Ethical Hacking Module 2


Heather is in the middle of performing a penetration test when her client asks her to also check the security of an additional server. Which of the following documents does she need to submit before performing the additional task?
Scope of work
Rules of engagement
Permission to test
Change order

Change order

Penetration testing is the practice of finding vulnerabilities and risks with the purpose of securing a computer or network. Penetration testing falls under which all-encompassing term?
Ethical hacking
Blue teaming
Red teaming
Network scanning

Ethical hacking

During a penetration test, Dylan is caught testing the physical security. Which document should Dylan have on his person to avoid being arrested?
Master service agreement
Scope of work
Rules of engagement
Permission to test

Permission to test

Which of the following defines the security standards for any organization that handles cardholder information for any type of payment card?
HIPAA
PCI DSS
DMCS
FISMA

PCI DSS

A client asking for small deviations from the scope of work is called:
Rules of engagement
Change order
Scope creep
Security exception

Scope creep

Which of the following documents details exactly what can be tested during a penetration test?
Master Service Agreement
Scope of Work
Rules of Engagement
Non-Disclosure Agreement

Scope of Work

Which document explains the details of an objective-based test?
Permission to test
Change order
Scope of work
Rules of engagement

Scope of work

Which of the following is a deviation from standard operating security protocols?
Whitelisting
Security exception
MAC filtering
Blacklisting

Security exception

Which of the following policies would cover what you should do in case of a data breach?
Corporate data policy
Password policy
Sensitive data handling policy
Update frequency policy

Sensitive data handling policy

A goal-based penetration test needs to have specific goals. Using SMART goals is extremely useful for this. What does SMART stand for?
Specific/Maintainable/Attainable/Relevant/Timely
Steps/Maintainable/Affordable/Results/Tuned
Specific/Measurable/Attainable/Relevant/Timely
Steps/Measurable/Affordable/Results/Tuned

Specific/Measurable/Attainable/Relevant/Timely

The process of analyzing an organization's security and determining its security holes is known as:
Ethical hacking
Enumeration
Penetration testing
Threat modeling

Threat modeling

After performing a risk assessment, an organization must decide what areas of operation can be included in a penetration test and what areas cannot be included. Which of the following describes the process?
Transference
Avoidance
Tolerance
Mitigation

Tolerance

Which of the following best describes a non-disclosure agreement?
A common legal contract outlining confidential material that will be shared during the assessment
A contract where parties agree to most of the terms that will govern future actions
A document that defines if the test will be a white box, gray box, or black box test and how to handle sensitive data
A very detailed document that defines exactly what is going to be included in the penetration test

A common legal contract outlining confidential material that will be shared during the assessment

Which of the following best describes a supply chain?
A company sells their products on Amazon and has Amazon ship the product
A company provides materials to another company to manufacture a product
A company stocks their product at a store
A company stores their product at a distribution center

A company provides materials to another company to manufacture a product

Which of the following best describes a master service agreement?
Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data
A very detailed document that defines exactly what is going to be included in the penetration test
Used as a last resort if the penetration tester is caught in the scope of their work
A contract where parties agree to the terms that will govern future actions

A contract where parties agree to the terms that will govern future actions

Heather is working for a cybersecurity firm based in Florida. She will be conducting a remote penetration test for her client, who is based in Utah. Which state's laws and regulations will she need to adhere to?
Heather will adhere to Florida's laws, and the client will adhere to Utah's laws
Both companies will need to adhere to Utah's laws
A lawyer should be consulted on which laws to adhere to and both parties agree
Both companies will need to adhere to Florida's laws

A lawyer should be consulted on which laws to adhere to and both parties agree

Heather has been hired to work in a firm's cybersecurity division. Her role will include performing both offensive and defensive tasks. Which of the following roles applies to Heather?
A member of the red team
A gray hat hacker
A member of the purple team
A black hat hacker

A member of the purple team

The Stuxnet worm was discovered in 2010 and was used to gain sensitive information on Iran's industrial infrastructure. This worm was probably active for about five years before being discovered. During this time, the attacker had access to the target. Which type of attack was Stuxnet?
Virus
Trojan horse
APT
Logic bomb

APT

The following formula defines which method of dealing with risk? Cost of Risk > Damage = Risk ______
Acceptance
Mitigation
Transference
Avoidance

Acceptance

Hannah is working on the scope of work with her client. During the planning, she discovers that some of the servers are cloud-based servers. Which of the following should she do?
Not worry about this fact and test the servers
Add the cloud host to the scope of work
Tell the client she can't perform the test
Get a non-disclosure agreement

Add the cloud host to the scope of work

Which of the following best describes the Wassenaar Arrangement?
An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software
Standards that ensure medical information is kept safe and is only shared with the patient and medical professionals
A law that defines the security standards for any organization that handles cardholder information
A law that defines how federal government data, operations, and assets are handled

An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software

During a risk assessment, the organization determines that the risk of collecting personal data from its customers is not acceptable and stops. What method of dealing with risk is the organization using?
Avoidance
Transference
Mitigation
Acceptance

Avoidance

Yesenia was recently terminated from her position, where she was using her personal cell phone for business purposes. Upon termination, her phone was remotely wiped. Which of the following corporate policies allows this action?
Corporate policy
BYOD policy
Update policy
Password policy

BYOD policy

You are executing an attack in order to simulate an outside attack. Which type of penetration test are you performing?
White hat
Black box
Black hat
White box

Black box

ABC company is in the process of merging with XYZ company. As part of the merger, a penetration test has been recommended. Testing the network systems, physical security, and data security have all been included in the scope of work. What else should be included in the scope of work?
Company culture
Email policies
Employee IDs
Password policies

Company culture

Which type of penetration test is required to ensure an organization is following federal laws and regulations?
Goal-based
Objective-based
Compliance-based
White box

Compliance-based

What are the rules and regulations defined and put in place by an organization called?
Scope of work
Corporate policies
Rules of engagement
Master service agreement

Corporate policies

Charles found a song he wrote being used without his permission in a video on YouTube. Which law will help him protect his work?
HIPAA
DMCA
PCI DSS
FISMA

DMCA

Which of the following best describes what FISMA does?
Defines standards that ensure medical information is kept safe
Implements accounting and disclosure requirements that increase transparency
Defines the security standards for any organization that handles cardholder information
Defines how federal government data, operations, and assets are handled

Defines how federal government data, operations, and assets are handled

Which of the following best describes the rules of engagement document?
Used as a last resort if the penetration tester is caught in the scope of their work
Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data
A contract where parties agree to most of the terms that will govern future actions
A very detailed document that defines exactly what is going to be included in the penetration test

Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data

Miguel is performing a penetration test on a web server. Miguel was given only the server's IP address and name. Which of the following best describes the type of penetration test Miguel is performing?
Internal
Black box
White box
External

External

Which of the following best describes a goal-based penetration test?
Focuses on the overall security of the organization and its data security
The hacker has been given full information about the target
Ensures the organization follows federal laws and regulations
Focuses on the end results. The hacker determines the methods

Focuses on the end results. The hacker determines the methods

United States Code Title 18, Chapter 47, Section 1029 deals with which of the following?
Fraud and related activity involving electronic mail
Fraud and related activity involving computers
Fraud and related activity involving access devices
Fraud and related activity regarding identity theft

Fraud and related activity involving access devices

Which of the following is the third step in the ethical hacking methodology?
Clear your tracks
Reconnaissance
Scanning and enumeration
Gain access

Gain access

Miguel has been practicing his hacking skills. He has discovered a vulnerability on a system that he did not have permission to attack. Once Miguel discovered the vulnerability, he anonymously alerted the owner and instructed him how to secure the system. What type of hacker is Miguel in this scenario?
White hat
State-sponsored
Script kiddie
Gray hat

Gray hat

Michael is performing a penetration test for a hospital. Which federal regulation does Michael need to ensure he follows?
HIPAA
FISMA
DMCA
PCI DSS

HIPAA

Which of the following elements is generally considered the weakest link in an organization's security?
Physical
Servers
Network
Human

Human

During an authorized penetration test, Michael discovered his client's financial records. Which of the following should he do?
Sell the records to a competitor
Make a backup of the records for the client
Continue digging and look for illegal activity
Ignore the records and move on

Ignore the records and move on

During a penetration test, Mitch discovers child pornography on a client's computer. Which of the following actions should he take?
Ignore the files and continue with the penetration test
Delete the files and continue with the penetration test
Immediately stop the test and report the finding to the authorities
Stop the test, inform the client, and let them handle it

Immediately stop the test and report the finding to the authorities

Which of the following best describes what SOX does?
Implements accounting and disclosure requirements that increase transparency
Defines standards that ensure medical information is kept safe
Defines how federal government data, operations, and assets are handled
Defines the security standards for any organization that handles cardholder information

Implements accounting and disclosure requirements that increase transparency

Which of the following is considered a mission-critical application?
Customer database
Video player
Support log
Medical database

Medical database

Miguel is performing a penetration test on his client's web-based application. Which penetration test frameworks should Miguel utilize?
OSSTMM
OWASP
NIST SP 800-115
ISO/IEC 27001

OWASP

Which of the following is a common corporate policy that would be reviewed during a penetration test?
Purchasing policy
Meeting policy
Parking policy
Password policy

Password policy

Randy was just hired as a penetration tester for the red team. Which of the following best describes the red team?
Is a team of specialists that focus on the organization's defensive security
Is responsible for establishing and implementing policies
Performs offensive security tasks to test the network's security
Acts as a pipeline between teams and can work on any side

Performs offensive security tasks to test the network's security

During a penetration test, Heidi runs into an ethical situation she's never faced before and is unsure how to proceed. Which of the following should she do?
Reach out to an attorney for legal advice
Ignore the situation and just move on
Talk with her friend and do what they suggest
Trust her instincts and do what she feels is right

Reach out to an attorney for legal advice

The penetration testing life cycle is a common methodology used when performing a penetration test. This methodology is almost identical to the ethical hacking methodology. Which of the following is the key difference between these methodologies?
Reporting
Gain access
Maintain access
Reconnaissance

Reporting

What does an organization do to identify areas of vulnerability within their network and security systems?
Scanning
External test
Risk assessment
Internal test

Risk assessment

Heather is performing a penetration test. She has gathered a lot of valuable information about her target already. Heather has used some hacking tools to determine that, on her target network, a computer named Production Workstation has port 445 open. Which step in the ethical hacking methodology is Heather performing?
Reconnaissance
Gain access
Scanning and enumeration
Maintain access

Scanning and enumeration

Which of the following best describes social engineering?
The art of deceiving and manipulating others into doing what you want
The process of analyzing an organization's security and locating security holes
Sending an email that appears to be from a bank to trick the target into entering their credentials on a malicious website
A stealthy computer network attack in which a person or group gains unauthorized access for an extended period

The art of deceiving and manipulating others into doing what you want

Which of the following best describes a gray box penetration test?
The ethical hacker is given strict guidelines about what can be targeted
The ethical hacker has partial information about the target or network
The ethical hacker is given full knowledge of the target or network
The ethical hacker has no information regarding the target or network

The ethical hacker has partial information about the target or network

Which of the following is a limitation of relying on regulations?
They rely heavily on password policies
They allow interpretation
They are regularly updated
The industry standards take precedence

They rely heavily on password policies

Which statement best describes a suicide hacker?
This hacker may cross the line of what is ethical, but usually has good intentions and isn't being malicious
This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught
This hacker is motivated by religious or political beliefs and wants to create severe disruption or widespread fear
This hacker's main purpose is to protest an event and draw attention to their views and opinions

This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught

What type of threat actor only uses skills and knowledge for defensive purposes?
Gray hat
Script kiddie
White hat
Hacktivist

White hat

Miguel is performing a penetration test. His client needs to add Miguel's computer to the list of devices allowed to connect to the network. What type of security exception is this?
Whitelisting
White box
Black box
Blacklisting

Whitelisting

Which of the following is a consideration when scheduling a penetration test?
Who is aware of the test?
What risks are acceptable?
Which systems are being tested?
Are there any security exceptions?

Who is aware of the test?
