Domain 1: Planning and Scoping

Question 1

What are the 6 overall steps in the PenTest process?

Answer 1

1. Planning and Scoping
2. Information Gathering
3. Vulnerability Analysis
4. Explotation
5. Post Exploitation
6. Reporting

Question 2

What happens during the planning and scoping phase during a Penetration Test?

Answer 2

• Discuss with the client their requirements for the test
• Define the scope

Question 3

What is Risk?

Answer 3

The proability that a threat will be realised.

Question 4

What is a Vulnerability?

Answer 4

Any weakness in a systems design or implementation

Question 5

What is a Threat?

In relation to IT Security

Answer 5

Anything that could cause harm, loss, damage or compromise to IT systems

Question 6

Where does Risk exsist?

Answer 6

When there is an overlap between vulnerability and threat

Question 7

What is Inherent Risk?

Answer 7

Occurs when risk is identified but no mitigation factors are applied.

Question 8

What is Residule Risk?

Answer 8

Occurs when risk is calculated after applying mitigations and security controls.

Question 9

What is Risk Exception?

Answer 9

Risk created due to a security exemption being granted or failure to comply with corporate policy.

Question 10

What is Risk Avoidance?

Answer 10

▪ Stops a risky activity or chooses a less risky alternative
▪ Eliminates the hazards, activities, and exposures with potential negative
effects

Question 11

What is Risk Transfer?

Answer 11

Passes the risk to a third party, such as an insurance company

Question 12

What is Risk Acceptance?

Answer 12

Accepts the current level of risk and the costs associated with it if that
risk were realized

Question 13

What is Risk Appetite?

Answer 13

▪ The amount of risk an organization is willing to accept in pursuit of its
objectives
▪ Also called risk attitude and risk tolerance

Question 14

What is Risk Tolerance?

Answer 14

Specific maximum risk the organization is willing to take
about a specific identified risk

Question 15

What are the seven different types of controls?

Answer 15

1. Compensative
2. Corrective
3. Detective
4. Deterrent
5. Directive
6. Preventitive
7. Recovery

Question 16

What are Corrective controls?

Answer 16

● Reduces the effect of an undesirable event or attack
● Examples: fire extinguishers and antivirus solutions

Question 16

What are Compensative controls?

Answer 16

● Used in place of a primary access control measure to mitigate a
given risk
● Example: dual control

Question 16

What are Detective controls?

Answer 16

● Detects an ongoing attack and notifies the proper personnel
● Examples: alarm systems, closed circuit television systems, and
honeypots

Question 17

What are Deterrent controls?

Answer 17

● Discourages any violation of security policies, both by attackers
and insiders
● Example: surveillance camera sign

Question 18

What are Directive controls?

Answer 18

● Forces compliance with the security policy and practices within
the organization
● Example: Acceptable Use Policy (AUP)

Question 19

What are Preventitive controls?

Answer 19

● Prevents or stops an attack from occurring
● Examples: password protection, security badges, antivirus
software, and intrusion prevention systems

Question 20

What are Recovery controls?

Answer 20

● Recovers a device after an attack
● Examples: Disaster Recovery Plans (DRPs), backups, and continuity
of operations plans

Question 21

What are the three broad catagories which covers controls?

Answer 21

• Administrative (Managerial)
• Logical (Technical)
• Physical

Question 22

What are Administrative controls?

Answer 22

● Manages personnel and assets through security policies,
standards, procedures, guidelines, and baselines
● Examples: proper data classification and labeling, supervision of
personnel, and security awareness training

Question 23

-

What are Logical controls?

Answer 23

● Implemented through hardware or software and used to prevent
or restrict access to a system
● Examples: firewalls, intrusion detection systems, intrusion
prevention systems, authentication schemes, encryption, new
protocols, auditing or monitoring software, and biometrics

Question 24

Whats the difference between an Audit and Monitoring?

Answer 24

An Audit is a point in time evaluation whilst Monitoring is a ongoing process

Question 25

What does continuous monitoring include?

Answer 25

● Change management
● Configuration management
● Log monitoring
● Status report analysis

Question 26

What are physical controls?

Answer 26

● Protects the organization’s personnel and facilities
● Examples: fences, locks, security badges, proximity cards for entry
into the building, guards, access control vestibules, biometrics,
and other means of securing the facility

Question 27

What is a PenTest Methodology?

Answer 27

▪ The systematic approach a pentester uses before, during, and after a
penetration test, assessment, or engagement
▪ Penetration tests use the same steps taken by threat actors or hackers

Question 28

What are the 4 stages of the CompTIA PenTest+ methodology?

Answer 28

Question 29

What is the name of NIST’s PenTest methodology?

Answer 29

NIST SP 800-115

Question 30

What are the steps of the EC Council CEH PenTest methodology?

Answer 30

Question 31

What is Adversary Emulation?

Answer 31

Mimicing the tackticks, techniques and proceedures (TTP’s) of a real worl threat actor in a penetration test.

Question 32

Why is it good to have a proper scoping process?

Answer 32

It ensures a cost effective penetration test.

Question 33

How do you narrow the scope of a penetration test?

Answer 33

Confirm the goals and objectives.

Question 34

What are the three things that can blur the lines for a penetration tester?

Answer 34

• Wireless Local Area Network
• VPN Connections
• Cloud Migrations

Question 35

What is it important to identify in terms of assets for a penetration test?

Answer 35

web and mobile applications

Question 36

What are the six types of Threat Actors?

Answer 36

1. Script Kiddies
2. Insider Threat
3. Competitor
4. Organised Crime
5. Hacktivist
6. Nation State / Advanced Persistant Threat (APT)

Question 37

What is a Script Kiddie?

Threat Actor

Answer 37

The least skilled Threat Actor, who uses freely available tools on the internet or in openly available security toolsets that security penetration testers might also use.

Question 38

What is an Insider Threat?

Threat Actor

Answer 38

A Threat Actor with authorized access to an organisations network, policies, proceedures and business practices.

Question 39

What types of things protect against Insider Threat?

Answer 39

• Data Loss Prevention (DLP)
• Internal Defenses
• SIEM

Question 40

What is a Competitor?

Threat Actor

Answer 40

A rogue business that attempts to conduct cyber espionage against an organization.

Question 41

What is an Organised Crime Threat Actor?

Threat Actor

Answer 41

A catagory of threat actor that is focused on hacking and computer fraud in order to receive finanical gain.

Usually well funded and can use sophisticated tools.

Question 42

What is a Hacktivist?

Threat Actor

Answer 42

Politically motivated hacker who targets governments, corporations and individuals to advance their own political ideologies and agendas.

Question 43

What is a Nation State / Advanced Persistant Threat (APT)?

Threat Actor

Answer 43

A group of attackers with exceptional capability, funding and organization with an intent to hack a network or system.

Question 44

What doe Nation State / ATP threat actors do?

Answer 44

Conduct highley covert attacks over long periods of time

Question 45

What are False Flag operations?

Answer 45

When the TTP’s of other Threat Actors are used to shif t the blame to them.

Question 46

As a Penetration Tester, what do you need to develop to imitate Nation State / ATP Threat Actors?

Answer 46

Developing your own custom code and exploits.

Question 47

What do Tier 1 Catagory Threat Actors do?

Answer 47

Have little money and rely on off-the-shelf tools and know exploits.

Question 48

What catogorises a Threat Actor as Tier 2?

Answer 48

they have a little money but have invested in their own tools against known vulnerabilities.

Question 49

What catogorises a Threat Actor as Tier 3?

Answer 49

They invest a lot of money to find unknown vulerabilities in order to make a profit.

Question 50

What catogorises a Threat Actor as Tier 4?

Answer 50

They are organised, highly technical, proficient and well funded hackers, working in teams to develop new exploits.

Question 51

What catogorises a Threat Actor as Tier 5?

Answer 51

Invests lots of money to create vulerabilities and exploits.

Question 52

What catogorises a Threat Actor as Tier 6?

Answer 52

They invest even more money to carry out cyber attacks and military and inteligence operations to achieve political, military and economic goals.

Question 53

What should the target list include?

Answer 53

• Internal and External targets
• First or Third Party targets

Question 54

What is an Internal Target?

Answer 54

The target is inside the organizations firewall and requires testers to be on site or gain access through a VPN, or exploit a users computer inside the organisations network.

Question 55

What is an External Target?

Answer 55

The target can be accessed directly across the internet. The target organisation must be informed if allowed to attack first-party hosted servers only or assets hosted by a third-party.

Question 56

What is a Physical Security assessment?

Answer 56

A target site at a location is tested by the penetration tester for physical access or some other goals.

Question 57

What is an On-Site Asset?

Answer 57

Any asset that is physically located where an attack is being carried out.

Question 58

Whats is an Off-Site Asset?

Answer 58

Any asset that provides a service for a company not necessiary located at the same place.

Question 59

What is the easiest attack vector for a Penetration Test?

Answer 59

Users

Question 60

What do you have to confirm when the Wireless Networks are in scope?

Answer 60

• Which SSID’s are in and out of scope
• Which assets are in scope by IP Address or ranges, Associated Domans and Sub Domans and DNS Servers.

Question 61

What is an Autonomous System Number (ASN)?

Answer 61

A unique identifier that defines a group of one or more IP Prefixes run by one or more network operators that maintain a single clearly-defined routing policy.

Question 62

What is scope creep?

Answer 62

Occurs when a client starts asking for more services than what is listed in the statement of works.

Question 63

What do you need to do if additional work is requested?

Answer 63

• Make an addendum to the contract and add it to the scope of works and master contract
• Pre-arrange cost for expansions

Question 64

What must you do before commencing a penetration test after a scope is agreed?

Answer 64

Consult with lawyer / solicitor before accepting a contract and ensure you can legally perform the service.

Question 65

Why must you be careful what penetration tools are used durign the engagement?

Answer 65

Some tools can be considered as survalienance tools in some countries.

See Wassenaar Agreement

Question 66

Whate are Rules of Engagement?

Answer 66

The ground rules that both the organization and the penetration tester must obide by.

Question 67

What are the five main features of a the Rules of Engagement?

Answer 67

1. Timeline
2. Locations
3. Time Restrictions
4. Transparency
5. Boundaries

Question 68

What does the Timeline specify in the Rules of Engagement?

Answer 68

• When the test will occur
• Total time of engagement
• Penetration Team will estimate which tasks will need performing and how long it’ll take.
• Should include who is responsible for performing a task

Question 69

What should be specified under the locations in the Rules of Engagement?

Answer 69

All authorised locations, especially those across international borders.

Question 70

Where in the Rules of Engagement is the trusted agent specified?

Answer 70

Under the transparency section.

Question 71

Who provides the penetration tester with the resources from the target side?

Answer 71

The Trusted Agent.

Question 72

What does the Boundaries specifiy in the Rules of Engagement?

Answer 72

What systems may be targeted and what techniques can be utilized.

Question 73

What is a Compliance-Based Assessment?

Answer 73

A type of assessment that focuses on finding out if policies and regulations are being properly followed. The tester can use a checklist against the specific compliance to make sure the target is compliant.

Question 74

What is a Pre-Merger Assessment?

Answer 74

A type of assessment that is conducted before two companies merge with each other in a period of time known as due dilligence.

Question 75

What is an Unknown Environment assessment?

Answer 75

An assessment where the penetration tester has no prior knowledge of the target organisation or their network.

The tester will spend a lot of time in information gathering and vulnerability scanning phases.

Question 76

What is a partially known environment assessment?

Answer 76

The most common type of assessment which entails partial knowledge of the target organization and its information systems.

Question 77

What should be done when validating the scope?

Answer 77

• Confirm all requirements
• Confirm backup and recovery status
• Who to contact when something goes wrong.
• Review all areas of the Scope of Works and Rules of Engagement.

Question 78

What could happen if there is an unauthorized disclosure of information?

Answer 78

Your company may be liable.

Question 79

WHat can you do to protect yourself and your company before the penetration test has started?

Answer 79

Include liability wavers in the documentation.