Sybex Chapter 2 - Planning and Scoping Penetration Tests

Question 1

what is a “white box” or “crystal box” test?

Answer 1

Known environment OR Full Knowledge

Question 2

What does ATT&CK stand for in MITRE ATT&CK Framework?

Answer 2

Adversarial Tactics, Techniques, and Common Knowledge

Question 3

OWASP

Answer 3

Open Web Application Security Project: testing guides for web security, mobile security, firmware

Question 4

PTES

Answer 4

Penetration Testing Execution Standard: pre-engagement interactions like scoping and client questions; testing techniques and concepts

Question 5

OSSTMM

Answer 5

Open Source Security Testing Methodology Manual: broad penetration testing methodology guide. Not updated since 2010

Question 6

NIST

Answer 6

National Institute of Standards and Technology: provides standards and cybersecurity frameworks that includes penetration testing.

Question 7

ISSAF

Answer 7

Information Systems Security Assessment Framework: highly detailed pen testing framework, but not updated since 2005

Question 8

SOW

Answer 8

Statement of Work

Question 9

SOO

Answer 9

Statement of Objective; alternative to SOW. Used by US gov

Question 10

PSW

Answer 10

Performance Work Statement: used by US gov; alternative to SOW

Question 11

MSA

Answer 11

Master Service Agreement: defines terms the orgs will use for future work. Prevents the need to renegotiate terms at every SOW

Question 12

CA

Answer 12

Confidentiality Agreement. Like NDA

Question 13

GLBA

Answer 13

Gramm-Leach-Bliley Act: complies regarding how financial institutions manage personal information

Question 14

FIPS 140-2 -> FIPS 140-3

Answer 14

US Gov computer security standard to approve cryptographic modules. Crypto modules can be FIPS 140-2 certified