tester should call the client immediately, and they are as follows: to report any critical findings, report any indicators of compromise, or to report if the server becomes unresponsive to the testing.

156
Q

A client has recently come to you voicing concern over a large number of companies being compromised by remote attackers who are looking for trade secrets. What best describes the types of adversaries that would be looking for trade secrets?

A.Advanced persistent threat (APT) actors
B.Hacktivist groups
C.Insider threats
D.Script kiddies

A

A.Advanced persistent threat (APT) actors

Explanation:
An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.

157
Q
You are a penetration tester, and a company has asked you to perform a web application penetration test. The company has asked you to discover any vulnerabilities. The company has now come to you and asked if you will review additional code and check for updates to firewall settings. What is the client asking you to do? 
A.Post-mortem review 
B.Risk acceptance 
C.Scope creep 
D.Threat prevention
A

C.Scope creep

Explanation:
Scope creep, or the addition of more items and targets to the scope of the assessment, is a constant menace for penetration testing. During the scoping phase, a tester is unlikely to know all of the details of what may be uncovered, and during the assessment itself, a tester may encounter unexpected new targets. Scope creep refers to how a project’s requirements tend to increase over a project life cycle.

158
Q
A penetration tester is preparing to conduct API testing. Which of the following would be the most beneficial when preparing for this engagement? 
A.Nikto
B.Swagger 
C.Web Application Archive (WAR) 
D.W3AF
A

B.Swagger

Explanation:
Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.

159
Q

Lockheed Martin developed the framework that is part of the Intelligence Driven Defense model for identification and prevention of cyber intrusions activity. This model identifies what the adversaries must complete in order to achieve their objective. This model is known as the Cyber Kill Chain model and is made up of seven parts. Which of the following is the first stage of the Cyber Kill Chain, when the attacker is assessing the target from outside of the organization from both a technical and nontechnical perspective?

A.Exploitation
B.Installation
C.Reconnaissance
D.Weaponization

A

C.Reconnaissance

Explanation:
There are seven steps of the Cyber Kill Chain that enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures. The Cyber Kill Chain is a methodology for understanding how an attacker will conduct the activities necessary to cause harm to an organization. An understanding of the Cyber Kill Chain will greatly assist an information security professional in establishing strong controls and countermeasures, which will serve to protect their organization’s assets. This question describes the Reconnaissance phase, the first stage of the Cyber Kill Chain. In this stage, the attacker is assessing the target from outside of the organization from both a technical and nontechnical perspective. In this stage, the attacker is working to determine which targets will return the most benefit for the resources expended in exploiting the target’s information systems. The attacker will be looking for information systems with few protections or exploitable vulnerabilities.

160
Q

During what phase of the Cyber Kill Chain does an attacker steal sensitive information, use unauthorized computing resources to engage in denial-of-service attacks, or modify information?

A.The Actions on Objectives phase
B.The Command and Control phase
C.The Delivery phase
D.The Exploration phase

A

A.The Actions on Objectives phase

Explanation:
The Actions on Objectives stage of the attack also may include the theft of sensitive information, the unauthorized use of computing resources to engage in denial-of-service attacks, or the unauthorized modification/deletion of information. The attacker carries out their original intentions to violate the confidentiality, integrity, and/or availability of information or systems during the Actions on Objectives stage of the Cyber Kill Chain.

161
Q

A penetration tester is in the middle of conducting a penetration test specifically scoped to a single web application. The tester learns that the web server also contains a list of passwords to other servers at the target location. The tester notifies the client. The client then asks the tester to validate those servers. What has occurred once the tester proceeds with testing the passwords against the other servers?

A.Threat hunting
B.Pivoting
C.Scope creep
D.Target expansion

A

C.Scope creep

Explanation:
Scope creep occurs when additional items are added to the scope of an assessment. The tester has gone beyond the scope of the initial assessment agreement.

162
Q

You are a penetration tester. You are looking at the type of penetration test that is not meant to identify as many vulnerabilities as possible but instead concentrates on the vulnerabilities that specifically align with the goals of gaining control of specific systems or data. What type of assessment are you looking at running?

A.Goals-based assessments
B.Compliance-based assessments
C.Objectives-based assessments
D.Red team assessments

A

D.Red team assessments

Explanation:
Red team assessments are usually more targeted than normal penetration tests. Red teams attempt to act like an attacker by targeting sensitive data or systems with the goal of acquiring data and access. Red team assessments are not intended to provide details of all the security flaws that a target has. Red teams can be useful as a security exercise to train incident responders or to help validate security designs and practices.

163
Q

You are a penetration tester and have been asked to test an organization that uses an authentication method that associates hosts with their public keys. What type of authentication technique is the organization using?

A.Certificate pinning
B.Self-signed server authentication
C.SSL handshake
D.X.509 bypassing

A

A.Certificate pinning

Explanation:
Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.

164
Q
An attacker has attacked a government agency because he or she is unhappy with a new law that has been passed. What type of threat actor is this? 
A.Script kiddie 
B.Hacktivist 
C.Organized crime 
D.Nation-state
A

B.Hacktivist

Explanation:
Hacktivists may want to make a political or social point. Hacktivists aren’t typically doing attacks for money. They are individuals or groups of hackers who get together and see themselves as fighting for injustice. Hacktivists employ the same tools and tactics as hackers.

165
Q
You have been asked to perform a penetration test on a large, complex IT infrastructure. Some of the scope may include contents found on a cloud network hosted by a cloud provider. What will be needed to perform this type of testing? 
A.Authorization from the client only 
B.Third-party authorization 
C.Environmental differences
D.Data ownership
A

B.Third-party authorization

Explanation:
Additional authorization may be needed for many penetration tests, especially those that involve complex IT infrastructure. Third parties are often used to host systems such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS) cloud providers. A penetration test could impact these providers. This is why it is crucial to determine what/if third-party providers or partners may be in scope and to obtain authorization. If third parties are involved, you will also want to make sure that both the client and the third party are aware of any potential impacts from the penetration test.

166
Q

You have been asked to perform a penetration test for a client. You need a legal document that is used to protect the confidentiality of the client’s data and other information that you may encounter. What is this legal document called?

A.Noncompete agreement
B.Nondisclosure agreement (NDA)
C.Master services agreement (MSA)
D.Statement of work (SOW)

A

B.Nondisclosure agreement (NDA)

Explanation:
A nondisclosure agreement (NDA) is a legal document that is designed to protect the confidentiality of the client’s data and other information that the penetration tester may encounter during the test.

167
Q

You have been asked to perform a penetration test for a client. You need a document that will set the overall terms between the two organizations. This will also be used for future work between your organizations as you plan on setting up a support agreement. What is this document called?

A.Noncompete agreement
B.Nondisclosure agreement (NDA)
C.Master services agreement (MSA)
D.Statement of work (SOW)

A

C.Master services agreement (MSA)

Explanation:
A master services agreement (MSA) sets the overall provisions between two organizations. Many organizations also create an MSA that defines the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. MSAs are common when organizations anticipate working together over a period of time or when a support agreement is created.

168
Q

You are a penetration tester, and you are performing an on-site penetration test. What scoping element do you need to know for a wireless assessment when working on-site in a shared building?

A.The encryption type
B.The frequency of the wireless network
C.Any preshared keys
D.The service set identifiers (SSIDs)

A

D.The service set identifiers (SSIDs)

Explanation:
It is vital to know which service set identifiers (SSIDs) belong to your target and which are invalid targets. Knowing which subnets or IP ranges are in scope is also important to avoid targeting the wrong network or going outside of the penetration test’s scope. Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal consequences.