2.4.4 Practice Questions Flashcards
Which type of penetration test is required to ensure an organization is following federal laws and regulations?
answer
Goal-based
White box
Objective-based
Compliance-based
Compliance-based
Explanation
Compliance-based penetration tests are required to ensure an organization follows federal laws and regulations.
Which of the following defines the security standards for any organization that handles cardholder information for any type of payment card?
answer
DMCA
HIPAA
FISMA
PCI DSS
PCI DSS
Explanation
The Payment Card Industry Data Security Standard (PCI DSS) defines the security standards for any organization that handles cardholder information.
Michael is performing a penetration test for a hospital. Which federal regulation does Michael need to ensure he follows?
answer
PCI DSS
FISMA
HIPAA
DMCA
HIPAA
Explanation
The Health Insurance Portability and Accountability Act (HIPAA)
Charles found a song he wrote being used without his permission in a video on YouTube. Which law will help him protect his work?
answer
HIPAA
PCI DSS
DMCA
FISMA
DMCA
Explanation
The Digital Millennium Copyright Act (DMCA)
Which of the following best describes what FISMA does?
answer
Defines how federal government data, operations, and assets are handled.
Defines standards that ensure medical information is kept safe.
Implements accounting and disclosure requirements that increase transparency.
Defines the security standards for any organization that handles cardholder information
Defines how federal government data, operations, and assets are handled.
Explanation
The Federal Information Security Management Act (FISMA)
Which of the following best describes what SOX does?
answer
Implements accounting and disclosure requirements that increase transparency.
Defines standards that ensure medical information is kept safe.
Defines how federal government data, operations, and assets are handled.
Defines the security standards for any organization that handles cardholder information.
Implements accounting and disclosure requirements that increase transparency.
Explanation
The Sarbanes-Oxley Act (SOX)
Which of the following is a limitation of relying on regulations?
answer
They rely heavily on password policies.
They allow interpretation.
They are regularly updated.
The industry standards take precedence.
They rely heavily on password policies.
Explanation
One of the drawbacks to many federal regulations is that they rely heavily on password policies, which are often outdated.
Which of the following best describes a goal-based penetration test?
answer
Ensures the organization follows federal laws and regulations.
Focuses on the end results. The hacker determines the methods.
Focuses on the overall security of the organization and its data security.
The hacker has been given full information about the target.
Focuses on the end results. The hacker determines the methods.
Explanation
A goal-based penetration test focuses on end results. The goals are specific, but the methods for reaching them are left to the tester.
A goal-based penetration test needs to have specific goals. Using SMART goals is extremely useful for this. What does SMART stand for?
answer
Specific/Maintainable/Attainable/Relevant/Timely
Specific/Measurable/Attainable/Relevant/Timely
Steps/Maintainable/Affordable/Results/Tuned
Steps/Measurable/Affordable/Results/Tuned
Specific/Measurable/Attainable/Relevant/Timely
Explanation
SMART
Which document explains the details of an objective-based test?
answer
Permission to test
Scope of work
Rules of engagement
Change order
Scope of work
Explanation
The scope of work is a very detailed document that defines exactly what is going to be included in a penetration test.
Which of the following best describes a supply chain?
answer
A company sells their products on Amazon and has Amazon ship the product.
A company stocks their product at a store.
A company provides materials to another company to manufacture a product.
A company stores their product at a distribution center.
A company provides materials to another company to manufacture a product.
Explanation
A supply chain exists when one company supplies materials that another company needs to manufacture a product.
Heather has been hired to work in a firm’s cybersecurity division. Her role will include performing both offensive and defensive tasks. Which of the following roles applies to Heather?
answer
A black hat hacker.
A member of the red team.
A member of the purple team.
A gray hat hacker.
A member of the purple team.
Explanation
The purple team is a mix of red team (offensive) and blue team (defensive) members, so a role that covers both kinds of tasks belongs to the purple team.
ABC company is in the process of merging with XYZ company. As part of the merger, a penetration test has been recommended. Testing the network systems, physical security, and data security have all been included in the scope of work. What else should be included in the scope of work?
answer
Email policies
Company culture
Employee IDs
Password policies
Company culture
Explanation
During the premerger phase, areas such as physical security, data security, company culture, and network systems need to be tested.