CompTIA PenTest+ Practice Test Chapter 1 Planning and Scoping (Sybex: Panek, Crystal, Tracy) Flashcards
(168 cards)
1
Q
You have been asked to perform a penetration test for a medium-sized organization that sells after-market motorcycle parts online. What is the first task you should complete?
A.Research the organization’s product offerings. B.Determine the budget available for the test.
C.Identify the scope of the test.
D.Gain authorization to perform the test.
A
C.Identify the scope of the test.
Explanation:
The first step in the penetration testing process is to work with the client to clearly define the scope of the test. The scope determines what penetration testers will do and how their time will be spent. Researching the organization’s products is a task that will probably be done after the scope of work has been defined. Determining the budget and gaining authorization are subtasks that are usually completed as a part of the overall scoping process.
2
Q
A consultant has been hired to perform a penetration test for an organization. The target of the test is the organization’s proprietary design documents. The aim is to circumvent security measures and gain unauthorized access to these documents. What type of assessment is being conducted in this scenario? A.Objective-based assessment B.Goal-based assessment C.Compliance-based assessment D.Red team assessment
A
D.Red team assessment
Explanation:
Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goal-based or objective-based assessments are usually designed to assess the overall security of an organization.
Compliance-based assessments are designed to test compliance with specific laws.
3
Q
A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The aim is to circumvent security measures and gain unauthorized access to this information. What type of assessment is being conducted in this scenario?
A.Objective-based assessment
B.Gray box assessment
C.Compliance-based assessment
D.White box assessment
A
C.Compliance-based assessment
Explanation:
Because patient records are protected by the HIPPA law in the United States, this is an example of a compliance assessment.
Compliance-based assessments are designed to test compliance with specific laws. Objective-based assessments are usually designed to assess the overall security of an organization.
Gray box and white box assessments identify the level of knowledge the attacker has of the organization.
4
Q
A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The penetration tester has been given full knowledge of the organization’s underlying network. What type of test is being conducted in this example?
A.Goal-based assessment
B.Black box assessment
C.Objective-based assessment
D.White box assessment
A
D.White box assessment
Explanation:
A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.
5
Q
In which type of penetration test does the tester have a limited amount of information about the target environment but is not granted full access?
A.Gray box assessment
B.Black box assessment
C.Compliance-based assessment
D.White box assessment
A
A.Gray box assessment
Explanation:
A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A white box test is performed with full knowledge of the underlying network. In a black box test, the testers are not provided with access to or information about the target environment. Compliance-based assessments are designed to test compliance with specific laws.
6
Q
Which type of penetration test best replicates the perspective of a real-world attacker?
A.Gray box assessment
B.Black box assessment
C.Objective-based assessment
D.White box assessment
A
B.Black box assessment
Explanation:
Black box tests are sometimes called zero knowledge tests because they replicate what a typical external attacker would encounter. Testers are not provided with any access or information. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.
7
Q
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s HR database application. The tester has been given a desk, a computer connected to the organization’s network, and a network diagram. However, the tester has not been given any authentication credentials.
What type of test is being conducted in this scenario?
A.Compliance-based assessment
B.Black box assessment
C.Gray box assessment
D.White box assessment
A
C.Gray box assessment
Explanation:
A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. Compliance-based assessments are designed to test compliance with specific laws. In a black box test, the testers are not provided with access to or information about the target environment. A white box test is performed with full knowledge of the underlying network.
8
Q
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s e-commerce website. The tester, located in a different city, will utilize several different penetration testing tools to analyze the site
and attack it. The tester does not have any information about the site or any authentication credentials.
What type of test is being conducted in this scenario?
A.White box assessment
B.Black box assessment
C.Objective-based assessment
D.Gray box assessment
A
B.Black box assessment
Explanation:
In a black box test, testers are not provided with any access to or information about the target. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.
9
Q
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization’s internal firewalls. The tester has been given a desk, a computer connected to the organization’s network, and a network diagram. The tester has also been given authentication credentials with a fairly high level of access. What type of test is being conducted in this scenario?
A.Gray box assessment
B.Black box assessment
C.Goals-based assessment
D.White box assessment
A
D.White box assessment
Explanation:
A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization’s network. A gray box test may provide some information about the environment to the penetration testers without giving full access. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.
10
Q
Which type of penetration test best focuses the tester’s time and efforts while still providing an approximate view of what a real attacker would see?
A.Gray box assessment
B.Black box assessment
C.Goals-based assessment
D.White box assessment
A
A.Gray box assessment
Explanation:
A gray box test is a blend of black box and white box testing. A gray box test usually provides limited information about the target to the penetration testers but does not provide full access, credentials, or configuration information. A gray box test can help focus penetration testers’ time and effort while also providing a more accurate view of what an attacker would actually encounter. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization. A white box test is performed with full knowledge of the underlying network.
11
Q
An attacker downloads the Low Orbit Ion Cannon from the Internet and then uses it to conduct a denial-of-service attack against a former employer’s website. What kind of attacker is this?
A.Script kiddie
B.Hacktivist
C.Organized crime
D.Nation-state
A
A.Script kiddie
Explanation:
A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated. Organized crime actors are usually a highly organized group of cybercriminals whose main goal is to make a lot of money. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.`
12
Q
An attacker carries out an attack against a government contractor in a neighboring country, with the goal of gaining access through the contractor to the rival country’s governmental network infrastructure. The government of the attacker’s own country is directing and funding the attack.
What type of threat actor is this?
A.Script kiddie
B.Hacktivist
C.Organized crime
D.Nation-state
A
D.Nation-state
Explanation:
A state-sponsored attacker usually operates under the direction of a government agency. The attacks are usually aimed at government contractors or even the government systems themselves. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.
13
Q
A group of hackers located in a former Soviet-bloc nation have banded together and released a ransomware app on the Internet. Their goal is to extort money in the form of crypto currency from their victims.
What kind of attacker is this?
A.Malicious insider
B.Hacktivist
C.Organized crime
D.Nation-state
A
C.Organized crime
Explanation:
An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last a long time, are very well-funded, and are usually quite sophisticated. A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A hacktivist’s attacks are usually politically motivated. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.
14
Q
An attacker who is a passionate advocate for brine shrimp attacks and defaces the website of a company that harvests brine shrimp and sells them as fish food.
What type of attacker is this?
A.Script kiddie
B.Hacktivist
C.Organized crime
D.Nation-state
A
B.Hacktivist
Explanation:
A hacktivist’s attacks are usually politically motivated, instead of financially motivated. Typically, they want to expose perceived corruption or gain attention for their cause. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.
15
Q
An employee has just received a very negative performance review from his manager. The employee feels the review was biased and the poor rating unjustified. In retaliation, the employee accesses confidential employee compensation information from an HR database server and posts it anonymously on Glassdoor.
What kind of attacker is this?
A.Script kiddie
B.Hacktivist
C.Organized crime
D.Malicious insider
A
D.Malicious insider
Explanation:
A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist’s attacks are usually politically motivated, instead of financially motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.
16
Q
Which of the following attackers are most likely to be able to carry out an advanced persistent threat (APT)? (Choose two.)
A.Malicious insider B.Script kiddie C.Hacktivist D.Organized crime E.Nation-state
A
D.Organized crime
E.Nation-state
Explanation:
An advanced persistent threat (APT) is a prolonged targeted attack in which the attacker gains access to a network and remains there undetected for an extended period of time. As such, only an organized crime or nation-state actor is likely to have the level of sophistication and the funds required to carry out such an attack. Script kiddies, hacktivists, and malicious insiders usually lack the technical expertise and/or the funds necessary to carry out an APT.
17
Q
Which of the following entities are most likely to become the target of an advanced persistent threat (APT)? (Choose two.)
A.A government contractor B.A website offering lessons on search engine optimization (SEO) C.A multinational bank D.A dental practice E.A community college
A
A.A government contractor
C.A multinational bank
Explanation:
Advanced persistent threats (APTs) are typically aimed at high-value targets, such as governments, defense contractors, multinational organizations, and financial organizations. Online learning websites, dental practices, and even community colleges are typically not valuable enough as targets to warrant an APT.
18
Q
Which threat actor is most likely to be motivated by a political cause?
A.Malicious insider
B.Hacktivist
C.Organized crime
D.Script kiddie
A
B.Hacktivist
Explanation:
A hacktivist’s attacks are usually politically motivated, instead of financially motivated. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A script kiddie may have a variety of motivations, such as notoriety.
19
Q
Which threat actor is most likely to be motivated by a desire to gain attention?
A.Malicious insider
B.Script kiddie
C.Organized crime
D.Nation-state
A
B.Script kiddie
Explanation:
A script kiddie may have a variety of motivations. One of the most common is attention. They frequently brag about their exploits in online forums and social media. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A nation-state is most likely motivated by political or military goals.
20
Q
Which type of penetration test usually provides the most thorough assessment in the least amount of time?
A.Gray box assessment
B.Black box assessment
C.Goals-based assessment
D.White box assessment
A
D.White box assessment
Explanation:
Because a white box assessment provides the penetration testers with extensive information about the target, it usually provides the most thorough assessment and typically requires the least amount of time to conduct. A gray box test is a blend of black box and white box testing. As such, it takes longer to conduct because more information must be discovered by the
21
Q
You are performing research that will be used to define the scope of a penetration test that your company will perform for a client. What information must be included in your research? (Choose two.)
A.Why is the test being performed?
B.When was the last time a test was performed? C.What were the results of the last test performed? D.To whom should invoices be sent?
E.Who is the target audience for the test?
A
A.Why is the test being performed?
E.Who is the target audience for the test?
Explanation:
The scope document must specify, among other things, why the test is being performed and who the target audience is. The other options listed in this question may be included if necessary, but they are not required.
22
Q
You are documenting the rules of engagement (ROE) for an upcoming penetration test.
Which elements must be included? (Choose two.)
A. A timeline for the engagement
B. A review of laws that specifically govern the target
C.A list of similar organizations that you have assessed in the past
D.A list of the target’s competitors
E.A detailed map of the target’s network
A
B. A review of laws that specifically govern the target
C.A list of similar organizations that you have assessed in the past
Explanation:
The rules of engagement (ROE) should always include the timeline for the engagement as well as a review of any laws that specifically govern the target to ensure you don’t break them. A list of other organizations that you have tested in the past or a list of the target organization’s competitors is unlikely to be specified in the rules of engagement. A detailed map of the target’s network will probably not be included in a black or gray box test.
23
Q
You are documenting the rules of engagement (ROE) for an upcoming penetration test.
Which elements should you make sure to include? (Choose two.)
A.Detailed billing procedures
B.A list of out-of-scope systems
C.A list of in-scope systems
D.An approved process for notifying the target’s competitors about the engagement
E.Arbitration procedures for resolving disputes between you and the client
A
B.A list of out-of-scope systems
C.A list of in-scope systems
Explanation:
The ROE should identify which locations, systems, applications, or other potential targets are included in or excluded from the test. This should identify any third-party service providers that may be impacted by the test such as ISPs, cloud service providers, or security monitoring services. Billing and arbitration procedures will likely be addressed in the general contract between you and the client, not in the ROE. It is unlikely that the client will want you to notify their competitors that you are testing their security.
24
Q
You are documenting the rules of engagement (ROE) for an upcoming penetration test.
Which elements should be considered? (Choose two.)
A. A list of IP addresses assigned to the systems you will use to conduct the test
B.How you will communicate the results of the test with the target
C.A list of penetration testing tools you will use during the test
D.A list of references from past clients for whom you have conducted penetration tests
E.A list of behaviors that are not allowed on the part of the target during the test
A
B.How you will communicate the results of the test with the target
E.A list of behaviors that are not allowed on the part of the target during the test
Explanation:
The ROE should specify when and how communications will occur between you and the client. Should you provide daily or weekly updates, or will you simply report when the test is complete? The ROE should also specify the behaviors allowed on the part of the target. For example, engaging in defensive behaviors such as shunning or blacklisting could limit the value of the test.
25
You are defining the rules of engagement (ROE) for an upcoming penetration test. During this process, you have defined off-limit times when you should not attack the target, a list of in-scope and out-of-scope systems, and data-handling requirements for the information you gather during the test. You also phoned one of the help-desk technicians at the target site and received verbal permission to conduct the test. You recorded the technician’s name and the date in the ROE document.
What did you do incorrectly in this scenario?
A.For privacy reasons, you should not have identified the internal technician by name in the ROE document.
B.Including “off-limits” times reduces the accuracy of the test.
C.The ROE should include written permission from senior management.
D.All systems should be potential targets during the test.
E.The target should not know how you are storing the information gathered during the test.
C.The ROE should include written permission from senior management.
Explanation:
Verbal permission is usually considered insufficient. Before beginning a penetration test, you must obtain a signed agreement from senior management giving you permission to conduct the test. This agreement will function as a “get out of jail free” card should your activities be reported to authorities.
26
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. You have specified that the target may not employ shunning or blacklisting during the test. You have specified that the target must provide you with internal access to the network, a network map, and authentication credentials. You have also specified that applications provided by a SaaS service provider are off-limits during the test. What did you do incorrectly in this scenario?
A.The target should be allowed to use whatever means it chooses to defend itself.
B.Having detailed information about the internal network invalidates the results of the test.
C.All network resources should be subject to testing, including cloud-based resources.
D.Nothing. The ROE has been defined appropriately.
D.Nothing. The ROE has been defined appropriately.
Explanation:
The rules of engagement have been defined appropriately in this scenario. For example, it is quite appropriate to define what defensive behaviors the target is allowed to use during the test. Likewise, a white box test will likely include detailed information about the internal network. It’s also not uncommon for third-party service providers to be excluded from the test.
27
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a black box assessment. The client has specified that they do not want the test to be conducted during peak times of the day, so you added “timeout” time frames to the document when testing will be suspended. You have specified that no communications will occur between you and the client until the end of the test when you submit your final test results. You have also specified that the target must provide you with internal access to the network, a network map, and authentication credentials. What did you do incorrectly in this scenario?
A.Having detailed information about the internal network invalidates the results of the test.
B.Pausing the assessment during peak times invalidates the results of the test.
C.Communications between the testers and the client should occur at regular intervals throughout the test. D.Nothing. The ROE has been defined appropriately.
A.Having detailed information about the internal network invalidates the results of the test.
Explanation:
Because this is a black box assessment, the testers should have no prior knowledge of the environment to be tested nor should they have special access to it. In essence, they should attack the client from the same perspective as a real attacker would. It is quite appropriate to pause testing during peak times to avoid disrupting their critical business operations. It’s also appropriate to communicate with the client only after the test is complete, especially on a black box assessment.
28
You own a small penetration testing consulting firm. You are worried that a client may sue you months or years after penetration testing is complete if their network is compromised by an exploit that didn’t exist when the test was conducted.
What should you do?
A.Insist that clients sign a nondisclosure agreement (NDA) prior to the test.
B.Include a disclaimer in the agreement indicating that the results are valid only at the point in time when the test was performed.
C.Include an arbitration clause in the agreement to prevent a lawsuit.
D.Insist that clients sign a statement of work (SOW) prior to the test.
B.Include a disclaimer in the agreement indicating that the results are valid only at the point in time when the test was performed.
Explanation:
The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted and that the scope and methodology requested by the client can impact the comprehensiveness of the test. An NDA specifies
what each party in an agreement is allowed to disclose to third parties. An arbitration clause could still result in a settlement that goes against the pen test consultant. A SOW alone won’t protect you against this kind of lawsuit unless it contains a point-in-time clause, discussed earlier.
29
You own a small penetration testing consulting firm. You are worried that a client who requests a black box assessment may sue you after penetration testing is complete if their network is compromised by an exploit.
What should you do?
A.Insist that clients sign a purchase order prior to the test.
B.Insist that clients sign a master services agreement (MSA) prior to the test.
C.Include a disclaimer in the agreement indicating that the test methodology can impact the comprehensiveness of the test.
D.Refuse to perform black box tests.
C.Include a disclaimer in the agreement indicating that the test methodology can impact the comprehensiveness of the test.
Explanation:
The testing agreement or scope documentation should contain a disclaimer explaining that the scope and methodology requested by the client can impact the comprehensiveness of the test. For example, a white box test is more likely to discover hidden vulnerabilities than a black box test can. A purchase order is a binding agreement to purchase goods or services. An MSA is an agreement that defines terms that will govern future agreements. Black box tests can provide a unique perspective and should not be forsaken.
30
You are defining the rules of engagement (ROE) for an upcoming penetration test. You are working on the problem resolution section of the document. Which elements should be included in this section? (Choose two.)
A.Clearly defined problem escalation procedures
B.A timeline for the engagement
C.In-scope systems, applications, and service providers
D.Out-of-scope systems, applications, and service providers
E.Acknowledgment that penetration testing carries inherent risks
A.Clearly defined problem escalation procedures
E.Acknowledgment that penetration testing carries inherent risks
Explanation:
When documenting problem handling and resolution in a rules of engagement document, you should clearly define escalation procedures on both sides of the agreement to help minimize downtime for the target organization. You should also include verbiage that requires the client to acknowledge that penetration testing carries inherent risks. A timeline for the engagement, along with scoping information, is also included in the ROE, just not in the problem resolution section.
31
You work at a penetration testing consulting firm. An organization that you have not worked with previously calls and asks you to perform a black box assessment of its network. You agree on a price and scope over the phone. After quickly designing the test on paper, you begin execution later that afternoon. Was this test conducted properly?
A.Yes, proper penetration test planning and scoping procedures were followed.
B.No, new clients should be properly vetted before beginning an assessment.
C.No, a master service agreement (MSA) should be signed before testing begins.
D.No, the rules of engagement (ROE) for the test should be documented and signed by both parties.
D.No, the rules of engagement (ROE) for the test should be documented and signed by both parties.
Explanation:
The rules of engagement (ROE) should have been clearly defined and signed by both parties before the penetration test begins. Not having the ROE in place exposes your organization to potential litigation should something go wrong during the testing process. The vetting of a new client occurs during the process of scoping the test and creating the ROE document. An MSA defines terms that will govern future agreements.
32
You are arranging the terms of a penetration test with a new client. Which of the following is an appropriate way to secure legal permission to conduct the test?
A.Ask a member of senior management via email for permission to perform the test.
B.Ask a member of the IT staff over the phone for permission to perform the test.
C.Ask a member of the IT staff to sign a document granting you permission to perform the test.
D.Ask a member of senior management to sign a document granting you permission to perform the test.
D.Ask a member of senior management to sign a document granting you permission to perform the test.
Explanation:
Before conducting a penetration test, you must get written permission from the senior management of the target organization to perform the test. Getting permission verbally or via email is generally not acceptable. Getting permission from the IT staff is also generally not acceptable.
33
Which type of penetration test best simulates an outsider attack?
A.Black box
B.Gray box
C.White box
D.Blue box
A.Black box
Explanation:
In a black box penetration test, the tester has no prior knowledge of the target. Therefore, it best simulates what would happen during an attack from the outside. White-box and gray-box penetration tests allow the tester to have some degree of prior knowledge about the target.
34
You need to conduct a penetration test for a client that best assesses the target organization’s vulnerability to a malicious insider who has the network privileges of an average employee. Which type of test should you perform?
A.Gray box
B.White box
C.Black box
D.Red box
A.Gray box
Explanation:
In a gray box penetration test, the tester has partial knowledge of the target. This can be used to simulate a malicious insider attack conducted by an average employee. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.
35
Which type of penetration test requires the most time and money to conduct?
A.White box
B.Gray box
C.Black box
D.Green box
C.Black box
Explanation:
Because the penetration tester has no knowledge of the target, a black box test takes the most time and money to conduct. In contrast, gray box and white box tests are usually must less expensive and take less time to conduct because the tester has some level of prior knowledge about the target.
36
A penetration tester uses a typical employee email account to send a phishing email exploit to managers and executives within the target organization. The goal is to see how many actually fall for the exploit and click the link in the message. What kind of penetration test is being performed in this scenario?
A.Black box
B.Gray box
C.White box
D.Red box
B.Gray box
Explanation:
Because the tester is using an internal email account (the kind used by a typical employee) to conduct the test, the tester is most likely performing a gray box test. In a black box test, the tester would have to use an external email account. In a white box test, the tester would likely use elevated privileges and access to conduct the test.
37
You work for a penetration testing firm. A client calls and asks you to perform an exhaustive test that deeply probes their infrastructure for vulnerabilities. What kind of test should you recommend?
A.Gray box
B.White box
C.Black box
D.Blue box
B.White box
Explanation:
Because the tester is given extensive internal access to the target network, a white box test usually provides the most exhaustive assessment. More time can be spent probing for deep vulnerabilities than is possible with a black or gray box test.
38
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. This will be an internal test. No third parties may be involved. Which of the following resources could be considered in-scope for the assessment? (Choose two.)
A.Active Directory users
B.Password policies defined within Group Policy C.Microsoft Office 365 cloud applications
D.Google Docs
E.Microsoft Azure web servers
A.Active Directory users
B.Password policies defined within Group Policy
Explanation:
The scope of this engagement in this scenario is limited to the internal network infrastructure. Microsoft Office 365, Google Docs, and Microsoft Azure are all cloud-based services hosted by third parties and are therefore considered out of scope.
39
What is the most important step in the penetration testing planning and scoping process?
A.Obtaining written authorization from the client
B.Writing the rules of engagement (ROE)
C.Selecting a testing methodology
D.Defining in-scope and out-of-scope systems, applications, and service providers
A.Obtaining written authorization from the client
Explanation:
The most important step in the penetration testing planning and scoping process is to obtain written permission from the target to perform the test. Without written permission, you are considered a hacker and are subject to federal, state, and local laws regarding computer crime (such as U.S. Code, Title 18, Chapter 47, Sections 1029 and 1030).
40
Which of the following is a formal document that defines exactly what will be done during a penetration test?
A.Master service agreement (MSA)
B.Nondisclosure agreement (NDA)
C.Statement of work (SOW)
D.Purchase order (PO)
C.Statement of work (SOW)
Explanation:
The statement of work (SOW) is a formal document that defines the scope of the penetration test. It identifies exactly what will happen during the test. An MSA defines terms that will govern future agreements. An NDA specifies what each party in an agreement is allowed to disclose to third parties. A purchase order is a binding agreement to make a purchase from a vendor.
41
You work for a penetration testing firm. You go to dinner with a potential client. To demonstrate your organization’s technical expertise with penetration testing, you list several of your other clients by name and describe in detail various problems your assessments discovered at each one.
Which of the following was violated when you did this?
A.Statement of work (SOW)
B.Nondisclosure agreement (NDA)
C.Master service agreement (MSA)
D.Purchase order (PO)
B.Nondisclosure agreement (NDA)
Explanation:
A nondisclosure agreement (NDA) is a legal contract that defines what confidential information can be shared and what cannot be shared. In most penetration testing agreements, the NDA specifies that the tester may not reveal the results of the test to anyone other than the client itself. A SOW is a formal document that defines the scope of the penetration test. An MSA defines terms that will govern future agreements. A purchase order is a binding agreement to make a purchase from a vendor.
42
You work for a penetration testing firm. A potential client called about your services. After reviewing what your organization can do, the client decides to schedule a single black box test. If they are happy with the results, they may consider future tests. Which of the following will you likely ask the client to sign first?
A.Purchase order (PO)
B.Nondisclosure agreement (NDA)
C.Master service agreement (MSA)
D.Statement of work (SOW)
A.Purchase order (PO)
Explanation:
Most likely, you will ask the client to sign a purchase order. A purchase order is a binding agreement to make a purchase from a vendor. With a purchase order in place, your organization can justify spending time and money defining a SOW and an NDA for the engagement. Because the client is essentially “trying” your services, an MSA would not yet be required, although it may be in the future.
43
Which of the following is a contract where both parties agree to most of the terms that will govern future agreements?
A.Master service agreement (MSA)
B.Nondisclosure agreement (NDA)
C.Statement of work (SOW)
D.Purchase order (PO)
A.Master service agreement (MSA)
Explanation:
A master service agreement (MSA) is a contract where both parties agree to most of the terms that will govern future agreements. By defining these terms in an MSA, future agreements are much easier and faster to make. A purchase order is a binding agreement to make a purchase from a vendor. A SOW is a formal document that defines the scope of a penetration test. An NDA specifies what each party in an agreement is allowed to disclose to third parties.
44
You have been recently hired by a security firm to conduct penetration tests on clients.
Which agreements will your new employer most likely ask you to sign as a condition of employment? (Choose two.)
```
A.Master service agreement (MSA)
B.Nondisclosure agreement (NDA)
C.Statement of work (SOW)
D.Purchase order (PO)
E.Noncompete agreement
```
B.Nondisclosure agreement (NDA)
E.Noncompete agreement
Explanation:
As an employee of a security firm, you will likely to be asked by your employer to sign a nondisclosure agreement (NDA) and a noncompete agreement. The NDA specifies what each party in an agreement is allowed to disclose to third parties. Your employer likely doesn’t want you to reveal proprietary information to its competitors. The noncompete agreement requires you to agree to not work for a competitor or directly compete with your employer in a future job.
45
Your penetration testing consulting firm has been negotiating a contract with the U.S. federal government to run penetration tests against some of its systems. Which agreements will you be asked to sign instead of a statement of work (SOW)? (Choose two.)
A.Statement of objective (SOO)
B.Performance work statement (PWS)
C.Noncompete agreement
D.Purchase order (PO)
A.Statement of objective (SOO)
B.Performance work statement (PWS)
Explanation:
Alternatives to a SOW used by the U.S. federal government include a statement of objectives (SOO) and a performance work statement (PWS). Purchase orders and a noncompete agreements are not typically used as alternatives to a SOW.
46
You are defining the scope of an upcoming penetration test. Your client’s offices are located in a large office complex with many other tenants. The client has asked you to include the organization’s network in the test. Which parameters should be identified as in-scope? (Choose two.)
A.The IP addresses of public-facing web services owned by neighboring tenants
B.The IP address of perimeter security devices owned by neighboring tenants
C.Wireless SSIDs used by neighboring tenants D.Wireless SSIDs used by the client
E.IP address ranges used on the client’s internal network
D.Wireless SSIDs used by the client
E.IP address ranges used on the client’s internal network
Explanation:
If the client’s network itself is in scope, then you need to define the client’s wireless network SSIDs as in-scope. Defining the client’s IP address ranges as in-scope is also important. You must not target third parties, such as neighboring tenants or cloud service providers, without their written permission.
47
You have recently concluded a penetration test for a client, and now need to write up your final conclusions. What should you do?
A.Rely on your memory of what happened during the test to create the report.
B.Analyze the testers’ written log files.
C.Ask your fellow testers to email you the top three issues they discovered during the test.
D.Ask your client’s IT staff to email you the top three issues they noticed during the test.
B.Analyze the testers’ written log files.
Explanation:
It is important that all penetration testers keep carefully written logs of the actions they take during an assessment. These logs should identify what the tester did, when they did it, what system(s) they were using, what system(s) they were attacking, and what the results were. You should avoid relying upon tester or client memories alone. They tend to be faulty and incomplete.
48
A client has hired you to test the physical security of their facility. They have given you free rein to try to penetrate their facility using whatever method you want as long as it doesn’t harm anyone or damage the property. What type of assessment is being conducted in this scenario?
A.Goal-based
B.Pre-merger
C.Compliance-based
D.Supply chain
A.Goal-based
Explanation:
This is an example of a goal-based assessment. The goal is to verify the organization’s physical security using whatever means you desire. A premerger test is usually conducted on an organization prior to it merging with another. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization’s vendors.
49
One of your clients accepts credit cards from customers and uses its internal network and servers to process payments. The credit card companies each specify that the client must undergo regular penetration testing to ensure that its password policies, data isolation policies, access controls, and key management mechanisms adequately protect consumer credit card data.
What type of assessment is required in this scenario?
A.Goal-based
B.Compliance-based
C.Supply chain
D.Red team
B.Compliance-based
Explanation:
A compliance-based assessment is required in this scenario. This is a risk-based assessment that ensures policies or regulations are being followed appropriately. Most likely, the credit card companies will provide the organization with a checklist that the penetration tester will use to conduct the assessment. A goal-based assessment will specify a goal to be met by the test. A supply chain assessment involves testing an organization’s vendors. A red team assessment is usually conducted by internal testers to ensure an organization’s IT staff (the blue team) can adequately defend the network.
50
One of your clients was recently purchased by a large multinational organization. Before the purchase can be finalized, your client must be subjected to an extensive penetration test.
What kind of assessment is required in this scenario?
A.Objective-based
B.Pre-merger
C.Compliance-based
D.Supply chain
B.Pre-merger
Explanation:
Before two organizations merge, it is common for penetration tests to be conducted to identify any security vulnerabilities that need to be addressed before their networks are connected. An objective-based assessment is designed to test whether information can remain secure. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization’s vendors.
51
An organization’s network was recently hacked. The attackers first compromised the weak security used by one of the organization’s contractors. Then they used the contractor’s authentication credentials to gain access to the organization itself. Which type of penetration assessment could have prevented this?
A.Objective-based
B.Pre-merger
C.Goal-based
D.Supply chain
D.Supply chain
Explanation:
In a supply chain assessment, a penetration test is conducted on an organization’s vendors to ensure their networks are secure and can’t be used as a pivot point to compromise the organization itself. A goal-based assessment is designed to test a specific aspect of an organization’s security. A premerger test
is usually conducted on an organization prior to it merging with another.
52
You work on the security team for a large organization. Your team has been tasked with conducting an internal penetration test to verify whether your organization’s IT staff can adequately defend against it. What type of assessment is being used in this scenario?
A.Goal-based
B.Compliance-based
C.Supply chain
D.Red team
D.Red team
Explanation:
A red team assessment is usually conducted by internal testers to ensure an organization’s IT staff (the blue team) can adequately defend the network. A goal-based assessment is designed to test a specific aspect of an organization’s security. A supply chain test involves testing an organization’s vendors. A compliance-based test is performed to ensure that an organization remains in compliance with governmental regulations or corporate policies.
53
Which of the following tiers of adversaries ranks threat actors, generally speaking, from least threatening to most threatening?
A.Script kiddie, hacktivist, malicious insider, organized crime, nation-state
B.Script kiddie, malicious insider, hacktivist, organized crime, nation-state
C.Hacktivist, script kiddie, malicious insider, nation-state, organized crime
D.Nation-state, organized crime, malicious insider, hacktivist, script kiddie
A.Script kiddie, hacktivist, malicious insider, organized crime, nation-state
Explanation:
Generally speaking, if you were to rank threat actors into tiers from least threatening to most threatening, it would look something like the following: script kiddie > hacktivist > malicious insider > organized crime > nation-state.
54
One of your clients is a public advocacy group. Some of its political stances are very unpopular with several fringe activists, and they are concerned that a hacktivist may try to hijack their public-facing website. They have asked you to run a penetration test using the same tools and techniques that a typical hacktivist would have the technical aptitude and funds to use. What process has occurred in this scenario?
A.Due diligence
B.Risk acceptance
C.Threat modeling
D.Scope creep
C.Threat modeling
Explanation:
This is an example of threat modeling. Using threat modeling, you determine the type of threat you want to emulate during the penetration test. Then you use the same tools, techniques, and approaches that type of threat would typically use.
55
You are meeting with a new client to scope out the parameters of a future penetration test. During the course of the discussion, you ask the client if they are willing to accept the fact that a penetration test could cause service disruptions within their organization. The client responds affirmatively. What process has occurred in this scenario?
A.Risk acceptance
B.Due diligence
C.Threat modeling
D.Risk transfer
A.Risk acceptance
Explanation:
This is an example of risk acceptance. You have evaluated the client’s tolerance of the impacts a penetration test could bring to the organization. It is important that the client be ready and able to accept the fact that a penetration test could cause a network outage or a service disruption.
56
You are running a penetration test for a client. The original test calls for you to test the security of one of the client’s remote branch offices. The client called today and indicated that they are concerned about the security readiness of a second branch office. They insisted that you expand the penetration test to include this second site.
What process occurred in this scenario?
A.Due diligence
B.Risk acceptance
C.Threat modeling
D.Scope creep
D.Scope creep
Explanation:
This is an example of scope creep. Scope creep is the addition of additional parameters and/or targets to the scope of the assessment. This is a common occurrence and should be planned for in your initial scoping. For example, you and the client could agree on pricing and schedule adjustments that could be made if the scope of the test needs to expand.
57
A client has asked you to run a white box penetration test. Her organization has offices in the United Kingdom, Saudi Arabia, Pakistan, and Hong Kong. You load your penetration testing toolkit onto your laptop and travel to each office to run the assessment on-site. What did you do incorrectly in this scenario?
A.It may be illegal to transport some penetration testing software and hardware internationally.
B.A laptop doesn’t have sufficient computing power to effectively run a penetration test.
C.Travel costs can be reduced by running the assessment remotely from the tester’s home location.
D.Nothing. You did everything correctly.
A.It may be illegal to transport some penetration testing software and hardware internationally.
Explanation:
Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you are traveling abroad with your penetration testing toolkit, you could be arrested if you have prohibited software or hardware in your possession.
58
A client has asked you to run a white box penetration test. Her organization has offices in the United States, Indonesia, Thailand, and Singapore. To avoid international transportation of your penetration testing software, you upload it to your Google Drive account. Then you travel to each site, download the software, and run it locally on your laptop. Did you handle your penetration testing software appropriately in this scenario?
A.Yes, using Google Drive to access the software internationally shields you from prosecution.
B.No, most foreign nations block access to Google Drive.
C.No, it is legal to transport most penetration testing software into these countries.
D.No, it is illegal to transport most penetration testing software internationally using the Internet.
D.No, it is illegal to transport most penetration testing software internationally using the Internet.
Explanation:
The laws and regulations that apply to penetration testing and penetration testers vary from state to state within the United States. That means you need to understand what laws apply to the work you’re doing. In this scenario, you need to check all federal, state, and local laws that apply to the assessment you plan to carry out. It is recommended that you retain the services of an attorney to keep yourself out of trouble.
59
You are asked to perform a penetration test for an organization with offices located in New York City, Los Angeles, and Fargo. Which cybersecurity laws and regulations do you need to check as you scope the assessment?
A.U.S. federal cybersecurity law
B.State cybersecurity laws in New York, California, and North Dakota
C.Local cybersecurity laws in each physical location D.Interpol regulations
D.Interpol regulations
Explanation:
The laws and regulations that apply to penetration testing and penetration testers vary from state to state within the United States. That means you need to understand what laws apply to the work you’re doing. In this scenario, you need to check all federal, state, and local laws that apply to the assessment you plan to carry out. It is recommended that you retain the services of an attorney to keep yourself out of trouble.
60
A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications leverage the Simple Object Access Protocol (SOAP). During the scoping process, you determine that it would be helpful if you had access to the organization’s internal documentation for these applications. Which of the following should you ask your client for?
A.Web Services Description Language (WSDL) documentation
B.Software Development Kit (SDK) documentation C.Web Application Description Language (WADL) documentation
D.Application Programming Interface (API) documentation
A.Web Services Description Language (WSDL) documentation
Explanation:
Web Services Description Language (WSDL) is an XML-based interface definition language used for describing the functionality offered by a SOAP service.
61
A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications are based on Representational State Transfer (REST) architecture. During the scoping process, you determine that it would be helpful if you had access to the organization’s internal documentation for these applications. Which of the following should you ask your client for?
A.Web Services Description Language (WSDL) documentation
B.Software Development Kit (SDK) documentation C.Web Application Description Language (WADL) documentation
D.Application Programming Interface (API) documentation
C.Web Application Description Language (WADL) documentation
Explanation:
The Web Application Description Language (WADL) is an XML-based machine-readable description of HTTP-based web services. As such, it is typically used with REST services instead of SOAP.
62
A client has asked you to run a white box penetration test. The goal is to assess the security of several PC applications that were written in-house using the C++ programming language. These applications are used on a day-to-day basis by employees to manage orders, inventory, and payouts. During the scoping process, you determine that it would be helpful if you had access to the organization’s internal software development documentation for these applications. Which of the following should you ask your client for? (Choose two.)
A.Simple Object Access Protocol (SOAP) documentation
B.Software Development Kit (SDK) documentation C.Web Application Description Language (WADL) documentation
D.Application Programming Interface (API) documentation
B.Software Development Kit (SDK) documentation
D.Application Programming Interface (API) documentation
Explanation:
Application programming interface (API) documentation describes how software components communicate. Software development kits (SDKs) also come with documentation. Organizations may create their own SDKs, use commercial SDKs, or use open source SDKs. Understanding which SDKs are in use and where they are can help a penetration tester test applications, especially those written in-house.
63
You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to the information stored on an internal database server. Which information should the client provide you with prior to starting the test?
A.Architectural diagrams
B.Swagger document
C.XSD
D.Network diagrams
D.Network diagrams
Explanation:
A black box penetration test should simulate the view an external attacker would have of the network. Therefore, the tester should have little or no knowledge of the internal network.
64
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client’s end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?
A.Architectural diagrams
B.Sample requests
C.XSD
D.All of the above
D.All of the above
Explanation:
In a white box test, you should have access to extensive internal documentation. Because an in-house developed application will be used as the attack vector, you should require the client to provide as much documentation about that application as possible. For example, you should ask for architectural diagrams, sample application requests, and the swagger document, as applicable.
65
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential customer data stored on an internal database server. You have asked the client for architectural diagrams. Which information should the client provide you with? (Choose two.)
```
A.Swagger document
B.Simple Object Access Protocol (SOAP) documentation
C.Network diagrams
D.XSD
E.Facility maps
```
C.Network diagrams
E.Facility maps
Explanation:
When requesting internal architectural diagrams as a part of a white box test, you should typically be supplied with documentation such as network diagrams and facility maps. You can use this information to map out the network topology and locate key infrastructure devices, such as switches, routers, and servers.
66
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. To facilitate this, you have requested that the client provide you with access to applications that end users use to generate sample application requests. Which specific applications should be included in the request? (Choose two.)
A.An in-house developed desktop application used to access the information stored in the database
B.Microsoft Word, which end users use on a daily basis to compose documents stored in the database C.Microsoft Excel, which end users use on a daily basis to compose spreadsheets stored in the database
D.An in-house developed web application used to generate reports using the information stored in the database
E.Adobe Photoshop, which end users use on a daily basis to edit graphic files stored in the database
A.An in-house developed desktop application used to access the information stored in the database
D.An in-house developed web application used to generate reports using the information stored in the database
Explanation:
Sample application requests are typically used to test applications (desktop or web) that have been developed in-house. Applications developed in-house aren’t usually subjected to the same level of scrutiny as commercial applications, which make them possible attack vectors that can be exploited. Sample application requests aren’t generally required for commercial applications, such as Word, Excel, or Photoshop, because their weaknesses are already well-documented.
67
You want to generate sample application requests for an in-house developed web application that a client’s users use every day to complete their day-to-day tasks. How should this be done?
A.Enter exactly the same data into the web application that end users enter.
B.Enter data that is similar to the data that end users enter into the application.
C.Enter completely unexpected data into the application.
D.Ask the system administrator to generate the samples for you.
C.Enter completely unexpected data into the application.
Explanation:
Applications developed in-house aren’t usually subjected to the same level of scrutiny as commercial applications, which make them possible attack vectors that can be exploited. For example, when generating sample application requests, most penetration testers throw unexpected information at applications developed in-house to see how the application responds. For example, you may find that entering a very long text string into a field that is expecting only eight characters could generate a buffer overflow error. You could then use this
poor error handling behavior to insert and run malicious code on the web server hosting the application.
68
Which of the following is a messaging protocol specification that defines how structured information can be exchanged between web applications and is created from WSDL files?
A.SOAP
B.XSD
C.WADL
D.Swagger
A.SOAP
Explanation:
The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.
69
```
Which of the following is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services?
A.SOAP
B.XSD
C.WSDL
D.Swagger
```
D.Swagger
Explanation:
Swagger is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services. REST is an alternative to the SOAP protocol. In fact, REST has started to replace SOAP as the framework of choice in most modern web applications.
70
Which of the following protocols is the Representational State Transfer (REST) web application architecture based on?
A.FTP
B.HTTP
C.SMB
D.LDAP
B.HTTP
Explanation:
The Representational State Transfer (REST) web application architecture is based on the Hypertext Transfer Protocol (HTTP).
71
Which of the following is an XML-based interface definition language used to describe the functionality offered by a Simple Object Access Protocol (SOAP) server?
A.Web Service Description Language (WSDL)
B.Web Application Description Language (WADL) C.Representational State Transfer (REST)
D.Swagger
A.Web Service Description Language (WSDL)
Explanation:
The Web Service Description Language (WSDL) is an XML-based interface definition language that is used to describe the functionality offered by a web application server, such as a SOAP server. WSDL doesn’t work well with the Representational State Transfer (REST) web application architecture, which has been slowly replacing SOAP over the years.
72
Which of the following architectures is used to provide an XML-based description of HTTP-based web services running on a web application server and is commonly used with Representational State Transfer (REST) web applications?
A.Simple Object Access Protocol (SOAP)
B.Web Application Description Language (WADL) C.Representational State Transfer (REST)
D.Swagger
B.Web Application Description Language (WADL)
Explanation:
The Web Application Description Language (WADL) provides an XML-based description of HTTP-based web services running on a web application server. WADL is typically used with Representational State Transfer (REST) web services. WADL is an alternative to WSDL and is generally considered easier to use but also lacks the flexibility associated with WSDL.
73
Which of the following is a World Wide Web Consortium (W3C) specification that identifies how to define elements within an XML document?
A.SOAP
B.XSD
C.REST
D.WSDL
B.XSD
Explanation:
The XLM Schema Definition (XSD) is a W3C specification that identifies how to define elements within an XML document.
74
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client’s end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test?
A.Configuration files
B.Data flow diagrams
C.Software development kit (SDK) documentation
D.All of the above
D.All of the above
Explanation:
When conducting a white box penetration test, especially one that will target applications developed in-house, having the documentation for the SDK that was used to create the application can be very helpful. Data flow diagrams can also provide penetration testers with an understanding of how the target application communicates with other network services. Configuration files may contain account information, IP addresses, API keys, and possibly even passwords.
75
You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to sensitive patient data stored on an internal database server. What should the client do prior to starting the test? (Choose two.)
A.Blacklist the testers’ user accounts in their intrusion protection system (IPS).
B.Whitelist the testers’ user accounts in their intrusion protection system (IPS).
C.Configure network firewalls to function in fail-open mode.
D.Configure security exceptions that allow the penetration testers’ systems to bypass network access controls (NAC).
B.Whitelist the testers’ user accounts in their intrusion protection system (IPS).
D.Configure security exceptions that allow the penetration testers’ systems to bypass network access controls (NAC).
Explanation:
When running a white box assessment, you will usually want the client to white-list the testers’ user accounts in their IPS. This will prevent them from being blocked when they start probing defenses. They should also configure security exceptions that allow the penetration testers’ systems to bypass NAC security controls.
76
You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to sensitive financial data stored on an internal database server. What should the client do prior to starting the test?
A.Create internal user accounts for the testers that have the same level of privileges as a typical employee.
B.Whitelist the testers’ user accounts in their web application firewall (WAF).
C.Configure certificate pinning.
D.Configure security exceptions that allow the penetration testers’ systems to bypass network access controls (NAC).
E.None of the above.
E.None of the above.
Explanation:
Because a black box test is being conducted in this scenario, the client’s network should be in “shields up” mode. The penetration testers should not have internal user accounts, nor should their systems be allowed to bypass NAC security controls. Certificate pinning should not be allowed.
77
You are scoping a white box penetration test for a client. The client has implemented network access controls (NAC) with IPSec to prevent devices that are out of compliance with company policies from connecting to the secure internal network. Because you are conducting a white box test, your
testers’ systems need to bypass NAC and be granted direct access to internal secure network. What should the client do to accomplish this?
A.Configure certificate pinning.
B.Connect their computers to a switch port that is on the secure internal network.
C.Configure a NAC exception for each system. D.Temporarily disable NAC.
A.Configure certificate pinning.
Explanation:
Normally, when NAC is implemented with IPSec, clients must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers’ systems without proving they are in compliance every time they connect.
78
During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client’s facility. To keep this from happening again, the client completely removes the door and its frame from the building and fills the space with concrete. Which type of risk response is described in this scenario?
A.Avoidance
B.Transference
C.Mitigation
D.Acceptance
A.Avoidance
Explanation:
This is an example of risk avoidance. By removing the door and filling in the wall with concrete, the client has completely removed the risk of the door being used by an attacker to gain unauthorized access to the facility.
79
During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client’s facility. To keep this from happening again, the client places a security guard in the hallway and instructs her to prevent unauthorized access. Which type of risk response is described in this scenario?
A.Avoidance
B.Transference
C.Mitigation
D.Acceptance
C.Mitigation
Explanation:
This is an example of risk mitigation. Instead of completely removing the risk, the client has used a security guard as a countermeasure. The risk of unauthorized access still exists, but the use of the security guard controls that risk.
80
Your client hosts a large e-commerce website that sells clothing and accessories. During a penetration test, a tester was able to intercept customers’ credit card numbers as they were being processed by an internal card processing application. To keep this from happening again, the client decides to outsource all credit card processing to a third-party processor. All transactions are redirected to the third-party processor such that your client never sees the actual credit card data. Which type of risk response is described in this scenario?
A.Avoidance
B.Transference
C.Mitigation
D.Acceptance
B.Transference
Explanation:
This is an example of risk transference. Rather than avoid the risk or mitigate the risk, the client has moved the risk to the third-party processor.
81
An organization has recently learned that its facility has been built within a few hundred yards of a major fault line. The management team decides to purchase an extended insurance policy that will cover a loss of business operations should an earthquake occur. Which type of risk response is described in this scenario?
A.Avoidance
B.Transference
C.Mitigation
D.Acceptance
B.Transference
Explanation:
This is an example of risk transference. Rather than avoid the risk by moving to a new location or mitigate the risk with seismic upgrades to the facility, the client has moved the risk to the insurance company.
82
During a penetration test, your testers discovered that they could easily copy confidential data to their personal mobile devices and then send that data to recipients outside the organization using their devices’ mobile broadband connection. You recommend that they implement a mobile device management (MDM) system. However, the client has determined that such a measure is too expensive and complicated to implement. In fact, they will not implement any type of controls to prevent this from happening in the future. Which type of risk response is described in this scenario?
A.Avoidance
B.Transference
C.Mitigation
D.Acceptance
D.Acceptance
Explanation:
In this scenario, the client has determined that the risk is an acceptable one and will not take measures to control it. Typically, this happens when an organization determines that the cost of removing or controlling a risk exceeds the cost of a security incident arising from that risk.
83
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. What should you do first in the scoping process?
A.Negotiate a fee for the penetration test.
B.Review the PCI-DSS requirements.
C.Set the schedule for the penetration test.
D.Pose as a customer and visit several of the storefronts to pre-assess the organization.
B.Review the PCI-DSS requirements.
Explanation:
Because this is a compliance penetration test, you first need to access the PCI-DSS standards and review the requirements for the client to be considered “compliant.” Typically, the governing organization will publish checklists that you should use to assess compliance. These checklists will strongly influence the scope, budget, and schedule for the test.
84
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)
A.Physical access to cardholder data is restricted. B.The cardholder data environment (CDE) is isolated from the rest of the network.
C.A refund policy is in place for credit card purchases.
D.A chargeback policy is in place.
A.Physical access to cardholder data is restricted. B.The cardholder data environment (CDE) is isolated from the rest of the network.
Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must restrict physical access to all cardholder data and that the CDE network be isolated from the rest of the network.
85
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)
A.Use only hardware certified by Microsoft to be Windows 10–compatible.
B.Encrypt the transmission of cardholder data. C.Ensure that only one user account is used by all employees to access network resources and cardholder data.
D.Use a NAT router to isolate the cardholder data environment (CDE) from the rest of the network. E.Remove all default passwords from software and hardware devices.
B.Encrypt the transmission of cardholder data.
E.Remove all default passwords from software and hardware devices.
Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that all cardholder data be encrypted before being transmitted on a network medium and that all default passwords be removed from hardware and software deployed.
86
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment?
A.Install and update antivirus software on all systems.
B.Use only security-certified Cisco routers in the environment.
C.Close all ports except for 139 and 445 in the firewall that protects the cardholder data environment (CDE).
D.Disable all monitoring of access to cardholder data.
A.Install and update antivirus software on all systems.
Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that antivirus software be installed on all systems and that it must be updated regularly.
87
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment?
A.A password policy must be in place.
B.Close all ports except for 80 and 443 in the firewall that protects the cardholder data environment (CDE).
C.All hosts on a network must have a default gateway.
D.All hosts on a network must have a unique host address.
A.A password policy must be in place.
Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that a strong password policy be in place within the organization.
88
You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? (Choose two.)
A.Monitor all access to cardholder data.
B.Ensure that WPA2 is used to secure all wireless networks.
C.Ensure that TKIP is used to secure all wireless networks.
D.Restrict access to cardholder data on a need-to-know basis.
A.Monitor all access to cardholder data
D.Restrict access to cardholder data on a need-to-know basis.
Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, two of the requirements specify that the organization must monitor and audit all access to cardholder data and that access to that data must be restricted on a need-to-know basis.
89
Which law regulates how financial institutions handle customers’ personal information?
A.GLBA
B.SARBOX
C.HIPPA
D.FIPS 140-2
A.GLBA
Explanation:
The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions handle customers’ personal information. For example, it requires companies to have a written information security plan in place that identifies processes and procedures intended to protect that information.
90
Which law requires that healthcare-related organizations must be in compliance with certain security standards?
A.GLBA
B.SARBOX
C.HIPPA
D.FIPS 140-2
C.HIPPA
Explanation:
The Health Insurance Portability and Accountability Act of 1996 governs healthcare organizations. They must comply with the rules and regulations specified in the act, such as requiring a risk analysis and testing the organization’s security controls.
91
```
Which law sets standards for publicly traded companies in the United States with respect to security policies, standards, and controls?
A.GLBA
B.SARBOX
C.HIPPA
D.FIPS 140-2
```
B.SARBOX
Explanation:
The Sarbanes-Oxley act sets standards for publicly traded U.S. companies with respect to security policies, standards, and controls. For example, it sets standards for network access, authentication, and security.
92
```
Which of the following provides standards that certify cryptographic modules?
A.GLBA
B.SARBOX
C.HIPPA
D.FIPS 140-2
```
D.FIPS 140-2
Explanation:
FIPS 140-2 is a U.S. government security standard that certifies cryptographic modules.
93
A new client calls to schedule a gray box penetration test. You gather some basic information about the client over the phone, put together a scope for the test, and create a schedule for the test. You then hire several contractors to help conduct the test and begin the assessment on the scheduled date. Did you scope this assessment properly?
A.Yes, proper scoping procedures were followed.
B.No, the schedule should be defined before the scope is created.
C.No, you should have spent more time understanding the target audience before scoping the assessment.
D.No, the contracts should have helped create the scope of the assessment.
C.No, you should have spent more time understanding the target audience before scoping the assessment.
Explanation:
In this scenario, insufficient time was spent getting to know the target audience for the penetration test. Time should have been spent with the client to learn about their organization, the goals of the test, and so on. Only then should the scope be created.
94
You have just completed a gray box penetration test for a client. You have written up your final report and delivered it to the client. You also made sure that all access granted to you by the client to conduct the test has been disabled. You write a blog article identifying the client and the results of the assessment and post it to ensure no one else makes the same security mistakes the client made. Did you terminate the penetration test properly?
A.Yes, the penetration test was terminated properly. B.No, the access privileges should have remained in place for the next penetration test.
C.No, the access privileges should have been removed before the final report was produced.
D.No, the confidentiality of the findings was not maintained.
D.No, the confidentiality of the findings was not maintained.
Explanation:
In this scenario, the confidentiality of the findings was not maintained. The blog post revealed far too much information about the client. It may take the client weeks or even months to address the issues discovered in the assessment. By publishing the findings publicly, you exposed your client to potential attacks.
95
You are scoping an upcoming external black box penetration test for the client. You are trying to determine what will be included in the test and what won’t.
Which of the following questions should you ask the client? (Choose two.)
A.Should the test focus on a specific known vulnerability?
B.Will the client grant physical access to their facility? C.Should the test look for unknown vulnerabilities? D.Will the client provide administrator-level accounts to conduct the assessment?
A.Should the test focus on a specific known vulnerability?
C.Should the test look for unknown vulnerabilities?
Explanation:
Part of the scoping process is to determine whether the penetration test will assess the organizations susceptibility to a specific known vulnerability or whether it should investigate unknown vulnerabilities. Because this is an external black box test, the client probably won’t provide user accounts or physical access to their facility.
96
You are scoping an upcoming external black box penetration test for the client. One of your penetration testers has developed a vulnerability scanner that is very aggressive. In fact, in a previous test, her scanner brought down the client’s customer-facing website for almost 30 minutes. However, by doing so, that client was able to learn a great deal about several vulnerabilities in their web application software.
What should you do for the current client?
A.Instruct your penetration tester to not use her vulnerability scanner in the upcoming assessment. B.Instruct your penetration tester to use her vulnerability scanner in the upcoming assessment.
C.Conduct an impact analysis with the new client and determine their tolerance to impact.
D.Fire the penetration tester.
C.Conduct an impact analysis with the new client and determine their tolerance to impact.
Explanation:
In this scenario, the best approach would be to conduct an impact analysis with the client and determine their tolerance to impact. Is the information to be gained by using the vulnerability scanner worth the potential risk? For some organizations, the risk may be worth the benefit. For others, it may not. Either way, the penetration tester should not use the tool until the impact analysis is complete and the client is aware of the risks.
97
While planning an upcoming penetration test, your client has requested that you include a description of the end state of the assessment in the project scope. What kind of information should be included in this description? (Choose two.)
A.A breakdown of how the funds allotted to the test were spent
B.A description of what kind of report will be provided to the client when the test is complete
C.A remediation timeline that provides an estimate of how long it will take to bring their systems into compliance
D.A list of all the penetration testers who conducted the assessment
B.A description of what kind of report will be provided to the client when the test is complete
C.A remediation timeline that provides an estimate of how long it will take to bring their systems into compliance
Explanation:
Most likely, the client will want to know what kind of report you are going to provide them with once the test is complete. They will also want to know how long it will take to remediate their systems as a result of the test.
98
You are scoping an upcoming penetration test. You need to identify the technical constraints associated with the test. What should be included in this part of the scope documentation?
A.A list of penetration testing tools that your testers are not qualified to use
B.A list of systems that are off-limits to testing
C.A list of technologies that the client’s IT staff have not been certified in
D.A list of uncertified hardware devices in use within the client’s organization
B.A list of systems that are off-limits to testing
Explanation:
Typically, the technical constraints associated with a penetration test identify systems that can be tested and those that can’t be tested. For example, suppose the client uses automated robotic production equipment to make their products. This equipment is very expensive, and they may not want you to include it in the test.
99
You are in the initial stages of scoping a gray box penetration test with a new client. What is a question you should ask to better define the project scope?
A.Who performed penetration tests for the client in the past?
B.What are the names and email addresses of all internal technical staff members?
C.Should the test be conducted on-site or from an off-site location?
D.Is there a cubicle near a window available for the penetration testers to use?
C.Should the test be conducted on-site or from an off-site location?
Explanation:
Because this is a gray box penetration test, you should probably ask the client if they want the test performed on-site or if they want you to test from a remote off-site location. An on-site test would likely produce better results, but it would also cost more because the penetration testers would incur travel expenses. An off-site test would cost less because it wouldn’t require travel expenses, but it may produce lower quality results because the testers aren’t physically on-site.
100
You are scoping a black box penetration test. Where should the penetration testers be physically located?
A.Internally within the organization’s IT department B.Any external location
C.Within a competing organization’s facility D.Anywhere internal to the organization’s facility
B.Any external location
Explanation:
A black box test is designed to simulate an external attack. The penetration testers should have the same perspective that a typical external attacker would have. Therefore, they should be located in a similar manner, that is, in any external location.
101
You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. Which of the following are benefits of using an internal team? (Choose two.)
A.They have contextual knowledge of the organization.
B.They are less biased than an external contractor. C.They have the independence required to perform a thorough test.
D.They have in-depth experience performing penetration tests for many organizations.
E.It’s usually less expensive than using an external contractor.
A.They have contextual knowledge of the organization.
E.It’s usually less expensive than using an external contractor.
Explanation:
There are two major benefits of using internal teams to conduct penetration tests. First, they have contextual knowledge of the organization that can improve the effectiveness of the tests. Second, it’s usually less expensive to conduct testing using internal employees than it is to hire a penetration testing contractor. When the internal staff isn’t involved in a penetration test, they can work on other projects for the organization.
102
You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. Which of the following are benefits of using an external team? (Choose two.)
A.They have contextual knowledge of the organization.
B.They are less biased than an internal team.
C.They have the independence required to perform a thorough test.
D.They are intimately familiar with the security controls within the organization.
D.It’s usually less expensive than using an internal team.
B.They are less biased than an internal team.
C.They have the independence required to perform a thorough test.
Explanation:
External penetration testing teams are hired for the express purpose of performing penetration tests. Because they aren’t directly employed by the organization, they tend to have a higher degree of independence. They don’t have to worry about upsetting a manager or director if vulnerabilities are discovered. In fact, they usually delight in such an event. Also, they tend to be less biased because they don’t participate in the design or ongoing maintenance of the organization’s network infrastructure.
103
You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an internal penetration testing team consisting of your own employees. Which of the following are disadvantages of using an internal team? (Choose two.)
A.Maintaining an internal team is very expensive. B.There is a potential conflict of interest if they also perform testing for one of your competitors.
C.They may feel that a vulnerability discovered may reflect poorly on them.
D.They may lack objectivity.
C.They may feel that a vulnerability discovered may reflect poorly on them.
D.They may lack objectivity.
Explanation:
An internal penetration testing team may be too closely affiliated with the organization. For example, they may worry that a vulnerability discovered during a penetration test may reflect poorly on their team because they likely designed and continue to maintain the network being tested. This could cause a lack of objectivity when conducting penetration tests.
104
You are the CIO for a mid-sized corporation. You are putting together a plan to implement regular penetration tests and are considering using an external penetration testing contractor. Which of the following are disadvantages of using an external team? (Choose two.)
A.There is a potential conflict of interest if they also perform testing for one of your competitors.
B.They lack the technical talent of an internal team. C.They are usually more expensive than an internal team.
D.They may bring their personal biases into the test.
A.There is a potential conflict of interest if they also perform testing for one of your competitors.
C.They are usually more expensive than an internal team.
Explanation:
Using an external team of contractors to perform penetration testing has several drawbacks that should be considered. First, there could be a potential for a conflict of interest if they also perform penetration testing for one of your competitors. Second, they tend to be quite expensive.
105
Which of the following best describes the term the hacker’s mindset within the context of penetration testing?
A.A penetration tester must adopt a defensive mind-set, trying to protect against all threats.
B.A penetration tester must think like a security professional, assessing the strength and value of every security control in use.
C.A penetration tester must think like an adversary who might attack the system in the real world.
D.A penetration tester must think like a military leader, organizing an open attack on many fronts by many attackers.
C.A penetration tester must think like an adversary who might attack the system in the real world.
Explanation:
Penetration testers must take a different approach in their thinking. Instead of trying to defend against all possible threats, they only need to find a single vulnerability that they can exploit to achieve their goals. To find these vulnerabilities, they must think like an adversary who might attack the system in the real world. This approach is commonly known as adopting the hacker mind-set.
106
Which of the following best describes the term confidentiality within the context of penetration testing?
A.Preventing unauthorized access to information B.Preventing unauthorized modifications to information
C.Ensuring information remains available for authorized access
D.Preventing legitimate access to information
A.Preventing unauthorized access to information
Explanation:
Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter C in CIA stands for confidentiality, which seeks to prevent unauthorized access to information or systems.
107
Which of the following best describes the term integrity within the context of penetration testing?
A.Preventing unauthorized access to information B.Preventing unauthorized modifications to information
C.Ensuring information remains available for authorized access
D.Gaining unauthorized access to information
B.Preventing unauthorized modifications to information
Explanation:
Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter I in CIA stands for integrity, which seeks to prevent unauthorized modification of information or systems.
108
Which of the following best describes the term availability within the context of penetration testing?
A.Preventing unauthorized access to information B.Preventing unauthorized modifications to information
C.Ensuring information remains available for authorized access
D.Making unauthorized changes to information
C.Ensuring information remains available for authorized access
Explanation:
Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter A in CIA stands for availability, which ensures that information remains available for authorized access.
109
Which of the following best describes the term disclosure within the context of penetration testing?
A.Gaining unauthorized access to information B.Making unauthorized changes to information C.Preventing the legitimate use of information D.Publicly acknowledging that a security breach has occurred and information has been compromised
A.Gaining unauthorized access to information
Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems.
110
Which of the following best describes the term alteration within the context of penetration testing?
A.Gaining unauthorized access to information B.Making unauthorized changes to information C.Preventing the legitimate use of information D.Leveraging one successful compromise to compromise another otherwise inaccessible system within a network
B.Making unauthorized changes to information
Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems.
111
Which of the following best describes the term denial within the context of penetration testing?
A.Gaining unauthorized access to information B.Making unauthorized changes to information C.Preventing the legitimate use of information
D.Failing to publicly acknowledging that a security breach has occurred and that information has been compromised
C.Preventing the legitimate use of information
Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems.
112
Natasha is running a gray box penetration test and discovers a flaw in a web application that allows her to directly access the information stored on the backend database server. Which penetration testing goal has she accomplished?
A.Disclosure
B.Integrity
C.Alteration
D.Denial
A.Disclosure
Explanation:
Penetration testers seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems. In this scenario, Natasha has gained access to information within the backend database that she should not have access to.
113
Kimberly is running a gray box penetration test and discovers a flaw in an online company directory application that allows her to submit LDAP commands in an employee lookup field. She uses this flaw to add a new user account that she can
use as a back door. Which penetration testing goal has she accomplished?
A.Disclosure
B.Availability
C.Alteration
D.Denial
C.Alteration
Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Kimberly has altered the authentication system by adding an unauthorized user account.
114
Jessica is running a gray box penetration test. She uses the Low Orbit Ion Cannon utility to send a flood of TCP packets to a file server within the organization. As a result, the file server becomes overloaded and can no longer respond to legitimate network requests.
Which penetration testing goal has she accomplished?
A.Disclosure
B.Confidentiality
C.Alteration
D.Denial
D.Denial
Explanation:
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems. In this scenario, Jessica has executed a denial of service (DoS) attack against the file server, denying legitimate access to it.
115
Brittany is running a gray box penetration test. She discovers a flaw in an HR web application. Using a SQL injection attack, she can add or remove hours to or from an employee’s timecard for the current pay period. Which penetration testing goal has she accomplished?
A.Disclosure
B.Availability
C.Alteration
D.Confidentiality
C.Alteration
Explanation;
Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Brittany has altered the employee pay accounting system.
116
An online retailer directly handles payment processing for credit card orders. As such, the credit card companies require the organization to PCI-DSS compliant. When must this organization conduct penetration testing? (Choose two.)
A.Once a month
B.Every six months
C.Once a year
D.Whenever significant changes are made to the network infrastructure
E.Immediately before peak selling seasons, such as the holidays
C.Once a year
D.Whenever significant changes are made to the network infrastructure
Explanation:
The PCI-DSS standard requires that organizations that handle credit card processing conduct both internal and external penetration tests at least once per year. They can perform them more frequently, if desired, but they are not required to. These organizations must also conduct penetration testing after they make a significant change to the network infrastructure.
117
Joshua works for a penetration testing consulting firm. During a recent penetration test, he ran an attack tool against the client’s public-facing e-commerce website. It went offline for more than an hour. The client is now threatening to sue Joshua’s employer. At what stage of the penetration testing process should the consulting firm and the client have agreed upon the risks associated with the test? A.Planning and scoping
B.Information gathering and vulnerability identification
C.Attacking and exploiting
D.Reporting and communication
A.Planning and scoping
Explanation:
This discussion should have occurred during the planning and scoping phase. The penetration testing firm and the client should have agreed upon the rules to complete the assessment before the test began. This information should have been recorded in a written statement of work (SOW) that clearly identified the tools and techniques the penetration testers were allowed to use and the risks of using them.
118
Which of the following is a document defined during the planning and scoping phase of a penetration test that identifies specific techniques, tools, activities, deliverables, and schedules for the test?
A.MSA
B.NDA
C.Memorandum of understanding
D.SOW
D.SOW
Explanation:
A statement of work (SOW) is an agreement that should be defined during the planning and scoping phase of a penetration test. It contains a working agreement between the penetration tester and the client that identifies specific techniques, tools, activities, deliverables, and schedules for the test. It may be used in conjunction with an existing master services agreement (MSA).
119
Which of the following types of assessments would provide a penetration tester with access to the configuration of a network firewall without requiring the tester to actually compromise that firewall?
A.Gray box
B.Red team
C.Black box
D.White box
D.White box
Explanation:
A white box penetration test provides complete access to the internal network, including configuration settings of key infrastructure devices such as routers, switches, access points, and servers. For this reason, white box tests are sometimes referred to as full-knowledge tests because they provide full access and visibility.
120
You are the CIO of a startup company. You have selected a penetration testing firm that you want to use to run the company’s first penetration test. However, the founder of the company gets upset upon finding out about your plans. The founder is concerned that proprietary information about the
company’s products may leak out through the contractor to competitors. Which document should you ask the contractor to sign to keep this from happening?
A.NDA
B.Noncompete agreement
C.MSA
D.SOW
A.NDA
Explanation:
A nondisclosure agreement (NDA) is a legal agreement that protects information that a contractor may discover during a penetration test. It forbids the contractor from revealing such information to unauthorized parties.
121
Which of the following threat actors is probably the least dangerous based on the adversary tier list?
A.Hacktivist
B.Malicious insider
C.Script kiddie
D.Nation-state actor
C.Script kiddie
Explanation:
A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.
122
```
Which of the following threat actors is probably the most dangerous based on the adversary tier list?
A.Hacktivist
B.Malicious insider
C.Organized crime actor
D.APT
```
D.APT
Explanation;
Advanced persistent threats (APTs) are often sponsored by nation-states and thus are very well funded and have access to high-end technical resources and knowledge. As such, an APT typically poses the greatest threat of all the actors on the adversary tier list.
123
You are running a penetration test for a client. You are using your penetration testing toolkit running on a personal laptop to conduct scans on various network infrastructure devices, including servers, routers, and switches. Suddenly, the network has gone dark. You can no longer access any devices on the client’s network. Which of the following could explain what has happened?
A.Your scans crashed a perimeter router.
B.Your scans crashed a switch on the network backbone.
C.Your laptop’s IP address got whitelisted.
D.Your laptop’s IP address got blacklisted.
D.Your laptop’s IP address got blacklisted.
Explanation:
In this scenario, your scans were detected by an intrusion protection system (IPS), and as a result, the IP address used by your laptop got put on a blacklist. Now, all the devices on the client’s network are dropping packets with the blacklisted IP address
124
You work for a penetration testing consulting firm and are negotiating with a potential client. The client has suggested that your organization sign an MSA with their organization. What should you do?
A.Celebrate! This means the client wants to engage your firm for multiple engagements.
B.Inform your employer that the deal likely won’t go through.
C.Warn your employer that the potential client will likely try to sue your firm.
D.Terminate negotiations with the client.
A.Celebrate! This means the client wants to engage your firm for multiple engagements.
Explanation:
A master services agreement (MSA) defines general terms that will apply to multiple future agreements. Therefore, an MSA is essentially a contract that defines the terms under which future work will be completed. Specific projects governed by the MSA will be defined by a statement of work (SOW). The fact that the client wants to sign an MSA indicates that they probably want to use your firm for multiple engagements.
125
You are performing a white box penetration test for a client. You arrive at the client’s site and plug your laptop into an open network jack. However, your laptop receives only limited connectivity on the client’s network. You run the ipconfig command and notice that your laptop has received an IP address, but you can see only one other host on the network. Why did this happen?
A.Your laptop was detected by the client’s intrusion protection system (IPS) and has been blacklisted.
B.The client’s network access control (NAC) system has quarantined your laptop on a remediation network.
C.Your laptop was detected by the client’s intrusion detection system (IDS) and has been blacklisted.
D.The client has enabled MAC address filtering on their network switches.
B.The client’s network access control (NAC) system has quarantined your laptop on a remediation network.
Explanation:
Most likely, the client has implemented a network access control (NAC) system. Your laptop didn’t meet the criteria required by NAC to connect to the secure network, so it was quarantined on an isolated remediation network where it can access a remediation server (the other host on the network) to come into compliance.
126
```
A team of testers is conducting an assessment for an organization. The team is not concerned with assessing a broad range of vulnerabilities. Instead, they are conducting a coordinated attack governed by very narrow objectives. The rules of engagement specify that they can use physical, electronic, and social exploits to achieve their objective. What kind of penetration test is happening in this scenario?
A.Compliance-based penetration test
B.White box penetration test
C.Gray box penetration test
D.Black box penetration test
E.Red team penetration test
```
E.Red team penetration test
Explanation:
In this scenario, a red team penetration test is being conducted. A red team assessment usually has narrow objectives, rather than trying to comprehensively identify and test all possible vulnerabilities. A red team assessment may use a coordinated attack coming from many different vectors to achieve those objectives. The team may be allowed to use a wide variety of tools and techniques to accomplish this, including technological, physical, and social exploits.
127
You are conducting a black box penetration test for client. The client leases its office space in a building shared with other tenants. You are sitting in your car in a parking lot in front of the client’s offices scanning for wireless network signals emanating from the building. You have identified five separate SSIDs. You don’t know which one belongs to your client, so you decide to clandestinely connect to all of them and then run some simple scans to isolate which one is your client’s wireless network. What did you do incorrectly in this scenario?
A.Sitting in a car in front of the client’s offices will likely draw suspicion.
B.A gray box test would have been more effective in this scenario.
C.Wireless signals emanating outside of a building are usually too weak to be of use.
D.You are attacking wireless networks that are out of scope.
D.You are attacking wireless networks that are out of scope.
Explanation:
Knowing which SSIDs are in scope is critical when conducting a penetration test within a shared facility with many tenants. Compromising the wrong wireless network is illegal and could result in prosecution and/or a lawsuit.
128
Which of the following threat actors typically have the financial resources and technical expertise required to develop their own extensive exploits? (Choose two.)
```
A.Organized crime
B.Malicious insider
C.Script kiddie
D.Nation-state actor
E.Hacktivist
```
A.Organized crime
D.Nation-state actor
Explanation:
Organized crime and nation-state threat actors typically have access to extensive financial resources and technical expertise. This many times allows them to develop their own custom exploits that aren’t used by anyone else.
129
Which of the following threat actors exploits the trust that has been legitimately granted to them by an organization to compromise that organization’s information or systems?
```
A.Organized crime
B.Malicious insider
C.Script kiddie
D.Nation-state actor
E.Hacktivist
```
B.Malicious insider
Explanation:
A malicious insider is typically an employee or a contractor that has been legitimately granted a degree of access to an organization’s information and systems. The malicious insider exploits this trust and uses it to compromise the organization’s information or systems.
130
Which of the following threat actors typically lacks the technical expertise to develop their own exploits and must rely on prewritten code downloaded from the Internet?
A.Organized crime
B.Hacktivist
C.Script kiddie
D.Nation-state actor
C.Script kiddie
Explanation:
A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.
131
You are conducting a white box penetration test. The scope of test specifies that the test will be conducted against the organization’s switches, routers, and firewalls. As the assessment is nearing completion, the client asks you to use the time remaining to also test her email servers. What has occurred in this scenario?
A.Pivoting
B.Goal-based testing
C.Scope creep
D.Objectives-based testing
C.Scope creep
Explanation:
In this scenario, the client has asked you to go beyond the agreed-upon test scope. This is an example of scope creep, and it is a common occurrence in IT contracting. In this scenario, you could respond in one of two ways. First, you could simply reject the request as being out-of-scope. Alternatively, you could ask the client to include the email servers in an addendum to the existing contract for an additional fee.
132
You are conducting a penetration test of an organization that processes credit cards. The client has asked that the scope of the test be based on the PCI-DSS standard. What type of assessment is occurring in this scenario?
A.Compliance-based assessment
B.Objectives-based assessment
C.Red team assessment
D.Goals-based assessment
A.Compliance-based assessment
Explanation:
The PCI -DSS standard is an industry standard for ensuring that organizations that process credit cards comply with certain security requirements. Because you are testing the client’s adherence to these requirements, you are conducting a compliance-based assessment.
133
You are negotiating an upcoming penetration test with a new client. In the agreement, you have included language that specifies that the results of the test are valid only at the point in time when the test was performed. Why is this language in the agreement?
A.The penetration test could take critical systems offline.
B.It could take some time to remediate the network after the test is complete.
C.Future technological changes could expose new vulnerabilities that are currently unknown.
D.The penetration test will use the same tools and techniques available to real attackers.
C.Future technological changes could expose new vulnerabilities that are currently unknown.
Explanation:
The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted because future technological changes could expose new vulnerabilities that are currently unknown. You can’t be held liable if new exploits or vulnerabilities appear a later point in time after the test is complete.
134
You are negotiating an upcoming penetration test with a new client. In the agreement, you have included language that specifies that the scope and methodology requested by the client can impact the comprehensiveness of the test. Why is this language in the agreement?
A.It could take some time to remediate the network after the test is complete.
B.The rules of engagement and the type of assessment used could preclude some vulnerability from being discovered.
C.The penetration test will use the same tools and techniques available to real attackers.
D.The rules of engagement and the type of assessment used should ensure that all known vulnerabilities are identified.
B.The rules of engagement and the type of assessment used could preclude some vulnerability from being discovered.
Explanation:
The amount of information uncovered in a penetration test is heavily dependent upon the rules of engagement and the type of assessment used. For example, a white box test usually provides more complete information than a black box test can. Likewise, if certain systems and devices are identified as out of scope, then any vulnerabilities they harbor will not be discovered. This language in the agreement is intended to protect you in the event a vulnerability is identified in an out-of-scope system after the test is complete.
135
You are negotiating an upcoming penetration test with a new client. They have requested that you perform a “zero knowledge” test of their network. Which type of penetration test should you perform?
A.Black box
B.Grey box
C.White box
D.Compliance based
A.Black box
Explanation:
A black box test is sometimes referred to as a zero knowledge assessment because the penetration testers have little or no knowledge of the client’s network. This type of assessment best emulates a real-world external attack.
136
You are negotiating an upcoming penetration test with a new client. They have requested that you perform a “partial knowledge” test of their network. Which type of penetration test should you perform?
A.Black box
B.Grey box
C,White box
D.Objectives based
B.Grey box
Explanation:
A gray box test is sometimes referred to as a partial knowledge assessment because the penetration testers have some knowledge of the client’s network, but they don’t have the full picture. This type of assessment best emulates a real-world malicious insider attack.
137
```
You are negotiating an upcoming penetration test with a new client. They have requested that you perform a “full knowledge” test of their network. Which type of penetration test should you perform?
A.Black box
B.Grey box
C.White box
D.Goal based
```
C.White box
Explanation:
A white box test is sometimes referred to as a full knowledge assessment because the penetration testers have full knowledge of the client’s network, including administrative access to all infrastructure devices and servers. This type of assessment usually provides the most comprehensive results because the testers do not need to spend time in discovery mode. They have all the information they need to immediately begin an extensive assessment.
138
You are scoping an upcoming white box penetration test with a new client. Their network employs network access control (NAC) using IPSec. Which technique will your penetration testers need to use to enable them to access the secure internal network protected by NAC?
A.Certificate pinning
B.Session hijacking
C.Man-in-the-middle
D.Cross-site scripting
A.Certificate pinning
Explanation:
Usually, when NAC is implemented with IPSec, network devices (such as desktops and laptops) must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. Otherwise, they are placed on an isolated remediation network until they come into compliance. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers’ systems without proving they are in compliance every time they connect.
139
You work for a penetration testing firm. You have been scoping an upcoming penetration test with a client. You have worked with the CIO to identify the scope of the assessment, such as in- and out-of-scope systems, the methodology to be used, the techniques allowed, and the schedule. You have a final draft of the agreement ready to be signed. Who should sign it?
A.The proper signing authority
B.The IT manager
C.The CIO
D.Any help-desk staff can sign off on the agreement.
A.The proper signing authority
Explanation:
The proper signing authority within the client’s organization is the only one person authorized to agree to the penetration test scope. Who this actually is will vary from organization to organization. Therefore, you need to verify that the person who signs the agreement is actually the appropriate signing authority for the organization. Don’t assume that a given individual is authorized based on their job title alone.
140
You work for a penetration testing firm. You have been scoping an upcoming penetration test with a client. Within the scope document, you include verbiage warning that the methodology and techniques used for this test could potentially take critical systems offline for a period of time. You ask the client to confirm that this is acceptable. What is this an example of?
A.Assessing impact tolerance
B.A comprehensiveness disclaimer
C.A point-in-time disclaimer
D.Rules for completing the assessment
A.Assessing impact tolerance
Explanation:
In this example, you are assessing the client’s tolerance for impacts. By including this verbiage within the scope, you protect your organization from litigation if the penetration test truly does knock critical systems offline.
141
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. You have specified that the target may not employ shunning or blacklisting during the test. You have specified that the target must provide you with internal access to the network, a network map, and authentication credentials. You have also specified that applications provided by a SaaS service provider will be in-scope during the test. From whom do you need written authorization to perform this test? (Choose two.)
A.The target organization
B.The Internet Corporation for Assigned Names and Numbers (ICANN)
C.The American Registry for Internet Numbers (ARIN) D.The SaaS service provider
E.The Public Interest Registry (PIR)
A.The target organization
D.The SaaS service provider
Explanation:
Because the test will include both the target organization’s network as well as service provided by the third-party SaaS provider, you must obtain written permission from both entities before performing the penetration test. Failure to obtain either one could expose you to prosecution and/or litigation.
142
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. This will be an internal test. No third parties may be involved. Which of the following resources could be considered in-scope for the assessment? (Choose two.)
A.The wireless networks used by neighboring organizations
B.They key management system they use to store encryption keys
C.The organization’s Internet service provider (ISP) D.Their Amazon Web Service (AWS) content delivery system
E.Their router configurations
B.They key management system they use to store encryption keys
E.Their router configurations
Explanation:
The scope of this engagement in this scenario is limited to the internal network infrastructure. The
organization’s ISP, Amazon Web Services, and their neighbor’s wireless networks are all owned by third parties and are therefore considered out of scope.
143
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a gray box assessment. This will be an internal test. What limitations might you expect to encounter as you conduct the assessment? (Choose two.)
A.You will have limited network access.
B.You will experience pushback from the internal IT staff.
C.You will have limited storage access.
D.You will not be allowed to enter the organization’s facility.
E.You will not be allowed to run vulnerability scans in the organization’s network infrastructure devices, such as servers, routers, and switches
A.You will have limited network access.
C.You will have limited storage access.
Explanation;
Because this is a gray box test, you can expect to have limited network access and limited storage access. Essentially, you can expect to have a level of knowledge and access similar to what the average employee within the organization would have.
144
```
A security analyst receives an outline of the scope of an upcoming penetration test. This document contains the times that each can be scanned as well as the IP addresses. What document would contain this information?
A.Business impact analysis (BIA)
B.Master service agreement (MSA)
C.Request for proposal (RFP)
D.Rules of engagement (RoE)
```
D.Rules of engagement (RoE)
Explanation:
The rules of engagement include the following: The timeline when testing will be conducted What locations, systems, applications, and other potential targets are to be included/excluded The data handling requirements for information gathered What behaviors to expect from the target What resources are committed to the test Any legal concerns that should be addressed The when/how communication will occur
Who to contact in case of events Who is permitted to engage in the penetration testing team
145
A security analyst is planning on using black box penetration testing. This type of strategy will provide the tester with which of the following?
A.Privileged credentials
B.A network diagram
C.Source code
D.Nothing; they must do their own discovery.
D.Nothing; they must do their own discovery.
Explanation:
Black box tests, sometimes called zero knowledge tests, are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would.
146
A client has requested an external network penetration test, but during the discussion between the penetration tester and the client, the client is reluctant to add the tester’s source IP address to their IPS whitelist for the duration of the test. Which argument best describes why the tester’s source IP address should be on the client’s IPS whitelist?
A.IPS whitelisting rules require regular updates to keep current, to address constantly developing vulnerabilities and newly discovered weaknesses. B.Penetration testing of third-party IPS systems often requires additional authorization and documentation, which can potentially delay the time-sensitive test. C.Testing should focus on the discovery of potential security issues through all in-scope systems, not just on determining the effectiveness of active defenses such as the IPS.
D.Whitelisting prevents a possible unintentional DoS attack against the IPS and supporting log-monitoring systems.
C.Testing should focus on the discovery of potential security issues through all in-scope systems, not just on determining the effectiveness of active defenses such as the IPS.
Explanation:
Whitelisting testers in intrusion prevention systems (IPSs), web application firewalls (WAFs), and other security devices will allow them to perform their tests without being blocked. For a white box test, this means that testers won’t spend time waiting to be unblocked when security measures detect their efforts. Black box and red team tests are more likely to result in testers being blacklisted or blocked by security measures. In this scenario, the penetration tester should tell the client that testing should focus on the discovery of potential security issues through all in-scope systems and not just on
Location: 6920
determining the effectiveness of active defenses such as the IPS.
147
A security analyst is attempting to construct specialized XML files to test the security of the parsing functions of a Windows application during testing. Before starting to test the application, which of the following should the analyst request from the client?
A.A protocol fuzzing utility
B.Software development kit (SDK) for specific applications
C.Samples of the Simple Object Access Protocol (SOAP) project files
D.The Representational State Transfer (REST) application programming interface (API) documentation
C.Samples of the Simple Object Access Protocol (SOAP) project files
Explanation:
SOAP is an API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents. Having a good reference of what a specific API supports can be valuable for a penetration tester. This question specifically asks about XML files, so the SOAP project files would be the most beneficial.
148
```
When planning for an engagement, which of the following are the most important? (Choose two.)
A.Architectural diagrams
B.Company policies
C.Goals/objectives
D.Storage time for a report
E.Tolerance to impact
```
B.Company policies
E.Tolerance to impact
Explanation:
Knowing the company policies and their tolerance to impact are two of the most important items needed to know when planning for an engagement. The others are important, but this scenario is asking for the two most important. Cybersecurity professionals widely agree that vulnerability management is a critical component of any information security program, and for this reason, many organizations mandate vulnerability scanning in corporate policy, even if that is not a regulatory requirement. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.
149
Which of the following statements would come from a client’s corporate policy?
A.That the corporate systems must store passwords using the MD5 hashing algorithm
B.That employee passwords must contain a minimum of eight characters, with one being alphanumeric
C.The phone number to contact the help desk to perform password resets
D.That in order to access corporate assets, employees must use strong passwords
A.That the corporate systems must store passwords using the MD5 hashing algorithm
Explanation:
A company policy, also known as a corporate policy, is a documented set of guidelines, formulated after an analysis of all internal and external factors that can affect a firm’s objectives, operations, and plans. It is created by the company’s board of directors. Corporate policy lays down the company’s response to known and knowable situations and circumstances. It also determines the formulation and implementation of strategy and directs and restricts the plans, decisions, and actions of the company’s officers in achievement of its objectives. In this scenario, the corporate policy should be detailed and specific; hence, the corporate systems must store passwords using the MD5 hashing algorithm.
150
```
You are a performance tester, and you are discussing performing compliance-based assessments for a client. Which is an important key consideration?
A.Any additional rates
B.Any company policies
C.The industry type
D.The impact tolerance
```
A.Any additional rates
Explanation:
Budgeting is a key factor of the business process of penetration testing. A budget is required to complete a penetration test and is determined by the scope of the test and the rules of engagement. For internal penetration testers, a budget may just involve the allotted time for the team to perform testing. For external testers, a budget usually starts with the estimated number of hours based on the intricacy of the testing, the size of the team, and any associated costs.
151
You are a penetration tester, and you are discussing with the client the importance of maintaining confidentiality of any findings when performing a penetration test. Why is it important to maintain confidentiality when performing penetrations tests?
A.Findings are legal documents containing privileged information.
B.Findings can assist an attacker in compromising a system.
C.Findings often contain company intellectual property.
D.Findings could lead to consumer discontent if results are made public.
B.Findings can assist an attacker in compromising a system.
Explanation:
Confidentiality controls seek to prevent disclosure attacks. Even though confidentiality agreements (CAs) are legal documents that help to enforce confidential relationships between two parties, this question asks why it is important to maintain confidentiality of findings. If an attacker was to receive word of findings during a penetration test, they could use those to compromise your client’s system.
152
```
A penetration tester is currently in the middle of a test when the client asks the tester to add more addresses. Which of the following defines the target list that the tester can follow?
A.The end-user license agreement
B.The master services agreement (MSA)
C.The rules of engagement (RoE)
D.The statement of work (SOW)
```
D.The statement of work (SOW)
Explanation:
A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.
153
```
You are planning on setting up a security assessment. Which of the following has a major impact on the budget of the assessment?
A.Compliance requirement
B.Scheduling
C.Scoping
D.Target risk
```
C.Scoping
Explanation:
The first step in most penetration testing engagements is determining what should be tested, often called the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent. Thus, this is a major impact on the budget of an assessment.
154
```
A penetration tester has been asked by a client to imitate a recently laid-off help desk technician. What best describes the abilities of a threat actor?
A.Advanced persistent threat (APT)
B.Hacktivist
C.Organized crime
D.Script kiddie
```
A.Advanced persistent threat (APT)
Explanation:
An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.
155
A penetration tester should have a customer’s contact information available at all times. Which of the following should penetration testers immediately report to their client? (Choose three.)
A.Report any critical findings.
B.Report a cracked password.
C.Report findings that cannot be exploited.
D.Report indicators of compromise.
E.Report the latest published exploits.
F.Report a server that becomes unresponsive.
A.Report any critical findings.
D.Report indicators of compromise.
F.Report a server that becomes unresponsive.
Explanation:
A penetration tester will want to immediately report more serious issues with the client directly. Some of these will be documented in the report to the client at the end of testing; however, there are a few times when a penetration tester should call the client immediately, and they are as follows: to report any critical findings, report any indicators of compromise, or to report if the server becomes unresponsive to the testing.
156
A client has recently come to you voicing concern over a large number of companies being compromised by remote attackers who are looking for trade secrets. What best describes the types of adversaries that would be looking for trade secrets? A.Advanced persistent threat (APT) actors
B.Hacktivist groups
C.Insider threats
D.Script kiddies
A.Advanced persistent threat (APT) actors
Explanation:
An advanced persistent threat (APT) is a computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period of time. APTs provide the highest level of threat on the adversary tier list. Threat actors are often rated by their capabilities. Many of the techniques used by advanced persistent threat actors are useful for penetration testers, and vice versa. If your persistence techniques aren’t monitored for or detected by the client’s systems, the findings should include information that can help them design around this potential problem.
157
```
You are a penetration tester, and a company has asked you to perform a web application penetration test. The company has asked you to discover any vulnerabilities. The company has now come to you and asked if you will review additional code and check for updates to firewall settings. What is the client asking you to do?
A.Post-mortem review
B.Risk acceptance
C.Scope creep
D.Threat prevention
```
C.Scope creep
Explanation:
A scope creep, or the addition of more items and targets to the scope of the assessment, is a constant menace for penetration testing. During the scoping phase, a tester is unlikely to know all of the details of what may be uncovered, and during the assessment itself, a tester may encounter unexpected new targets. Scope creep refers to how a project’s requirements tend to increase over a project life cycle.
158
```
A penetration tester is preparing to conduct API testing. Which of the following would be the most beneficial when preparing for this engagement?
A.Nikto
B.Swagger
C.Web Application Archive (WAR)
D.W3AF
```
B.Swagger
Explanation:
Swagger is an open specification for defining REST APIs. A Swagger document is the REST API equivalent of a WSDL document for a SOAP-based web service. The Swagger document specifies the list of resources that are available in the REST API and the operations that can be called on those resources. It also specifies the list of parameters to an operation, including the name and type of the parameters, whether the parameters are required or optional, and information about acceptable values for those parameters. So, access to a Swagger document provides testers with a good view of how the API works and thus how they can test it.
159
Lockheed Martin developed the framework that is part of the Intelligence Driven Defense model for identification and prevention of cyber intrusions activity. This model identifies what the adversaries must complete in order to achieve their objective. This model is known as the Cyber Kill Chain model and is made up of seven parts. Which of the following is the first stage of the Cyber Kill Chain, when the attacker is assessing the target from outside of the organization from both a technical and nontechnical perspective?
A.Exploitation
B.Installation
C.Reconnaissance
D.Weaponization
C.Reconnaissance
Explanation:
There are seven steps of the Cyber Kill Chain that enhanc visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures. The cyber kill is a methodology for understanding how an attacker will conduct the activities necessary to cause harm to an organization. An understanding of the Cyber Kill Chain will greatly assist an information security professional in establishing strong controls and countermeasures, which will serve to protect their organization’s assets. This question describes the Reconnaissance phase, the first stage of the Cyber Kill Chain. In this stage, the attacker is assessing the target from outside of the organization from both a technical and nontechnical perspective. In this stage, the attacker is working to determine which targets will return the most benefit for the resources expended in exploiting the target’s information systems. The attacker will be looking for information systems with few protections or exploitable vulnerabilities.
160
During what phase of the Cyber Kill Chain does an attacker steal sensitive information, use unauthorized computing resources to engage in denial-of-service attacks, or modify information?
A.The Actions on Objectives phase
B.The Command and Control phase
C.The Delivery phase
D.The Exploration phase
A.The Actions on Objectives phase
Explanation:
The Actions on Objectives stage of the attack also may include the theft of sensitive information, the unauthorized use of computing resources to engage in denial-of-service attacks, or the unauthorized modification/deletion of information. The attacker carries out their original intentions to violate the confidentiality, integrity, and/or availability of information or systems during the Actions on Objectives stage of the Cyber Kill Chain.
161
A penetration tester is in the middle of conducting a penetration test specifically scoped to a single web application. The tester learns that the web server also contains a list of passwords to other servers at the target location. The tester notifies the client. The client then asks the tester to validate those servers. What has occurred once the tester proceeds with testing the passwords against the other servers?
A.Threat hunting
B.Pivoting
C.Scope creep
D.Target expansion
C.Scope creep
Explanation:
A scope creep occurs when additional items are added to the scope of an assessment. The tester has gone beyond the scope of the initial assessment agreement.
162
You are a penetration tester. You are looking at the type of penetration test that is not meant to identify as many vulnerabilities as possible but instead concentrates on the vulnerabilities that specifically align with the goals of gaining control of specific systems or data. What type of assessment are you looking at running?
A.Goals-based assessments
B.Compliance-based assessments
C.Objectives-based assessments
D.Red team assessments
D.Red team assessments
Explanation:
Red team assessments are usually more targeted than normal penetration tests. Red teams attempt to act like an attacker by targeting sensitive data or systems with the goal of acquiring data and access. Red team assessments are not intended to provide details of all the security flaws that a target has. Red teams can be useful as a security exercise to train incident responders or to help validate security designs and practices.
163
You are a penetration tester and have been asked to test an organization that uses an authentication method that associates hosts with their public keys. What type of authentication technique is the organization using?
A.Certificate pinning
B.Self-signed server authentication
C.SSL handshake
D.X.509 bypassing
A.Certificate pinning
Explanation:
Certificate pinning associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. You use certificate pinning to help prevent man-in-the-middle attacks. When communicating over public networks, it is important to send and receive information securely.
164
```
An attacker has attacked a government agency because he or she is unhappy with a new law that has been passed. What type of threat actor is this?
A.Script kiddie
B.Hacktivist
C.Organized crime
D.Nation-state
```
B.Hacktivist
Explanation:
Hacktivists may want to make a political or social point. Hacktivists aren’t typically doing attacks for money. They are individuals or groups of hackers who get together and see themselves as fighting for injustice. Hacktivists employ the same tools and tactics as hackers.
165
```
You have been asked to perform a penetration test on a large, complex IT infrastructure. Some of the scope may include contents found on a cloud network hosted by a cloud provider. What will be needed to perform this type of testing?
A.Authorization from the client only
B.Third-party authorization
C.Environmental differences
D.Data ownership
```
B.Third-party authorization
Explanation:
Additional authorization may be needed for many penetration tests, especially those that involve complex IT infrastructure. Third parties are often used to host systems such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS) cloud providers. A penetration test could impact these providers. This is why it is crucial to determine what/if third-party providers or partners may be in scope and to obtain authorization. If third parties are involved, you will also want to make sure that both the client and the third party are aware of any potential impacts from the penetration test.
166
You have been asked to perform a penetration test for a client. You need a legal document that is used to protect the confidentiality of the client’s data and other information that you may encounter. What is this legal document called?
A.Noncompete agreement
B.Nondisclosure agreement (NDA)
C.Master services agreement (MSA)
D.Statement of work (SOW)
B.Nondisclosure agreement (NDA)
Explanation:
A nondisclosure agreement (NDA) is a legal document that is designed to protect the confidentiality of the client’s data and other information that the penetration tester may encounter during the test.
167
You have been asked to perform a penetration test for a client. You need a document that will set the overall terms between the two organizations. This will also be used for future work between your organizations as you plan on setting up a support agreement. What is this document called?
A.Noncompete agreement
B.Nondisclosure agreement (NDA)
C.Master services agreement (MSA)
D.Statement of work (SOW)
C.Master services agreement (MSA)
Explanation:
A master services agreement (MSA) sets the overall provisions between two organizations. Many organizations also create an MSA that defines the terms that the organizations will use for work to be done in the future. This makes ongoing engagements and contracts much easier to work through. This can help organizations prevent the need to renegotiate. MSAs are common when organizations anticipate working together over a period of time or when a support agreement is created.
168
You are a penetration tester, and you are performing an on-site penetration test. What scoping element do you need to know for a wireless assessment when working on-site in a shared building?
A.The encryption type
B.The frequency of the wireless network
C.Any preshared keys
D.The service set identifiers (SSIDs)
D.The service set identifiers (SSIDs)
Explanation:
It is vital to know which service set identifiers (SSIDs) belong to your target and which are invalid targets. Also, knowing which subnets or IP ranges are in scope is also important to avoid targeting the wrong network or going outside of the penetration test’s scope. Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal consequences.
