Pentest+ Practice Exam Chapter 1 Pre-engagement Activities (Jonathan Ammerman) Flashcards by keegz Whodis?

A company has been hacked, and several e-mails that are embarrassing to the CFO and potentially indicative of criminal activity on their part have been leaked to the press. Incident response has determined that only three user accounts accessed the organization’s mail server in the 24 hours immediately preceding the disclosure. One of these accounts was assigned to an employee who was fired two weeks before the incident. No other access to the system has been found by incident response. What type of threat actor should be considered a likely culprit for this breach first? 
A.Insider threat 
B.Advanced persistent threat (APT) 
C.Hacktivist 
D.Script kiddie

A.Insider threat

Explanation:
The situation described most likely would result from an insider threat. The question indicates that one of the accounts that accessed accessed the system in question belonged to an employee fired weeks before the e-mails were stolen and the incident occurred. This also highlights the fact that the term “insider” does not necessarily refer to someone currently employed by a company. Here, the “insider” has in fact been fired, but an oversight or other failure (or perhaps another insider threat who is sympathetic with the fired employee) has left the terminated employee’s credentials in their system, which means their knowledge of the organizational environment at the time of their termination is still on par with that of current employees. It is also worth considering an insider threat’s primary motivation: an insider threat is usually motivated by some sort of personal vendetta, is looking for financial gain, or is conducting espionage for another business or even a nation-state-level actor. Given the fact that no effort was made to profit from stolen information, and that the access relied upon credentials that should have been removed from the system, this scenario is most consistent with the insider threat variety of threat actor. Although it is possible that a hacktivist or other malicious agent would use a false flag tactic such as the impersonation of the account of a terminated employee, there is no other evidence in the question, as written, to suggest that to be the case. Therefore, the data present should be taken at face value initially.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 13). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

Which step in Microsoft’s published guidance on threat modeling consists of documenting the technologies in use in the architecture of an information systems environment and discovering how they are implemented therein? 
A.Rate the threats 
B.Architecture overview 
C.Identify assets 
D.Decompose the application

B.Architecture overview

Explanation:
The definition provided best describes the second step of Microsoft’s threat modeling process: architecture overview. This step is defined by a granular analysis of the various technologies in use in an organization’s architecture as well as the method by which they are implemented. Architecture overview is a critical step in threat modeling, as it makes identification of threats much more manageable later in the process. A, C, and D are incorrect. A is incorrect because rating threats is the last step and is often very subjective to the client and the type of environment. Threats are usually assigned a general threat value, such as high, medium, or low. This may be accompanied by a numeric value derived from a simple formula, such as Risk = (Probability) * (Damage Potential). C is incorrect because identification of assets is the first step in Microsoft’s threat modeling framework, consisting of the definition of any organizational assets that are important to the successful execution of business functions or practices. D is incorrect because decomposing the application is the third step and consists of a granular breakdown and analysis of the technologies used by an organization, marked by scrutiny of entry points (such as network ports or protocols) and trust boundaries between interconnected systems. The goal in this step is to develop a security profile that categorizes areas of the architecture that may be susceptible to a general type of vulnerability.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 14). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

In the scoping phase of a penetration testing engagement, how might a penetration tester effectively obtain the information necessary to begin testing?
A.Waiting for the client to tell them
B.Asking previous penetration test providers what they looked at
C.Starting an e-mail chain with business leadership so communications are documented
D.Sending a pre-engagement survey (also known as a scoping document) to the client for them to fill out

D. Sending a pre-engagement survey (also known as a scoping document) to the client for them to fill out

Explanation:
D. A pre-engagement survey—or scoping document—provides a great way to capture information necessary to develop a course of action for a penetration test and can also be used to provide a quote or cost estimate to the client. The pre-engagement survey is an informal document that asks general questions about the organization, its infrastructure, and various technologies that may be in use in the environment. A, B, and C are incorrect. A is incorrect because waiting for a client to volunteer information is a poor approach; a client is often unsure what exactly they require from a penetration test. Using a good scoping document that’s refined and focused with the experience of the testing team is a better approach to help guide new clients. B is incorrect because asking previous penetration testing teams would almost certainly breach multiple nondisclosure agreements (the one between you and the client, and that of the previous team with the same client). C is incorrect because starting an e-mail chain requires you as the penetration tester to continue to ask probing questions to ensure all information required is gathered. It is a far more efficient use of your time as a penetration tester to compile a prewritten list of questions and requests for information for the client organization to fill out in one fell swoop; doing so saves you time on multiple fronts because you can develop a standard form for a pre-engagement survey that you ask all clients to fill out, and then use that time for passive intelligence gathering while waiting for clearance to begin testing or for performing other preparatory activities.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 15). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

Which contractual document is a confidentiality agreement that protects the proprietary information and intellectual property of a business? 
A.  Master service agreement (MSA) 
B.  Statement of work (SOW) 
C.  Nondisclosure agreement (NDA) 
D.  Written authorization letter

C. Nondisclosure agreement (NDA)

Explanation:
A nondisclosure agreement (NDA) is a confidentiality agreement that protects the proprietary information and intellectual property of a business. A, B, and D are incorrect. A is incorrect because a master service agreement (MSA) is a contract between two or more parties that lays out the granular details of future transactions and agreements. This typically addresses conditions such as (but not limited to) payment terms and scheduling, intellectual property ownership, and allocation of risk. B is incorrect because a statement of work (SOW) is a provision found in an MSA that outlines the project-specific work to be executed by a service vendor for an organization. It typically addresses details such as (but not limited to) the purpose of the project, its scope of work, and the period of performance. D is incorrect because a written authorization letter is a document that is typically provided as part of the rules of engagement (ROE) for a penetration test and explicitly details the client organization’s authorization of the assessment to be conducted. This document is a mission-critical piece of legal protection for a penetration tester; without it, one could theoretically be exposed to punitive measures under laws that criminalize the unauthorized access of computer systems—for example, the Computer Fraud and Abuse Act (CFAA) in the United States.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 15). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

With respect to penetration testing conducted behind perimeter defenses, what does it mean to be provided limited access?
A.Client personnel will only be available for limited periods of time.
B.Network access to the target systems or networks will only be permitted during predefined hours.
C.The penetration tester is only provided with initial, basic connectivity to target systems.
D.The penetration tester is provided with an administrative user account.

C. The penetration tester is only provided with initial, basic connectivity to target systems.

Explanation:
Limited access refers to a type of starting position during a penetration test wherein the tester (or testers) is provided initial connectivity to the targets in question. This may take the form of a physical network switch connection, the SSID (service set identifier) and password to the organization’s Wi-Fi network, or IP address whitelisting.
A, B, and D are incorrect. A and B are incorrect because periods of time where testing may not be performed and hours of availability of communication escalation personnel are facts that would be explicitly declared in the rules of engagement for a penetration test. D is incorrect because providing the penetration tester with an administrative user account is an example of privileged-level access, which is a level of network access far exceeding that expected (in this case, limited access to a network or system).

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 16). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

A red team assessment is typically conducted in a manner consistent with what type of threat actor? 
A.  Hacktivist 
B.  Insider threat 
C.  Script kiddie 
D.  Advanced persistent threat

D. Advanced persistent threat

Explanation:
Red team assessments are generally conducted in a manner consistent with the real-world operation of an advanced persistent threat, or APT. A, B, and C are incorrect. Red team assessments are typically meant to emulate the most skilled and dedicated of threat actors, so one would not expect such an assessment to go out of its way to emulate the tactics and methodology typical of hacktivists, insider threats, or script kiddies, who all vary widely in terms of technical ability.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 16). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

As noted in Microsoft’s threat modeling procedures, the formula used to calculate total risk is as follows:
Risk = Probability * Damage Potential During a penetration test, you identify a vulnerability with a relatively high damage potential (8/10) and an above-average probability of occurrence (7/10). Per the preceding formula, what is the associated risk value for this vulnerability?
A.15
B.1
C.56
D.560

C.56

Explanation:
The risk value for this situation is 56. Using Microsoft’s threat modeling risk formula, Risk = Probability * Damage Potential, we can place known values for Probability (7) and Damage Potential (8) into the formula. Thus, Risk = 7 * 8, or 56.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 17). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

Per Microsoft’s threat modeling system, what would the final risk prioritization be for this vulnerability? 
A.Medium 
B.Low 
C.High 
D.Urgent

A.Medium

Explanation:
A risk value of 56 corresponds to a medium risk priority in Microsoft’s threat modeling framework. B, C, and D are incorrect. B is incorrect because a low-risk priority corresponds to a risk value between 1 and 39. C is incorrect because a high-risk priority corresponds to a risk value between 80 and 100. D is incorrect because urgent is not its own risk priority level; instead, urgent is considered a means of describing items with a high-risk prioritization value.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 17). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

In Microsoft’s guidance on threat modeling, which step involves the categorization of external and internal threats to an organization? 
A.Rate the threats 
B.  Decompose the application 
C.  Identify threats 
D.  Identify assets

C. Identify threats

Explanation:
The definition provided best describes the fourth step of Microsoft’s threat modeling process: identification of threats. This step is marked by the categorization of external and internal threats to an organization. The determination of where threats are found, how they can be exploited, and the identification of agents capable of exploiting them are crucial steps that can greatly aid the process of bolstering an organization’s defense posture. A, B, and D are incorrect. A is incorrect because rating threats is the last step of Microsoft’s threat modeling process and is often very subjective to the client and the type of environment. Threats are usually assigned a general threat value, such as high, medium, or low. This may be accompanied by a numeric value derived from a simple formula, such as Risk = (Probability) * (Damage Potential).

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 17-18). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

A swagger document is intended to serve what purpose?
A.To describe functionality offering through a web service
B.To provide API descriptions and test cases
C.To offer simulated testing scenarios, allow inspection and debugging of requests, or possibly uncover undocumented APIs
D.To elaborate on the framework in use for development of a software application

B. To provide API descriptions and test cases

Explanation:
Swagger is an open source software development framework used for RESTful web services; swagger documentation provides API descriptions and sample test cases for their use.
A, C, and D are incorrect. A (the support resource that describes the functionality offered through a web service) refers to WSDL. C (simulated testing scenarios, inspection, and debugging of requests, and the revealing of undocumented APIs) refers to sample application requests. D (documentation used to elaborate on the framework used in the development of the software application) refers to software development kits, or SDKs.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 18). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

If travel to remote field offices or data centers is required as part of a penetration test, in what contractual document would this usually be found? 
A.  Nondisclosure agreement 
B.  Statement of work 
C.  Written authorization letter 
D.  Rules of engagement

B. Statement of work

Explanation:
B. If travel is required as part of a penetration test, the details would most often be defined in the statement of work, or SOW. Other details addressed often include (but are not limited to) the purpose of the engagement, its scope of work, and the period of performance.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 18). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

All the following assets may be candidates for target selection for a penetration test except:
A. Technologies
B.Employee bank accounts managed by a different company
C. Personnel
D. Facilities

B. Employee bank accounts managed by a different company

Explanation:
Assets to be targeted are items that are owned, operated, or deployed by the client organization—in short, anything for which the client organization can explicitly and definitively provide authorization for testing. Such assets include (but are not limited to) personnel, business processes, facilities, and technologies. While it is not unusual for employees to have personal business e-mails (such as those pertaining to their personal online banking) come to their work address, obtaining detailed information that is not owned or managed by the client organization would be well outside of scope. A, C, and D are incorrect. Again, pay close attention to the wording of questions during the exam; a question containing a negating word like “not” or “except” will have answers that are opposite those of the same question without negation. In this case, technologies, personnel, and facilities owned, employed, or deployed by the client organization are assets that may be considered candidates for target selection for a penetration test; these are therefore incorrect answers to this question.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 19). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

Identified by the target audience of a penetration test, a(n) \_\_\_\_\_\_\_\_\_\_ is a specific technological challenge that could significantly impact an organization (for example, a mission-critical host or delicate legacy equipment that is scheduled for replacement). 
A.  technical constraint 
B.  statement of work 
C.  engagement scope 
D.  nondisclosure agreement

A. technical constraint

Explanation:
A. Technical constraints of an organization detail specific technological challenges that could significantly impact an organization such as mission-critical hosts or delicate legacy equipment that is scheduled for replacement. This information is often used as part of a business’s decision-making process when determining what systems or networks are in or out of scope for a penetration test. B, C, and D are incorrect. B is incorrect because a statement of work (SOW) is a provision found in an MSA that outlines the project-specific work to be executed by a service vendor for an organization. It typically addresses details such as (but not limited to) the purpose of the project, its scope of work, and the period of performance. C is incorrect because the engagement scope is often detailed as part of the ROE of a penetration test, explicitly declaring hosts, networks, and subnets as being in or out of scope. D is incorrect because a nondisclosure agreement (NDA) is a confidentiality agreement that protects the proprietary information and intellectual property of a business.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 19-20). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

Which of the following are types of point-in-time assessments? (Choose two.) 
A.  Compliance-based 
B.  Black box
C.  Gray box 
D.  Goals-based

A. Compliance-based
D. Goals-based

Explanation:
Compliance-based and goals-based testing are both point-in-time assessment types. Whereas compliance-based testing assesses an organization’s ability to follow and implement a given set of security standards within its environment, environment, goals-based testing is more strategic in nature and focuses on the penetration tester(s) working to achieve a specific desired outcome.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 20). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

15.Which category of threat actor is highly skilled, frequently backed by nation-state-level resources, and is often motivated by obtaining sensitive information (such as industrial or national secrets) or financial gain? 
A.  Insider threat 
B.  Hacktivist 
C.  Advanced persistent threat 
D.  Script kiddies

C. Advanced persistent threat

Explanation:
An advanced persistent threat, or APT, is highly skilled, frequently backed by nation-state-level resources, and is often motivated by financial gain or by corporate or national loyalties to conduct espionage.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 21). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

A defense contractor that manufactures hardware for the U.S. military has put out a request for proposal for penetration tests of a new avionics system. The contractor indicated that penetration testers for this project must hold a security clearance. Which of the following is the most likely explanation for this requirement?
A.  Export control restriction 
B.  Corporate policy 
C.  Government restriction 
D.  Nondisclosure agreement

C. Government restriction

Explanation:
This is an example of national government restrictions at work. Defense contract work contains some of the most sensitive information that can be found in a country, as by its very nature it is essential to national defense. As such, it should come as no surprise surprise that national governments have strict regulations on who is and is not authorized to access such data, systems, or networks.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 21). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

Which of the following are items typically addressed in a master service agreement (MSA)? (Choose two.)
A.  Dispute resolution practices 
B.  Location of work 
C.  Acceptance criteria 
D.  Indemnification clauses

A. Dispute resolution practices
D. Indemnification clauses

Explanation:
Dispute resolution practices and indemnification clauses are items typically addressed in a master service agreement, or MSA. Other items detailed in an MSA include (but are not limited to) payment terms and scheduling, intellectual property ownership, and allocation of risk.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 22). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

Which type of assessment is marked by a longer-than-typical engagement time and significant risk or cost to the organization without effective expectation management?
 A.  White box 
B.  Compliance-based 
C.  Red team
D.  Goals-based

C. Red team

Explanation:
Red team assessments are generally larger-scale engagements, taking longer than other types of assessment, and potentially imposing much greater risk and expense to an organization when expectations are not managed appropriately.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 22). McGraw-Hill Education. Kindle Edition.

How well did you know this?

Not at all

Perfectly

19.In compliance-based testing, why is it problematic for a penetration tester to have only limited or restricted access to an organization’s network or systems?
A.The tester might not have sufficient time within the testing period to find all vulnerabilities present on the target system or network.
B.The tester needs to be able to verify that export control regulations are adhered to.
C.The tester needs sufficient time to be able to accurately emulate an advanced persistent threat (APT).
D.The tester requires sufficient access to the information and resources necessary to successfully complete a full audit.

D. The tester requires sufficient access to the information and resources necessary to successfully complete a full audit.

Explanation:

Without adequate access to the appropriate networks and systems, the tester will be unable to fully assess their compliance to guidelines as detailed by the regulatory framework in question. This can lead to inconsistencies in the results of the assessment and jeopardize the legitimacy of the assessment overall.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 23). McGraw-Hill Education. Kindle Edition.

The function of which support resource is to define a format used for sending and receiving messages?
A.  WSDL 
B.  XSD 
C.  Architecture diagram 
D.  SOAP project file

D. SOAP project file

Explanation:
A SOAP (Simple Object Access Protocol) project file is a support resource that details how messages are sent and received by a given web service.

A is incorrect because WSDL (Web Services Description Language) describes the functionality offered through a web service. B is incorrect because XSD is an XML (Extensible Markup Language) scheme definition that formally describes the elements made up in an XML document. C is incorrect because an architecture diagram is a map or illustration that represents the relationship between the various elements of an organization’s network footprint or a piece of software.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 23). McGraw-Hill Education. Kindle Edition.

Which type of threat actor is generally unskilled, is typically motivated by curiosity or personal profit, and is frequently indicated by the use of publicly available exploits? 
A.  Advanced persistent threat 
B.  Script kiddies, or “skids” 
C.  Insider threat 
D.  Hacktivist

B. Script kiddies, or “skids”

Explanation:
Script kiddies, or “skids,” are self-motivated and generally less skilled adversaries who tend to target less risk-averse organizations or those with little to no knowledge of or interest in security; their motivation often lies in curiosity and wanting to see what they can do to a live network.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 23). McGraw-Hill Education. Kindle Edition.

22.All the following may typically be considered stakeholders in the findings of a penetration test except which two? 
A.  IT department 
B.  Rival corporations 
C.  Third-party media organizations
D.  Executive management

B. Rival corporations
C. Third-party media organizations

Explanation:
B is correct because revealing the results of a penetration test to an organization’s rival would be damaging to that organization’s standing and possibly expose them to targeted corporate espionage efforts, in addition to being certain to breach the NDA for the assessment. Thus, they are clearly not considered stakeholders for the purposes of a penetration test. Similarly, C is correct because dissemination of penetration test findings to media organizations—or indeed, any third party—would be guaranteed to be in violation of the NDA for the assessment. Your job as a penetration tester is to find information to be given to your client; under no circumstances should that information be provided to anyone not explicitly named in your MSA. A and D are incorrect. Pay close attention to the wording of questions during the exam; a question containing negating words like “not” or “except” will have answers that are opposite those of the same question without negation. In the case of answers A and D, the IT department and executive personnel are typically stakeholders for a penetration test and are therefore incorrect answers to this question.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 24). McGraw-Hill Education. Kindle Edition.

According to Microsoft’s published procedures, what is the first step in threat modeling? 
A.  Identify assets 
B.  Identify threats 
C.  Decompose the application 
D.  Architecture overview

A. Identify assets

Explanation:
Identification of assets is the first step in Microsoft’s threat modeling framework, consisting of the definition of any organizational assets that are important to the successful execution of business functions or practices.
B is incorrect because identification of threats is the fourth step of Microsoft’s threat modeling framework and is marked by the categorization of external and internal threats to an organization. The determination of where threats are found, how they can be exploited, and the identification of agents capable of exploiting them are crucial steps that can greatly aid the process of bolstering an organization’s defense posture. C is incorrect because decomposing the application is the third step and consists of a granular breakdown and analysis of the technologies used by an organization,
organization, marked by scrutiny of entry points (such as network ports or protocols) and trust boundaries between interconnected systems; the goal in this step is to develop a security profile that categorizes areas of the architecture that may be susceptible to a general type of vulnerability. D is incorrect because an architecture overview is the second step in the process, and it is defined by a granular analysis of the various technologies in use in an organization’s architecture and the method by which they are implemented. Architecture overview is a critical step in threat modeling, as it makes identification of threats much more manageable later in the process. Refer to Microsoft’s guidance on improving web application security at https://msdn.microsoft.com/en-us/library/ff648644.aspx for further details on their threat modeling process.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 25). McGraw-Hill Education. Kindle Edition.

Refer to the following scenario for the next five questions: You have been contracted for a penetration test by a local hospital. The client has requested a third-party security assessment to provide confirmation that they are adhering to HIPAA guidelines. In addition, the client requests that you perform a detailed penetration test of a proprietary web application that they use to manage their inventories. To further assist this effort, they have provided a detailed map of their network architecture architecture in addition to authorized administrative credentials, source code, and related materials for the web application. Your master service agreement with the client indicates that your written authorization is to be a separately delivered document, and that it should be digitally delivered one week before the scheduled start date of the engagement. It is currently three days before the start date agreed upon in preliminary meetings, and you do not yet have a signed authorization letter.
What type of penetration test is most likely being requested by the client in this scenario?
A. Goals-based
B. Objective-based
C. Compliance-based
D. Red team

C. Compliance-based

Explanation:
Because the client is requesting validation of their adherence to HIPAA guidelines, they are most likely requesting a compliance-based assessment of their environment.

Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 26). McGraw-Hill Education. Kindle Edition.

``` What testing methodology is most likely desired by this client? A. Red team B. Gray box C. Black box D. White box ```

D. White box Explanation: White box testing is most likely desired by this client, due to the provision of authorized administrator credentials and source code for the proprietary web application in use. A, B, and C are incorrect. A is incorrect because red team testing is a type of testing, not a testing methodology. Close reading of the questions will aid you when weeding out incorrect answers such as this one. B and C are incorrect because gray box and black box testing methodologies are not in line with the amount of information provided to you, the penetration tester, in this scenario; neither of these options would provide you with administrative credentials or source code for a web application, for example. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 26). McGraw-Hill Education. Kindle Edition.

Of the following options, which are the chief indicators for the answer to the previous question? (Choose two.) A. A detailed network diagram has been provided. B. Testing of a proprietary web application. C. The client is a local hospital. D. Legitimate credentials and source code for the web application have been provided.

A. A detailed network diagram has been provided. D. Legitimate credentials and source code for the web application have been provided. Explanation: The provisioning of a detailed network diagram grants a penetration tester an intimate level of knowledge of the environment to be tested. The same can be said for the explicit provisioning of administrative credentials and source code for the web application. Both premises are characteristic of white box testing. B, and C are incorrect. B is incorrect because testing of a proprietary web application can be performed without any valid credentials or being provided source code, which could be consistent with black or gray box testing as well. C is incorrect because the fact that the client is a local hospital will have no impact on the testing methodology; if anything, the identity of the client in this case would be a clue as to the specific type of test (in this case, compliance-based) to be performed, rather than a testing methodology. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 26). McGraw-Hill Education. Kindle Edition.

Of the following choices, which member or members of a client organization are most likely authorized to provide a signed authorization letter prior to the start date of the penetration test? A. The IT department B. Human resources C. Organizational security personnel D. Executive management and legal personnel

D. Executive management and legal personnel Explanation: The signed authorization letter is typically provided by an organization’s executive management team, the organizational legal team, or the two working together. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 27). McGraw-Hill Education. Kindle Edition.

Of the following options, who should be contacted in the client organization to assist with procuring a written authorization letter before the scheduled start date for the assessment? A. The IT department B. Organizational security personnel C. The point of contact listed in your ROE D. Whomever you see at the first nurse’s station you come across when entering the building

C. The point of contact listed in your ROE Explanation: The point of contact (POC) listed in the ROE should be the first person you notify in the event of any issues or problems that may arise at any point in a penetration test; this includes the pre-testing phase, where contracts and documents are signed. Therefore, it would be most appropriate to contact your POC in the event you are not provided your written authorization letter on time Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 27). McGraw-Hill Education. Kindle Edition.

``` A(n) __________ is an individual or group with the capability and motivation necessary to manifest a threat to an organization and deploy exploits against its assets. A. advanced persistent threat B. script kiddie C. threat actor D. hacktivist ```

C. threat actor Explanation: A threat actor is an individual or group with the capability and motivation necessary to manifest a threat to an organization and deploy exploits against its assets. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 28). McGraw-Hill Education. Kindle Edition.

``` The types of threats identified during the threat modeling process include which of the following? (Choose three.) A. Network threats B. Host threats C. Operating system threats D. Application threats ```

A. Network threats B. Host threats D. Application threats Explanation: Network threats, host threats, and application threats are all types of threats that may be identified during the threat modeling process. incorrect. Threats to an operating system are a specific subtype of host threat, and although they would be identified during the threat modeling process, they would be classified as a threat to the host. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 28). McGraw-Hill Education. Kindle Edition.

``` Systems governed by compliance frameworks such as PCI DSS and HIPAA are often required to meet standards of which of the following? (Choose two.) A. Password complexity B. Availability C. Data isolation D. Acceptable use ```

B. Availability C. Data isolation Explanation: Baseline standards for password complexity and data isolation are established by PCI DSS, HIPAA, and FISMA compliance frameworks. In addition to these, compliance frameworks also establish standards for key management. B is incorrect because in compliance frameworks, availability is initially framed by the requirements of the framework in question. Modifications can be made to systems to enhance or further restrict availability as needed, so long as the regulatory guidelines are met first. D is incorrect because acceptable use policies address the interaction between users and an organization’s information systems; regulatory frameworks address the data stored by an organization and the way it is stored. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 28). McGraw-Hill Education. Kindle Edition.

``` 32. What is the process by which risks associated with an organization’s information systems are identified, quantified, and addressed? A. Threat modeling B. Risk assessment C. Target selection D. Penetration testing ```

A. Threat modeling Explanation: Threat modeling is the process by which risks associated with an organization’s information systems are identified, quantified, and addressed. B, C, and D are incorrect. B is incorrect because although risk assessment is related in that proper threat modeling is a specific type of risk assessment, this answer is too vague for the definition provided. C is incorrect because target selection is a process performed during the scoping phase of an engagement, and is how the hosts, systems, and networks subject to a penetration test are identified and defined. D is incorrect because penetration testing is the process of examining a computer system, network, or application to identify vulnerabilities that could be exploited by a malicious agent. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 29). McGraw-Hill Education. Kindle Edition.

``` You have been contracted to perform a penetration test for an organization. The initial meetings went well, and you have well-defined rules of engagement (ROE) and target-scoping documents. Two weeks later, you are asked if you can “squeeze in another /22 subnet” for the given assessment time frame. This is a potential example of: A. Impact analysis B. Scope creep C. Objective-based assessment D. Black box assessment ```

B. Scope creep

``` Found in the ROE, which component tells the penetration tester(s) who to contact in the event of an issue during an engagement, and how? A. Engagement scope B. Communication escalation path C. Swagger document D. Statement of work (SOW) ```

B. Communication escalation path Explanation: The communication escalation path is part of the ROE and will contain a list of personnel to contact in the event of issues during a penetration test, in addition to detailing the method that should be used to contact them. Issues that may require notification of target organization personnel range from something as simple as a named and in scope host or network not being accessible as expected to the discovery of evidence of a previous breach of the organization’s computer systems. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 30). McGraw-Hill Education. Kindle Edition.

``` What type of assessment gauges an organization’s implementation of and adherence to a given set of security standards defined for a given environment? A. White box B. Objectives-based C. Red team D. Compliance-based ```

D. Compliance-based Explanation: A compliance-based assessment gauges an organization’s implementation and adherence to a given set of security standards—that is, a regulatory compliance framework—defined for a given environment. Examples of such regulatory compliance frameworks include Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), and Federal Information Security Management Act (FISMA). Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 30). McGraw-Hill Education. Kindle Edition.

``` Which support resource details an organization’s network or software design and infrastructure as well as defines the relationships between those elements? A. Architecture diagram B. WADL C. XSD D. Engagement scope ```

A. Architecture diagram Explanation: An architecture diagram details an organization’s network or software design and infrastructure and defines the relationships between the elements thereof. B, C, and D are incorrect. B is incorrect because WADL (or Web Application Description Language) is a machine-readable XML description of HTTP-based web services. C is incorrect because an XSD (or Extensible Scheme Definition) serves to formally describe the elements made up in an XML document. D is incorrect because an engagement’s scope is often detailed as part of the ROE of a penetration test, explicitly declaring hosts, networks, and subnets as being in or out of scope. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 31). McGraw-Hill Education. Kindle Edition.

``` Which document outlines the project-specific work to be executed by a penetration tester for an organization? A. Nondisclosure agreement B. Statement of work C. Rules of engagement D. Communication escalation path ```

B. Statement of work Explanation: A statement of work is a document often (but not always) attached as a provision to an MSA that outlines the project-specific work to be executed by a service vendor for an organization. It typically addresses details such as (but not limited to) the purpose of the project, its scope of work, and the period of performance Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 31). McGraw-Hill Education. Kindle Edition.

``` This key aspect of requirements management is the formal approach to assessing the potential pros and cons of pursuing a course of action. A. Executive management B. Impact analysis C. Scheduling D. Technical constraint identification ```

B. Impact analysis Explanation: Impact analysis is the formal approach to assessing the potential pros and cons of pursuing a given course of action. A, C, and D are incorrect. A is incorrect because executive management is often heavily involved in impact analysis and frequently the final decision maker on a course of action, but the process is greater than one suborganization within a company or business. C and D are incorrect because scheduling and technical constraint identification are critical components of impact analysis, determining when a penetration test may be conducted and what hosts and networks or subnets are considered in scope, respectively. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 32). McGraw-Hill Education. Kindle Edition.

``` General terms for future agreements and conditions such as payment schedules, intellectual property ownership, and dispute resolution are typically addressed in which contractual document between a penetration tester and their client? A. Statement of work B. Master service agreement C. Rules of engagement D. Nondisclosure agreement ```

B. Master service agreement Explanation: B. The master service agreement, or MSA, is the overarching document that provides general guidelines for future transactions and agreements between two or more parties. Conditions covered by the MSA include (but are not limited to) payment terms, product warranties, intellectual property ownership, dispute resolution, risk allocation, and indemnification clauses. A, C, and D are incorrect. A is incorrect because a statement of work (SOW) is a provision often (but not always) found in an MSA that outlines the project-specific work to be executed by a service vendor for an organization. It typically addresses details such as (but not limited to) the purpose of the project, its scope of work, and the period of performance. C is incorrect because the rules of engagement (ROE) is a document that dictates guidelines and restraints that are to guide the penetration tester(s) during the assessment, most critically detailing what is and is not authorized for testing. The ROE may be delivered on its own, or as a component of the SOW. D is incorrect because a nondisclosure agreement (NDA) is a confidentiality agreement that protects the proprietary information and intellectual property of a business. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 32). McGraw-Hill Education. Kindle Edition.

``` Which penetration testing methodology may require valid authentication credentials or other information granting intimate knowledge of an environment or network? A. Black box B. Red box C. Red team D. White box ```

D. White box

Refer to the following scenario for the next five questions: You have been contracted for a penetration test by a U.S. government office. The client has requested a longer-term assessment, meant to simulate the actions of a highly skilled adversary. Portions of the contract require that all penetration testers on the engagement be U.S. citizens with active security clearances. Additionally, a series of illustrations that detail the design of the client network has been included in the contract as a support document. 41. Of the following options, what type of assessment has most likely been requested by this client? A. Red team B. Goals-based C. Compliance-based D. Objective-based

A. Red team Explanation: A red team engagement is marked by a longer than typical engagement period, and it seeks to emulate the actions of a highly skilled adversary—often an APT. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 33). McGraw-Hill Education. Kindle Edition.

``` Which of the following contractual documents would most likely detail the requirement that testers all be U.S. citizens with active security clearances? + A. Nondisclosure agreement B. Master service agreement C. Statement of work D. Rules of engagement ```

C. Statement of work Explanation: Items such as the period of performance, deliverables schedule, and special requirements such as requiring all testers to be U.S. citizens with active security clearances would be detailed in the statement of work (SOW). Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 34). McGraw-Hill Education. Kindle Edition.

``` Based on the description provided, what type of support document has been provided by the client? A. WADL file B. SDK documentation C. Architecture diagram D. SOAP project file ```

C. Architecture diagram Explanation: “Illustrations that detail the design of the client network” is a phrase that best describes an architecture diagram.

``` The support document provided would be attached as a part of what contractual document? A. Rules of engagement B. Statement of work C. Master service agreement D. Nondisclosure agreement ```

A. Rules of engagement Explanation:

During the engagement, the client’s “blue team” (the defenders) identifies your scans and sets a firewall rule to block all traffic to their environment from your IP address. Of the following options, which would be the most appropriate course of action to continue the penetration test? A. Note that the defenders caught you and then halt all testing. There is no need to test any further. B. Obtain a foothold on an out-of-scope system owned by the client so you can continue testing without being noticed. C. Create numerous USB flash drives with malicious files named “Sequestration layoffs” that will return shells to your attacking system, and drop them in the client’s main parking lot. D. Make note of the fact that your traffic seems to have been identified as malicious, notify the client-side point of contact that you have reason to believe that your traffic has been identified and blocked, and request input on the preferred course of action from this point in the assessment.

D. Make note of the fact that your traffic seems to have been identified as malicious, notify the client-side point of contact that you have reason to believe that your traffic has been identified and blocked, and request input on the preferred course of action from this point in the assessment. Explanation: The point of contact (POC) listed in the ROE for a penetration test is there to serve as a liaison between the client organization and the penetration tester(s) for any issues that may occur during the engagement. Because blocking traffic impacts the tester’s ability to continue an assessment, this is a situation where contact must be made in order to determine how to proceed; for instance, the POC may contact the IT department and tell them to whitelist your IP address for the purposes of continued testing, or they may advise you to change IP addresses in order to further test their defenders. As an additional note, the fact that your traffic was identified and halted should be captured as a positive finding for the final report. Being a defender is difficult: the blue team must be right 100 percent of the time, whereas a penetration tester only needs to get lucky once. By letting the defenders know when they’ve done something right, you increase the value you add to the assessment by raising their morale. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (p. 36). McGraw-Hill Education. Kindle Edition. Ammerman, Jonathan; Ammerman, Jonathan. CompTIA PenTest+ Certification Practice Exams (Exam PT0-001) (pp. 35-36). McGraw-Hill Education. Kindle Edition.