Ch. 2- Planning and Scoping Penetration Tests

Statement of Work (SOW)

A document that defines the purpose of the work, what work will be done, what deliverables will be created, the timeline for the work to be completed, the price for the work, and any additional terms and conditions that cover the work.

C. While the ISO or the sponsor may be the proper signing authority, it is important that Charles verify that the person who signs actually is the organization's proper signing authority. That means this person must have the authority to commit the organization to a penetration test. Unfortunately, it isn't a legal term, so Charles may have to do some homework with his project sponsor to ensure that this happens correctly.

Charles has completed the scoping exercise for his penetration test and has signed the agreement with his client. Whose signature should be expected as the counter signature? A. The information security officer B. The project sponsor C. The proper signing authority D. An administrative assistant

Master Services Agreement (MSA)

Defines the terms that the organizations will use for future work. This makes ongoing engagements and SOWs much easier to work through, as this is referred to in the SOW, preventing the need to renegotiate terms. They are common when organizations anticipate working together over a period of time or when a support contract is created.

C. Scope creep occurs when additional items are added to the scope of an assessment. Chris has gone beyond the scope of the initial assessment agreement. This can be expensive for clients, or it may cost Chris income if the additional time and effort are not accounted for in an addendum to his existing contract.

During a penetration test specifically scoped to a single web application, Chris discovers that the web server also contains a list of passwords to other servers at the target location. After he notifies the client, they ask him to use them to validate those servers, and he proceeds to test those passwords against the other servers. What has occurred? A. Malfeasance B. Pivoting C. Scope creep D. Target expansion

D. The IP address or network that Alex is sending his traffic from was most likely blacklisted as part of the target organization's defensive practices. A whitelist would allow him in, and it is far less likely that the server or network has gone down.

During a penetration test, Alex discovers that he is unable to scan a server that he was able to successfully scan earlier in the day from the same IP address. What has most likely happened? A. His IP address was whitelisted. B. The server crashed. C. The network is down. D. His IP address was blacklisted.

C. Knowing the SSIDs that are in scope is critical when working in shared buildings. Penetrating the wrong network could cause legal or even criminal repercussions for a careless penetration tester!

During an on-site penetration test, what scoping element is critical for wireless assessments when working in shared buildings? A. Encryption type B. Wireless frequency C. SSIDs D. Preshared keys

C. Lauren has limited information about her target, which means she is likely conducting a gray box assessment. If she had full knowledge, she would be conducting a white, or crystal, box assessment. If she had no knowledge, it would be a black box assessment.

During the scoping phase of a penetration test, Lauren is provided with the IP range of the systems she will test, as well as information about what the systems run, but she does not receive a full network diagram. What type of assessment is she most likely conducting? A. A white box assessment B. A crystal box assessment C. A gray box assessment D. A black box assessment

B, C. Both the comprehensiveness of the test and the limitation that it is only relevant at the point in time it is conducted are appropriate disclaimers for Elaine to include. The risk and impact tolerance of the organization being assessed should be used to define the scope and rules of engagement for the assessment.

Elaine wants to ensure that the limitations of her red-team penetration test are fully explained. Which of the following are valid disclaimers for her agreement? (Choose two.) A. Risk tolerance B. Point-in-time C. Comprehensiveness D. Impact tolerance

Pre-merger

In this scenario, the penetration test is typically intended to help the acquiring company understand the security capabilities and status of the acquired company.

D. PCI DSS is an industry compliance standard for organizations that process credit cards. Thus, Lucas is conducting a compliance-based assessment.

Lucas has been hired to conduct a penetration test of an organization that processes credit cards. His work will follow the recommendations of the PCI DSS. What type of assessment is Lucas conducting? A. An objectives-based assessment B. A red-team assessment C. A black-team assessment D. A compliance-based assessment

B. Certificate pinning associates a host with an X.509 certificate or public key. The rest of the answers were made up!

Susan's organization uses a technique that associates hosts with their public keys. What type of technique are they using? A. Key boxing B. Certificate pinning C. X.509 locking D. Public key privacy

B. Assessments are valid only when they occur. Systems change due to patches, user changes, and configuration changes on a constant basis. Greg's point-in-time validity statement is a key element in penetration testing engagement contracts.

The penetration testing agreement document that Greg asks his clients to sign includes a statement that the assessment is valid only at the point in time at which it occurs. Why does he include this language? A. His testing may create changes. B. The environment is unlikely to be the same in the future. C. Attackers may use the same flaws to change the environment. D. The test will not be fully comprehensive.

Non-Disclosure Agreements (NDAs) or Confidentiality Agreements (CAs)

These are legal documents that help to enforce confidential relationships between two parties. They protect one or more parties in the relationship and typically outline the parties, what information should be considered confidential, how long the agreement lasts, when and how disclosure is acceptable, and how confidential information should be handled.

Gray box

These tests are a blend of black box and white box testing. This test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. This test can help focus penetration testers' time and effort while also providing a more accurate view of what an attacker would actually encounter.

Goals-based or objectives-based assessments

These tests are conducted for specific reasons. Examples include validation of a new security design, testing an application or service infrastructure before it enters production, and assessing the security of an organization that has recently been acquired.

Compliance-based assessments

These tests are designed around the compliance objectives of a law, standard, or other guidance and may require engaging a specific provider or assessor that is certified to perform the assessment.

Black box

These tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems as an attacker would.

White box

These tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Testers will typically have information including network diagrams, lists of systems and IP network ranges, and even credentials to the systems they are testing.

Red-team assessments

These tests are typically more targeted than normal penetration tests. The teams attempt to act like an attacker, targeting sensitive data or systems with the goal of acquiring data and access. Unlike other types of penetration tests, these assessments are not intended to provide details of all of the security flaws a target has.

Noncompete Agreements

These ask you to agree not to take a job with a competitor or to directly compete with your employer in a future job. They are often time-limited, with a clause stating that you won't take a job in the same field for a set period of time.

Certificate pinning

This associates a host with an X.509 certificate (or a public key) and then uses that association to make a trust decision. That means that if the certificate changes, the remote system will no longer be recognized and the client shouldn't be able to visit it.

Scope

This determines what penetration testers will do and how their time will be spent.

Contract

This documents the agreement between the penetration tester and the client or customer who engaged them for the test.

Authorization

This is the requirement that penetration tests be approved by signature from the organization's proper signing authorities before work begins.

Supply chain

In this scenario, the test targets the suppliers and partner organizations that the client organization wants to review, in order to determine whether those suppliers have effective security controls in place.

Statements of Objectives (SOOs) and Performance Work Statements (PWSs)

Two alternatives to statements of work include __________ and __________, both of which are used by the US government.

A. A master services agreement (MSA) is a contract that defines the terms under which future work will be completed. Specific work is then typically handled under a statement of work or SOW.

What does an MSA typically include? A. The terms that will govern future agreements B. Mutual support during assessments C. Micro-services architecture D. The minimum service level acceptable

A. Black box testing is often called "zero knowledge" testing because testers have no knowledge of the systems or their settings, unlike the full knowledge provided by a white box test or even the limited knowledge provided by a gray box test.

What penetration testing strategy is also known as "zero knowledge" testing? A. Black box testing B. Grey box testing C. Red-team testing D. White box testing

C. A statement of work covers the working agreement between two parties and is used in addition to an existing contract or master services agreement (MSA). An NDA is a nondisclosure agreement, and the acronym MOD was made up for this question.

What term describes a document created to define project-specific activities, deliverables, and timelines based on an existing contract? A. NDA B. MSA C. SOW D. MOD

B. Script kiddies are most likely to only use prebuilt attack tools and techniques. More advanced threats will customize existing tools or even build entirely new tools and techniques to compromise a target.

What type of adversary is most likely to use only prewritten tools for their attacks? A. APTs B. Script kiddies C. Hacktivists D. Organized crime

A. A red-team assessment actively seeks to act like an attacker, and a black box strategy means the attacker has no foreknowledge or information about the organization. This best simulates an actual attacker's efforts to penetrate an organization's security.

What type of assessment most closely simulates an actual attacker's efforts? A. A red-team assessment with a black box strategy B. A goals-based assessment with a white box strategy C. A red-team assessment with a crystal box strategy D. A compliance-based assessment with a black box strategy

B. Web Services Description Language is an XML-based language used to describe the functionality that a web service provides. XML is a common basis for many descriptive languages used for a variety of documents and service definitions that a penetration tester may encounter.

What type of language is WSDL based on? A. HTML B. XML C. WSML D. DIML

B. A nondisclosure agreement, or NDA, covers the data and other information that a penetration tester may encounter or discover during their work. It acts as a legal agreement preventing disclosure of that information.

What type of legal agreement typically covers sensitive data and information that a penetration tester may encounter while performing an assessment? A. A noncompete B. An NDA C. A data security agreement D. A DSA

D. A red-team assessment is intended to simulate an actual attack or penetration, and testers will focus on finding ways in and maximizing access rather than comprehensively identifying and testing all the vulnerabilities and flaws that they can find.

What type of penetration test is not aimed at identifying as many vulnerabilities as possible and instead focuses on vulnerabilities that specifically align with the goals of gaining control of specific systems or data? A. An objectives-based assessment B. A compliance-based assessment C. A black-team assessment D. A red-team assessment

A. Advanced persistent threats are often nation-state-sponsored organizations with significant resources and capabilities. They represent the highest level of threat on the adversary tier list.

Which of the following threat actors is the most dangerous based on the adversary tier list? A. APTs B. Hacktivists C. Insider threats D. Organized crime

C. White box testing, also known as "crystal box" or "full knowledge" testing, provides complete access and visibility. Black box testing provides no information, while gray box testing provides limited information. Red box testing is not a common industry term.

Which of the following types of penetration test would provide testers with complete visibility into the configuration of a web server without having to compromise the server to gain that information? A. Black box B. Gray box C. White box D. Red box

C. The organization that Cassandra is testing has likely deployed network access control, or NAC. Her system will not have the proper NAC client installed, and she will be unable to access that network jack without authenticating and having her system approved by the NAC system.

While performing an on-site penetration test, Cassandra plugs her laptop into an accessible network jack. When she attempts to connect, however, she does not receive an IP address and gets no network connectivity. She knows that the port was working previously. What technology has her target most likely deployed? A. Jack whitelisting B. Jack blacklisting C. NAC D. 802.15
