Planning and Scoping Penetration Tests Flashcards

1
Q

What term describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract?

a. NDA
b. MSA
c. SOW
d. MOD

A

c. SOW. A statement of work covers the working agreement between two parties and is used in addition to an existing contract or master services agreement (MSA). An NDA is a nondisclosure agreement, and the acronym MOD was made up for this question.

2
Q

Maria wants to build a penetration testing process for her organization and intends to start with an existing standard or methodology. Which of the following is not suitable for that purpose?

a. ISSAF
b. OSSTMM
c. PTES
d. ATT&CK

A

d. ATT&CK. PTES, OSSTMM, and ISSAF are all penetration testing methodologies or standards. MITRE’s ATT&CK framework describes adversary tactics and techniques but does not outline how to perform a penetration test.

3
Q

Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information?

a. Unknown environment
b. Partial environment
c. Known environment
d. Zero knowledge

A

c. Known environment. Known environment testing, often also known as “crystal box” or “white box” testing, provides complete access and visibility. Unknown environment, or black-box, testing provides no information, whereas partial knowledge, or gray-box, testing provides limited information.

4
Q

What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment?

a. A noncompete
b. A NDA
c. A data security agreement
d. A DSA

A

b. A NDA. A nondisclosure agreement covers the data and other information that a penetration tester may encounter or discover during their work. It acts as a legal agreement preventing disclosure of that information.

5
Q

During a penetration test scoping discussion, Charles is asked to test the organization’s SaaS-based email system. What concern should he bring up?

a. Cloud-based systems require more time and effort.
b. Determining the scope will be difficult due to the size of cloud-hosted environments.
c. Cloud service providers do not typically allow testing of their services.
d. Testing cloud services is illegal.

A

c. Cloud service providers don’t typically allow testing to be conducted against their services. Charles may recommend that the company ask for third-party security audit information instead. Cloud systems and large environments can be difficult to scope and may require more time, but the primary issue here is the ability to even legitimately conduct the assessment that is being requested.

6
Q

During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened?

a. His IP address was whitelisted.
b. The server crashed.
c. The network is down.
d. His IP address was blacklisted.

A

d. The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization’s defensive practices. A whitelist would allow him in, and it is far less likely that the server or network has gone down.

7
Q

What does an MSA typically include?

a. The terms that will govern future agreements.
b. Mutual support during assessments.
c. Microservices architecture.
d. The minimum service level acceptable.

A

a. A master service agreement (MSA) is a contract that defines the terms under which future work will be completed. Specific work is then typically handled under a statement of work (SOW).

8
Q

While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed?

a. Jack whitelisting
b. Jack blacklisting
c. NAC
d. 802.15

A

c. The organization that Cassandra is testing has likely deployed network access control (NAC). Her system will not have the proper NAC client installed, and she will be unable to access that network jack without authenticating and having her system approved by the NAC system.

9
Q

What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data?

a. An objectives-based assessment
b. A compliance-based assessment
c. A black-team assessment
d. A red-team assessment

A

a. An objectives-based assessment specifically targets goals like gaining access to specific systems or data. A compliance-based assessment is conducted as part of compliance efforts and will focus on whether systems are properly secured or meet standards. A red-team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all vulnerabilities and flaws that they can find. “Black-team assessment” is not a commonly used penetration testing term.

10
Q

During an on-site penetration test, what scoping element is critical for wireless assessments when working in shared buildings?

a. Encryption type
b. Wireless frequency
c. SSIDs
d. Preshared keys

A

c. Knowing the SSIDs that are in scope is critical when working in shared buildings. Testing the wrong network could cause legal or even criminal repercussions for a careless penetration tester.

11
Q

Ruchika has been asked to conduct a penetration test against internal business systems at a mid-sized company that operates only during a normal day shift. The test will be run against critical business systems. What restriction is most likely to be appropriate for the testing?

a. Time of day
b. Types of allowed test
c. Types of prohibited tests
d. The physical locations that can be tested.

A

a. Time of day restrictions can be used to ensure tests occur when the systems are not in use, allowing time for recovery or restoration if something goes wrong. Types of allowed tests or denied tests are less likely to be used since they can limit the value of a test, and restricting physical locations is uncommon for smaller organizations that don’t have many distinct locations.

12
Q

During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred?

a. Malfeasance
b. Known environment testing
c. Scope creep
d. Target contraction

A

c. Scope creep occurs when additional items are added to the scope of an assessment. Chris has gone beyond the scope of the initial assessment agreement. This can be expensive for clients or may cost Chris income if the additional time and effort is not accounted for in an addendum to his existing contract.

13
Q

Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting?

a. An objectives-based assessment
b. A red-team assessment
c. A black-team assessment
d. A compliance-based assessment

A

d. The PCI DSS standard is an industry standard for compliance for credit card processing organizations. Thus, Lucas is conducting a compliance-based assessment.

14
Q

The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language?

a. His testing may create changes.
b. The environment is unlikely to be the same in the future.
c. Attackers may use the same flaws to change the environment.
d. The test will not be fully comprehensive.

A

b. Assessments are valid only when they occur. Systems change due to patches, user changes, and configuration changes on a constant basis. Greg’s point-in-time validity statement is a key element in penetration testing engagement contracts.

15
Q

The company that Ian is performing a penetration test for uses a wired network for their secure systems and does not connect it to their wireless network. What environmental consideration should Ian note if he is conducting a partial knowledge penetration test?

a. He needs to know the IP ranges in use for the secure network.
b. He needs to know the SSIDs of any wireless networks.
c. Physical access to the network may be required.
d. Physical access to a nearby building may be required.

A

c. Access to a wired network can require physical access, which could be provided as part of a partial knowledge penetration test. In an unknown environment test, Ian might have to identify a way to compromise a system connected to the network remotely or to gain physical access to the building where the systems are. Knowing the IP ranges or the SSIDs of wireless networks is not required for this type of test. IP ranges can be determined once he is connected, and the test specifically notes that wired networks are not connected.

16
Q

Megan wants to gather data from a service that provides data to an application. What type of documentation should she look for from the application’s vendor?

a. Database credentials
b. System passwords
c. API documentation
d. Network configuration settings

A

c. Megan should look for API documentation. If the application uses an API, she may be able to use default API credentials or methods to gather data. The problem does not mention a database, and system passwords and network configuration settings are not as useful here.

17
Q

Charles has completed the scoping exercise for his penetration test and has signed the agreement with his client. Whose signature should be expected as the counter signature?

a. The information security officer
b. The project sponsor
c. The proper signing authority
d. An administrative assistant

A

c. While the ISO or the sponsor may be the proper signing authority, it is important that Charles verify that the person who signs actually is the organization’s proper signing authority. That means this person must have authority to commit the organization to a penetration test. Unfortunately, it isn’t a legal term, so Charles may have to do some homework with his project sponsor to ensure that this happens correctly.

18
Q

Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreement? Choose two.

a. Risk tolerance
b. Point-in-time
c. Comprehensiveness
d. Impact tolerance

A

b, c. Both the comprehensiveness of the test and the limitation that it is only relevant at the point in time it is conducted are appropriate disclaimers for Elaine to include. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

19
Q

Jen wants to conduct a penetration test and includes mobile application testing. Which standard or methodology is most likely to be useful for her efforts?

a. NIST
b. OWASP
c. KALI
d. ISSAF

A

b. The Open Web Application Standards Project provides mobile application testing guidelines as part of their documentation, making it the best option on this list for Jen. NIST provides high-level guidance about what tests should include, KALI is a security-focused Linux distribution, and ISSAF is a dated penetration testing standard.

20
Q

What type of assessment most closely simulates an actual attacker’s efforts?

a. A red-team assessment with a zero knowledge strategy
b. A goals-based assessment with a full knowledge strategy
c. A red-team assessment with a full knowledge strategy
d. A compliance-based assessment with zero knowledge strategy

A

a. A red-team assessment with zero knowledge will attempt a penetration test as though the testers were actual attackers who do not have prior or insider knowledge of the organization. Full knowledge assessments provide more knowledge than attackers can be expected to have, and goals-based assessments target specific systems or elements of an organization rather than the broader potential attack surface that actual attackers may target.