Planning and Scoping Penetration Tests Flashcards
What term describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract?
a. NDA
b. MSA
c. SOW
d. MOD
c. SOW. A statement of work (SOW) defines the project-specific work between two parties and is used in addition to an existing contract or master services agreement (MSA). An NDA is a nondisclosure agreement, and the acronym MOD was made up for this question.
Maria wants to build a penetration testing process for her organization and intends to start with an existing standard or methodology. Which of the following is not suitable for that purpose?
a. ISSAF
b. OSSTMM
c. PTES
d. ATT&CK
d. ATT&CK. PTES, OSSTMM, and ISSAF are all penetration testing methodologies or standards. MITRE’s ATT&CK framework catalogs adversary tactics and techniques, which is useful for mapping findings and planning adversary emulation, but it does not outline how to plan, scope, or perform a penetration test.
Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information?
a. Unknown environment
b. Partial environment
c. Known environment
d. Zero knowledge
c. Known environment. Known environment testing, also called “crystal box” or “white box” testing, provides complete access and visibility into the target’s configuration. Unknown environment, or black-box, testing provides no information, whereas partial knowledge, or gray-box, testing provides limited information.
What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment?
a. A noncompete
b. An NDA
c. A data security agreement
d. A DSA
b. An NDA. A nondisclosure agreement covers the data and other information that a penetration tester may encounter or discover during their work. It is a legal agreement that prevents disclosure of that information.
During a penetration test scoping discussion, Charles is asked to test the organization’s SaaS-based email system. What concern should he bring up?
a. Cloud-based systems require more time and effort.
b. Determining the scope will be difficult due to the size of cloud-hosted environments.
c. Cloud service providers do not typically allow testing of their services.
d. Testing cloud services is illegal.
c. Cloud service providers don’t typically allow customers to test the provider’s own services, and a SaaS email platform is exactly that: shared infrastructure that the customer does not own. Charles should raise this during scoping and may recommend that the company ask the provider for third-party audit information (such as a SOC 2 report or penetration test summary) instead. Cloud systems and large environments can be difficult to scope and may require more time, but the primary issue here is whether the requested assessment can legitimately be conducted at all.
During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened?
a. His IP address was whitelisted.
b. The server crashed.
c. The network is down.
d. His IP address was blacklisted.
d. The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization’s defensive practices after his earlier scan was detected. A whitelist would allow him in, and a crashed server or a network outage is far less likely given that the same scan worked earlier in the day. Before concluding he has been blocked, he should confirm the host is still reachable from another source address or ask the client’s point of contact to check their blocking rules.
What does an MSA typically include?
a. The terms that will govern future agreements.
b. Mutual support during assessments.
c. Microservices architecture.
d. The minimum service level acceptable.
a. A master services agreement (MSA) is a contract that defines the terms under which future work will be completed. Specific work is then typically handled under a statement of work (SOW) that references the MSA.
While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed?
a. Jack whitelisting
b. Jack blacklisting
c. NAC
d. 802.15
c. The organization that Cassandra is testing has likely deployed network access control (NAC). Her laptop lacks the NAC client or credentials the switch port expects, so the port will not pass traffic or hand her a DHCP lease until her system authenticates and is approved by the NAC system. Jack “whitelisting” and “blacklisting” are not standard terms, and 802.15 is a family of wireless personal area network standards, not a wired port control.
What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goal of gaining control of specific systems or data?
a. An objectives-based assessment
b. A compliance-based assessment
c. A black-team assessment
d. A red-team assessment
a. An objectives-based assessment specifically targets goals like gaining access to specific systems or data. A compliance-based assessment is conducted as part of compliance efforts and focuses on whether systems are properly secured or meet a standard. A red-team assessment is intended to simulate an actual attack, and testers focus on finding ways in and maximizing access rather than comprehensively identifying and testing every vulnerability and flaw they can find. “Black team” is not a commonly used penetration testing term.
During an on-site penetration test, what scoping element is critical for wireless assessments when working in shared buildings?
a. Encryption type
b. Wireless frequency
c. SSIDs
d. Preshared keys
c. Knowing the SSIDs that are in scope is critical when working in shared buildings, because the tester will see networks belonging to other tenants. Attacking the wrong network could cause legal or even criminal repercussions for a careless penetration tester, so in-scope SSIDs (and ideally the BSSIDs behind them) should be listed in the scoping documents.
Ruchika has been asked to conduct a penetration test against internal business systems at a mid-sized company that operates only during a normal day shift. The test will be run against critical business systems. What restriction is most likely to be appropriate for the testing?
a. Time of day
b. Types of allowed test
c. Types of prohibited tests
d. The physical locations that can be tested.
a. Time-of-day restrictions ensure that tests against critical systems occur when the systems are not in use, allowing time for recovery or restoration if something goes wrong. Restricting the types of allowed or prohibited tests is less common because it limits the value of the test, and restricting physical locations is uncommon for smaller organizations that do not have many distinct sites.
During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred?
a. Malfeasance
b. Known environment testing
c. Scope creep
d. Target contraction
c. Scope creep occurs when additional items are added to the scope of an assessment without the agreement being updated. Chris has gone beyond the scope of the initial assessment agreement, even though the client asked him to. This can be expensive for clients, or may cost Chris income if the additional time and effort are not accounted for in an addendum to his existing contract; the correct response to the client’s request is to pause and get the new targets added to the signed scope before testing them.
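The SSID, time-of-day, and scope-creep answers above all come down to the same discipline: check every target, network, and test time against the signed scope before acting. The following Python is an added example, not part of the flashcards. It reads a constructed scope file (the file format, the 10.20.30.0/24 and 2001:db8:10::/64 ranges, the example.test hostnames, and the SSID are all assumptions for illustration) and refuses anything outside it, so a mid-engagement request like the one in Chris’s scenario stops at the gate until the scope is amended.

```python
"""Scope gate for a penetration test. Added example, not from the flashcards."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Constructed scope for this example; the 'key value' format is assumed, not a standard.
SAMPLE_SCOPE = """\
net 10.20.30.0/24          # internal business systems
net 2001:db8:10::/64
host app.example.test      # the single web application in scope
ssid CORP-TEST-WIFI        # the only SSID that may be touched in the shared building
window 22:00-06:00         # outside the day shift; crosses midnight
days 0,1,2,3,4             # window may start Monday..Friday (0 = Monday)
"""


@dataclass(frozen=True)
class Scope:
    networks: tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, ...]
    hosts: frozenset[str]
    ssids: frozenset[str]
    window_start: time
    window_end: time
    weekdays: frozenset[int]


def parse_scope(text: str) -> Scope:
    """Parse 'key value' lines; '#' starts a comment. Unknown keys are rejected."""
    networks: list = []
    hosts, ssids, weekdays = set(), set(), set()
    start = end = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "net":
            networks.append(ipaddress.ip_network(value, strict=False))
        elif key == "host":
            hosts.add(value.lower().rstrip("."))
        elif key == "ssid":
            ssids.add(value)
        elif key == "window":
            a, b = value.split("-")
            start, end = time.fromisoformat(a), time.fromisoformat(b)
        elif key == "days":
            weekdays.update(int(d) for d in value.split(","))
        else:
            raise ValueError(f"unknown scope key: {key!r}")
    if start is None or end is None:
        raise ValueError("scope must define a testing window")
    return Scope(tuple(networks), frozenset(hosts), frozenset(ssids),
                 start, end, frozenset(weekdays))


def target_in_scope(scope: Scope, target: str) -> bool:
    """IP addresses must fall inside an agreed range; hostnames must be listed explicitly."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return target.lower().rstrip(".") in scope.hosts
    return any(addr in net for net in scope.networks)


def ssid_in_scope(scope: Scope, ssid: str) -> bool:
    """Exact match only: a similar-looking neighbour SSID is someone else's network."""
    return ssid in scope.ssids


def in_window(scope: Scope, when: datetime) -> bool:
    """True inside the agreed window, including overnight windows such as 22:00-06:00."""
    t = when.time()
    if scope.window_start <= scope.window_end:   # same-day window
        return when.weekday() in scope.weekdays and scope.window_start <= t < scope.window_end
    if t >= scope.window_start:                  # evening half of an overnight window
        return when.weekday() in scope.weekdays
    if t < scope.window_end:                     # morning half belongs to the previous day's window
        return (when.weekday() - 1) % 7 in scope.weekdays
    return False


def in_window_at(scope: Scope, when_iso: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return in_window(scope, datetime.fromisoformat(when_iso))


def gate(scope: Scope, candidates: list[str], when_iso: str) -> tuple[list[str], list[str]]:
    """Split candidates into (allowed, refused). Outside the window nothing is allowed."""
    if not in_window_at(scope, when_iso):
        return [], list(candidates)
    allowed = [c for c in candidates if target_in_scope(scope, c)]
    refused = [c for c in candidates if not target_in_scope(scope, c)]
    return allowed, refused


if __name__ == "__main__":
    scope = parse_scope(SAMPLE_SCOPE)
    # Credentials found on the in-scope web server point at these hosts (constructed list).
    found = ["10.20.30.15", "app.example.test", "10.20.31.9", "db.example.test"]
    ok, refused = gate(scope, found, "2024-06-03T23:30")   # a Monday, inside the window
    print("allowed:", ok)
    print("refused until a scope addendum is signed:", refused)
```

Hostnames are matched exactly against the scope rather than resolved, because a resolver answer can change between scoping and testing; when a client adds targets mid-engagement, the scope file is what gets amended, and the gate picks the change up without any code edits.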
Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting?
a. An objectives-based assessment
b. A red-team assessment
c. A black-team assessment
d. A compliance-based assessment
d. PCI DSS is an industry compliance standard for organizations that store, process, or transmit credit card data, and it requires regular penetration testing. Because Lucas’s work follows that standard’s requirements, he is conducting a compliance-based assessment.
The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language?
a. His testing may create changes.
b. The environment is unlikely to be the same in the future.
c. Attackers may use the same flaws to change the environment.
d. The test will not be fully comprehensive.
b. Assessments are valid only at the time they occur. Systems change constantly due to patches, user activity, and configuration changes, so a finding (or the absence of one) may not hold a week later. Greg’s point-in-time validity statement is a key element of penetration testing engagement contracts because it sets expectations about what the report does and does not guarantee.
The company that Ian is performing a penetration test for uses a wired network for their secure systems and does not connect it to their wireless network. What environmental consideration should Ian note if he is conducting a partial knowledge penetration test?
a. He needs to know the IP ranges in use for the secure network.
b. He needs to know the SSIDs of any wireless networks.
c. Physical access to the network may be required.
d. Physical access to a nearby building may be required.
c. Access to a wired network can require physical access, which could be provided as part of a partial knowledge penetration test. In an unknown environment test, Ian might instead have to find a way to remotely compromise a system connected to that network or to gain physical access to the building where the systems are. Knowing the IP ranges or the SSIDs of wireless networks is not required for this type of test: IP ranges can be determined once he is connected, and the question specifically notes that the secure wired network is not connected to the wireless network.