Pen Test

Question 1

Security Assessment

Answer 1

Any test performed in order to assess the level of security on a network or system

Question 2

Security Audit

Answer 2

Tests whether an organization is following security policies and procedures

Question 3

Vulnerability Assessment

Answer 3

Scans and tests for existing vulnerabilities but does not intentionally exploit any of them

Question 4

Pen test

Answer 4

Scans and tests for existing vulnerabilities AND DOES intentionally exploit them. A signed agreement outlining the scopes and limitations of the pen test should be in place before the test is conducted. A service level agreement (SLA) needs to cover all possibilities.

Question 5

External Pen Test

Answer 5

Analyzes publicly available information and conducts network scanning, enumeration, and testing from the network perimeter, usually from the Internet

Question 6

Internal Pen Test

Answer 6

Performed from inside the organization

Question 7

Red Team

Answer 7

Offensive

Question 8

Blue Team

Answer 8

Defensive

Question 9

Automated Pen Testing tools

Answer 9

Core Impact Pro
Codenomicon
Metasploit
CANVAS

Question 10

Comprehensive PenTest Report

Answer 10

1. An executive summary of the organizations overall security posture under the auspices of FISMA, DIACAP, RMF, HIPAA
2. The name of all participants and the dates of all tests
3. A list of findings, presented in order of highest risk
4. An analysis of each finding and recommended mitigation steps
5. Log files and other evidence with screenshots

Question 11

Insider Threats

Answer 11

Pure Insider - an employee
Insider Associate - contractor, guard, cleaning service
Insider Affiliate - spouse, friend or client of an employee
Outside Affiliate - someone outside who uses an open channel to gain access