2.4 Assessment Tpyes
Which of the following best describes a supply chain?
A company provides materials to another company to manufacture a product.
A goal-based penetration test needs to have specific goals. Using SMART goals is extremely useful for this. What does SMART stand for?
Specific/Measurable/Attainable/Relevant/Timely
Which document explains the details of an objective-based test?
Scope of work
Payment Card Industry Data Security Standards (PCI-DSS)
Security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and other types of payment cards.
Digital MillenniumCopyright Act (DMCA)
Enacted in 1998, this law is designed to protect copyrighted works.
Sarbanes Oxley Act (SOX)
Federal regulation enacted in 2002 with the goal of implementing accounting and disclosure requirements that would increase transparency in corporate governance and financial reporting and formalize a system of internal checks and balances.
Digital Millennium Copyright Act (DMCA)
A federal regulation enacted in 1998 that is designed to protect copyrighted works.
Federal Information Security Management Act (FISMA)
A federal regulation that defines how federal government data, operations, and assets are handled.
Goal-Based Penetration Test
A goal-based penetration test will focus on the end results. The goals must be specific and well-defined before the test can begin. The penetration tester will utilize a wide range of skills and methods to carry out the test and meet the goals. When you determine the goals of the exam, you should use S.M.A.R.T. goals. S - Specific M - Measurable A - Attainable R - Relevant T - Timely
Sarbanes Oxley Act (SOX)
A law enacted in 2002 with the goal of implementing accounting and disclosure requirements that would increase transparency in corporate governance and financial reporting and formalizing a system of internal checks and balances.
Heather has been hired to work in a firm's cybersecurity division. Her role will include performing both offensive and defensive tasks. Which of the following roles applies to Heather?
A member of the purple team.
ISO/IEC 27001
A set of processes and requirements for an organization's information security management systems.
Health Insurance Portabilityand Accountability Act (HIPAA)
A set of standards that ensures a person's health information is kept safe and only shared with the patient and medical professionals that need it.
Health Insurance Portability and Accountability Act (HIPAA)
A set of standards that ensures a person's health information is kept safe and shared only with the patient and medical professionals who need it.
Objective-Based Penetration Test
An objective-based test focuses on the overall security of the organization and its data security. When people think of a penetration test, this is often what they think of. The scope of work and rules of engagement documents specify what is to be tested.
ABC company is in the process of merging with XYZ company. As part of the merger, a penetration test has been recommended. Testing the network systems, physical security, and data security have all been included in the scope of work. What else should be included in the scope of work?
Company culture
Which type of penetration test is required to ensure an organization is following federal laws and regulations?
Compliance-based
Charles found a song he wrote being used without his permission in a video on YouTube. Which law will help him protect his work?
DMCA
Federal Information SecurityManagement Act (FISMA)
Defines how federal government data, operations, and assets are handled.
Which of the following best describes what FISMA does?
Defines how federal government data, operations, and assets are handled.
Which of the following defines the security standards for any organization that handles cardholder information for any type of payment card?
PCI DSS
ISO/IEC 27001
Defines the processes and requirements for an organization's information security management systems.
Payment Card Industry DataSecurity Standards (PCI-DSS)
Defines the security standards for any organization that handles cardholder information for debit cards, credit cards, prepaid cards, and other types of payment cards.
Which of the following best describes a goal-based penetration test?
Focuses on the end results. The hacker determines the methods.
Michael is performing a penetration test for a hospital. Which federal regulation does Michael need to ensure he follows?
HIPAA
Which of the following best describes what SOX does?
Implements accounting and disclosure requirements that increase transparency.
Special Considerations
There are a few scenarios where extra or special considerations need to be taken into account, such as mergers and establishing supply chains. During a merger, a penetration test may be performed to assess physical security, data security, company culture, or other facets of an organization to determine if there are any shortcomings that may hinder or cancel the merger. When establishing a supply chain, a penetration test needs to be performed to determine if there are any security issues or violations that could affect everyone involved. The organizations need to ensure that their systems can talk to each other and their security measures align. For these tests, companies may employ red teams and blue teams. They may also utilize purple team members.
Which of the following is a limitation of relying on regulations?
They rely heavily on password policies.