Chapter 2 Flashcards

1
Q

What term describes a document created to define project-specific activities, deliverables, and
timelines based on an existing contract?

A

C. SOW (Statement of Work)

MSA (Master Services Agreement): a contract reached between parties in which they agree to most of the terms that will govern future transactions or future agreements.

2
Q

Maria wants to build a penetration testing process for her organization and intends to
start with an existing standard or methodology.

Which of the following is not suitable for
that purpose?
A. ISSAF
B. OSSTMM
C. PTES
D. ATT&CK

A

D. ATT&CK (Describes adversary tactics)

3
Q

Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain
that information?

A. Unknown environment
B. Partial knowledge
C. Known environment
D. Zero knowledge

A

C. Known environment

4
Q

During a penetration test scoping discussion, Charles is asked to test the organization’s SaaS-based email system.

What concern should he bring up?
A. Cloud-based systems require more time and effort.
B. Determining the scope will be difficult due to the size of cloud-hosted environments.
C. Cloud service providers do not typically allow testing of their services.
D. Testing cloud services is illegal.

A

C. Cloud service providers do not typically allow testing of their services.

(Large environment that will take a while to scope)

4
Q

What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment?

A

B. An NDA

5
Q

What does an MSA typically include?

A

A. The terms that will govern future agreements

5
Q

During a penetration test, Alex discovers that he is unable to scan a server that he was able to
successfully scan earlier in the day from the same IP address. What has most likely happened?
A. His IP address was whitelisted.
B. The server crashed.
C. The network is down.
D. His IP address was blacklisted.

A

D. His IP address was blacklisted.

6
Q

While performing an on-site penetration test, Cassandra plugs her laptop into an accessible
network jack. When she attempts to connect, however, she does not receive an IP address and
gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed?

A

C. NAC (Network Access Control): she is unable to access the network until her system is approved.

7
Q

What type of penetration test is not aimed at identifying as many vulnerabilities as possible
and instead focuses on vulnerabilities that specifically align with the goals of gaining control
of specific systems or data?

A

An objectives-based assessment

8
Q

During an on-site penetration test, what scoping element is critical for wireless assessments
when working in shared buildings?

A

C. SSIDs (Testing the wrong network could cause legal or criminal repercussions)

9
Q

Ruchika has been asked to conduct a penetration test against internal business systems at a
mid-sized company that operates only during a normal day shift. The test will be run against
critical business systems.

What restriction is most likely to be appropriate for the testing?

A

A. Time of day

10
Q

During a penetration test specifically scoped to a single web application, Chris discovers that
the web server also contains a list of passwords to other servers at the target location. After
he notifies the client, they ask him to use them to validate those servers, and he proceeds to
test those passwords against the other servers. What has occurred?

A

C. Scope creep (additional items are added to the scope of the assessment)

11
Q

Lucas has been hired to conduct a penetration test of an organization that processes credit
cards. His work will follow the recommendations of the PCI DSS. What type of assessment is
Lucas conducting?

A

D. A compliance-based assessment

12
Q

The penetration testing agreement document that Greg asks his clients to sign includes a
statement that the assessment is valid only at the point in time at which it occurs. Why does
he include this language?
A. His testing may create changes.
B. The environment is unlikely to be the same in the future.
C. Attackers may use the same flaws to change the environment.
D. The test will not be fully comprehensive.

A

B. The environment is unlikely to be the same in the future.

13
Q

The company that Ian is performing a penetration test for uses a wired network for their
secure systems and does not connect it to their wireless network.

What environmental consideration should Ian note if he is conducting a partial knowledge penetration test?
A. He needs to know the IP ranges in use for the secure network.
B. He needs to know the SSIDs of any wireless networks.
C. Physical access to the network may be required.
D. Physical access to a nearby building may be required.

A

C. Physical access to the network may be required.

14
Q

Megan wants to gather data from a service that provides data to an application. What type
of documentation should she look for from the application’s vendor?

A. Database credentials
B. System passwords
C. API documentation
D. Network configuration settings

A

C. API documentation

15
Q

Charles has completed the scoping exercise for his penetration test and has signed the
agreement with his client. Whose signature should be expected as the counter signature?
A. The information security officer
B. The project sponsor
C. The proper signing authority
D. An administrative assistant

A

C. The proper signing authority

16
Q

Elaine wants to ensure that the limitations of her red-team penetration test are fully
explained. Which of the following are valid disclaimers for her agreement? (Choose two.)
A. Risk tolerance
B. Point-in-time
C. Comprehensiveness
D. Impact tolerance

A

B. Point-in-time
C. Comprehensiveness

16
Q

Jen wants to conduct a penetration test that includes mobile application testing. Which standard or methodology is most likely to be useful for her efforts?
A. NIST
B. OWASP
C. KALI
D. ISSAF

A

B. OWASP (Open Worldwide Application Security Project)

OWASP provides mobile application testing guidelines as part of its documentation.

17
Q

What type of assessment most closely simulates an actual attacker’s efforts?

A. A red-team assessment with a zero knowledge strategy
B. A goals-based assessment with a full knowledge strategy
C. A red-team assessment with a full knowledge strategy
D. A compliance-based assessment with a zero knowledge strategy

A

A. A red-team assessment with a zero knowledge strategy

18
Q

What does a goals-based / objectives-based assessment include?

A

Conducted for specific reasons: validating new security, testing an app or service, or assessing the security of an organization that has recently been acquired.

19
Q

What does a compliance-based assessment include?

A

Designed around the compliance objectives of a law that requires the organization to have an assessment performed.

19
Q

What does a red-team assessment include?

A

Testers attempt to act like an attacker, targeting sensitive data or systems with the goal of acquiring data and access.

20
Q

What is a known environment test?

Also known as white box, crystal box, or full knowledge tests.

A

Performed with full knowledge of the underlying technology, configurations, and settings that make up the target.

21
Q

What is an unknown environment test?

Sometimes called a “black box” or “zero knowledge” test.

A

Replicates what an attacker would encounter: testers have no access to information about the environment and must instead gather that information, discover vulnerabilities, and make their way through the system as an attacker would.

21
Q

What is a partial knowledge test?

Sometimes called a gray box test.

A

A blend of unknown and known environment testing.

22
Q

What are some rules of engagement?

A

Timeline for the tests

What systems, apps, or other targets are in the scope

Types of tests allowed

Data handling requirements for information found

The target's defenses