Planning and Scoping

Question 1

steps in pentest methodology

Answer 1

planning scoping, info gathering and vuln id, attacks and exploits, reporting and comms

Question 2

NIST 800-15

Answer 2

plan, discover, attack, report with a loop on attack and discover

Question 3

Project triangle

Answer 3

cost, time, money

Question 4

planning doc considerations

Answer 4

who is target (objectives), budget, resources, Communication path, end state (deliverable), Technical constraints, Disclaimers (Point-in-time, comprehensiveness)

Question 5

SOW

Answer 5

Formal document stating scope of what will be performed during a penetration test

Question 6

Master Service Agreement (MSA

Answer 6

Contract where parties agree to most of the terms that will govern future actions. If you do service over and over.

Question 7

Non-Disclosure Agreement (NDA)

Answer 7

Legal contract outlining confidential material or information that will be shared during the assessment and what restrictions are placed on it

Question 8

Rules of Engagement

Answer 8

Timeline 
▪ Locations 
▪ Time restrictions 
▪ Transparency 
▪ Test boundaries

Question 9

Wassenaar Agreement

Answer 9

precludes the transfer of technologies considered
“dual-use”
▪ Strong encryption falls under this restriction
▪ Penetration testing tools could be considered surveillance tools and fall
under these rules