Reporting and Communication Flashcards

1
Q

Tom recently conducted a penetration test for a company that is regulated under PCI DSS. Two months after the test, the client asks for a letter documenting the test results for its compliance files. What type of report is the client requesting?

a. Executive summary
b. Penetration testing report
c. Written testimony
d. Attestation of findings

A

d. An attestation of findings is a certification provided by the penetration testers to document that they conducted a test and the results for compliance purposes.

2
Q

Wendy is reviewing the results of a penetration test and learns that her organization uses the same local administrator password on all systems. Which of the following tools can help her resolve this issue?

a. LAPS
b. Nmap
c. Nessus
d. Metasploit

A

a. The Local Administrator Password Solution (LAPS) from Microsoft provides a method for randomizing local administrator account credentials through integration with Active Directory.

3
Q

Which one of the following is not a normal communication trigger for a penetration test?

a. Discovery of a critical finding
b. Completion of a testing stage
c. Documentation of a new test
d. Identification of prior compromise

A

c. The three common triggers for communication during a penetration test are the completion of a testing stage, the discovery of a critical finding, and the identification of indicators of prior compromise.

4
Q

Gary ran an Nmap scan of a system and discovered that it is listening on port 22 despite the fact that it should not be accepting SSH connections. What finding should he report?

a. Shared local administrator credentials
b. Unnecessary open services
c. SQL injection vulnerability
d. No multifactor authentication

A

b. The only conclusion that Gary can draw from this information is that the server is offering unnecessary services because it is listening for SSH connections when it should not be supporting that service.
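
An added example, not from the original flashcards, of turning Gary's observation into a repeatable check: parse Nmap grepable (-oG) output and flag every open port that is not on a per-host allowlist of expected services. The scan text, addresses, host names and allowlist below are constructed for illustration.

```python
"""Flag unnecessary open services in Nmap grepable (-oG) output.

Added example for this flashcard set; not part of the original page.
The scan text, addresses and the expected-service allowlist are
constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of Nmap -oG output. Fields on a Host line are
# tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_NMAP_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -oG - 192.0.2.0/28
Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 (db01)\tPorts: 22/filtered/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
Host: 192.0.2.12 (bastion)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
# Nmap done
"""

# Which (port, proto) pairs each host is *supposed* to expose (constructed).
EXPECTED_SERVICES: Dict[str, Set[Tuple[int, str]]] = {
    "192.0.2.10": {(80, "tcp"), (443, "tcp")},   # web server: SSH should not be exposed
    "192.0.2.11": {(3306, "tcp")},
    "192.0.2.12": {(22, "tcp")},                 # bastion host: SSH is expected
}

# Host lines that carry a Ports field; ping-only "Status: Up" lines do not match.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_open_ports(og_text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Return {ip: {(port, proto), ...}} for ports Nmap reports as 'open'.

    Filtered and closed ports are ignored: only 'open' means a listener
    answered, which is what the 'unnecessary open services' finding is about.
    """
    result: Dict[str, Set[Tuple[int, str]]] = {}
    for line in og_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue   # comment lines and hosts without a Ports field
        ip, _hostname, ports_field = m.groups()
        open_ports: Set[Tuple[int, str]] = set()
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 3:
                continue   # malformed entry; skip rather than crash the report
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                open_ports.add((int(port), proto))
        result[ip] = open_ports
    return result


def find_unnecessary_services(
    og_text: str, expected: Dict[str, Set[Tuple[int, str]]]
) -> List[Tuple[str, int, str]]:
    """Return sorted (ip, port, proto) triples for open ports not on the allowlist.

    A host absent from the allowlist is treated as expecting nothing, so every
    open port on it is reported; that is the conservative choice for a tester.
    """
    findings: List[Tuple[str, int, str]] = []
    for ip, open_ports in parse_open_ports(og_text).items():
        allowed = expected.get(ip, set())
        for port, proto in open_ports - allowed:
            findings.append((ip, port, proto))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, proto in find_unnecessary_services(SAMPLE_NMAP_OG, EXPECTED_SERVICES):
        print(f"{ip}: {port}/{proto} is open but not an expected service")
```

Run against the constructed scan, this reports only 22/tcp on 192.0.2.10: the database host's port 22 is filtered rather than open, and the bastion is allowed to run SSH.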

5
Q

Tom’s organization currently uses password-based authentication and would like to move to multifactor authentication. Which one of the following is an acceptable second factor?

a. Security question
b. PIN
c. Smartphone app
d. Passphrase

A

c. Passphrases, security questions, and PINs are all examples of knowledge-based authentication and would not provide multifactor authentication when paired with a password, another knowledge-based factor. Smartphone apps are an example of “something you have” and are an acceptable alternative.

6
Q

Which one of the following items is not appropriate for the executive summary of a penetration testing report?

a. Description of findings
b. Statement of risk
c. Plain language
d. Technical detail

A

d. An executive summary should be written in a manner that makes it accessible to the layperson. It should not contain technical detail.

7
Q

Which of the following activities is not commonly performed during the post-engagement cleanup phase?

a. Remediation of vulnerabilities
b. Removal of shells
c. Removal of tester-created credentials
d. Removal of tools

A

a. Vulnerability remediation is a follow-on activity and is not conducted as part of the test. The testers should, however, remove any shells or other tools installed during testing as well as remove any accounts or credentials that they created.

8
Q

Who is the most effective person to facilitate a lessons learned session after a penetration test?

a. Team leader
b. CIO
c. Third party
d. Client

A

c. The most effective way to conduct a lessons learned session is to ask a neutral third party to serve as the facilitator, allowing everyone to express their opinions freely.

9
Q

Which one of the following is not an example of an operational control that might be implemented to remediate an issue discovered during a penetration test?

a. Job rotation
b. Time-of-day login restrictions
c. Network segmentation
d. User training

A

c. Network segmentation is an example of a technical control. Time-of-day restrictions, job rotation, and user training are all examples of operational controls.

10
Q

Which one of the following techniques is not an appropriate remediation activity for a SQL injection vulnerability?

a. Network firewall
b. Input sanitization
c. Input validation
d. Parameterized queries

A

a. Parameterized queries (prepared statements) are the primary defense against SQL injection because they keep user input out of the query's structure. Input validation (rejecting input that does not match an expected format) and input sanitization (removing or escaping dangerous characters) are related defense-in-depth controls that are also acceptable remediation activities. A network firewall operates at the network and transport layers and passes the malicious request through on the permitted web port, so it generally would not prevent such an attack.
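
Added example, not from the original flashcards: the vulnerable pattern beside the remediated ones, using Python's sqlite3 module against a constructed in-memory table. The tautology payload only succeeds against the string-built query; the parameterized query treats it as a literal password value, and an allowlist validator rejects it before any query is built.

```python
"""SQL injection: a string-built query beside its parameterized fix.

Added example for this flashcard set; not code from the original page.
The user table and credentials are constructed in-memory test data.
"""
import re
import sqlite3
from typing import Dict, Optional

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Concatenates attacker-controlled strings into SQL. Do not do this.

    With password = "' OR '1'='1" the statement becomes
      ... WHERE username = 'alice' AND password = '' OR '1'='1'
    and AND binds tighter than OR, so the WHERE clause is true for every row.
    """
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Placeholders keep data out of the statement's parse tree: a quote in the
    input is just a character inside a bound value, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def validate_username(username: str) -> bool:
    """Input validation: allowlist the shape of a username rather than trying
    to enumerate dangerous characters (a denylist is the weaker 'sanitize' form)."""
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Validation in front of parameterization: defense in depth."""
    if not validate_username(username):
        return None
    return login_parameterized(conn, username, password)


def demo() -> Dict[str, Optional[str]]:
    """Run the same honest and injected inputs through each version."""
    conn = make_db()
    payload = "' OR '1'='1"    # classic tautology injection, used as the password
    return {
        "vuln_honest": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),
        "param_honest": login_parameterized(conn, "alice", "correct horse"),
        "param_injected": login_parameterized(conn, "alice", payload),
        "hardened_injected_user": login_hardened(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result!r}")
```

The injected call against the vulnerable function returns the first row, which is an authentication bypass without knowing any password; the parameterized and hardened versions return None for the same input.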

11
Q

When should system hardening activities take place?

a. When the system is initially built
b. When the system is initially built and periodically during its life
c. When the system is initially built and when it is decommissioned
d. When the system is initially built, periodically during its life, and when it is decommissioned

A

b. System hardening should take place when a system is initially built and periodically during its life. There is no need to harden a system prior to decommissioning because it is being shut down at that point.

12
Q

Biometric authentication technology fits into what multifactor authentication category?

a. Something you know
b. Something you are
c. Somewhere you are
d. Something you have

A

b. Biometric authentication techniques use a measurement of some physical characteristic of the user, such as a fingerprint scan, facial recognition, or voice analysis.
