2.4 assessment types / special considerations
ISO/IEC 27001
is a very highly respected set of standards that defines the processes and requirements for an organization's information security management systems.
Which document explains the details of an objective-based test? Permission to test Rules of engagement Scope of work Change order
Scope of work; is a very detailed document that defines exactly what is going to be included in a penetration test. This document is also referred to as the statement of work.
Payment Card Industry Data Security Standards (PCI-DSS)
Security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and other types of payment cards.
A goal-based penetration test needs to have specific goals. Using SMART goals is extremely useful for this. What does SMART stand for? Specific/Measurable/Attainable/Relevant/Timely Steps/Maintainable/Affordable/Results/Tuned Specific/Maintainable/Attainable/Relevant/Timely Steps/Measurable/Affordable/Results/Tuned
Specific/Measurable/Attainable/Relevant/Timely
What are the main laws and regulations a penetration tester needs to be aware of?
PCI DDS HIPAA ISO/IEC 27001 SOX DMCA FISMA
Why would a penetration test be performed before a merger of two organizations?
-When two companies merge, they have to COMBINE systems, policies, and regulations. A penetration test during this phase can help identify shortcomings and differences that, if left unattended, could lead to disastrous results after the companies combine. -During this penetration test, things could also come to light that cause the merge to fall through.
what are the different types of penetration tests?
-goal-based penetration test (focuses on end result) -objective-based penetration test -compliance-based penetration test (Ensuring that the organization is in compliance with federal laws and regulations is a major purpose for performing a penetration test.)
Which of the following best describes a supply chain? A company stores their product at a distribution center. A company stocks their product at a store. A company provides materials to another company to manufacture a product. A company sells their products on Amazon and has Amazon ship the product.
A company provides materials to another company to manufacture a product.
Digital Millennium Copyright Act (DMCA)
A federal regulation enacted in 1998 that is designed to protect copyrighted works.
Federal Information Security Management Act (FISMA)
A federal regulation that defines how federal government data, operations, and assets are handled.
Heather has been hired to work in a firm's cybersecurity division. Her role will include performing both offensive and defensive tasks. Which of the following roles applies to Heather? A member of the purple team. A black hat hacker. A member of the red team. A gray hat hacker.
A member of the purple team.; A black hat hacker is a skilled hacker who uses skills and knowledge for illegal or malicious purposes. A gray hat hacker may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.
Health Insurance Portability and Accountability Act (HIPAA)
A set of standards that ensures a person's health information is kept safe and shared only with the patient and medical professionals who need it.
ABC company is in the process of merging with XYZ company. As part of the merger, a penetration test has been recommended. Testing the network systems, physical security, and data security have all been included in the scope of work. What else should be included in the scope of work? Company culture Employee IDs Email policies Password policies
Company culture; During the premerger, areas such as physical security, data security, company culture, and network systems need to be tested. A penetration test during this phase can help identify shortcomings and large differences that if left unattended could lead to disastrous results after the merger or acquisition. Email and password policies are already included in the network systems test. Employee IDs are included in the physical security test.
Which type of penetration test is required to ensure an organization is following federal laws and regulations? Goal-based Compliance-based Objective-based White box
Compliance-based
Charles found a song he wrote being used without his permission in a video on YouTube. Which law will help him protect his work? FISMA PCI DSS DMCA HIPAA
DMCA; The Digital Millennium Copyright Act (DMCA) was enacted in 1998 to protect copyrighted works.
Which of the following best describes what FISMA does? Defines standards that ensure medical information is kept safe. Defines how federal government data, operations, and assets are handled. Implements accounting and disclosure requirements that increase transparency. Defines the security standards for any organization that handles cardholder information
Defines how federal government data, operations, and assets are handled and was signed into law in 2002
Sarbanes Oxley Act (SOX)
Federal regulation enacted in 2002 with the goal of implementing accounting and disclosure requirements that would increase transparency in corporate governance and financial reporting and formalize a system of internal checks and balances. - DOESN'T specify how to store and record information; it ONLY dictates what information is stored and how long it's stored for
Which of the following best describes a goal-based penetration test? The hacker has been given full information about the target. Focuses on the overall security of the organization and its data security. Ensures the organization follows federal laws and regulations. Focuses on the end results. The hacker determines the methods.
Focuses on the end results. The hacker determines the methods.
Which of the following best describes what SOX does? Defines the security standards for any organization that handles cardholder information. Implements accounting and disclosure requirements that increase transparency. Defines how federal government data, operations, and assets are handled. Defines standards that ensure medical information is kept safe.
Implements accounting and disclosure requirements that increase transparency. -in corporate governance and financial reporting and formalize a system of internal checks and balances.
Which of the following defines the security standards for any organization that handles cardholder information for any type of payment card? DMCA FISMA HIPAA PCI DSS
PCI DSS; The Payment Card Industry Data Security Standards (PCI DSS) defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and any other type of payment cards.
Michael is performing a penetration test for a hospital. Which federal regulation does Michael need to ensure he follows? HIPAA DMCA PCI DSS FISMA
The Health Insurance Portability and Accountability Act (HIPPA); was created as health records and data started being stored electronically. Its goal is to create a set of standards that would ensure this information is kept safe and is only shared with the patient and medical professionals that need it.
How does being part of a supply chain affect a penetration test?
When companies are setting up a supply chain, they have to make sure that their systems are able to talk to each other, security standards are consistent, and policies align. There might also be laws and regulations that need to be followed. For example, if one of the companies is involved in medical supplies, the other may need to implement some HIPPA policies.
what does a supply chain do?
When one company needs to transfer materials to another, you need a supply chain process to make that happen.
Which of the following is a limitation of relying on regulations? They rely heavily on password policies. They are regularly updated. They allow interpretation. The industry standards take precedence.
they rely heavily on password policies.; One of the drawbacks to many federal regulations is that they rely heavily on password policies, which are often outdated.
what does the scope of work determine?
this kind of document determines what the objective of the test is by specifying which devices, IP scopes, networks, and other system elements the penetration tester is allowed to access.