Topic 1 Flashcards
Administrative Controls
Security measures implemented to monitor adherence to organizational policies and procedures. These include activities such as hiring and termination policies, employee training, and creating business continuity and incident response plans.
Physical Controls
Restrict, detect and monitor access to specific physical areas or assets. Methods include barriers, tokens, biometrics or other controls such as ensuring the server room doors are properly locked, along with using surveillance cameras and access cards.
Technical or Logical Controls
Automate protection to prevent unauthorized access or misuse. They include Access Control Lists (ACLs), Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) signatures, and antimalware protection, implemented as a hardware, software, or firmware solution.
Principle of Least Privilege
States that an object should be allocated only the minimum rights, privileges, or information necessary to perform its role.
Risk
represents the consequence of a threat exploiting a vulnerability. When dealing with cybersecurity, a risk can result in financial loss, business disruption, or physical harm. The formula for determining risk is as follows:
Risk = Threat x Vulnerability
Threat
A threat is something, such as malware or a natural disaster, that can accidentally or intentionally exploit a vulnerability and cause undesirable results.
Vulnerability
A vulnerability is a weakness or flaw, such as a software bug, system flaw, or human error. A vulnerability can be exploited by a threat.
Risk Management
The cyclical process of identifying, assessing, analyzing, and responding to risks.
Main Steps of the Structured Pentesting Process
1. Planning and Scoping
2. Reconnaissance
3. Scanning
4. Gaining Access
5. Maintaining Access
6. Covering Tracks
7. Analysis
8. Reporting
A threat actor follows the same steps except steps 1, 7, and 8 (planning and scoping, analysis, and reporting). The threat actor's main goal is to alter the integrity of the system and/or cause harm.
GDPR
General Data Protection Regulation (GDPR), which outlines specific requirements on how consumer data is protected. The law affects anyone who does business with residents of the EU and Britain. This comprehensive law focuses on the privacy of consumer data and, more importantly, gives consumers the ability to control how their data is handled.
OWASP
Open Web Application Security Project
NIST Guide to Pentesting
NIST SP 800-115 is the “Technical Guide to Information Security Testing and Assessment.”
OSSTMM
Open Source Security Testing Methodology Manual
ISSAF
Information Systems Security Assessment Framework
PTES
Penetration Testing Execution Standard
PTES has seven main sections that provide a comprehensive overview of the proper structure of a complete PenTest. Some of the sections cover topics such as:
- Pre-engagement interactions
- Threat modeling
- Vulnerability analysis
- Exploitation
- Reporting
MITRE ATT&CK
Adversarial Tactics, Techniques & Common Knowledge
CVSS, CVE, and CWE
Common Vulnerability Scoring System (CVSS)
Common Vulnerabilities and Exposures (CVE) - a listing of all publicly disclosed vulnerabilities. Each entry refers to a specific vulnerability of a particular product and is cataloged as:
CVE-[YEAR]-[NUMBER]
Common Weakness Enumeration (CWE) - a database of software-related vulnerabilities.