Planning and Engagement

Question 1

The process, tools, and strategies that organizations use to address compliance with industry regulations, enterprise risk management, and internal governance.

Answer 1

Governance, risk, and compliance (GRC)

Question 2

The concept of limiting access to data based on need to know

Answer 2

Confidentiality

Question 3

A legal concept that addresses what rights an individual has to control how their personal information is used, collected, and disclosed

Answer 3

Privacy

Question 4

Generally data that allows identification of one individual over other individuals

Answer 4

Personally identifiable Information (PII)

Question 5

Similar to PII, but applies to data that was created or used in health care context

Answer 5

Protected Health Information (PHI)

Question 6

Specific to PCI-DSS, this type of PII is specifically related to cardholders

Answer 6

Cardholder Data (CHD)

Question 7

What is the General Data Protection Regulation (GDPR)?

Answer 7

A law passed within the European Union that imposes data privacy and security obligations on organizations that collect or target data related to people in the EU.

Question 8

What is PCI-DSS?

Answer 8

A series of rules that businesses that process payments using payment cards should follow tin order to better secure card data and transactions.

Question 9

What is the goal of PCI-DSS testing?

Answer 9

Security of storage, transmission, and retention of CHD by data processors.

Question 10

What kinds of agreements are mutual and enforceable by law, requiring an authorized representative from each party to sign?

Answer 10

Contracts

Question 11

What is a Master Services Agreement (MSA)?

Answer 11

A type of overarching contract reached between two or more parties where each party agrees to most terms that will govern all other future transactions and agreements.

Question 12

What kinds of conditions are covered by an MSA?

Answer 12

Payment terms, product warranties, intellectual property ownership, dispute resolution, allocation of risk, and indemnification

Question 13

Where are MSA (Master Services Agreements) typically used?

Answer 13

Fields that tend to be open-ended and support an organization’s functional areas, like manufacturing, sales, accounting and finance

Question 14

What is a confidentiality agreement that protects a business’s competitive advantage by protecting its proprietary information and intellectual property?

Answer 14

Non-disclosure Agreement (NDA)

Question 15

What is a formal document that is routinely employed in the field of project management, which outlines project-specific work to be executed by a service vendor for an organization?

Answer 15

Statement Of Work (SOW)

Question 16

During a pentest, which document puts into writing the guidelines and constraints regarding the execution of a pentest - most importantly, what is and is not authorized for testing?

Answer 16

Rules of Engagement (RoE)

Question 17

What does the scope of a pentesting engagement define?

Answer 17

It outlines the objectives and requirements for the assessment. It defines the boundaries for what you are permitted to test.

Question 18

What is the MITRE ATT&CK standard?

Answer 18

A knowledge base of attacker actions created from a survey of publicly reported attacker activities.

Question 19

What is the objective of MITRE ATT&CK?

Answer 19

To catalog the actions of reported attackers using standardized reference criteria (tactics, techniques, and subtechniques)

Question 20

Which part of the MITRE ATT&CK matrix attempts to describe an attacker’s high-level objective for using that method of attack?

Answer 20

Tactics

Question 21

What is the nonprofit organization and open-source community effort that produces tools, technologies, methodologies, and documentation related to the field of web application security?

Answer 21

The OWASP Project

Question 22

Name several well-known OWASP publications and resources

Answer 22

The OWASP Top Ten, OWASP Testing Guide, OWASP ZAP Project, DirBuster, and Webgoat

Question 23

Which OWASP tool provides community awareness of the most serious web application security risks for a broad array of organizations?

Answer 23

The OWASP Top Ten

Question 24

What is the nonregulatory U.S. government agency whose pursuit is to advance technology and maintain several publications that describe recommendations for cybersecurity and security testing initiatives?

Answer 24

The National Institute for Standards and Technology (NIST)

Question 25

Which NIST Special Publication defines a methodology for information security assessment?

Answer 25

NIST SP 800-115

Question 26

NIST SP 800-115 defines a methodology for information security assessment. What are the four phases of the model it defines?

Answer 26

Planning, Discovery, Attack, & Reporting

Question 27

What is the Open Source Security Testing Methodology Manual (OSS-TMM)?

Answer 27

A complete pentest methodology released by ISECOM and designed to assure thorough, legal, consistent, and repeatable testing that can be measured.

Question 28

What are the six testing types of the OSS-TMM?

Answer 28

Blind, Double-Blind, Gray Box, Double Gray Box, Tandem, and Reversal

Question 29

What is a community-driver effort to establish standards for penetration testing that is contributed to by a number of professionals in the pentest consulting community?

Answer 29

PTES (Penetration Testing Execution Standard)

Question 30

What does the PTES focus exclusively on?

Answer 30

A methodology for penetration testing. It applies largely to pentests from a consulting point of view and does not specify execution of a pentest, rather what it should cover.

Question 31

Which framework is a full security assessment methodology that applies to security auditing as well as other types of security testing?

Answer 31

The information Systems Security Assessment Framework (ISSAF)

Question 32

Why should you verify IP ranges that are supplied by the customer as a part of a pentest?

Answer 32

A typo or miscommunicated subnet or IP address could easily result in a serious problem of authority for you.

Question 33

What is the difference between internal and external targets when performing a pentest?

Answer 33

External testing may evaluate the security of an organization against an Internet-based attacker, and can include tools like VPNs. Internal assessments evaluate various levels of trust between organizational systems, applications, and networks.

Question 34

What is an important consideration for Third-Party Hosted environments, such as cloud service providers (CSP)?

Answer 34

Pentesting is not only subject to the company’s policies, it is also subject to third party’s acceptable use policies.

Question 35

Within an organization, who is typically responsible for the organization’s overall goals and success, and often must provide written authorization and approval for a pentest?

Answer 35

Executive Managment

Question 36

What are some limitations that could be placed on a pentest contract?

Answer 36

Hours of testing, allowed methodologies or tools, liabilities for the tester

Question 37

What kind of agreement defines measurements for the expectations between customer and the service provider, as well as the terms of what happens if those expectations are not met?

Answer 37

Service Level Agreement (SLA)

Question 38

During the planning process of a pentest, which plan covers when you should communicate, what you should communicate, to whom you should communicate, and how you should communicate?

Answer 38

The Communications Plan

Question 39

What and where should you define how to help remedy issues that may arise during testing?

Answer 39

The communication escalation path, which is defined in the RoEs.

Question 40

What should you do if you uncover criminal activity during a pentest?

Answer 40

Stop testing immediately, record everything you’ve done along with evidence of the activity, and activate your communication plan.

Question 41

Which standard or framework has certification options via ISECOM and provides a methodology for measuring and reporting risk values (metrics)?

Answer 41

OSS-TMM (Open Source Security Testing Methodology Manual)

Question 42

Which standard, while designed more for security testing than pentesting, has best practices for engagement and lists testing tasks with their associated tools for each task?

Answer 42

ISSAF (Information System Security Assessment Framework)