Penetration Testing Fundamentals Flashcards
Identify the activity that focuses on real-time attacks instead of discovering a specific vulnerability and demonstrates if attackers can successfully exploit the vulnerabilities in the system.
Penetration Testing
Ginita, a penetration tester, has recently joined the organization, and she is asked to conduct a security assessment to evaluate its overall security. She followed an adversarial goal-based assessment approach, in which she mimicked herself as a real attacker and targeted an environment to perform the testing.
Identify the type of penetration testing approach followed by Ginita in the above scenario.
Red-team-oriented penetration testing approach: This approach is an adversarial goal-based assessment in which the pen tester must mimic a real attacker and target an environment.
Freddy, a penetration tester, plans to perform testing on an organization’s network infrastructure. Before initiating the process, he defined and decided the range of testing, what will be tested, where testing will be performed from, and who will perform testing.
Identify the operation performed by Freddy before initiating the test.
Defining the scope
Jude, a pen tester, was assigned to test the network of an organization. As part of the task, Jude gathered as much information as possible about the organization. This information helped Jude in performing other sophisticated attacks. He employed techniques such as reconnaissance, port scanning, service scanning, and OS scanning to gather the information.
Identify the penetration testing phase Jude was currently executing in the above scenario.
Pre-attack Phase: This phase focuses on gathering as much information as possible about the target. Information can be gathered invasively through, for example, passive and active reconnaissance, port scanning, service scanning, and OS scanning, or it can be gathered noninvasively by, for example, reviewing public records.
In which of the following situations is penetration testing required and conducted by a professional penetration tester?
A new threat to the organization’s infrastructure has been discovered
Richard, a penetration tester, has recently joined the company for initiating the pen testing process. He was a little negligent toward monitoring and responding to incidents during and after the pen test. This resulted in repetitive and unwanted triggering of the incident-handling processes, which disrupted the business continuity of the organization.
Identify the type of risk that evolved in the above scenario as a consequence of the pen test.
Organizational risks: This type of risks can occur as a side effect of penetration testing. It includes the following.
Repetitive and unwanted triggering in the incident-handling processes of the organization
Negligence toward monitoring and responding incidents during or after the pen test
Disruption in business continuity
Loss of reputation
Identify the guideline that addresses the risks associated with penetration testing.
Use partial isolation and replication of target environment
Which of the following activities is implemented to check whether an organization is following a set of standard policies and procedures in protecting its network?
Security audit
Steve, a professional pen tester, was hired by an organization to assess its cybersecurity. The organization provided Steve with details such as network topology documents, asset inventory, and valuation information. This information helped Steve complete the penetration test successfully, and he provided a snapshot of the organization’s current security posture.
Identify the penetration testing strategy followed by Steve in the above scenario.
white-box testing
Which of the following guidelines helps a penetration tester minimize risks and avoid DoS conditions while performing penetration testing?
Use reserved addresses
