Section 5: Monitoring, Scanning and Penetration Testing

Question 1

Which pen tester would be given source code?

Answer 1

White box.

Question 2

Why would a shared account pose a problem to monitoring?

Answer 2

Prevents you from monitoring or auditing an individual.

Question 3

Which pen tester would be given no access before the test but, at the last minute, is given a diagram of the desktops?

Answer 3

Gray box testers are given at least one piece of information.

Question 4

What needs to be established prior to a pen test commencing?

Answer 4

Rules of engagement.

Question 5

While carrying out an unannounced pen test, how does the tester know if the internal security team is on to him?

Answer 5

He would have regular meetings with the client, who would tell him.

Question 6

What is the scope of rules of engagement?

Answer 6

Determines whether the pen test is black, gray or white.

Question 7

If the pen test has been announced to the IT team, what information should they give regarding the test before the test start?

Answer 7

Pen tester would provide their IP address so that they can establish whether or not it is the pen tester or an attacker.

Question 8

What is the main difference between a credentialed an a non-credentialed vulnerability scan?

Answer 8

Credentialed: more permissions than a non-credentialed, has ability to audit, scan documents, check account information, check certificates, provide more accurate information.

Question 9

At what phase of a pen test does the tester return the systems to the original state or inform the IT team of vulnerabilities that need patching?

Answer 9

Cleanup phase.

Question 10

What is OSINT? Is it legal?

Answer 10

Open-source intelligence is legal intelligence collected from the public domain.

Question 11

What is the purpose of the red team?

Answer 11

Fulfill the role of the attacker.

Question 12

What is the purpose of the blue team?

Answer 12

Fulfill the role of the defender.

Question 13

What is the purpose of the white team?

Answer 13

Organize and judge the cybersecurity events, ensuring reports are accurate, correct countermeasures are recommended.

Question 14

What is the purpose of the purple team?

Answer 14

Carry out the rules of both red and blue teams, external consultants/auditors.

Question 15

When evaluating CVSS scores, which vulnerabilities should you deal with first?

Answer 15

Critical vulnerabilities.

Question 16

Describe a false positive.

Answer 16

When a monitoring system and manual inspection differ.

Question 17

What is a true positive?

Answer 17

When a monitoring system and manual inspection agree on events.

Question 18

What is the difference between intrusive and non-intrusive scans?

Answer 18

Intrusive: will cause damage.
Non-intrusive: passive and non-damaging.

Question 19

What is regression testing and who will carry it out?

Answer 19

Where a coding expert checks the code written for an application to ensure there are no flaws.

Question 20

When would dynamic analysis be carried out?

Answer 20

Evaluating a program where it is running in real-time.

Question 21

What is a syslog server and what purpose does it serve?

Answer 21

Collects data from various sources in an event logging database. Filters out legitimate events and forwards rest of data to SIEM server for further analysis.

Question 22

Why does a SIEM server rely on synchronized time clocks between all servers and devices that it collects data from?

Answer 22

SIEM puts events into chronological order. If clocks are not synced, events cannot be put into sequential order.

Question 23

What is the purpose of threat hunting?

Answer 23

To discovery whether they have been subjected to a cyber-attack. Information can be obtained from conference or threat feeds.