Reporting and Communication Flashcards
Tom recently conducted a penetration test for a company that is regulated under PCI DSS. Two months after the test, the client asks for a letter documenting the test results for its compliance files. What type of report is the client requesting?
A. Executive summary
B. Penetration testing report
C. Written testimony
D. Attestation of findings
Answer:
D. An attestation of findings is a certification provided by the penetration testers to document that they conducted a test and the results for compliance purposes.
Wendy is reviewing the results of a penetration test and learns that her organization uses the same local administrator password on all systems. Which one of the following tools can help her resolve this issue?
A. LAPS
B. Nmap
C. Nessus
D. Metasploit
Answer:
A. The Local Administrator Password Solution (LAPS) from Microsoft provides a method for randomizing local administrator account credentials through integration with Active Directory.
Which one of the following is not a normal communication trigger for a penetration test?
A. Discovery of a critical finding
B. Completion of a testing stage
C. Documentation of a new test
D. Identification of prior compromise
Answer:
C. The three common triggers for communication during a penetration test are the completion of a testing stage, the discovery of a critical finding, and the identification of indicators of prior compromise.
Gary ran an Nmap scan of a system and discovered that it is listening on port 22 despite the fact that it should not be accepting SSH connections. What finding should he report?
A. Shared local administrator credentials
B. Unnecessary open services
C. SQL injection vulnerability
D. No multifactor authentication
Answer:
B. The only conclusion that Gary can draw from this information is that the server is offering unnecessary services because it is listening for SSH connections when it should not be supporting that service.
Tom’s organization currently uses password-based authentication and would like to move to multifactor authentication. Which one of the following is an acceptable second factor?
A. Security question
B. PIN
C. Smartphone app
D. Passphrase
Answer:
C. Passphrases, security questions, and PINs are all examples of knowledge-based authentication and would not provide multifactor authentication when paired with a password, another knowledge-based factor. Smartphone apps are an example of “something you have” and are an acceptable alternative.
Which one of the following items is not appropriate for the executive summary of a penetration testing report?
A. Description of findings
B. Statement of risk
C. Plain language
D. Technical detail
Answer:
D. An executive summary should be written in a manner that makes it accessible to the layperson. It should not contain technical detail.
Which one of the following activities is not commonly performed during the post-engagement cleanup phase?
A. Remediation of vulnerabilities
B. Removal of shells
C. Removal of tester-created credentials
D. Removal of tools
Answer:
A. Vulnerability remediation is a follow‐on activity and is not conducted as part of the test. The testers should, however, remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.
Who is the most effective person to facilitate a lessons learned session after a penetration test?
A. Team leader
B. CIO
C. Third party
D. Client
Answer:
C. The most effective way to conduct a lessons learned session is to ask a neutral third party to serve as the facilitator, allowing everyone to express their opinions freely.
Which one of the following is not an example of an operational control that might be implemented to remediate an issue discovered during a penetration test?
A. Job rotation
B. Time-of-day login restrictions
C. Network segmentation
D. User training
Answer:
C. Network segmentation is an example of a technical control. Time-of-day restrictions, job rotation, and user training are all examples of operational controls.
Which one of the following techniques is not an appropriate remediation activity for a SQL injection vulnerability?
A. Network firewall
B. Input sanitization
C. Input validation
D. Parameterized queries
Answer:
A. Input sanitization (also known as input validation) and parameterized queries are both acceptable means for preventing SQL injection attacks. Network firewalls generally would not prevent such an attack.
When should system hardening activities take place?
A. When the system is initially built
B. When the system is initially built and periodically during its life
C. When the system is initially built and when it is decommissioned
D. When the system is initially built, periodically during its life, and when it is decommissioned
Answer:
B. System hardening should take place when a system is initially built and periodically during its life. There is no need to harden a system prior to decommissioning because it is being shut down at that point.
Biometric authentication technology fits into what multifactor authentication category?
A. Something you know
B. Something you are
C. Somewhere you are
D. Something you have
Answer:
B. Biometric authentication techniques use a measurement of some physical characteristic of the user, such as a fingerprint scan, facial recognition, or voice analysis.