Ethical Hacking Pro - Questions, 2.4.4 - Assessment Types (Practice Questions), 2.5.7 - Legal and Ethical Compliance (Practice Questions)
Which type of threat actor only uses skills and knowledge for defensive purposes?
White hat
ABC company is in the process of merging with XYZ company. As part of the merger, a penetration test has been recommended. Testing the network systems, physical security, and data security have all been included in the scope of work. What else should be included in the scope of work?
Company culture
The following formula defines which method of dealing with risk? Cost of Risk > Damage = Risk _________
Acceptance
The Stuxnet worm was discovered in 2010 and was used to gain sensitive information on Iran's industrial infrastructure. This worm was probably active for about five years before being discovered. During this time, the attacker had access to the target. Which type of attack was Stuxnet?
Advanced Persistent Threat (APT)
Heather is in the middle of performing a penetration test when her client asks her to also check the security of an additional server. Which of the following documents does she need to submit before performing the additional task? * Rules of engagement * Permission to test * Scope of work * Change order
Change order
You are executing an attack in order to simulate an outside attack. Which type of penetration test are you performing?
Black box
Hannah is working on the scope of work with her client. During the planning, she discovers that some of the servers are cloud-based servers. Which of the following should she do?
Add the cloud host to the scope of work.
Heather has been hired to work in a firm's cyber security division. Her role will include performing both offensive and defensive tasks. Which of the following roles applies to Heather?
A member of the purple team.
Which of the following elements is generally considered the weakest link in an organization's security? * Human * Servers * Network * Physical
Human
Yeswnia was recently terminated from her position, where she was using her personal cell phone for business purposes. Upon termination, her phone was remotely wiped. Which of the following corporate policies allows this action?
BYOD policy
A goal-based penetration test needs to have specific goals. Using SMART goals is extremely useful for this. What does SMART stand for?
Specific/Measurable/Attainable/Relevant/Timely
A client asking for small deviations from the scope of work is called:
Scope creep
During a risk assessment, the organization determines that the risk of collecting personal data from its customers is not acceptable and stops. What method of dealing with risk is the organization using?
Avoidance
During a penetration test, Dylan is caught testing the physical security. Which document should Dylan have on his person to avoid being arrested? (AKA the "get out of jail free" card)
Permission to test
During a penetration test, Heidi runs into an ethical situation she's never faced before and is unsure how to proceed. Which of the following should she do?
Reach out to an attorney for legal advice.
During a penetration test, Mitch discovers child pornography on a client's computer. Which of the following actions should he take?
Immediately stop the test and report the finding to the authorities.
During an authorized penetration test, Michael discovered his client's financial records. Which of the following should he do?
Ignore the records and move on.
Penetration testing is the practice of finding vulnerabilities and risks with the purpose of securing a computer or network. Penetration testing falls under which all-encompassing term?
Ethical Hacking
Miguel is performing a penetration test on a web server. Miguel was given only the server's IP address and name. Which of the following best describes the type of penetration test Miguel is performing? * Internal * Black box * External * White box
External
What is the third step in the ethical hacking methodology?
Gain access
Miguel has been practicing his hacking skills. He has discovered a vulnerability on a system that he did not have permission to attack. Once Miguel discovered the vulnerability, he anonymously alerted the owner and instructed him how to secure the system. What type of hacker is Miguel in this scenario?
Gray hat
You are performing a penetration test of a local area network (LAN). Refer to the circled area on the network diagram (diagram: LAN >> FIREWALL >> WAN, with the LAN side circled). Which of the following types of penetration tests is being performed? * Internal * External * Gray Box * Black Box
Internal
Which of the following is considered a mission-critical application? * Support log * Customer database * Medical database * Video player
Medical database
Michael is performing a penetration test for a hospital. Which federal regulation does Michael need to ensure he follows?
HIPAA
Miguel is performing a penetration test on his client's web-based application. Which penetration test framework should Miguel utilize?
OWASP
Randy was just hired as a penetration tester for the red team. Which of the following best describes the red team? * Acts as a pipeline between teams and can work on any side. * Is responsible for establishing and implementing policies. * Is a team of specialists that focus on the organization's defensive security. * Performs offensive security tasks to test the network's security
Performs offensive security tasks to test the network's security.
The penetration testing life cycle is a common methodology used when performing a penetration test. This methodology is almost identical to the ethical hacking methodology. What is the key difference between these methodologies?
Reporting
What does an organization do to identify areas of vulnerability within their network and security systems?
Risk assessment
Heather is performing a penetration test. She has gathered a lot of valuable information about her target already. Heather has used some hacking tools to determine that, on her target network, a computer named Production Workstation has port 445 open. Which step in the ethical hacking methodology is Heather performing?
Scanning and enumeration
Which of the following documents details exactly what can be tested during a penetration test? * Scope of Work * Master Service Agreement * Non-Disclosure Agreement * Rules of Engagement
Scope of Work
Which of the following is a deviation from standard operating security protocols? * MAC filtering * Whitelisting * Security exception * Blacklisting
Security exception
Which document explains the details of an objective-based test?
Scope of work
Which of the following best describes social engineering? * A stealthy computer network attack in which a person or group gains unauthorized access for an extended period. * Sending an email that appears to be from a bank to trick the target into entering their credentials on a malicious website. * The process of analyzing an organization's security and locating security holes. * The art of deceiving and manipulating others into doing what you want.
The art of deceiving and manipulating others into doing what you want.
Which of the following best describes a gray box penetration test? * The ethical hacker is given full knowledge of the target or network. * The ethical hacker has no information regarding the target or network. * The ethical hacker has partial information about the target or network. * The ethical hacker is given strict guidelines about what can be targeted.
The ethical hacker has partial information about the target or network.
Which of the following best describes a goal-based penetration test?
Focuses on the end results. The hacker determines the methods.
Which statement best describes a suicide hacker? * This hacker's main purpose is to protest an event and draw attention to their views and opinions. * This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught. * This hacker may cross the line of what is ethical, but usually has good intentions and isn't being malicious. * This hacker is motivated by religious or political beliefs and wants to create severe disruption or widespread fear.
This hacker is only concerned with taking down their target for a cause. They have no concerns about being caught.
The process of analyzing an organization's security and determining its security holes is known as:
Threat modeling
After performing a risk assessment, an organization must decide what areas of operation can be included in a penetration test and what areas cannot be included. Which of the following describes the process? * Tolerance * Mitigation * Avoidance * Transference
Tolerance
United States Code Title 18, Chapter 47, Section 1029 deals with which of the following?
Fraud and related activity involving access devices.
What are the rules and regulations defined and put in place by an organization called?
Corporate policies
Which of the following best describes what FISMA does?
Defines how federal government data, operations, and assets are handled.
Which of the following best describes what SOX does?
Implements accounting and disclosure requirements that increase transparency.
Which of the following defines the security standards for any organization that handles cardholder information for any type of payment card?
PCI DSS
Which of the following is a common corporate policy that would be reviewed during a penetration test?
Password policy
Which of the following is a limitation of relying on regulations?
They rely heavily on password policies.
Which of the following policies would cover what you should do in case of a data breach?
Sensitive data handling policy
Which type of penetration test is required to ensure an organization is following federal laws and regulations?
Compliance-based
Miguel is performing a penetration test. His client needs to add Miguel's computer to the list of devices allowed to connect to the network. What type of security exception is this? * White box * Whitelisting * Black box * Blacklisting
Whitelisting
Which of the following is a consideration when scheduling a penetration test? * Are there any security exceptions? * Which systems are being tested? * What risks are acceptable? * Who is aware of the test?
Who is aware of the test?
Charles found a song he wrote being used without his permission in a video on YouTube. Which law will help him protect his work?
DMCA
Heather is working for a cyber security firm based in Florida. She will be conducting a remote penetration test for her client, who is based in Utah. Which state's laws and regulations will she need to adhere to?
Both companies need to agree on which laws to adhere to.
Which of the following best describes a master service agreement?
A contract where parties agree to the terms that will govern future actions.
Which of the following best describes a non-disclosure agreement?
A common legal contract outlining confidential material that will be shared during the assessment.
Which of the following best describes a supply chain?
A company provides materials to another company to manufacture a product.
Which of the following best describes the Wassenaar Arrangement?
An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software.
Which of the following best describes the rules of engagement document?
Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.