Michael Solomon CompTIA Pentest+ Quiz 1 Flashcards

1
Q
Which of the following would NOT be a risk of pen testing?
A.Compromising passwords
B.Crashing a service
C.Corrupting data
D.Degrading performance
A

A.Compromising passwords

A risk of pen testing is any outcome that is undesirable for the pen test client. A pen tester being able to compromise passwords is a desirable outcome. Crashing a service, corrupting data, and degrading performance are all examples of undesirable outcomes that are risks associated with pen testing.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Should you, as a pen tester, communicate your intentions to conducts tests to the potentially impacted administrators and users?
A.Yes, to avoid conflict if systems are impacted
B.Generally, yes, unless the testing plan requires that you withhold notification
C.No, in to avoid altering normal behavior
D.No. You should only inform the project sponsor

A

B.Generally, yes, unless the testing plan requires that you withhold notification

Whether or not you notify your intended victims of an attack depends on the client’s wishes. If the client (project sponsor) wants your tests to be conducted in secret, you should not inform administrators or users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
Which component of pen testing planning has the greatest impact on available resources and time? 
A.Scope
B.Schedule 
C.Budget
D.Constraints
A

C.Budget

The amount of money available for any project has the greatest impact on the resources available and how quickly project tasks can be completed. In general, schedule can be compressed with more money that can be used to acquire more resources. Constraints are statements of fact that enumerate any known restrictions on a project.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
What type of file contains valuable information about web services interface requirements? 
A.SDK
B.XSD
C..service
D.WSDL
A

D.WSDL

A Web Services Definition Language (WSDL) file contains descriptive information about web services, including interface requirements. An SDK is a collection of software and documentation, an XSD file describes the content of an XML document, and there is no standard file with the name .service

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q
Which type of agreement is a high-level contract between a service provider and consumer that includes details of the business arrangement? 
A.SOW
B.NDA
C.MSA
D.PII
A

C.MSA

The Master Service Agreement (MSA) is the primary agreement between a service provider and a consumer that defines the high-level business arrangement. An SOW is a description of the scope of a specific endeavor, an NDA is an agreement to keep confidential information secret, and PII is personally identifiable information, not an agreement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is the most important requirement of planning and scoping a penetration test engagement?
A.Get written authorization for activities
B.Get an approved project schedule
C.Enumerate potential targets
D.Assign a project sponsor

A

A.Get written authorization for activities

The most important requirement of the planning and scoping phase of a penetration test engagement is to get written authorization for all activities. You must have permission from the resource owners before conducting any tests. The project sponsor should already be the one who is identified to initiate the project. The project schedule and target identification all happen after getting test authorization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q
What is the name of the organized group within an organization that performs penetration tests on an ongoing basis to find any vulnerabilities? 
A.Red team
B.Blue team
C.CIRT
D.Audit task force
A

A.Red team

A red team is a group of internal personnel who work together to identify and exploit any existing vulnerabilities. The team acts in the role of attackers and claims success by compromising any objective using any approved means. Blue teams are organized to defend the organization’s resources and attempts to keep the red team from succeeding. A CIRT (Computer Incident Response Team) is the team that responds to incidents, and there is no formal group names Audit task force.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q
What term describes the situation in which sponsoring organization personnel incrementally add project tasks to the pen test project without going through formal change management? 
A.Progressive elaboration
B.Scope creep
C.Goal alignment
D.Silverplating
A

B.Scope creep

Scope creep happens any time the project scope expands without being formally approved. Scope creep nearly always results in negatively affecting project schedule, budget, and quality. Progressive elaboration describes the process of learning more requirements details as project work progresses and goal alignment refers to the part of project planning in which project goals are aligned with sponsor goals. There is a term, goldplating, which refers to additional unapproved tasks being added to a project, but there is no term ‘silverplating.’

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q
Which type of attacker is motivated by ideology (and not just monetary gain)? 
A.Organized crime
B.Script Kiddie
C.Insider
D.Hacktivist
A

D.Hacktivist.

A hacktivist uses his/her hacking skills to carry out activist activities, motivated by ideology. Script kiddies are generally just looking for notoriety, and both organized crime and insiders most commonly are after monetary gain.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly