Pentest+ Practice Exam Chapter 12 Reporting and Communication (Jonathan Ammerman) Flashcards

1
Q

When preparing a penetration test report, which of the following is not a recommended best practice?

A. Verification and full documentation of findings
B. Robust accounting of testing methodology
C. Omission of findings lower than 3.0 on the CVSS 3.0
D. Reduction of redundancy and streamlining of data presented

A

C. Omission of findings lower than 3.0 on the CVSS 3.0

Explanation:
Omission of any findings would be unethical and counterproductive to the purpose of a penetration test. It is far better to overreport findings no matter how seemingly inconsequential: a penetration tester works to provide information on vulnerabilities found on a given network, subnet, or system, and it is up to the client to determine how that information is turned into action and which portions require attention. Low-severity findings may be summarized briefly or grouped in an appendix to keep the report readable, but they are never dropped.

2
Q
Which component of a written penetration test report is meant to provide a high-level overview of findings without getting too wrapped up in the technical details?            
A. Conclusion            
B. Executive summary            
C. Methodology            
D. Risk ratings
A

B. Executive summary

Explanation:
The component described is the executive summary. As hinted at in the name, the executive summary aims to provide a 50,000-foot view of the penetration test report without relying on technical terms that may not mean anything to readers.

3
Q

Which of the following choices best defines the term “risk appetite” with regard to information security?

A. The ability or willingness of an organization to withstand the effects of any events or situations that adversely affect its business assets, such as computer systems or networks
B. An organization’s understanding and acceptance of the likelihood and impact of a specific threat on its systems or networks
C. A key factor that helps an organization determine if a penetration test is a financially supportable business expense
D. The amount and kinds of risk an organization is willing to accept in its information systems environment

A

D. The amount and kinds of risk an organization is willing to accept in its information systems environment

Explanation:
Risk appetite is defined as the amount and kinds of risk an organization is willing to accept, and can be expected to drive much of the organization’s decision making when pursuing mitigation techniques for vulnerabilities discovered during a penetration test.

4
Q

Which of the following is a secure, reasonable method for the handling and disposition of a penetration test report?
A. Encrypt the file with DES, send it to the declared recipients as detailed in your statement of work, and determine a secondary communication channel through which to send the decryption password (if not previously declared in the SOW).
B. E-mail the file in plaintext
C. Encrypt the file with AES-256, provide it to the declared recipients as detailed in your statement of work, and determine a secondary communication channel through which to send the decryption password (if not previously declared in the SOW)
D. Encrypt the file with AES-256, upload it to a publicly viewable repository of reports written by your organization, and determine a secondary channel through which to send the decryption password (if not previously declared in the SOW)

A

C. Encrypt the file with AES-256, provide it to the declared recipients as detailed in your statement of work, and determine a secondary communication channel through which to send the decryption password (if not previously declared in the SOW)

Explanation:
Of the options presented, the best solution for handling and disposition of a penetration test report is to encrypt the file with AES-256, provide it to the declared recipients as detailed in your statement of work, and determine a secondary communication channel through which to send the decryption password (if not previously declared in the SOW). DES (option A) uses a 56-bit key and has been brute-forceable for decades, so it offers no meaningful protection for a document full of exploitable findings. E-mailing in plaintext (B) exposes the report to anyone who can read the mailbox or the mail path. A public repository (D) hands every visitor the ciphertext to attack offline, and a client's vulnerability report should never be published regardless of encryption. Keeping the passphrase off the channel that carries the ciphertext means that compromise of one channel (the recipient's mailbox, say) does not yield both.
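The encrypt-then-deliver procedure from answer C, as an added example that is not part of the practice exam: it stretches the out-of-band passphrase with scrypt, encrypts the report with AES-256-GCM (an authenticated mode, so a wrong passphrase or a tampered file is rejected rather than decrypting to garbage the way unauthenticated DES/CBC would), and packs salt, nonce and ciphertext into one blob for delivery. It assumes the third-party `cryptography` package; the `PTR1` container tag, the sample report bytes and the passphrase are constructed for the demonstration.

```python
"""Encrypt a penetration test report for delivery with AES-256-GCM.

Added example, not from the practice exam. Requires the `cryptography`
package (pip install cryptography). Report contents and passphrase are
constructed demonstration data.
"""
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"PTR1"   # hypothetical container tag; also bound as GCM associated data
SALT_LEN = 16
NONCE_LEN = 12

# Constructed stand-ins for the real report and the passphrase sent out of band.
SAMPLE_REPORT = b"Findings: 1) root crontab reverse shell to 10.1.2.2 (removed) ..."
SAMPLE_PASSPHRASE = "correct horse battery staple"


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into a 256-bit AES key (scrypt, 16 MiB work factor)."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def encrypt_report(report: bytes, passphrase: str) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext+tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, report, MAGIC)
    return MAGIC + salt + nonce + ciphertext


def decrypt_report(blob: bytes, passphrase: str) -> bytes:
    """Inverse of encrypt_report; raises InvalidTag on wrong passphrase or tampering."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a report container")
    off = len(MAGIC)
    salt = blob[off:off + SALT_LEN]
    nonce = blob[off + SALT_LEN:off + SALT_LEN + NONCE_LEN]
    ciphertext = blob[off + SALT_LEN + NONCE_LEN:]
    key = derive_key(passphrase, salt)
    return AESGCM(key).decrypt(nonce, ciphertext, MAGIC)


def wrong_passphrase_is_rejected(blob: bytes, passphrase: str) -> bool:
    """True when decryption with the given (wrong) passphrase fails authentication."""
    try:
        decrypt_report(blob, passphrase)
    except InvalidTag:
        return True
    return False


def tampering_is_detected(blob: bytes, passphrase: str) -> bool:
    """Flip one bit of the delivered file and confirm GCM refuses to decrypt it."""
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        decrypt_report(tampered, passphrase)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    blob = encrypt_report(SAMPLE_REPORT, SAMPLE_PASSPHRASE)
    # The blob goes to the SOW recipients; the passphrase goes by the agreed second channel.
    print(len(blob), "bytes to deliver;", decrypt_report(blob, SAMPLE_PASSPHRASE) == SAMPLE_REPORT)
```

The blob is what travels over the primary channel (e-mail attachment, client portal); the passphrase travels only over the secondary channel named in the SOW (a phone call or a separate messaging app), and is never placed in the same message, thread, or repository as the ciphertext.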

5
Q

While wrapping up a penetration test, you look through your notes and see that you made changes to the root crontab as shown here:
What change most likely needs to be made as part of the post-engagement cleanup?

A. Change the first entry to run every day rather than every Monday
B. Change the fourth entry to perform a reload of the apache2 service rather than a reboot
C. Remove the /dev/null redirect of the output from the second entry
D. Delete the third entry

A

D. Delete the third entry

Explanation:
The third entry invokes a reverse shell that calls back to an attacking system at 10.1.2.2. Good penetration testing ethics demand that we eliminate readily exploitable artifacts of an engagement, removing any vulnerabilities that may have necessarily been introduced. A reverse shell in the root user's crontab is an obvious penetration testing fragment and should therefore be removed, and the removal (with its timestamp) recorded in the report so the client can correlate it with their own logs.

6
Q
Which section of a penetration test report details broad, strategic information about testing techniques and practices used as well as the decision-making processes that guided information collection, analysis, and risk evaluation?
A. Executive summary            
B. Methodology            
C. Risk ratings            
D. Appendixes
A

B. Methodology

Explanation:
The methodology section of a penetration test report details information about testing techniques and practices used, and the decision-making processes that guided information collection, analysis, and risk evaluation, presenting a view of the strategic approach to the engagement used by the penetration testing team.
A is incorrect because the executive summary of a written penetration test report serves to provide a high-level overview of findings without getting too wrapped up in the technical details. C is incorrect because risk ratings are a component of the findings and remediation section of a penetration test report that serve to quantify the dangers presented by vulnerabilities in a readily understood manner. D is incorrect because the appendixes are the final portions of a penetration test report and consist of supplemental material that is related to the report but not critical for the purposes of understanding its contents.

7
Q
When finalizing a penetration test report prior to delivery to a client, which document should be consulted to ensure that all acceptance criteria are being met?            
A. Statement of work            
B. Rules of engagement            
C. Nondisclosure agreement            
D. Executive summary
A

A. Statement of work

Explanation:
Acceptance criteria are detailed in the statement of work for a penetration test. B, C, and D are incorrect. B is incorrect because the rules of engagement cover the guidelines and restrictions to be observed during a penetration test. C is incorrect because the nondisclosure agreement for a penetration test ensures that sensitive corporate information is protected from unauthorized disclosure or dissemination. D is incorrect because the executive summary is a component of the written report that provides a high-level overview without getting mired in technical detail that might confuse or put off nontechnical readers such as executive personnel.

8
Q

When detailing findings in a penetration test report, which of the following can serve as evidence for the purpose of attestation? (Choose all that apply.)
A. Human- and machine-readable format reports from automated security scanners
B. Written descriptions
C. Entries on exploit-db.com
D. Screenshots of exploitation or vulnerabilities

A

D. Screenshots of exploitation or vulnerabilities

Explanation:
Screenshots of vulnerabilities on display or exploits at work are the gold standard for providing proof of a vulnerability. When providing attestation of results, it is a good practice to back up one's words with hard evidence. A, B, and C are incorrect. A is incorrect because automated scanners can produce false positives and should never be accepted at face value; anything identified by a scanner should be tested and verified. B is incorrect because while written descriptions are helpful in communicating the nature of a vulnerability and the potential threat it represents, a description does not provide proof of a vulnerability in and of itself. C is incorrect because while exploit code from exploit-db.com or other sources can be useful in detailing the ease of exploitation of a vulnerability, it does not prove the vulnerability's presence on the client's system.

9
Q
Which section of a penetration test report details discovered vulnerabilities, explains the risk they carry, and provides appropriate recommendations to secure the system in question? 
 A. Nondisclosure agreement            
 B. Findings and remediation            
 C. Methodology            
 D. Appendixes
A

B. Findings and remediation

Explanation:
The findings and remediation section of a penetration test report details any vulnerabilities that have been discovered and provides recommendations for mitigation of the same.
A, C, and D are incorrect. A is incorrect because a nondisclosure agreement is a pre-engagement document that ensures that sensitive corporate information is protected from unauthorized disclosure or dissemination. C is incorrect because the methodology portion of a penetration test report provides detailed information about testing techniques and practices used, and the decision-making processes that guided information collection, analysis, and risk evaluation during the penetration testing process. D is incorrect because appendixes are the final portions of a penetration test report, consisting of supplemental material that is related to the report but not critical for the purposes of understanding its contents.

10
Q

While wrapping up a penetration test, you look through your notes and see that you made changes to the list of authorized users for a system as shown here: What change most likely needs to be made as part of the post-engagement cleanup?

A. Enable the Guest account for traveling client executive personnel
B. Add a user for the client’s new systems administrator
C. Delete the user account you added for persistence on the system
D. Change the administrator password to a previously agreed-upon keyword

A

C. Delete the user account you added for persistence on the system

Explanation:
C is correct. In the scenario described in the question, the user account added for persistence should be deleted.

As a rule of thumb, if a change made to a system during the course of a pentest would leave the system vulnerable, the change should be reverted wherever possible and always reported.

There are caveats; for example, log files that may have captured evidence of your actions should be left intact, as they can provide the client's defenders valuable information for refining their detection and alerting processes.

11
Q

While working on a penetration test report for a client organization, you note that there were numerous discrepancies in software package versions installed on business-critical servers. How might this issue best be mitigated?
A. Revision of client scripts used to execute system updates
B. Remedial training for client systems administrators
C. Implementation of patching and change control programs
D. Refrain from patching systems until software logic flaws prevent work from being completed

A

C. Implementation of patching and change control programs

Explanation:
This is an example of a situation where a procedural recommendation can best serve to mitigate vulnerabilities or flaws in an environment. The best recommendation here is to implement patching and change control programs, which would help ensure that changes are made to all systems when required, while also minimizing business disruption and providing tracking of those changes. Proper implementation of patch and change management also helps pinpoint the cause if a tool or resource suddenly begins experiencing problems, since the record shows what changed and when.

12
Q

Of the following choices, which type of finding is most amplified in severity by a resulting inability to confirm the source of actions taken on a given system using a highly privileged account, effectively destroying the concept of non-repudiation for a given user?
A. SQL injection
B. Single-factor authentication
C. Shared local administrator credentials
D. Unnecessary open services

A

C. Shared local administrator credentials

Explanation:
The finding described is the sharing of local administrator credentials. While there is some obvious necessity in retaining a local administrator account in the event that a system becomes unresponsive or unavailable over the network, deploying a secure mechanism for retaining that password is a best practice. Options for mitigation of this finding include Microsoft’s LAPS—Local Administrator Password Solution—which periodically randomizes the local administrator password and secures the account by requiring authorized users to request access to the password (effectively logging times of access and the users responsible), or through commercial competing products such as Centrify’s SAPM (Shared Account Password Management), which operates in a similar fashion.

13
Q

One potential reason for communicating with the client point of contact during a penetration test is to ensure that a penetration tester's actions are clearly identifiable and distinct from the actions of system accounts or other users that may occur in the environment. What is this concept known as?
A. De-confliction
B. Impact mitigation
C. Collision detection
D. Deprogramming

A

A. De-confliction

Explanation:
A is correct. De-confliction is the process of identifying a penetration tester’s actions so as to clearly differentiate them from actions of system accounts or other users that may occur in the environment. In the context of a penetration test, de-confliction is used to assist in identifying root causes of unexpected behavior that may occur during an engagement.

14
Q

Which section of a penetration test report consists of supplemental material that is related to the report but is not critical for the purposes of understanding its contents? Examples may include nmap scan results, automated scan output, or other code written or deployed in the course of the penetration test.
A. Executive summary
B. Findings
C. Appendixes
D. Methodology

A

C. Appendixes

Explanation:
The appendixes of a penetration test report consist of supplemental material that is related to the report but not critical for the purposes of understanding its contents. Examples may include nmap scan results, automated scan output, or other code written or deployed in the course of the penetration test.

15
Q

Which post-report delivery activity is focused on identifying any patterns within the types of vulnerabilities discovered in an organization’s networks during a penetration test, and the identification of broader knowledge that can be gained from the specific details of the penetration test results?
A. Debriefing/closing meeting
B. Post-engagement cleanup
C. Engagement survey
D. Retesting

A

A. Debriefing/closing meeting

Explanation:
Of the choices presented, debriefing/closing meeting is the best fit. The closing meeting can often take the form of an after-action review (AAR), where the overall timeline of the engagement is analyzed in its entirety. The goal here is to identify key lessons learned, which can be taken to the client organization and used to drive needed changes in its security program.

16
Q

During a penetration test, you determine that you require additional information before testing a discovered web application, but your point of contact is unresponsive. Which of the following describes the best course of action in this situation?
A. Consult the rules of engagement to determine the next individual in the communications path
B. Reach out to one of the organization’s web developers, as they are responsible for the web application and its maintenance
C. Contact one of the organization’s systems administrators, as the web application runs on servers they tend
D. E-mail the CISO of the organization directly for further information

A

A. Consult the rules of engagement to determine the next individual in the communications path

Explanation:
If the point of contact is unresponsive, the appropriate course of action is always to refer to the rules of engagement to identify the secondary and tertiary contact points when communication is necessary.

17
Q

While working on a penetration test report, you note repeatedly that security best practices are often not enforced, and that there seems to be no overarching design philosophy with regard to organization or network expansion. Which of the following would be an appropriate mitigation strategy to recommend for this scenario?
A. Spend a few hundred thousand dollars on a new hardware firewall and leave it running with the default configuration
B. Search for additional personnel with experience in enterprise-level information security and network architecture
C. Implement a log centralization service to better aggregate data on user activities
D. Accelerate the tech refresh cycle so as to get all organizational assets to a baseline configuration

A

B. Search for additional personnel with experience in enterprise-level information security and network architecture

Explanation:
In the situation described, there seems to be an obvious lack of security-minded focus in the implementation of security programs and network architecture design. Therefore, suggesting the acquisition of such personnel would be the best fit in this situation. This is an example of a personnel-based solution to vulnerability mitigation.

18
Q
The vulnerability represented by which of the following findings has been number one on the OWASP Top 10 list for a number of years and can often result in theft or destruction of data, or even complete system compromise?            
A. Broken authentication            
B. Injection attacks            
C. Sensitive data exposure            
D. Cross-site scripting
A

B. Injection attacks

Explanation:
Injection attacks were the number one finding on the OWASP Top 10 list for a number of years (A1 in both the 2013 and 2017 editions), and can often result in theft or destruction of data, or even complete system compromise. Injection attacks are best mitigated through the parameterization of queries and user input. Note that in the 2021 revision injection moved to third place (A03:2021), behind Broken Access Control and Cryptographic Failures, and cross-site scripting was folded into the injection category; the exam answer reflects the earlier lists.

19
Q

While wrapping up a penetration test, you look through your notes and see that you left some exploit code in a user home directory after gaining a low-privilege shell via a web application as shown here:

What is the appropriate action to take in this situation?
A. Encrypt the exploit script in a .zip file and provide the password to the organization’s point of contact for their later review
B. Make the script hidden by making it a “dot file” by running mv getroot.sh .getroot.sh
C. Delete the script and any other digital artifacts of the testing on the system
D. Leave it for the organization’s security team to address as they see fit

A

C. Delete the script and any other digital artifacts of the testing on the system

Explanation:
In the scenario described in the question, the exploit script deployed by the penetration tester should be deleted entirely. As a rule of thumb, if a change made to a system during the course of a penetration test would leave a system vulnerable, the change should be reverted wherever possible and always reported. There are caveats; for example, log files that may have captured evidence of your actions should be left intact, as they can provide the client's defenders valuable information for refining their detection and alerting processes.

20
Q

You have identified multiple vulnerabilities during a penetration test. Which of the following findings would be most likely to merit an escalation contact with the organization-provided point of contact outside of standard meetings?
A. An identified remote code execution vulnerability for which exploit code is publicly available in a web app exposed to the Internet.
B. XSS on a web app used in the company intranet.
C. A user clicked a malicious link in an e-mail sent as part of your phishing campaign.
D. A company web application has a directory traversal flaw, allowing unauthorized users to view the contents of directories on the server outside of the scope of the web app.

A

A. An identified remote code execution vulnerability for which exploit code is publicly available in a web app exposed to the Internet.

Explanation:
Of the choices presented, immediate contact is most appropriate for a vulnerability that can immediately be leveraged to obtain code execution on a target system. It is not uncommon for rules of engagement documents to explicitly require such contact.

21
Q

Which element of a penetration test report aims to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network?
A. Methodology
B. Vulnerability severity rating
C. Appendixes
D. Executive summary

A

B. Vulnerability severity rating

Explanation:
The vulnerability severity rating paradigm used in a penetration test report seeks to provide a normalized and standardized representation of discovered vulnerabilities and the overall threat they present to an affected system or network.

22
Q
One potential reason for communicating with the client point of contact during a penetration test is to provide resolution if a component of testing brings down a system or service, leaving it unavailable for both legitimate users and further testing. Which term best describes this concept?            
A. Retesting            
B. Collision detection           
C. Remediation            
D. De-escalation
A

D. De-escalation

Explanation:
The need to communicate with the client to resolve crises and issues that arise during a penetration test is referred to as de-escalation. A, B, and C are incorrect. Retesting (A) and remediation (C) are post-report activities, not forms of communication during testing, and collision detection (B) has no specific meaning within the context of penetration testing reporting procedures.

23
Q

Encryption at rest and in transit are the best recommended mitigation techniques for which of the following findings in a penetration test?
A. Single-factor authentication
B. SQL injection
C. Shared local administrator credentials
D. Passwords stored in plaintext

A

D. Passwords stored in plaintext

Explanation:
Encryption (at rest and in transit) is the best recommended mitigation strategy, of the choices presented, for passwords being stored in plaintext. Storing passwords in plaintext weakens an organization's security posture by simplifying lateral movement for an adversary and by destroying non-repudiation, since anyone who has read the password can act under that username. For an authentication store specifically, the stronger recommendation is to hash passwords with a salted, deliberately slow algorithm (bcrypt, scrypt, or Argon2) rather than encrypt them reversibly, because an application never needs to recover the original password to verify it; reversible encryption belongs to secrets that must be read back, such as service account credentials held in a vault, and TLS covers credentials in transit.

24
Q

After obtaining a low-privilege shell on a target server and beginning work on privilege escalation, you identify a netcat process running on an unprivileged port returning a /bin/bash instance to an IP address that is not part of any address block used by either your penetration testing organization or the client. What is the appropriate action to take in this case?
A. Begin OSINT collection on the IP address in question to begin identifying the remote end
B. Immediately halt testing and call an emergency meeting with the client
C. Take screenshots to serve as a finding when writing the penetration test report
D. Close out the process once you have escalated to root and ignore it, as it was probably a remnant from a previous penetration test

A

B. Immediately halt testing and call an emergency meeting with the client

Explanation:
Identifying a running reverse shell that you did not invoke, or discovering any other evidence of a previous breach of a target system or network, is grounds to immediately halt testing and notify the client. When conducting a penetration test, it is important to remember to stay in your lane; identification of the culprit of a security breach is a forensics task, and the tools and knowledge necessary to perform a forensic analysis of a system are markedly distinct from those used in penetration testing.

25
Q

While writing a penetration test report, you note that security monitoring by the client seems to revolve around SMS alerts driven by log aggregation. Issues logged seem well tended, but you further note that you did not have any issue moving laterally in the environment, as you did not encounter any network segregation or network flow control measures. Which of the following would be good recommendations for mitigation of these issues? (Choose all that apply.)
A. Hire additional personnel to deal with alert flow and improve responsiveness
B. Deploy a hardware firewall to prevent unrestricted movement in the network
C. Enforce network segmentation
D. Create a daily task list for network admins to ensure issues are addressed in a timely manner

A

B. Deploy a hardware firewall to prevent unrestricted movement in the network
C. Enforce network segmentation

Explanation:
B and C are correct. The lack of obstruction of network traffic points to a lack of network segmentation and a lack of flow control measures, which can simplify the task of lateral movement for an adversary. Deploying a hardware firewall and enforcing network segmentation are recommendations that would help mitigate these issues and serve as examples of technological solutions for vulnerability mitigation.

26
Q

The vulnerability represented by which of the following findings weakens an organization’s security posture by increasing its viable attack surface without a business need?
A. Passwords stored in plaintext
B. Single-factor authentication
C. Unnecessary open services
D. SQL injection

A

C. Unnecessary open services

Explanation:
Unnecessary open services weaken an organization’s security posture by increasing its viable attack surface without a business need; this finding is best mitigated by encouraging hardening of the target system.

27
Q

Enforcing minimum password requirements and preventing users from choosing passwords found in common dictionary files would best mitigate what type of finding?
A. Shared local administrator credentials
B. SQL injection
C. Passwords stored in plaintext
D. Weak password complexity

A

D. Weak password complexity

Explanation:
Enforcement of minimum password requirements and preventing users from choosing passwords in common dictionary files would best mitigate the discovery of weak password complexity requirements in a target system or environment.

28
Q

Which of the following documents would detail the timeframe for which a penetration testing organization should retain copies of a report that it provided to a client?
A. Statement of work
B. Master service agreement
C. Written authorization letter
D. Nondisclosure agreement

A

A. Statement of work

Explanation:
The timeframe for which a penetration testing team should retain copies of a penetration test report is going to be dictated in the statement of work, out of the choices provided. In some cases, it may be detailed in the rules of engagement for a penetration test.

29
Q
Potential reasons for communicating with the client point of contact during a penetration test are to ensure client understanding of progress and actions taken and to alert the client when beginning testing on a system the client has previously identified as fragile or prone to lockups. This sort of communication is best for maintaining which of the following?            
A. De-confliction            
B. Milestone            
C. De-escalation            
D. Situational awareness
A

D. Situational awareness

Explanation:
These are examples of situational awareness contact, which simply serves to alert pertinent personnel of the actions of the penetration testing team in real time. This contact is beneficial and worth the effort because it can help remove the need for de-confliction and de-escalation before they even become necessary.

30
Q

Which post-report delivery activity is focused on executing any additional assessment work that may be desired by the client or required based on terms defined in the engagement's statement of work?
A. Debriefing
B. Post-engagement cleanup
C. Follow-up actions/retesting
D. Client acceptance

A

C. Follow-up actions/retesting

Explanation:
The activity described is retesting, or follow-up actions. Based on the results of a portion of a penetration test, the penetration testers may be asked to attempt to retest a given component of the network, or the entire network. For instance, in the event that a network switch was down and prevented access to a series of systems that were slated for testing, these systems may be addressed during the follow-up actions phase of post-report delivery tasks.

31
Q

Which type of finding weakens overall security posture by reducing the difficulty of compromising legitimate user credentials?
A. Single-factor authentication
B. Shared local administrator credentials
C. Unnecessary open services
D. SQL injection

A

A. Single-factor authentication

Explanation:
Single-factor authentication weakens overall security posture by reducing the difficulty of compromising legitimate user credentials.

32
Q
It is often detailed in penetration test contracts that communication with the client is expected when beginning certain phases of testing, such as when beginning a phishing campaign, or when beginning testing of a web application or specific subnet. Which of the following best describes this type of communication?            
A. Milestone/stage based            
B. De-confliction            
C. De-escalation            
D. Weekly report
A

A. Milestone/stage based

Explanation:
The communication type described is known as milestone (or stage-based) reporting.

33
Q

Why should multifactor authentication be used and encouraged instead of single-factor methods? (Choose all that apply.)
A. Single-factor authentication reduces the complexity of obtaining access to a target system.
B. Multifactor authentication often is required by compliance guidelines.
C. Multifactor authentication increases user friction, increasing the likelihood of the use of weak passwords.
D. Single-factor authentication allows remote users to more easily perform their work.

A

A. Single-factor authentication reduces the complexity of obtaining access to a target system.
B. Multifactor authentication often is required by compliance guidelines.

Explanation:
The increased complexity of attacking an account with MFA and its value in meeting regulatory compliance guidelines make it the best mitigation available for single-factor authentication.

34
Q

Parameterization of user input and queries is the recommended mitigation technique for which class of vulnerability?
A. Weak password complexity
B. Shared local administrator credentials
C. SQL injection
D. Unnecessary open services

A

C. SQL injection

Explanation:
SQL injection is best combated by the parameterization of user input and queries.
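What "parameterization" means in practice, for this question and for the injection finding of question 18, as an added example that is not part of the practice exam: the string-built query beside its parameterized form, run against an in-memory SQLite database. The `users` table, its rows and the two payloads are constructed demonstration data; the first payload bypasses the filter and the second pulls the password hashes out through a UNION, illustrating the "theft of data" the book's explanation refers to.

```python
"""Vulnerable string-built query beside its parameterized form.

Added example, not from the practice exam. Uses an in-memory SQLite database
with constructed rows; usernames and hashes are demonstration data only.
"""
import sqlite3

# Constructed attacker input.
BYPASS_PAYLOAD = "' OR '1'='1"
EXFIL_PAYLOAD = "' UNION SELECT pw_hash FROM users --"


def make_db() -> sqlite3.Connection:
    """Build a throwaway login table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable: attacker-controlled text is spliced into the SQL statement,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """Fixed: the value is bound as data by the driver; the statement's
    structure is fixed before the input is ever seen."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    for payload in (BYPASS_PAYLOAD, EXFIL_PAYLOAD):
        print("vulnerable:   ", lookup_vulnerable(db, payload))
        print("parameterized:", lookup_parameterized(db, payload))
```

The same rule carries to every other query language the application speaks: the recommendation in the report is not "escape quotes" but "never build the statement out of untrusted input; bind values through the driver or ORM".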

35
Q

Which of the following represent examples of goal reprioritization? (Choose all that apply.)
A. A client sending an e-mail politely requesting that you also scan a new web application that just got installed on the client’s servers while you’re conducting a penetration test in the same subnet
B. Explicit detailing of terms and conditions that are previously agreed to trigger a shift in goal priorities in the engagement’s statement of work or rules of engagement
C. Being asked to add new targets to your engagement scope in preparation for a newly announced merger and its impact on the organization’s logistical supply chain
D. A client request to expend additional effort on a previously identified vulnerable system rather than begin testing on a separate subnet

A

B. Explicit detailing of terms and conditions that are previously agreed to trigger a shift in goal priorities in the engagement’s statement of work or rules of engagement

D. A client request to expend additional effort on a previously identified vulnerable system rather than begin testing on a separate subnet

Explanation:
B and D are correct. B is correct because if terms have been agreed and a trigger condition has been satisfied, there is no scope creep—it is simply the modification of the penetration test terms as agreed by both the client and the penetration testers. D is correct because it does not alter the scope of a penetration test, but rather seeks to guide the penetration testers’ efforts elsewhere as necessary due to hardware failure or other system unavailability.

36
Q

Which type of finding weakens security posture by leaving user passwords more susceptible to cracking or online brute-force attempts?
A. Weak password complexity requirements
B. SQL injection
C. Unnecessary open services
D. Shared local administrator

A

A. Weak password complexity requirements

Explanation:
A is correct. Weak password complexity requirements weaken security posture by leaving user passwords more susceptible to cracking or online brute-forcing efforts.

37
Q

Randomization of account credentials through the use of LAPS or similar commercial products such as SAPM is the best mitigation tactic for which class of finding?
A. SQL injection
B. Shared local administrator credentials
C. Passwords stored in plaintext
D. Single-factor authentication

A

B. Shared local administrator credentials

Explanation:
Shared local administrator credentials are best mitigated through the use of Microsoft LAPS (Local Administrator Password Solution) or similar commercial products such as Centrify’s SAPM (Shared Account Password Management).

38
Q

System hardening is the process of reducing available attack surface in order to mitigate which of the following findings?
A. Passwords stored in plaintext
B. Unnecessary open services
C. Single-factor authentication
D. Weak password complexity requirements

A

B. Unnecessary open services

Explanation:
System hardening reduces available attack surface in order to mitigate the risk inherent in systems with unnecessary open services.

39
Q

Which of the following is the best choice available for a vulnerability severity rating scale when writing a penetration test report?
A. A simple low, medium, or high rating based on how useful it was from the perspective of an attacker
B. A scale from one to ten emoji bombs based on the threat provided by the vulnerability in question
C. An established risk assessment model such as DREAD
D. A tool that attempts to present threats in a normalized and standardized manner based on impact to the key tenets of confidentiality, integrity, and availability, such as the CVSS

A

D. A tool that attempts to present threats in a normalized and standardized manner based on impact to the key tenets of confidentiality, integrity, and availability, such as the CVSS

Explanation:
The severity of a vulnerability is always going to be subjective to some degree, but there are rating systems that attempt to standardize the description of a vulnerability and its overall severity. The CVSS is one such popular system. By normalizing the descriptions of the individual components of a vulnerability and providing an easy-to-understand 1 through 10 rating, the CVSS makes it easier to provide meaningful data to clients and allows them to better inform their risk assessment and remediation efforts.

40
Q

The collection of screenshots of discovered vulnerabilities is one of the easiest methods to provide or facilitate which of the following?
A. Lessons to be learned from the engagement
B. Normalization of data from a penetration test
C. Positive attestation of findings
D. Client acceptance of findings

A

C. Positive attestation of findings

Explanation:
Screenshots provide evidence that can greatly simplify the matter of providing attestation of findings discovered during the course of a penetration test. Providing an affidavit or other document attesting that findings were discovered is one thing, but hard evidence always speaks louder than words.

41
Q

Of the following, which document might be consulted if the client has an issue with accepting a penetration test report that has been provided?
A. Signed authorization letter
B. Nondisclosure agreement
C. Rules of engagement
D. Statement of work

A

D. Statement of work

Explanation:
The terms of acceptance of a penetration test report are laid out in the statement of work on an engagement.

42
Q

Which findings reduce an organization’s security posture through both the simplification of lateral movement for a theoretical adversary and by destroying the concept of non-repudiation and verification of individuals responsible for actions under a given username? (Choose two.)
A. Shared local administrator credentials
B. Single-factor authentication
C. Passwords stored in plaintext
D. SQL injection

A

A. Shared local administrator credentials
C. Passwords stored in plaintext

Explanation:
A and C are correct. The use of shared local administrator credentials and passwords being stored in plaintext make lateral movement easier for adversaries, obfuscating their activities and leading to conflict regarding who is responsible for actions under a given username. These findings are best mitigated, respectively, by the use of local account password randomization and by the encryption of passwords when they are at rest and in transit.