Pen + test

During a penetration test, Heidi runs into an ethical situation she's never faced before and is unsure how to proceed. Which of the following should she do? Ignore the situation and just move on. Reach out to an attorney for legal advice. Talk with her friend and do what they suggest. Trust her instincts and do what she feels is right.

Reach out to an attorney for legal advice.

Non-disclosure agreement (NDA)

A common legal contract that outlines confidential material or information that will be shared during a security assessment and what restrictions are placed on information.

Purple team

A mixture of both red and blue teams.

Rules of engagement

A rules of engagement (ROE) defines how the penetration test will be carried out.

Scope of work

A scope of work (SOW) defines exactly what a project will entail. It is also known as a statement of work.

ISO/IEC 27001

A set of processes and requirements for an organization's information security management systems.

Health Insurance Portability and Accountability Act (HIPAA)

A set of standards that ensures a person's health information is kept safe and shared only with the patient and medical professionals who need it.

White hat

A skilled hacker who uses skills and knowledge for defensive purposes only. The white hat hacker interacts only with systems for which express access permission has been given.

The Stuxnet worm was discovered in 2010 and was used to gain sensitive information on Iran's industrial infrastructure. This worm was probably active for about five years before being discovered. During this time, the attacker had access to the target. Which type of attack was Stuxnet? Trojan horse Virus Logic bomb APT

APT An APT (advanced persistent threat) is a stealthy attack that gains access to a network or computer system and remains hidden for an extended period of time.

Hannah is working on the scope of work with her client. During the planning, she discovers that some of the servers are cloud-based servers. Which of the following should she do? Get a non-disclosure agreement. Add the cloud host to the scope of work. Tell the client she can't perform the test. Not worry about this fact and test the servers.

Add the cloud host to the scope of work. Since Hannah is in the planning stage, she will need to add the cloud host to the scope of work. Cloud-based systems require some extra steps before penetration testing can begin. The issue is that the systems aren't owned by the client, but by the cloud hosting provider. An organization might be required to conduct penetration tests to meet regulations. But, in this case, the cloud provider must also authorize the penetration test and will need to be involved and approve the scope of work.

Which of the following best describes the Wassenaar Arrangement? An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software. Standards that ensure medical information is kept safe and is only shared with the patient and medical professionals. A law that defines how federal government data, operations, and assets are handled. A law that defines the security standards for any organization that handles cardholder information.

An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software.

Script kiddie

An extremely unskilled person who uses tools and scripts developed by real hackers.

During a risk assessment, the organization determines that the risk of collecting personal data from its customers is not acceptable and stops. What method of dealing with risk is the organization using? Avoidance Mitigation Transference Acceptance

Avoidance When you identify a risk you can avoid, you should avoid it. This action is called risk avoidance. Transference is the process of moving the risk to another entity. Risk mitigation is also called risk reduction. Sometimes the risks cannot be transferred or avoided. In this case, steps must be taken to reduce the damage that can occur. Risk acceptance occurs when the organization determines that the cost and effort to mitigate a risk outweighs the risk's potential damage, so they simply accept the risk.

Yesenia was recently terminated from her position, where she was using her personal cell phone for business purposes. Upon termination, her phone was remotely wiped. Which of the following corporate policies allows this action? Corporate policy Password policy BYOD policy Update policy

BYOD policy

You are executing an attack in order to simulate an outside attack. Which type of penetration test are you performing? Black box Black hat White hat White box

Black box In a black box test, the ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores insider threats.

Heather is in the middle of performing a penetration test when her client asks her to also check the security of an additional server. Which of the following documents does she need to submit before performing the additional task? Change order Rules of engagement Scope of work Permission to test

Change order When a change to the scope of work is requested, a change order should be filled out and agreed on. Once this is done, the additional tasks can be completed.

What are the rules and regulations defined and put in place by an organization called? Rules of engagement Corporate policies Master service agreement Scope of work

Corporate policies

Which of the following best describes what FISMA does? Defines the security standards for any organization that handles cardholder information Defines how federal government data, operations, and assets are handled. Implements accounting and disclosure requirements that increase transparency. Defines standards that ensure medical information is kept safe.

Defines how federal government data, operations, and assets are handled.

Eavesdropping

Eavesdropping is an unauthorized person listening to private conversations between employees or other authorized personnel when sensitive topics are being discussed.

During an authorized penetration test, Michael discovered his client's financial records. Which of the following should he do? Sell the records to a competitor. Ignore the records and move on. Make a backup of the records for the client. Continue digging and look for illegal activity.

Ignore the records and move on. During a penetration test, the ethical hacker will run across or gain access to highly sensitive data. This could include clients' financial information, customer data, passwords, and more. In this situation, the hacker is expected to keep this information confidential and not view any more than is necessary for reporting purposes.

During a penetration test, Mitch discovers child pornography on a client's computer. Which of the following actions should he take? Delete the files and continue with the penetration test. Stop the test, inform the client, and let them handle it. Immediately stop the test and report the finding to the authorities. Ignore the files and continue with the penetration test.

Immediately stop the test and report the finding to the authorities.

Which of the following best describes what SOX does? Defines the security standards for any organization that handles cardholder information. Implements accounting and disclosure requirements that increase transparency. Defines standards that ensure medical information is kept safe. Defines how federal government data, operations, and assets are handled.

Implements accounting and disclosure requirements that increase transparency.

Spear phishing

In spear phishing, an attacker gathers information about the victim, such as their online bank. The attacker then sends a phishing email to the victim that appears to be from that bank. Usually, the email contains a link that sends the user to a site that looks legitimate, but is intended to capture the victim's personal information.

Which of the following is considered a mission-critical application? Medical database Video player Support log Customer database

Medical database

Maintaining access

Once the hacker has gained access, he can use backdoors, rootkits, or Trojans to establish permanent access to the system.

Which of the following is a common corporate policy that would be reviewed during a penetration test? Purchasing policy Password policy Meeting policy Parking policy

Password policy

Randy was just hired as a penetration tester for the red team. Which of the following best describes the red team? Is responsible for establishing and implementing policies. Acts as a pipeline between teams and can work on any side. Is a team of specialists that focus on the organization's defensive security. Performs offensive security tasks to test the network's security.

Performs offensive security tasks to test the network's security.

During a penetration test, Dylan is caught testing the physical security. Which document should Dylan have on his person to avoid being arrested? Permission to test Scope of work Rules of engagement Master service agreement

Permission to test

Ethical hacking

Perpetrating exploits against a system with the intent to find vulnerabilities so that security weaknesses can be addressed and the system can be made more secure.

Bring your own device (BYOD)

Policies that govern an organization's rules and regulations regarding support of employee-owned smart phones, tablets, and similar devices.

The penetration testing life cycle is a common methodology used when performing a penetration test. This methodology is almost identical to the ethical hacking methodology. Which of the following is the key difference between these methodologies? Reconnaissance Maintain access Reporting Gain access

Reporting The only difference between the penetration testing life cycle and ethical hacking methodology is the focus on the documentation of the penetration test. A detailed report of the tests performed and everything that was discovered is important to a penetration test.

What does an organization do to identify areas of vulnerability within their network and security systems? Internal test Risk assessment Scanning External test

Risk assessment The purpose of a risk assessment is to identify areas of vulnerability within the organization's network. The risk assessment should look at all areas, including high value data, network systems, web applications, online information, and physical security, including operating systems and web servers. This is done before beginning a penetration test.

A client asking for small deviations from the scope of work is called: Scope creep Security exception Change order Rules of engagement

Scope creep In project management, one of the most dangerous things to look out for is scope creep. This is when the client begins asking for small deviations from the scope of work. This can cause the project to go off track and increase the time and resources needed to complete it.

Which of the following documents details exactly what can be tested during a penetration test? Scope of Work Master Service Agreement Non-Disclosure Agreement Rules of Engagement

Scope of Work The scope of work is a very detailed document that defines exactly what software, and hardware, test types, and facility features are going to be included in the penetration test. This document is also referred to as the statement of work.

Which document explains the details of an objective-based test? Scope of work Rules of engagement Permission to test Change order

Scope of work

Which of the following is a deviation from standard operating security protocols? Whitelisting Blacklisting MAC filtering Security exception

Security exception

White box

The ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but is not very realistic.

Penetration testing

The practice of finding vulnerabilities and risks with the purpose of securing the computer or network system.

USB and keyloggers

When on site, a social engineer also has the ability to stealing data through a USB flash drive or a keystroke logger. Social engineers often employ keystroke loggers to capture usernames and passwords. As the target logs in, the username and password are saved. Later, the attacker uses the username and password to conduct an exploit.

Spam and spim

When using spam, the attacker sends an email or banner ad embedded with a compromised URL that entices a user to click it. Spim is similar, but the malicious link is sent to the target using instant messaging instead of email.

Which type of threat actor only uses skills and knowledge for defensive purposes? Gray hat Script kiddie White hat Hacktivist

White hat

Miguel is performing a penetration test. His client needs to add Miguel's computer to the list of devices allowed to connect to the network. What type of security exception is this? Blacklisting White box Whitelisting Black box

Whitelisting

Which of the following is a consideration when scheduling a penetration test? Who is aware of the test? Are there any security exceptions? Which systems are being tested? What risks are acceptable?

Who is aware of the test? The rules of engagement must specify who is aware of the penetration test and its time frame. The less people who know, the more realistic the test will be.

Gray hat

A skilled hacker who falls in the middle of the white hat and black hat hackers. The gray hat may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.

Black hat

A skilled hacker who uses skills and knowledge for illegal or malicious purposes.

Advanced persistent threat (APT)

A stealthy computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period.

The following formula defines which method of dealing with risk? Cost of Risk > Damage = Risk _________ Mitigation Avoidance Transference Acceptance

Acceptance Risk acceptance occurs when the organization determines that the cost and effort to mitigate a risk outweighs the risk's potential damage, so they simply accept the risk.

Performing reconnaissance

In this phase, the hacker begins gathering information about the target. This can include gathering publicly available information, using social engineering techniques, or even dumpster diving.

Scope of work (SoW)

A very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work.

Which of the following best describes a non-disclosure agreement? A very detailed document that defines exactly what is going to be included in the penetration test. A contract where parties agree to most of the terms that will govern future actions. A document that defines if the test will be a white box, gray box, or black box test and how to handle sensitive data. A common legal contract outlining confidential material that will be shared during the assessment.

A common legal contract outlining confidential material that will be shared during the assessment.

Which of the following best describes a supply chain? A company provides materials to another company to manufacture a product. A company stocks their product at a store. A company stores their product at a distribution center. A company sells their products on Amazon and has Amazon ship the product.

A company provides materials to another company to manufacture a product. A supply chain is set up when materials from one company are needed from another to manufacture a product.

Which of the following best describes a master service agreement? Used as a last resort if the penetration tester is caught in the scope of their work. Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data. A contract where parties agree to the terms that will govern future actions. A very detailed document that defines exactly what is going to be included in the penetration test.

A contract where parties agree to the terms that will govern future actions. The master service agreement is a contract where parties agree to the terms that will govern future actions. This makes future services and contracts much easier to handle and define.

Master service agreement (MSA)

A contract where parties agree to the terms that will govern future actions. This makes future services and contracts easier to handle and define.

Rules of engagement (RoE)

A contract where parties agree to the terms that will govern future actions. This makes future services and contracts easier to handle and define.

Blue team

A defensive security team that attempts to close vulnerabilities and stop the red team.

Permission to test

A document that explains what the penetration tester is doing and that their work is authorized. This document is sometimes referred to as the Get Out Of Jail Free Card.

Digital Millennium Copyright Act (DMCA)

A federal regulation enacted in 1998 that is designed to protect copyrighted works.

Federal Information Security Management Act (FISMA)

A federal regulation that defines how federal government data, operations, and assets are handled.

Cyber terrorist

A hacker motivated by religious or political beliefs who wants to create severe disruption or widespread fear.

Suicide hacker

A hacker who is concerned only with taking down the target for a cause.

State-sponsored hacker

A hacker who works for a government and attempts to gain top-secret information by hacking other governments.

Hacktivist

A hacker whose main purpose is to protest an event or situation and draw attention to their own views and opinions.

Heather is working for a cybersecurity firm based in Florida. She will be conducting a remote penetration test for her client, who is based in Utah. Which state's laws and regulations will she need to adhere to? Both companies will need to adhere to Utah's laws. Both companies will need to adhere to Florida's laws. Heather will adhere to Florida's laws, and the client will adhere to Utah's laws. A lawyer should be consulted on which laws to adhere to and both parties agree.

A lawyer should be consulted on which laws to adhere to and both parties agree.

Heather has been hired to work in a firm's cybersecurity division. Her role will include performing both offensive and defensive tasks. Which of the following roles applies to Heather? A member of the red team. A member of the purple team. A black hat hacker. A gray hat hacker.

A member of the purple team.

Targeted attack

A targeted attack is much more dangerous. A targeted attack is extremely methodical and is often carried out by multiple entities that have substantial resources. Targeted attacks almost always use unknown exploits, and the hackers go to great lengths to cover their tracks and hide their presence. Targeted attacks often use completely new programs that are specifically designed for the target.

Insider

An insider could be a customer, a janitor, or even a security guard. But most of the time, it's an employee. Employees pose one of the biggest threats to any organization. There are many reasons why an employee might become a threat. The employee could: Be motivated by a personal vendetta because they are disgruntled. Want to make money. Be bribed into stealing information.

Red team

An offensive security team that attempts to discover vulnerabilities in a network or computer system.

Opportunistic attack

An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities, such as old software, exposed ports, poorly secured networks, and default configurations. When one is found, the hacker will exploit the vulnerability, steal whatever is easy to obtain, and get out.

Nation state

Attacks from nation states have several key components that make them especially powerful. Typically, nation state attacks: Are highly targeted. Identify a target and wage an all-out war. Are extremely motivated. Use the most sophisticated attack techniques of all the attackers. This often includes developing completely new applications and viruses in order to carry out an attack. Are well financed.

ABC company is in the process of merging with XYZ company. As part of the merger, a penetration test has been recommended. Testing the network systems, physical security, and data security have all been included in the scope of work. What else should be included in the scope of work? Email policies Company culture Employee IDs Password policies

Company culture During the premerger, areas such as physical security, data security, company culture, and network systems need to be tested. A penetration test during this phase can help identify shortcomings and large differences that if left unattended could lead to disastrous results after the merger or acquisition.

Which of the following best describes the rules of engagement document? Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data. A contract where parties agree to most of the terms that will govern future actions. A very detailed document that defines exactly what is going to be included in the penetration test. Used as a last resort if the penetration tester is caught in the scope of their work.

Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.

Hoax

Email hoaxes are often easy to spot because of their bad spelling and terrible grammar. However, hoax emails use a variety of tactics to convince the target they're real.

Penetration testing is the practice of finding vulnerabilities and risks with the purpose of securing a computer or network. Penetration testing falls under which all-encompassing term? Red teaming Network scanning Ethical hacking Blue teaming

Ethical hacking

Miguel is performing a penetration test on a web server. Miguel was given only the server's IP address and name. Which of the following best describes the type of penetration test Miguel is performing? External Black box Internal White box

External An external test focuses on any publicly facing system, such as a web server that resides in the DMZ. An internal test focuses on any systems that logically resides behind the firewall. These can be offsite or onsite. A black box test occurs when an ethical hacker has no information about the target or network. A white box test occurs when an ethical hacker has full information about the target or network.

Sarbanes Oxley Act (SOX)

Federal regulation enacted in 2002 with the goal of implementing accounting and disclosure requirements that would increase transparency in corporate governance and financial reporting and formalize a system of internal checks and balances.

Which of the following best describes a goal-based penetration test? The hacker has been given full information about the target. Ensures the organization follows federal laws and regulations. Focuses on the overall security of the organization and its data security. Focuses on the end results. The hacker determines the methods.

Focuses on the end results. The hacker determines the methods.

United States Code Title 18, Chapter 47, Section 1029 deals with which of the following? Fraud and related activity regarding identity theft. Fraud and related activity involving electronic mail. Fraud and related activity involving access devices. Fraud and related activity involving computers.

Fraud and related activity involving access devices. Section 1029 refers to fraud and related activity involving access devices. An access device is defined as any application or hardware that is created specifically to generate any type of access credentials.

Which of the following is the third step in the ethical hacking methodology? Clear your tracks Gain access Scanning and enumeration Reconnaissance

Gain access

Hacker

Generally speaking, a hacker is any threat actor who uses technical knowledge to bypass security, exploit a vulnerability, and gain access to protected information. Hackers could attack for several different reasons. Some types of hackers are: Those motivated by bragging rights, attention, and the thrill. Hacktivists with a political motive. Script kiddies, who use applications or scripts written by much more talented individuals. A white hat hacker, who tries to help a company see the vulnerabilities that exist in their security. Cybercriminals, who are motivated by significant financial gain. They typically take more risks and use extreme tactics. Corporate spies are a sub-category of cybercriminal.

Miguel has been practicing his hacking skills. He has discovered a vulnerability on a system that he did not have permission to attack. Once Miguel discovered the vulnerability, he anonymously alerted the owner and instructed him how to secure the system. What type of hacker is Miguel in this scenario? Script kiddie Gray hat White hat State-sponsored

Gray hat A gray hat hacker falls in the middle of the white hat and black hat hackers. The gray hat may cross ethical lines, but usually has good intentions and isn't being malicious like a black hat hacker.

Which of the following elements is generally considered the weakest link in an organization's security? Network Physical Human Servers

Human

Establishing access

In this phase, the hacker uses all the information gathered through reconnaissance and scanning to exploit any vulnerabilities found and gain access.

Heather is performing a penetration test. She has gathered a lot of valuable information about her target already. Heather has used some hacking tools to determine that, on her target network, a computer named Production Workstation has port 445 open. Which step in the ethical hacking methodology is Heather performing? Maintain access Gain access Reconnaissance Scanning and enumeration

Scanning and enumeration

Scanning and enumeration

Scanning is a natural extension of reconnaissance. The hacker uses various tools to gather in-depth information about the network, computer systems, live systems, open ports, and other features. Extracting information such as usernames, computer names, network resources, shares, and services is known as enumeration. Enumeration is a part of the scanning step.

Payment Card Industry Data Security Standards (PCI-DSS)

Security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and other types of payment cards.

Which of the following policies would cover what you should do in case of a data breach? Update frequency policy Sensitive data handling policy Password policy Corporate data policy

Sensitive data handling policy The policy for handling sensitive data should detail who has access to data, how data is secured, and what to do if an unauthorized person gains access to the data.

Shoulder surfing

Shoulder surfing involves looking over someone's shoulder while they work on a computer or review documents. This attack's purpose is to obtain usernames, passwords, account numbers, or other sensitive information.

A goal-based penetration test needs to have specific goals. Using SMART goals is extremely useful for this. What does SMART stand for? Steps/Maintainable/Affordable/Results/Tuned Specific/Maintainable/Attainable/Relevant/Timely Steps/Measurable/Affordable/Results/Tuned Specific/Measurable/Attainable/Relevant/Timely

Specific/Measurable/Attainable/Relevant/Timely SMART goals are very useful when establishing and defining the goals of a penetration test. SMART goals help create goals that are specific, measurable, attainable, relevant, and timely (or time-bound).

Miguel is performing a penetration test on his client's web-based application. Which penetration test frameworks should Miguel utilize? OSSTMM ISO/IEC 27001 NIST SP 800-115 OWASP

The Open Web Application Security Project (OWASP) describes techniques for testing the most common web application and web service security issues.

OSSTMM ISO/IEC 27001 NIST SP 800-115 OWASP

The Open Web Application Security Project (OWASP) describes techniques for testing the most common web application and web service security issues. The Open Source Security Testing Methodology Manual (OSSTMM) attempts to enforce one accepted method for a very thorough security test. The National Institute of Standards and Technology Special Publication 800-115 (NIST SP 800-115) is a guide to the basic technical aspects of conducting information security assessments. ISO/IEC 2701 defines the processes and requirements for an organization's information security management systems.

Which of the following best describes social engineering? The process of analyzing an organization's security and locating security holes. A stealthy computer network attack in which a person or group gains unauthorized access for an extended period. The art of deceiving and manipulating others into doing what you want. Sending an email that appears to be from a bank to trick the target into entering their credentials on a malicious website.

The art of deceiving and manipulating others into doing what you want.

Black box

The ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores the insider threats.

Which of the following best describes a gray box penetration test? The ethical hacker is given strict guidelines about what can be targeted. The ethical hacker has no information regarding the target or network. The ethical hacker has partial information about the target or network. The ethical hacker is given full knowledge of the target or network.

The ethical hacker has partial information about the target or network.

Gray box

The ethical hacker is given partial information of the target or network, such as IP configurations or emails lists. This test simulates an insider threat.

Clearing tracks

The final step in the hacking process is clearing tracks. The hacker overwrites log files to hide the fact they were ever there.

Threat modeling

The process of analyzing the security of the organization and determine security holes.

Which of the following is a limitation of relying on regulations? The industry standards take precedence. They rely heavily on password policies. They are regularly updated. They allow interpretation.

They rely heavily on password policies One of the drawbacks to many federal regulations is that they rely heavily on password policies, which are often outdated.

Which statement best describes a suicide hacker? This hacker may cross the line of what is ethical, but usually has good intentions and isn't being malicious. This hacker's main purpose is to protest an event and draw attention to their views and opinions. This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught. This hacker is motivated by religious or political beliefs and wants to create severe disruption or widespread fear.

This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught.

The process of analyzing an organization's security and determining its security holes is known as: Threat modeling Ethical hacking Enumeration Penetration testing

Threat modeling Threat modeling is the process of analyzing an organization's security and determining its security holes. Once a threat model is put together, the organization can begin securing its systems and data.

After performing a risk assessment, an organization must decide what areas of operation can be included in a penetration test and what areas cannot be included. Which of the following describes the process? Tolerance Transference Mitigation Avoidance

Tolerance After a risk assessment is performed and vulnerable areas identified, the organization needs to decide their tolerance level for performing a penetration test. Areas of risk that can be tolerated need to be placed in the scope of work, whereas those critical areas may need to be place out of scope, or off-limits. When a risk can be avoided, it should be. This is known as risk avoidance. Transference is the process of moving the risk to another entity. Risk mitigation is also called risk reduction. Sometimes the risks cannot be transferred or avoided. In this case, steps must be taken to reduce the damage that can occur.