Pentest+ Practice Exam Chapter 1 Pre-engagement Activities (Jonathan Ammerman) Flashcards
A company has been hacked, and several e-mails that are embarrassing to the CFO and potentially indicative of criminal activity on their part have been leaked to the press. Incident response has determined that only three user accounts accessed the organization’s mail server in the 24 hours immediately preceding the disclosure. One of these accounts was assigned to an employee who was fired two weeks before the incident. No other access to the system has been found by incident response. What type of threat actor should be considered a likely culprit for this breach first? A.Insider threat B.Advanced persistent threat (APT) C.Hacktivist D.Script kiddie
A.Insider threat
Explanation:
The situation described most likely results from an insider threat. The question indicates that one of the accounts that accessed the system in question belonged to an employee fired two weeks before the e-mails were stolen and the incident occurred. This also highlights the fact that the term “insider” does not necessarily refer to someone currently employed by a company. Here, the “insider” has in fact been fired, but an oversight or other failure (or perhaps another insider who is sympathetic to the fired employee) has left the terminated employee’s credentials active in the system, which means their knowledge of the organizational environment at the time of their termination is still on par with that of current employees. It is also worth considering an insider threat’s primary motivation: an insider threat is usually driven by a personal vendetta, is looking for financial gain, or is conducting espionage for another business or even a nation-state-level actor. Given that no effort was made to profit from the stolen information, and that the access relied on credentials that should have been removed from the system, this scenario is most consistent with the insider threat variety of threat actor. Although it is possible that a hacktivist or other malicious agent would use a false-flag tactic such as impersonating the account of a terminated employee, there is no other evidence in the question, as written, to suggest that to be the case. Therefore, the data present should be taken at face value initially.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 13). McGraw-Hill Education. Kindle Edition.
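The check incident response performed in this scenario (which accounts touched the mail server in the 24 hours before the disclosure, and whether any of them belonged to someone HR had already terminated) is easy to script. The following is an added example, not code from the book; the log format, account names, IP addresses, dates and HR roster are all constructed for illustration, and a real run would pull the roster from the identity system and the events from the mail server's own audit log.

```python
"""Flag mail-server access by accounts that HR records say were terminated.

Added example, not from the book. The log lines, account names, dates and
the HR roster below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed access log: "<UTC timestamp> <account> <client IP> <action>"
SAMPLE_LOG = """\
2019-03-10T08:12:04Z jdoe    10.1.4.22     MAILBOX_OPEN
2019-03-10T09:47:31Z rlee    10.1.4.31     MAILBOX_OPEN
2019-03-10T22:03:18Z mfarrow 198.51.100.7  MAILBOX_OPEN
2019-03-10T22:05:40Z mfarrow 198.51.100.7  MESSAGE_EXPORT
2019-03-11T07:55:02Z jdoe    10.1.4.22     MAILBOX_OPEN
"""

# Constructed HR roster: account -> termination date, or None if still employed.
TERMINATIONS = {"jdoe": None, "rlee": None, "mfarrow": "2019-02-24"}


def _ts(value):
    """Parse an ISO-8601 UTC timestamp or a bare YYYY-MM-DD date."""
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt)


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action = line.split()
        events.append({"ts": _ts(ts), "account": account, "ip": ip, "action": action})
    return events


def events_in_window(events, disclosure, hours=24):
    """Events in the `hours` before the disclosure time (inclusive)."""
    end = _ts(disclosure)
    start = end - timedelta(hours=hours)
    return [e for e in events if start <= e["ts"] <= end]


def accounts_in_window(events, disclosure, hours=24):
    """Distinct accounts that accessed the server in the window."""
    return sorted({e["account"] for e in events_in_window(events, disclosure, hours)})


def terminated_account_activity(events, terminations, disclosure, hours=24):
    """Window events by accounts whose termination date precedes the event.

    Accounts absent from the roster are reported too: an account with no HR
    owner is as suspicious as one belonging to a leaver.
    """
    findings = []
    for e in events_in_window(events, disclosure, hours):
        if e["account"] not in terminations:
            findings.append({**e, "reason": "no HR record"})
            continue
        term = terminations[e["account"]]
        if term is not None and e["ts"] >= _ts(term):
            days = (e["ts"] - _ts(term)).days
            findings.append({**e, "reason": f"terminated {days} days earlier",
                             "days_after_termination": days})
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    disclosure = "2019-03-11T09:00:00Z"
    print("accounts active in window:", accounts_in_window(events, disclosure))
    for f in terminated_account_activity(events, TERMINATIONS, disclosure):
        print(f"{f['ts'].isoformat()}Z {f['account']:8} {f['action']:15} "
              f"{f['ip']:14} {f['reason']}")
```

With the constructed data the window contains exactly three accounts, and the two events by the leaver (including a message export from an external address) are the ones an analyst would pull first. The same join against the roster, run on a schedule rather than after a breach, is also the control that would have caught the un-revoked account before it was used.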
Which step in Microsoft’s published guidance on threat modeling consists of documenting the technologies in use in the architecture of an information systems environment and discovering how they are implemented therein? A.Rate the threats B.Architecture overview C.Identify assets D.Decompose the application
B.Architecture overview
Explanation:
The definition provided best describes the second step of Microsoft’s threat modeling process: architecture overview. This step is defined by a granular analysis of the various technologies in use in an organization’s architecture as well as the method by which they are implemented. Architecture overview is a critical step in threat modeling, as it makes identification of threats much more manageable later in the process. A, C, and D are incorrect. A is incorrect because rating threats is the last step and is highly subjective, depending on the client and the type of environment. Threats are usually assigned a general threat value, such as high, medium, or low. This may be accompanied by a numeric value derived from a simple formula, such as Risk = (Probability) * (Damage Potential). C is incorrect because identification of assets is the first step in Microsoft’s threat modeling framework, consisting of the definition of any organizational assets that are important to the successful execution of business functions or practices. D is incorrect because decomposing the application is the third step and consists of a granular breakdown and analysis of the technologies used by an organization, marked by scrutiny of entry points (such as network ports or protocols) and trust boundaries between interconnected systems. The goal in this step is to develop a security profile that categorizes areas of the architecture that may be susceptible to a general type of vulnerability.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 14). McGraw-Hill Education. Kindle Edition.
In the scoping phase of a penetration testing engagement, how might a penetration tester effectively obtain the information necessary to begin testing?
A.Waiting for the client to tell them
B.Asking previous penetration test providers what they looked at
C.Starting an e-mail chain with business leadership so communications are documented
D.Sending a pre-engagement survey (also known as a scoping document) to the client for them to fill out
D. Sending a pre-engagement survey (also known as a scoping document) to the client for them to fill out
Explanation:
D. A pre-engagement survey—or scoping document—provides a great way to capture information necessary to develop a course of action for a penetration test and can also be used to provide a quote or cost estimate to the client. The pre-engagement survey is an informal document that asks general questions about the organization, its infrastructure, and various technologies that may be in use in the environment. A, B, and C are incorrect. A is incorrect because waiting for a client to volunteer information is a poor approach; a client is often unsure what exactly they require from a penetration test. Using a good scoping document that’s refined and focused with the experience of the testing team is a better approach to help guide new clients. B is incorrect because asking previous penetration testing teams would almost certainly breach multiple nondisclosure agreements (the one between you and the client, and that of the previous team with the same client). C is incorrect because starting an e-mail chain requires you as the penetration tester to continue to ask probing questions to ensure all information required is gathered. It is a far more efficient use of your time as a penetration tester to compile a prewritten list of questions and requests for information for the client organization to fill out in one fell swoop; doing so saves you time on multiple fronts because you can develop a standard form for a pre-engagement survey that you ask all clients to fill out, and then use that time for passive intelligence gathering while waiting for clearance to begin testing or for performing other preparatory activities.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 15). McGraw-Hill Education. Kindle Edition.
Which contractual document is a confidentiality agreement that protects the proprietary information and intellectual property of a business? A. Master service agreement (MSA) B. Statement of work (SOW) C. Nondisclosure agreement (NDA) D. Written authorization letter
C. Nondisclosure agreement (NDA)
Explanation:
A nondisclosure agreement (NDA) is a confidentiality agreement that protects the proprietary information and intellectual property of a business. A, B, and D are incorrect. A is incorrect because a master service agreement (MSA) is a contract between two or more parties that lays out the granular details of future transactions and agreements. This typically addresses conditions such as (but not limited to) payment terms and scheduling, intellectual property ownership, and allocation of risk. B is incorrect because a statement of work (SOW) is a project-specific document issued under an MSA that outlines the work to be executed by a service vendor for an organization. It typically addresses details such as (but not limited to) the purpose of the project, its scope of work, and the period of performance. D is incorrect because a written authorization letter is a document that is typically provided as part of the rules of engagement (ROE) for a penetration test and explicitly details the client organization’s authorization of the assessment to be conducted. This document is a mission-critical piece of legal protection for a penetration tester; without it, one could be exposed to prosecution under laws that criminalize unauthorized access to computer systems, for example the Computer Fraud and Abuse Act (CFAA) in the United States.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 15). McGraw-Hill Education. Kindle Edition.
With respect to penetration testing conducted behind perimeter defenses, what does it mean to be provided limited access?
A.Client personnel will only be available for limited periods of time.
B.Network access to the target systems or networks will only be permitted during predefined hours.
C.The penetration tester is only provided with initial, basic connectivity to target systems.
D.The penetration tester is provided with an administrative user account.
C. The penetration tester is only provided with initial, basic connectivity to target systems.
Explanation:
Limited access refers to a type of starting position during a penetration test wherein the tester (or testers) is provided initial connectivity to the targets in question. This may take the form of a physical network switch connection, the SSID (service set identifier) and password for the organization’s Wi-Fi network, or allow-listing (whitelisting) of the tester’s source IP addresses.
A, B, and D are incorrect. A and B are incorrect because periods of time where testing may not be performed and hours of availability of communication escalation personnel are facts that would be explicitly declared in the rules of engagement for a penetration test. D is incorrect because providing the penetration tester with an administrative user account is an example of privileged-level access, which is a level of network access far exceeding that expected (in this case, limited access to a network or system).
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 16). McGraw-Hill Education. Kindle Edition.
A red team assessment is typically conducted in a manner consistent with what type of threat actor? A. Hacktivist B. Insider threat C. Script kiddie D. Advanced persistent threat
D. Advanced persistent threat
Explanation:
Red team assessments are generally conducted in a manner consistent with the real-world operation of an advanced persistent threat, or APT. A, B, and C are incorrect. Red team assessments are typically meant to emulate the most skilled and dedicated of threat actors, so one would not expect such an assessment to go out of its way to emulate the tactics and methodology typical of hacktivists, insider threats, or script kiddies, who all vary widely in terms of technical ability.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 16). McGraw-Hill Education. Kindle Edition.
As noted in Microsoft’s threat modeling procedures, the formula used to calculate total risk is as follows:
Risk = Probability * Damage Potential
During a penetration test, you identify a vulnerability with a relatively high damage potential (8/10) and an above-average probability of occurrence (7/10). Per the preceding formula, what is the associated risk value for this vulnerability?
A.15
B.1
C.56
D.560
C.56
Explanation:
The risk value for this situation is 56. Using Microsoft’s threat modeling risk formula, Risk = Probability * Damage Potential, we can place known values for Probability (7) and Damage Potential (8) into the formula. Thus, Risk = 7 * 8, or 56.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 17). McGraw-Hill Education. Kindle Edition.
Per Microsoft’s threat modeling system, what would the final risk prioritization be for this vulnerability? A.Medium B.Low C.High D.Urgent
A.Medium
Explanation:
A risk value of 56 corresponds to a medium risk priority (values from 40 through 79) in Microsoft’s threat modeling framework. B, C, and D are incorrect. B is incorrect because a low-risk priority corresponds to a risk value between 1 and 39. C is incorrect because a high-risk priority corresponds to a risk value between 80 and 100. D is incorrect because urgent is not its own risk priority level; instead, urgent is a way of describing items that already carry a high-risk prioritization.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 17). McGraw-Hill Education. Kindle Edition.
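Scoring one finding by hand is easy; the useful version of the two preceding questions is a scorer that rates a whole findings list and sorts it. The following is an added example, not from the book. It implements the simple Risk = Probability * Damage Potential formula with the bands these flashcards use (Low 1-39, Medium 40-79, High 80-100) and, going beyond the flashcards, the DREAD rating from the same Microsoft threat modeling chapter (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability, each rated 1-3 and summed, with High 12-15, Medium 8-11, Low 5-7). The findings list is constructed sample data.

```python
"""Rate and prioritize findings with the risk scoring from Microsoft's
threat modeling guidance.

Added example, not from the book. Bands for the simple formula are the ones
this flashcard set states; DREAD bands are the ones from Microsoft's chapter.
FINDINGS is constructed sample data.
"""

# Simple formula: each factor rated 1-10, product 1-100.
SIMPLE_BANDS = ((80, "High"), (40, "Medium"), (1, "Low"))
# DREAD: five factors rated 1-3, sum 5-15.
DREAD_BANDS = ((12, "High"), (8, "Medium"), (5, "Low"))


def _band(score, bands):
    for floor, label in bands:
        if score >= floor:
            return label
    raise ValueError(f"score {score} below lowest band")


def simple_risk(probability, damage_potential):
    """Risk = Probability * Damage Potential, both on a 1-10 scale."""
    for v in (probability, damage_potential):
        if not 1 <= v <= 10:
            raise ValueError("probability and damage potential are rated 1-10")
    return probability * damage_potential


def simple_band(risk):
    return _band(risk, SIMPLE_BANDS)


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """Sum of the five DREAD ratings, each 1 (low) to 3 (high)."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= r <= 3 for r in ratings):
        raise ValueError("each DREAD category is rated 1-3")
    return sum(ratings)


def dread_band(score):
    return _band(score, DREAD_BANDS)


def prioritize(findings):
    """Rate every finding both ways and sort highest risk first."""
    rated = []
    for f in findings:
        risk = simple_risk(f["probability"], f["damage_potential"])
        dread = dread_score(*f["dread"])
        rated.append({
            "name": f["name"],
            "risk": risk, "band": simple_band(risk),
            "dread": dread, "dread_band": dread_band(dread),
        })
    rated.sort(key=lambda r: (r["risk"], r["dread"]), reverse=True)
    return rated


# Constructed findings. "dread" is (D, R, E, A, D) in that order.
FINDINGS = [
    {"name": "SQL injection in inventory search",
     "probability": 7, "damage_potential": 8, "dread": (3, 3, 2, 3, 2)},
    {"name": "Verbose stack trace on error page",
     "probability": 9, "damage_potential": 2, "dread": (1, 3, 3, 2, 3)},
    {"name": "Default credentials on management interface",
     "probability": 9, "damage_potential": 9, "dread": (3, 3, 3, 3, 3)},
]

if __name__ == "__main__":
    for r in prioritize(FINDINGS):
        print(f"{r['risk']:3} {r['band']:6} | DREAD {r['dread']:2} {r['dread_band']:6} | {r['name']}")
```

Note that the two schemes do not always agree: the constructed error-page finding rates Low (18) on the simple formula but High (12) on DREAD because it is trivially reproducible and discoverable. That disagreement is the practical reason to report the inputs alongside the score, so the client can see why a finding landed where it did rather than arguing about a single number.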
In Microsoft’s guidance on threat modeling, which step involves the categorization of external and internal threats to an organization? A.Rate the threats B. Decompose the application C. Identify threats D. Identify assets
C. Identify threats
Explanation:
The definition provided best describes the fourth step of Microsoft’s threat modeling process: identification of threats. This step is marked by the categorization of external and internal threats to an organization. The determination of where threats are found, how they can be exploited, and the identification of agents capable of exploiting them are crucial steps that can greatly aid the process of bolstering an organization’s defense posture. A, B, and D are incorrect. A is incorrect because rating threats is the last step of Microsoft’s threat modeling process and is highly subjective, depending on the client and the type of environment. Threats are usually assigned a general threat value, such as high, medium, or low. This may be accompanied by a numeric value derived from a simple formula, such as Risk = (Probability) * (Damage Potential).
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 17-18). McGraw-Hill Education. Kindle Edition.
A swagger document is intended to serve what purpose?
A.To describe functionality offering through a web service
B.To provide API descriptions and test cases
C.To offer simulated testing scenarios, allow inspection and debugging of requests, or possibly uncover undocumented APIs
D.To elaborate on the framework in use for development of a software application
B. To provide API descriptions and test cases
Explanation:
Swagger (the specification has since been renamed OpenAPI) is an open source framework for describing RESTful web services; a Swagger document lists an API’s endpoints, methods, parameters, and responses and typically includes sample requests that serve as test cases for their use.
A, C, and D are incorrect. A (the support resource that describes the functionality offered through a web service) refers to WSDL. C (simulated testing scenarios, inspection, and debugging of requests, and the revealing of undocumented APIs) refers to sample application requests. D (documentation used to elaborate on the framework used in the development of the software application) refers to software development kits, or SDKs.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 18). McGraw-Hill Education. Kindle Edition.
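The reason a Swagger document matters at scoping time is that it can be turned directly into a target list: every path/method pair, its parameters, and whether the document claims the operation requires authentication. The following is an added example, not code from the book or from the Swagger project; the `swagger: "2.0"` document it parses is constructed (the host `inventory.example` and its paths describe no real service), and it shows one Swagger 2.0 detail a tester should know: an operation-level `"security": []` cancels the document-wide security requirement, which is exactly the kind of endpoint to test first.

```python
"""Enumerate endpoints from a Swagger (OpenAPI 2.0) document for scoping.

Added example, not from the book. SAMPLE_SWAGGER is constructed; the host,
paths and parameters do not describe a real service.
"""
import json

SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Inventory API", "version": "1.0"},
    "host": "inventory.example",
    "basePath": "/api/v1",
    "schemes": ["https"],
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
    },
    # Document-wide requirement: every operation needs the API key...
    "security": [{"api_key": []}],
    "paths": {
        "/items": {
            "get": {"summary": "List items",
                    "parameters": [{"name": "q", "in": "query", "type": "string"}]},
            "post": {"summary": "Create item",
                     "parameters": [{"name": "body", "in": "body",
                                     "schema": {"type": "object"}}]},
        },
        "/items/{id}": {
            # Path-level parameters apply to every operation on the path.
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "type": "integer"}],
            "delete": {"summary": "Delete item"},
        },
        "/admin/export": {
            # ...except this one, which explicitly opts out with an empty list.
            "get": {"summary": "Export database", "security": []},
        },
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def enumerate_endpoints(doc):
    """Flatten a Swagger 2.0 dict into one record per path/method."""
    scheme = doc.get("schemes", ["https"])[0]
    base = f"{scheme}://{doc['host']}{doc.get('basePath', '')}"
    global_security = doc.get("security", [])
    endpoints = []
    for path, item in doc["paths"].items():
        shared_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # "parameters", "$ref" and vendor keys are not operations
            params = shared_params + op.get("parameters", [])
            # Operation-level "security" overrides the global one; [] means none.
            security = op.get("security", global_security)
            endpoints.append({
                "method": method.upper(),
                "url": base + path,
                "params": [(p["name"], p.get("in")) for p in params],
                "authenticated": bool(security),
                "summary": op.get("summary", ""),
            })
    return endpoints


def load_endpoints(text=SAMPLE_SWAGGER):
    return enumerate_endpoints(json.loads(text))


def unauthenticated(endpoints):
    """Operations the document itself says need no credentials."""
    return [e for e in endpoints if not e["authenticated"]]


if __name__ == "__main__":
    eps = load_endpoints()
    for e in eps:
        flag = "" if e["authenticated"] else "  <-- no auth required"
        print(f"{e['method']:6} {e['url']}  params={e['params']}{flag}")
    print(f"{len(eps)} operations, {len(unauthenticated(eps))} unauthenticated")
```

The "authenticated" flag reflects what the document claims, not what the server enforces; the point of listing it is to know which endpoints to probe without credentials and which to probe with a low-privilege key to check that the declared requirement is actually applied.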
If travel to remote field offices or data centers is required as part of a penetration test, in what contractual document would this usually be found? A. Nondisclosure agreement B. Statement of work C. Written authorization letter D. Rules of engagement
B. Statement of work
Explanation:
B. If travel is required as part of a penetration test, the details would most often be defined in the statement of work, or SOW. Other details addressed often include (but are not limited to) the purpose of the engagement, its scope of work, and the period of performance.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 18). McGraw-Hill Education. Kindle Edition.
All the following assets may be candidates for target selection for a penetration test except:
A. Technologies
B.Employee bank accounts managed by a different company
C. Personnel
D. Facilities
B. Employee bank accounts managed by a different company
Explanation:
Assets to be targeted are items that are owned, operated, or deployed by the client organization—in short, anything for which the client organization can explicitly and definitively provide authorization for testing. Such assets include (but are not limited to) personnel, business processes, facilities, and technologies. While it is not unusual for employees to have personal business e-mails (such as those pertaining to their personal online banking) come to their work address, obtaining detailed information that is not owned or managed by the client organization would be well outside of scope. A, C, and D are incorrect. Again, pay close attention to the wording of questions during the exam; a question containing a negating word like “not” or “except” will have answers that are opposite those of the same question without negation. In this case, technologies, personnel, and facilities owned, employed, or deployed by the client organization are assets that may be considered candidates for target selection for a penetration test; these are therefore incorrect answers to this question.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 19). McGraw-Hill Education. Kindle Edition.
Identified by the target audience of a penetration test, a(n) \_\_\_\_\_\_\_\_\_\_ is a specific technological challenge that could significantly impact an organization (for example, a mission-critical host or delicate legacy equipment that is scheduled for replacement). A. technical constraint B. statement of work C. engagement scope D. nondisclosure agreement
A. technical constraint
Explanation:
A. Technical constraints of an organization detail specific technological challenges that could significantly impact an organization, such as mission-critical hosts or delicate legacy equipment that is scheduled for replacement. This information is often used as part of a business’s decision-making process when determining what systems or networks are in or out of scope for a penetration test. B, C, and D are incorrect. B is incorrect because a statement of work (SOW) is a project-specific document issued under an MSA that outlines the work to be executed by a service vendor for an organization. It typically addresses details such as (but not limited to) the purpose of the project, its scope of work, and the period of performance. C is incorrect because the engagement scope is often detailed as part of the ROE of a penetration test, explicitly declaring hosts, networks, and subnets as being in or out of scope. D is incorrect because a nondisclosure agreement (NDA) is a confidentiality agreement that protects the proprietary information and intellectual property of a business.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 19-20). McGraw-Hill Education. Kindle Edition.
Which of the following are types of point-in-time assessments? (Choose two.) A. Compliance-based B. Black box C. Gray box D. Goals-based
A. Compliance-based
D. Goals-based
Explanation:
Compliance-based and goals-based testing are both point-in-time assessment types. Whereas compliance-based testing assesses an organization’s ability to follow and implement a given set of security standards within its environment, goals-based testing is more strategic in nature and focuses on the penetration tester(s) working to achieve a specific desired outcome.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 20). McGraw-Hill Education. Kindle Edition.
Which category of threat actor is highly skilled, frequently backed by nation-state-level resources, and is often motivated by obtaining sensitive information (such as industrial or national secrets) or financial gain? A. Insider threat B. Hacktivist C. Advanced persistent threat D. Script kiddies
C. Advanced persistent threat
Explanation:
An advanced persistent threat, or APT, is highly skilled, frequently backed by nation-state-level resources, and is often motivated by financial gain or by corporate or national loyalties to conduct espionage.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 21). McGraw-Hill Education. Kindle Edition.
A defense contractor that manufactures hardware for the U.S. military has put out a request for proposal for penetration tests of a new avionics system. The contractor indicated that penetration testers for this project must hold a security clearance. Which of the following is the most likely explanation for this requirement? A. Export control restriction B. Corporate policy C. Government restriction D. Nondisclosure agreement
C. Government restriction
Explanation:
This is an example of national government restrictions at work. Defense contract work involves some of the most sensitive information in a country, as by its very nature it is essential to national defense. As such, it should come as no surprise that national governments have strict regulations on who is and is not authorized to access such data, systems, or networks.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 21). McGraw-Hill Education. Kindle Edition.
Which of the following are items typically addressed in a master service agreement (MSA)? (Choose two.) A. Dispute resolution practices B. Location of work C. Acceptance criteria D. Indemnification clauses
A. Dispute resolution practices
D. Indemnification clauses
Explanation:
Dispute resolution practices and indemnification clauses are items typically addressed in a master service agreement, or MSA. Other items detailed in an MSA include (but are not limited to) payment terms and scheduling, intellectual property ownership, and allocation of risk.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 22). McGraw-Hill Education. Kindle Edition.
Which type of assessment is marked by a longer-than-typical engagement time and significant risk or cost to the organization without effective expectation management? A. White box B. Compliance-based C. Red team D. Goals-based
C. Red team
Explanation:
Red team assessments are generally larger-scale engagements, taking longer than other types of assessment, and potentially imposing much greater risk and expense to an organization when expectations are not managed appropriately.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 22). McGraw-Hill Education. Kindle Edition.
In compliance-based testing, why is it problematic for a penetration tester to have only limited or restricted access to an organization’s network or systems?
A.The tester might not have sufficient time within the testing period to find all vulnerabilities present on the target system or network.
B.The tester needs to be able to verify that export control regulations are adhered to.
C.The tester needs sufficient time to be able to accurately emulate an advanced persistent threat (APT).
D.The tester requires sufficient access to the information and resources necessary to successfully complete a full audit.
D. The tester requires sufficient access to the information and resources necessary to successfully complete a full audit.
Explanation:
Without adequate access to the appropriate networks and systems, the tester will be unable to fully assess their compliance with the guidelines detailed by the regulatory framework in question. This can lead to inconsistencies in the results of the assessment and jeopardize the legitimacy of the assessment overall.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 23). McGraw-Hill Education. Kindle Edition.
The function of which support resource is to define a format used for sending and receiving messages? A. WSDL B. XSD C. Architecture diagram D. SOAP project file
D. SOAP project file
Explanation:
A SOAP (Simple Object Access Protocol) project file is a support resource that details how messages are sent to and received from a given web service.
A is incorrect because WSDL (Web Services Description Language) describes the functionality offered through a web service. B is incorrect because an XSD is an XML (Extensible Markup Language) Schema Definition that formally describes the elements that make up an XML document. C is incorrect because an architecture diagram is a map or illustration that represents the relationship between the various elements of an organization’s network footprint or a piece of software.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 23). McGraw-Hill Education. Kindle Edition.
Which type of threat actor is generally unskilled, is typically motivated by curiosity or personal profit, and is frequently indicated by the use of publicly available exploits? A. Advanced persistent threat B. Script kiddies, or “skids” C. Insider threat D. Hacktivist
B. Script kiddies, or “skids”
Explanation:
Script kiddies, or “skids,” are self-motivated and generally less skilled adversaries who tend to target less risk-averse organizations or those with little to no knowledge of or interest in security; their motivation often lies in curiosity and wanting to see what they can do to a live network.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 23). McGraw-Hill Education. Kindle Edition.
All the following may typically be considered stakeholders in the findings of a penetration test except which two? A. IT department B. Rival corporations C. Third-party media organizations D. Executive management
B. Rival corporations
C. Third-party media organizations
Explanation:
B is correct because revealing the results of a penetration test to an organization’s rival would be damaging to that organization’s standing and possibly expose them to targeted corporate espionage efforts, in addition to being certain to breach the NDA for the assessment. Thus, they are clearly not considered stakeholders for the purposes of a penetration test. Similarly, C is correct because dissemination of penetration test findings to media organizations—or indeed, any third party—would be guaranteed to be in violation of the NDA for the assessment. Your job as a penetration tester is to find information to be given to your client; under no circumstances should that information be provided to anyone not explicitly named in your MSA. A and D are incorrect. Pay close attention to the wording of questions during the exam; a question containing negating words like “not” or “except” will have answers that are opposite those of the same question without negation. In the case of answers A and D, the IT department and executive personnel are typically stakeholders for a penetration test and are therefore incorrect answers to this question.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 24). McGraw-Hill Education. Kindle Edition.
According to Microsoft’s published procedures, what is the first step in threat modeling? A. Identify assets B. Identify threats C. Decompose the application D. Architecture overview
A. Identify assets
Explanation:
Identification of assets is the first step in Microsoft’s threat modeling framework, consisting of the definition of any organizational assets that are important to the successful execution of business functions or practices.
B is incorrect because identification of threats is the fourth step of Microsoft’s threat modeling framework and is marked by the categorization of external and internal threats to an organization. The determination of where threats are found, how they can be exploited, and the identification of agents capable of exploiting them are crucial steps that can greatly aid the process of bolstering an organization’s defense posture. C is incorrect because decomposing the application is the third step and consists of a granular breakdown and analysis of the technologies used by an organization, marked by scrutiny of entry points (such as network ports or protocols) and trust boundaries between interconnected systems; the goal in this step is to develop a security profile that categorizes areas of the architecture that may be susceptible to a general type of vulnerability. D is incorrect because an architecture overview is the second step in the process, and it is defined by a granular analysis of the various technologies in use in an organization’s architecture and the method by which they are implemented. Architecture overview is a critical step in threat modeling, as it makes identification of threats much more manageable later in the process. Refer to Microsoft’s guidance on improving web application security at https://msdn.microsoft.com/en-us/library/ff648644.aspx for further details on their threat modeling process.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 25). McGraw-Hill Education. Kindle Edition.
Refer to the following scenario for the next five questions: You have been contracted for a penetration test by a local hospital. The client has requested a third-party security assessment to provide confirmation that they are adhering to HIPAA guidelines. In addition, the client requests that you perform a detailed penetration test of a proprietary web application that they use to manage their inventories. To further assist this effort, they have provided a detailed map of their network architecture in addition to authorized administrative credentials, source code, and related materials for the web application. Your master service agreement with the client indicates that your written authorization is to be a separately delivered document, and that it should be digitally delivered one week before the scheduled start date of the engagement. It is currently three days before the start date agreed upon in preliminary meetings, and you do not yet have a signed authorization letter.
What type of penetration test is most likely being requested by the client in this scenario?
A. Goals-based
B. Objective-based
C. Compliance-based
D. Red team
C. Compliance-based
Explanation:
Because the client is requesting validation of their adherence to HIPAA guidelines, they are most likely requesting a compliance-based assessment of their environment.
Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 26). McGraw-Hill Education. Kindle Edition.