CSIT 188 Midterm CH 1 Practice
In which type of penetration test does the tester have a limited amount of information about the target environment but is not granted full access? A. Gray box assessment B. Black box assessment C. Compliance-based assessment D. White box assessment
A. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. A white box test is performed with full knowledge of the underlying network. In a black box test, the tester sare not provided with access to or information about the target environment. Compliance-based assessments are designed to test compliance with specific laws.
Which type of penetration test best focuses the tester's time and efforts while still providing an approximate view of what a real attacker would see? A. Gray box assessment B. Black box assessment C. Goals-based assessment D. White box assessment
A. A gray box test is a blend of black box and white box testing. A gray box test usually provides limited information about the target to the penetration testers but does not provide full access, credentials, or configuration information. A gray box test can help focus penetration testers' time and effort while also providing a more accurate view of what an attacker would actually encounter. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization. A white box test is performed with full knowledge of the underlying network.
43. Which of the following is a contract where both parties agree to most of the terms that will govern future agreements? A. Master service agreement (MSA) B. Nondisclosure agreement (NDA) C. Statement of work (SOW) D. Purchase order (PO)
A. A master service agreement (MSA) is a contract where both parties agree to most of the terms that will govern future agreements. By defining these terms in an MSA, future agreements are much easier and faster to make. A purchase order is a binding agreement to make a purchase from a vendor. A SOW is a formal document that defines the scope of a penetration test. An NDA specifies what each party in an agreement is allowed to disclose to third parties.
124. You work for a penetration testing consulting firm and are negotiating with a potential client. The client has suggested that your organization sign an MSA with their organization. What should you do? A. Celebrate! This means the client wants to engage your firm for multiple engagements. B. Inform your employer that the deal likely won't go through. C. Warn your employer that the potential client will likely try to sue your firm. D. Terminate negotiations with the client.
A. A master services agreement (MSA) defines general terms that will apply to multiple future agreements. Therefore, an MSA is essentially a contract that defines the terms under which future work will be completed. Specific projects governed by the MSA will be defined by a statement of work (SOW). The fact that the client wants to sign an MSA indicates that they probably want to use your firm for multiple engagements.
120. You are the CIO of a startup company. You have selected a penetration testing firm that you want to use to run the company's first penetration test. However, the founder of the company gets upset upon finding out about your plans. The founder is concerned that proprietary information about the company's products may leak out through the contractor to competitors. Which document should you ask the contractor to sign to keep this from happening? A. NDA B. Noncompete agreement C. MSA D. SOW
A. A nondisclosure agreement (NDA) is a legal agreement that protects information that a contractor may discover during a penetration test. It forbids the contractor from revealing such information to unauthorized parties.
An attacker downloads the Low Orbit Ion Cannon from the Internet and then uses it to conduct a denial-of-service attack against a former employer's website. What kind of attacker is this? A. Script kiddie B. Hacktivist C. Organized crime D. Nation-state
A. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist's attacks are usually politically motivated. Organized crime actors are usually a highly organized group of cybercriminals whose main goal is to make a lot of money. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.
109. Which of the following best describes the term disclosure within the context of penetration testing? A. Gaining unauthorized access to information B. Making unauthorized changes to information C. Preventing the legitimate use of information D. Publicly acknowledging that a security breach has occurred and information has been compromised
A. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems.
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a black box assessment. The client has specified that they do not want the test to be conducted during peak times of the day, so you added "timeout" time frames to the document when testing will be suspended. You have specified that no communications will occur between you and the client until the end of the test when you submit your final test results. You have also specified that the target must provide you with internal access to the network, a network map, and authentication credentials. What did you do incorrectly in this scenario? A. Having detailed information about the internal network invalidates the results of the test. B. Pausing the assessment during peak times invalidates the results of the test. C. Communications between the testers and the client should occur at regular intervals throughout the test. D. Nothing. The ROE has been defined appropriately.
A. Because this is a black box assessment, the testers should have no prior knowledge of the environment to be tested nor should they have special access to it. In essence, they should attack the client from the same perspective as a real attacker would. It is quite appropriate to pause testing during peak times to avoid disrupting their critical business operations. It's also appropriate to communicate with the client only after the test is complete, especially on a black box assessment.
106. Which of the following best describes the term confidentiality within the context of penetration testing? A. Preventing unauthorized access to information B. Preventing unauthorized modifications to information C. Ensuring information remains available for authorized access D. Preventing legitimate access to information
A. Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter C in CIA stands for confidentiality, which seeks to prevent unauthorized access to information or systems.
53. Which of the following tiers of adversaries ranks threat actors, generally speaking, from least threatening to most threatening? A. Script kiddie, hacktivist, malicious insider, organized crime, nation-state B. Script kiddie, malicious insider, hacktivist, organized crime, nation-state C. Hacktivist, script kiddie, malicious insider, nation-state, organized crime D. Nation-state, organized crime, malicious insider, hacktivist, script kiddie
A. Generally speaking, if you were to rank threat actors into tiers from least threatening to most threatening, it would look something like the following: script kiddie > hacktivist > malicious insider > organized crime > nation-state.
33. Which type of penetration test best simulates an outsider attack? A. Black box B. Gray box C. White box D. Blue box
A. In a black box penetration test, the tester has no prior knowledge of the target. Therefore, it best simulates what would happen during an attack from the outside. Whitebox and gray-box penetration tests allow the tester to have some degree of prior knowledge about the target.
34. You need to conduct a penetration test for a client that best assesses the target organization's vulnerability to a malicious insider who has the network privileges of an average employee. Which type of test should you perform? A. Gray box B. White box C. Black box D. Red box
A. In a gray box penetration test, the tester has partial knowledge of the target. This can be used to simulate a malicious insider attack conducted by an average employee. In a black box penetration test, the tester has no prior knowledge of the target. In a white box test, the tester has extensive knowledge of the target.
57. A client has asked you to run a white box penetration test. Her organization has offices in the United Kingdom, Saudi Arabia, Pakistan, and Hong Kong. You load your penetration testing toolkit onto your laptop and travel to each office to run the assessment on-site. What did you do incorrectly in this scenario? A. It may be illegal to transport some penetration testing software and hardware internationally. B. A laptop doesn't have sufficient computing power to effectively run a penetration test. C. Travel costs can be reduced by running the assessment remotely from the tester's home location. D. Nothing. You did everything correctly.
A. Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you are traveling abroad with your penetration testing toolkit, you could be arrested if you have prohibited software or hardware in your possession.
42. You work for a penetration testing firm. A potential client called about your services. After reviewing what your organization can do, the client decides to schedule a single black box test. If they are happy with the results, they may consider future tests. Which of the following will you likely ask the client to sign first? A. Purchase order (PO) B. Nondisclosure agreement (NDA) C. Master service agreement (MSA) D. Statement of work (SOW)
A. Most likely, you will ask the client to sign a purchase order. A purchase order is a binding agreement to make a purchase from a vendor. With a purchase order in place, your organization can justify spending time and money defining a SOW and an NDA for the engagement. Because the client is essentially "trying" your services, an MSA would not yet be required, although it may be in the future.
77. You are scoping a white box penetration test for a client. The client has implemented network access controls (NAC) with IPSec to prevent devices that are out of compliance with company policies from connecting to the secure internal network. Because you are conducting a white box test, your testers' systems need to bypass NAC and be granted direct access to internal secure network. What should the client do to accomplish this? A. Configure certificate pinning. B. Connect their computers to a switch port that is on the secure internal network. C. Configure a NAC exception for each system. D. Temporarily disable NAC.
A. Normally, when NAC is implemented with IPSec, clients must meet company security policies before they are allowed to connect to the internal secure network. If they do, they are assigned a digital certificate that allows them to communicate with other systems on the internal secure network. To bypass NAC, certificate pinning can be used to assign a digital certificate to the testers' systems without proving they are in compliance every time they connect.
112. Natasha is running a gray box penetration test and discovers a flaw in a web application that allows her to directly access the information stored on the backend database server. Which penetration testing goal has she accomplished? A. Disclosure B. Integrity C. Alteration D. Denial
A. Penetration testers seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The first D in DAD stands for disclosure, which refers to gaining unauthorized access to information or systems. In this scenario, Natasha has gained access to information within the backend database that she should not have access to.
89. Which law regulates how financial institutions handle customers' personal information? A. GLBA B. SARBOX C. HIPPA D. FIPS 140-2
A. The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions handle customers' personal information. For example, it requires companies to have a written information security plan in place that identifies processes and procedures intended to protect that information.
87. You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? A. A password policy must be in place. B. Close all ports except for 80 and 443 in the firewall that protects the cardholder data environment (CDE). C. All hosts on a network must have a default gateway. D. All hosts on a network must have a unique host address.
A. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that a strong password policy be in place within the organization.
86. You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. Which of the following tests need to be included in the assessment? A. Install and update antivirus software on all systems. B. Use only security-certified Cisco routers in the environment. C. Close all ports except for 139 and 445 in the firewall that protects the cardholder data environment (CDE). D. Disable all monitoring of access to cardholder data.
A. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security controls that businesses are required to implement to protect credit card data. For example, one of the requirements specifies that antivirus software be installed on all systems and that it must be updated regularly.
68. Which of the following is a messaging protocol specification that defines how structured information can be exchanged between web applications and is created from WSDL files? A. SOAP B. XSD C. WADL D. Swagger
A. The Simple Object Access Protocol (SOAP) is a messaging protocol specification that defines how structured information can be exchanged between web applications. SOAP project files can be created from Web Services Description Language (WSDL) files.
71. Which of the following is an XML-based interface definition language used to describe the functionality offered by a Simple Object Access Protocol (SOAP) server? A. Web Service Description Language (WSDL) B. Web Application Description Language (WADL) C. Representational State Transfer (REST) D. Swagger
A. The Web Service Description Language (WSDL) is an XML-based interface definition language that is used to describe the functionality offered by a web application server, such as a SOAP server. WSDL doesn't work well with the Representational State Transfer (REST) web application architecture, which has been slowly replacing SOAP over the years.
39. What is the most important step in the penetration testing planning and scoping process? A. Obtaining written authorization from the client B. Writing the rules of engagement (ROE) C. Selecting a testing methodology D. Defining in-scope and out-of-scope systems, applications, and service providers
A. The most important step in the penetration testing planning and scoping process is to obtain written permission from the target to perform the test. Without written permission, you are considered a hacker and are subject to federal, state, and local laws regarding computer crime (such as U.S. Code, Title 18, Chapter 47, Sections 1029 and 1030).
117. Joshua works for a penetration testing consulting firm. During a recent penetration test, he ran an attack tool against the client's public-facing e-commerce website. It went offline for more than an hour. The client is now threatening to sue Joshua's employer. At what stage of the penetration testing process should the consulting firm and the client have agreed upon the risks associated with the test? A. Planning and scoping B. Information gathering and vulnerability identification C. Attacking and exploiting D. Reporting and communication
A. This discussion should have occurred during the planning and scoping phase. The penetration testing firm and the client should have agreed upon the rules to complete the assessment before the test began. This information should have been recorded in a written statement of work (SOW) that clearly identified the tools and techniques the penetration testers were allowed to use and the risks of using them.
48. A client has hired you to test the physical security of their facility. They have given you free rein to try to penetrate their facility using whatever method you want as long as it doesn't harm anyone or damage the property. What type of assessment is being conducted in this scenario? A. Goal-based B. Pre-merger C. Compliance-based D. Supply chain
A. This is an example of a goal-based assessment. The goal is to verify the organization's physical security using whatever means you desire. A premerger test is usually conducted on an organization prior to it merging with another. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization's vendors.
55. You are meeting with a new client to scope out the parameters of a future penetration test. During the course of the discussion, you ask the client if they are willing to accept the fact that a penetration test could cause service disruptions within their organization. The client responds affirmatively. What process has occurred in this scenario? A. Risk acceptance B. Due diligence C. Threat modeling D. Risk transfer
A. This is an example of risk acceptance. You have evaluated the client's tolerance of the impacts a penetration test could bring to the organization. It is important that the client be ready and able to accept the fact that a penetration test could cause a network outage or a service disruption.
78. During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client's facility. To keep this from happening again, the client completely removes the door and its frame from the building and fills the space with concrete. Which type of risk response is described in this scenario? A. Avoidance B. Transference C. Mitigation D. Acceptance
A. This is an example of risk avoidance. By removing the door and filling in the wall with concrete, the client has completely removed the risk of the door being used by an attacker to gain unauthorized access to the facility.
60. A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications leverage the Simple Object Access Protocol (SOAP). During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for? A. Web Services Description Language (WSDL) documentation B. Software Development Kit (SDK) documentation C. Web Application Description Language (WADL) documentation D. Application Programming Interface (API) documentation
A. Web Services Description Language (WSDL) is an XML-based interface definition language used for describing the functionality offered by a SOAP service.
100. You are scoping a black box penetration test. Where should the penetration testers be physically located? A. Internally within the organization's IT department B. Any external location C. Within a competing organization's facility D. Anywhere internal to the organization's facility
B. A black box test is designed to simulate an external attack. The penetration testers should have the same perspective that a typical external attacker would have. Therefore, they should be located in a similar manner, that is, in any external location.
49. One of your clients accepts credit cards from customers and uses its internal network and servers to process payments. The credit card companies each specify that the client must undergo regular penetration testing to ensure that its password policies, data isolation policies, access controls, and key management mechanisms adequately protect consumer credit card data. What type of assessment is required in this scenario? A. Goal-based B. Compliance-based C. Supply chain D. Red team
B. A compliance-based assessment is required in this scenario. This is a risk-based assessment that ensures policies or regulations are being followed appropriately. Most likely, the credit card companies will provide the organization with a checklist that the penetration tester will use to conduct the assessment. A goal-based assessment will specify a goal to be met by the test. A supply chain assessment involves testing an organization's vendors. A red team assessment is usually conducted by internal testers to ensure an organization's IT staff (the blue team) can adequately defend the network.
Which threat actor is most likely to be motivated by a political cause? A. Malicious insider B. Hacktivist C. Organized crime D. Script kiddie
B. A hacktivist's attacks are usually politically motivated, instead of financially motivated. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A script kiddie may have a variety of motivations, such as notoriety.
An attacker who is a passionate advocate for brine shrimp attacks and defaces the website of a company that harvests brine shrimp and sells them as fish food. What type of attacker is this? A. Script kiddie B. Hacktivist C. Organized crime D. Nation-state
B. A hacktivist's attacks are usually politically motivated, instead of financially motivated. Typically, they want to expose perceived corruption or gain attention for their cause. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.
41. You work for a penetration testing firm. You go to dinner with a potential client. To demonstrate your organization's technical expertise with penetration testing, you list several of your other clients by name and describe in detail various problems your assessments discovered at each one. Which of the following was violated when you did this? A. Statement of work (SOW) B. Nondisclosure agreement (NDA) C. Master service agreement (MSA) D. Purchase order (PO)
B. A nondisclosure agreement (NDA) is a legal contract that defines what confidential information can be shared and what cannot be shared. In most penetration testing agreements, the NDA specifies that the tester may not reveal the results of the test to anyone other than the client itself. A SOW is a formal document that defines the scope of the penetration test. An MSA defines terms that will govern future agreements. A purchase order is a binding agreement to make a purchase from a vendor.
Which threat actor is most likely to be motivated by a desire to gain attention? A. Malicious insider B. Script kiddie C. Organized crime D. Nation-state
B. A script kiddie may have a variety of motivations. One of the most common is attention. They frequently brag about their exploits in online forums and social media. A malicious insider is usually motivated by either revenge or financial gain. An organized crime actor is most likely motivated by financial gain. A nation-state is most likely motivated by political or military goals.
110. Which of the following best describes the term alteration within the context of penetration testing? A. Gaining unauthorized access to information B. Making unauthorized changes to information C. Preventing the legitimate use of information D. Leveraging one successful compromise to compromise another otherwise inaccessible system within a network
B. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems.
37. You work for a penetration testing firm. A client calls and asks you to perform an exhaustive test that deeply probes their infrastructure for vulnerabilities. What kind of test should you recommend? A. Gray box B. White box C. Black box D. Blue box
B. Because the tester is given extensive internal access to the target network, a white box test usually provides the most exhaustive assessment. More time can be spent probing for deep vulnerabilities than is possible with a black or gray box test.
36. A penetration tester uses a typical employee email account to send a phishing email exploit to managers and executives within the target organization. The goal is to see how many actually fall for the exploit and click the link in the message. What kind of penetration test is being performed in this scenario? A. Black box B. Gray box C. White box D. Red box
B. Because the tester is using an internal email account (the kind used by a typical employee) to conduct the test, the tester is most likely performing a gray box test. In a black box test, the tester would have to use an external email account. In a white box test, the tester would likely use elevated privileges and access to conduct the test.
83. You have just met with a new client that has requested that you perform a penetration test for them. The client manages a string of retail storefronts that accept credit cards. They need you to assess whether they are PCI-DSS compliant. What should you do first in the scoping process? A. Negotiate a fee for the penetration test. B. Review the PCI-DSS requirements. C. Set the schedule for the penetration test. D. Pose as a customer and visit several of the storefronts to pre-assess the organization.
B. Because this is a compliance penetration test, you first need to access the PCI-DSS standards and review the requirements for the client to be considered "compliant." Typically, the governing organization will publish checklists that you should use to assess compliance. These checklists will strongly influence the scope, budget, and schedule for the test.
50. One of your clients was recently purchased by a large multinational organization. Before the purchase can be finalized, your client must be subjected to an extensive penetration test. What kind of assessment is required in this scenario? A. Objective-based B. Pre-merger C. Compliance-based D. Supply chain
B. Before two organizations merge, it is common for penetration tests to be conducted to identify any security vulnerabilities that need to be addressed before their networks are connected. An objective-based assessment is designed to test whether information can remain secure. A compliance-based test is done to ensure that an organization remains in compliance with governmental regulations or corporate policies. A supply chain test involves testing an organization's vendors.
Which type of penetration test best replicates the perspective of a real-world attacker? A. Gray box assessment B. Black box assessment C. Objective-based assessment D. White box assessment
B. Black box tests are sometimes called zero knowledge tests because they replicate what a typical external attacker would encounter. Testers are not provided with any access or information. A white box test is performed with full knowledge of the underlying network.A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.
107. Which of the following best describes the term integrity within the context of penetration testing? A. Preventing unauthorized access to information B. Preventing unauthorized modifications to information C. Ensuring information remains available for authorized access D. Gaining unauthorized access to information
B. Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter I in CIA stands for integrity, which seeks to prevent unauthorized modification of information or systems.
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization's e-commerce website. The tester, located in a different city, will utilize several different penetration testing tools to analyze the site and attack it. The tester does not have any information about the site or any authentication credentials. What type of test is being conducted in this scenario? A. White box assessment B. Black box assessment C. Objective-based assessment D. Gray box assessment
B. In a black box test, testers are not provided with any access to or information about the target. A white box test is performed with full knowledge of the underlying network. A gray box test may provide some information about the environment to the penetration testers without giving full access. Objective-based assessments are usually designed to assess the overall security of an organization.
47. You have recently concluded a penetration test for a client, and now need to write up your final conclusions. What should you do? A. Rely on your memory of what happened during the test to create the report. B. Analyze the testers' written log files. C. Ask your fellow testers to email you the top three issues they discovered during the test. D. Ask your client's IT staff to email you the top three issues they noticed during the test.
B. It is important that all penetration testers keep carefully written logs of the actions they take during an assessment. These logs should identify what the tester did, when they did it, what system(s) they were using, what system(s) they were attacking, and what the results were. You should avoid relying upon tester or client memories alone. They tend to be faulty and incomplete.
125. You are performing a white box penetration test for a client. You arrive at the client's site and plug your laptop into an open network jack. However, your laptop receives only limited connectivity on the client's network. You run the ipconfig command and notice that your laptop has received an IP address, but you can see only one other host on the network. Why did this happen? A. Your laptop was detected by the client's intrusion protection system (IPS) and has been blacklisted. B. The client's network access control (NAC) system has quarantined your laptop on a remediation network. C. Your laptop was detected by the client's intrusion detection system (IDS) and has been blacklisted. D. The client has enabled MAC address filtering on their network switches.
B. Most likely, the client has implemented a network access control (NAC) system. Your laptop didn't meet the criteria required by NAC to connect to the secure network, so it was quarantined on an isolated remediation network where it can access a remediation server (the other host on the network) to come into compliance.
70. Which of the following protocols is the Representational State Transfer (REST) web application architecture based on? A. FTP B. HTTP C. SMB D. LDAP
B. The Representational State Transfer (REST) web application architecture is based on the Hypertext Transfer Protocol (HTTP).
91. Which law sets standards for publicly traded companies in the United States with respect to security policies, standards, and controls? A. GLBA B. SARBOX C. HIPPA D. FIPS 140-2
B. The Sarbanes-Oxley act sets standards for publicly traded U.S. companies with respect to security policies, standards, and controls. For example, it sets standards for network access, authentication, and security.
72. Which of the following architectures is used to provide an XML-based description of HTTP-based web services running on a web application server and is commonly used with Representational State Transfer (REST) web applications? A. Simple Object Access Protocol (SOAP) B. Web Application Description Language (WADL) C. Representational State Transfer (REST) D. Swagger
B. The Web Application Description Language (WADL) provides an XML-based description of HTTP-based web services running on a web application server. WADL is typically used with Representational State Transfer (REST) web services. WADL is an alternative to WSDL and is generally considered easier to use but also lacks the flexibility associated with WSDL.
73. Which of the following is a World Wide Web Consortium (W3C) specification that identifies how to define elements within an XML document? A. SOAP B. XSD C. REST D. WSDL
B. The XLM Schema Definition (XSD) is a W3C specification that identifies how to define elements within an XML document.
28. You own a small penetration testing consulting firm. You are worried that a client may sue you months or years after penetration testing is complete if their network is compromised by an exploit that didn't exist when the test was conducted. What should you do? A. Insist that clients sign a nondisclosure agreement (NDA) prior to the test. B. Include a disclaimer in the agreement indicating that the results are valid only at the point in time when the test was performed. C. Include an arbitration clause in the agreement to prevent a lawsuit. D. Insist that clients sign a statement of work (SOW) prior to the test.
B. The testing agreement should contain a disclaimer indicating that the test is valid only at the point in time that it is conducted and that the scope and methodology requested by the client can impact the comprehensiveness of the test. An NDA specifies what each party in an agreement is allowed to disclose to third parties. An arbitration clause could still result in a settlement that goes against the pen test consultant. A SOW alone won't protect you against this kind of lawsuit unless it contains a point-in-time clause, discussed earlier.
81. An organization has recently learned that its facility has been built within a few hundred yards of a major fault line. The management team decides to purchase an extended insurance policy that will cover a loss of business operations should an earthquake occur. Which type of risk response is described in this scenario? A. Avoidance B. Transference C. Mitigation D. Acceptance
B. This is an example of risk transference. Rather than avoid the risk by moving to a new location or mitigate the risk with seismic upgrades to the facility, the client has moved the risk to the insurance company.
80. Your client hosts a large e-commerce website that sells clothing and accessories. During a penetration test, a tester was able to intercept customers' credit card numbers as they were being processed by an internal card processing application. To keep this from happening again, the client decides to outsource all credit card processing to a third-party processor. All transactions are redirected to the third-party processor such that your client never sees the actual credit card data. Which type of risk response is described in this scenario? A. Avoidance B. Transference C. Mitigation D. Acceptance
B. This is an example of risk transference. Rather than avoid the risk or mitigate the risk, the client has moved the risk to the third-party processor.
98. You are scoping an upcoming penetration test. You need to identify the technical constraints associated with the test. What should be included in this part of the scope documentation? A. A list of penetration testing tools that your testers are not qualified to use B. A list of systems that are off-limits to testing C. A list of technologies that the client's IT staff have not been certified in D. A list of uncertified hardware devices in use within the client's organization
B. Typically, the technical constraints associated with a penetration test identify systems that can be tested and those that can't be tested. For example, suppose the client uses automated robotic production equipment to make their products. This equipment is very expensive, and they may not want you to include it in the test.
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization's HR database application. The tester has been given a desk, a computer connected to the organization's network, and a network diagram. However, the tester has not been given any authentication credentials. What type of test is being conducted in this scenario? A. Compliance-based assessment B. Black box assessment C. Gray box assessment D. White box assessment
C. A gray box test may provide some information about the environment to the penetration testers without giving full access, credentials, or configuration details. Compliance-based assessments are designed to test compliance with specific laws. In a black box test, the testers are not provided with access to or information about the target environment. A white box test is performed with full knowledge of the underlying network.edg
121. Which of the following threat actors is probably the least dangerous based on the adversary tier list? A. Hacktivist B. Malicious insider C. Script kiddie D. Nation-state actor
C. A script kiddie usually lacks the technical sophistication to mount an attack using their own tools. Instead, they typically download existing tools and run them. Because these tools are already known to the cybersecurity community, script kiddies generally pose less of a threat than the other types of actors in the adversary tier list.
A group of hackers located in a former Soviet-bloc nation have banded together and released a ransomware app on the Internet. Their goal is to extort money in the form of crypto currency from their victims. What kind of attacker is this? A. Malicious insider B. Hacktivist C. Organized crime D. Nation-state
C. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain. Attacks carried out by organized crime groups can last a long time, are very well-funded, and are usually quite sophisticated. A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A hacktivist's attacks are usually politically motivated. A nation-state threat actor acts on behalf of a nation to inflict harm on a rival nation.
67. You want to generate sample application requests for an in-house developed web application that a client's users use every day to complete their day-to-day tasks. How should this be done? A. Enter exactly the same data into the web application that end users enter. B. Enter data that is similar to the data that end users enter into the application. C. Enter completely unexpected data into the application. D. Ask the system administrator to generate the samples for you.
C. Applications developed in-house aren't usually subjected to the same level of scrutiny as commercial applications, which make them possible attack vectors that can be exploited. For example, when generating sample application requests, most penetration testers throw unexpected information at applications developed in-house to see how the application responds. For example, you may find that entering a very long text string into a field that is expecting only eight characters could generate a buffer overflow error. You could then use this poor error handling behavior to insert and run malicious code on the web server hosting the application.
115. Brittany is running a gray box penetration test. She discovers a flaw in an HR web application. Using a SQL injection attack, she can add or remove hours to or from an employee's timecard for the current pay period. Which penetration testing goal has she accomplished? A. Disclosure B. Availability C. Alteration D. Confidentiality
C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Brittany has altered the employee pay accounting system.
113. Kimberly is running a gray box penetration test and discovers a flaw in an online company directory application that allows her to submit LDAP commands in an employee lookup field. She uses this flaw to add a new user account that she can use as a back door. Which penetration testing goal has she accomplished? A. Disclosure B. Availability C. Alteration D. Denial
C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The A in DAD stands for alteration, which refers to making unauthorized changes to information or systems. In this scenario, Kimberly has altered the authentication system by adding an unauthorized user account.
111. Which of the following best describes the term denial within the context of penetration testing? A. Gaining unauthorized access to information B. Making unauthorized changes to information C. Preventing the legitimate use of information D. Failing to publicly acknowledging that a security breach has occurred and that information has been compromised
C. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems.
A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The aim is to circumvent security measures and gain unauthorized access to this information. What type of assessment is being conducted in this scenario? A. Objective-based assessment B. Gray box assessment C. Compliance-based assessment D. White box assessment
C. Because patient records are protected by the HIPPA law in the United States, this is an example of a compliance assessment. Compliance-based assessments are designed to test compliance with specific laws. Objective-based assessments are usually designed to assess the overall security of an organization. Gray box and white box assessments identify the level of knowledge the attacker has of the organization.
35. Which type of penetration test requires the most time and money to conduct? A. White box B. Gray box C. Black box D. Green box
C. Because the penetration tester has no knowledge of the target, a black box test takes the most time and money to conduct. In contrast, gray box and white box tests are usually must less expensive and take less time to conduct because the tester has some level of prior knowledge about the target.
99. You are in the initial stages of scoping a gray box penetration test with a new client. What is a question you should ask to better define the project scope? A. Who performed penetration tests for the client in the past? B. What are the names and email addresses of all internal technical staff members? C. Should the test be conducted on-site or from an off-site location? D. Is there a cubicle near a window available for the penetration testers to use?
C. Because this is a gray box penetration test, you should probably ask the client if they want the test performed on-site or if they want you to test from a remote off-site location. An on-site test would likely produce better results, but it would also cost more because the penetration testers would incur travel expenses. An off-site test would cost less because it wouldn't require travel expenses, but it may produce lower quality results because the testers aren't physically on-site.
108. Which of the following best describes the term availability within the context of penetration testing? A. Preventing unauthorized access to information B. Preventing unauthorized modifications to information C. Ensuring information remains available for authorized access D. Making unauthorized changes to information
C. Cybersecurity professionals use the well-known CIA triad model to describe the goals of information security. The letter A in CIA stands for availability, which ensures that information remains available for authorized access.
93. A new client calls to schedule a gray box penetration test. You gather some basic information about the client over the phone, put together a scope for the test, and create a schedule for the test. You then hire several contractors to help conduct the test and begin the assessment on the scheduled date. Did you scope this assessment properly? A. Yes, proper scoping procedures were followed. B. No, the schedule should be defined before the scope is created. C. No, you should have spent more time understanding the target audience before scoping the assessment. D. No, the contracts should have helped create the scope of the assessment.
C. In this scenario, insufficient time was spent getting to know the target audience for the penetration test. Time should have been spent with the client to learn about their organization, the goals of the test, and so on. Only then should the scope be created.
96. You are scoping an upcoming external black box penetration test for the client. One of your penetration testers has developed a vulnerability scanner that is very aggressive. In fact, in a previous test, her scanner brought down the client's customer-facing website for almost 30 minutes. However, by doing so, that client was able to learn a great deal about several vulnerabilities in their web application software. What should you do for the current client? A. Instruct your penetration tester to not use her vulnerability scanner in the upcoming assessment. B. Instruct your penetration tester to use her vulnerability scanner in the upcoming assessment. C. Conduct an impact analysis with the new client and determine their tolerance to impact. D. Fire the penetration tester.
C. In this scenario, the best approach would be to conduct an impact analysis with the client and determine their tolerance to impact. Is the information to be gained by using the vulnerability scanner worth the potential risk? For some organizations, the risk may be worth the benefit. For others, it may not. Either way, the penetration tester should not use the tool until the impact analysis is complete and the client is aware of the risks.
58. A client has asked you to run a white box penetration test. Her organization has offices in the United States, Indonesia, Thailand, and Singapore. To avoid international transportation of your penetration testing software, you upload it to your Google Drive account. Then you travel to each site, download the software, and run it locally on your laptop. Did you handle your penetration testing software appropriately in this scenario? A. Yes, using Google Drive to access the software internationally shields you from prosecution. B. No, most foreign nations block access to Google Drive. C. No, it is legal to transport most penetration testing software into these countries. D. No, it is illegal to transport most penetration testing software internationally using the Internet.
C. Many penetration testing tools may be covered by export restrictions. The United States prohibits the export of some types of software and hardware, including encryption tools. If you transfer these tools internationally over the Internet, you could be arrested.
105. Which of the following best describes the term the hacker's mindset within the context of penetration testing? A. A penetration tester must adopt a defensive mind-set, trying to protect against all threats. B. A penetration tester must think like a security professional, assessing the strength and value of every security control in use. C. A penetration tester must think like an adversary who might attack the system in the real world. D. A penetration tester must think like a military leader, organizing an open attack on many fronts by many attackers.
C. Penetration testers must take a different approach in their thinking. Instead of trying to defend against all possible threats, they only need to find a single vulnerability that they can exploit to achieve their goals. To find these vulnerabilities, they must think like an adversary who might attack the system in the real world. This approach is commonly known as adopting the hacker mind-set.
90. Which law requires that healthcare-related organizations must be in compliance with certain security standards? A. GLBA B. SARBOX C. HIPPA D. FIPS 140-2
C. The Health Insurance Portability and Accountability Act of 1996 governs healthcare organizations. They must comply with the rules and regulations specified in the act, such as requiring a risk analysis and testing the organization's security controls.
61. A client has asked you to run a white box penetration test. The goal is to assess the security of their web-based applications. These applications are based on Representational State Transfer (REST) architecture. During the scoping process, you determine that it would be helpful if you had access to the organization's internal documentation for these applications. Which of the following should you ask your client for? A. Web Services Description Language (WSDL) documentation B. Software Development Kit (SDK) documentation C. Web Application Description Language (WADL) documentation D. Application Programming Interface (API) documentation
C. The Web Application Description Language (WADL) is an XML-based machinereadable description of HTTP-based web services. As such, it is typically used with REST services instead of SOAP.
You have been asked to perform a penetration test for a medium-sized organization that sells after-market motorcycle parts online. What is the first task you should complete? A. Research the organization's product offerings. B. Determine the budget available for the test. C. Identify the scope of the test. D. Gain authorization to perform the test.
C. The first step in the penetration testing process is to work with the client to clearly define the scope of the test. The scope determines what penetration testers will do and how their time will be spent. Researching the organization's products is a task that will probably be done after the scope of work has been defined. Determining the budget and gaining authorization are subtasks that are usually completed as a part of the overall scoping process.
40. Which of the following is a formal document that defines exactly what will be done during a penetration test? A. Master service agreement (MSA) B. Nondisclosure agreement (NDA) C. Statement of work (SOW) D. Purchase order (PO)
C. The statement of work (SOW) is a formal document that defines the scope of the penetration test. It identifies exactly what will happen during the test. An MSA defines terms that will govern future agreements. An NDA specifies what each party in an agreement is allowed to disclose to third parties. A purchase order is a binding agreement to make a purchase from a vendor.
29. You own a small penetration testing consulting firm. You are worried that a client who requests a black box assessment may sue you after penetration testing is complete if their network is compromised by an exploit. What should you do? A. Insist that clients sign a purchase order prior to the test. B. Insist that clients sign a master services agreement (MSA) prior to the test. C. Include a disclaimer in the agreement indicating that the test methodology can impact the comprehensiveness of the test. D. Refuse to perform black box tests.
C. The testing agreement or scope documentation should contain a disclaimer explaining that the scope and methodology requested by the client can impact the comprehensiveness of the test. For example, a white box test is more likely to discover hidden vulnerabilities than a black box test can. A purchase order is a binding agreement to purchase goods or services. An MSA is an agreement that defines terms that will govern future agreements. Black box tests can provide a unique perspective and should not be forsaken.
79. During a penetration test, an unmonitored side door was left ajar by an employee, which the tester then used to gain physical access to the client's facility. To keep this from happening again, the client places a security guard in the hallway and instructs her to prevent unauthorized access. Which type of risk response is described in this scenario? A. Avoidance B. Transference C. Mitigation D. Acceptance
C. This is an example of risk mitigation. Instead of completely removing the risk, the client has used a security guard as a countermeasure. The risk of unauthorized access still exists, but the use of the security guard controls that risk.
54. One of your clients is a public advocacy group. Some of its political stances are very unpopular with several fringe activists, and they are concerned that a hacktivist may try to hijack their public-facing website. They have asked you to run a penetration test using the same tools and techniques that a typical hacktivist would have the technical aptitude and funds to use. What process has occurred in this scenario? A. Due diligence B. Risk acceptance C. Threat modeling D. Scope creep
C. This is an example of threat modeling. Using threat modeling, you determine the type of threat you want to emulate during the penetration test. Then you use the same tools, techniques, and approaches that type of threat would typically use.
You are defining the rules of engagement (ROE) for an upcoming penetration test. During this process, you have defined off-limit times when you should not attack the target, a list of in-scope and out-of-scope systems, and data-handling requirements for the information you gather during the test. You also phoned one of the help-desk technicians at the target site and received verbal permission to conduct the test. You recorded the technician's name and the date in the ROE document. What did you do incorrectly in this scenario? A. For privacy reasons, you should not have identified the internal technician by name in the ROE document. B. Including "off-limits" times reduces the accuracy of the test. C. The ROE should include written permission from senior management. D. All systems should be potential targets during the test. E. The target should not know how you are storing the information gathered during the test.
C. Verbal permission is usually considered insufficient. Before beginning a penetration test, you must obtain a signed agreement from senior management giving you permission to conduct the test. This agreement will function as a "get out of jail free" card should your activities be reported to authorities. The other parameters described in this scenario have been defined appropriately.
63. You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to the information stored on an internal database server. Which information should the client provide you with prior to starting the test? A. Architectural diagrams B. Swagger document C. XSD D. Network diagrams
D. A black box penetration test should simulate the view an external attacker would have of the network. Therefore, the tester should have little or no knowledge of the internal network.
An employee has just received a very negative performance review from his manager. The employee feels the review was biased and the poor rating unjustified. In retaliation, the employee accesses confidential employee compensation information from an HR database server and posts it anonymously on Glassdoor. What kind of attacker is this? A. Script kiddie B. Hacktivist C. Organized crime D. Malicious insider
D. A malicious insider attack occurs when someone within the organization uses the credentials they have been legitimately given to carry out an attack. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist's attacks are usually politically motivated, instead of financially motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.
52. You work on the security team for a large organization. Your team has been tasked with conducting an internal penetration test to verify whether your organization's IT staff can adequately defend against it. What type of assessment is being used in this scenario? A. Goal-based B. Compliance-based C. Supply chain D. Red team
D. A red team assessment is usually conducted by internal testers to ensure an organization's IT staff (the blue team) can adequately defend the network. A goal-based assessment is designed to test a specific aspect of an organization's security. A supply chain test involves testing an organization's vendors. A compliance-based test is performed to ensure that an organization remains in compliance with governmental regulations or corporate policies.
An attacker carries out an attack against a government contractor in a neighboring country, with the goal of gaining access through the contractor to the rival country's governmental network infrastructure. The government of the attacker's own country is directing and funding the attack. What type of threat actor is this? A. Script kiddie B. Hacktivist C. Organized crime D. Nation-state
D. A state-sponsored attacker usually operates under the direction of a government agency. The attacks are usually aimed at government contractors or even the government systems themselves. A script kiddie is an individual who carries out an attack using code written by more advanced hackers. A hacktivist's attacks are usually politically motivated. An organized crime threat actor is a group of cybercriminals whose main goal is financial gain.
118. Which of the following is a document defined during the planning and scoping phase of a penetration test that identifies specific techniques, tools, activities, deliverables, and schedules for the test? A. MSA B. NDA C. Memorandum of understanding D. SOW
D. A statement of work (SOW) is an agreement that should be defined during the planning and scoping phase of a penetration test. It contains a working agreement between the penetration tester and the client that identifies specific techniques, tools, activities, deliverables, and schedules for the test. It may be used in conjunction with an existing master services agreement (MSA).
119. Which of the following types of assessments would provide a penetration tester with access to the configuration of a network firewall without requiring the tester to actually compromise that firewall? A. Gray box B. Red team C. Black box D. White box
D. A white box penetration test provides complete access to the internal network, including configuration settings of key infrastructure devices such as routers, switches, access points, and servers. For this reason, white box tests are sometimes referred to as full-knowledge tests because they provide full access and visibility.
A consultant has been hired by an organization to perform a penetration test. The target of the test is the organization's internal firewalls. The tester has been given a desk, a computer connected to the organization's network, and a network diagram. The tester has also been given authentication credentials with a fairly high level of access. What type of test is being conducted in this scenario? A. Gray box assessment B. Black box assessment C. Goals-based assessment D. White box assessment
D. A white box test is performed with full knowledge of the underlying technology, configuration, and settings of the target organization's network. A gray box test may provide some information about the environment to the penetration testers without giving full access. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.
A consultant has been hired to perform a penetration test for an organization in the healthcare industry. The target of the test is a public-facing self-service website that users can access to view their health records. The penetration tester has been given full knowledge of the organization's underlying network. What type of test is being conducted in this example? A. Goal-based assessment B. Black box assessment C. Objective-based assessment D. White box assessment
D. A white box test is performed with full knowledge of the underlying technology,configuration, and settings of the target organization's network. In a black box test, the testers are not provided with access to or information about the target environment. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.
122. Which of the following threat actors is probably the most dangerous based on the adversary tier list? A. Hacktivist B. Malicious insider C. Organized crime actor D. APT
D. Advanced persistent threats (APTs) are often sponsored by nation-states and thus are very well funded and have access to high-end technical resources and knowledge. As such, an APT typically poses the greatest threat of all the actors on the adversary tier list.
114. Jessica is running a gray box penetration test. She uses the Low Orbit Ion Cannon utility to send a flood of TCP packets to a file server within the organization. As a result, the file server becomes overloaded and can no longer respond to legitimate network requests. Which penetration testing goal has she accomplished? A. Disclosure B. Confidentiality C. Alteration D. Denial
D. Attackers (and penetration testers) seek to undermine the goals of the CIA triad model using the corresponding goals of the DAD triad. The second D in DAD stands for denial, which refers to preventing the legitimate use of information or systems. In this scenario, Jessica has executed a denial of service (DoS) attack against the file server, denying legitimate access to it.
Which type of penetration test usually provides the most thorough assessment in the least amount of time? A. Gray box assessment B. Black box assessment C. Goals-based assessment D. White box assessment
D. Because a white box assessment provides the penetration testers with extensive information about the target, it usually provides the most thorough assessment and typically requires the least amount of time to conduct. A gray box test is a blend of black box and white box testing. As such, it takes longer to conduct because more information must be discovered by the testers. In a black box test, the testers are not provided with access to or information about the target environment, which makes the assessment much less complete and takes much longer to conduct. Goals-based or objective-based assessments are usually designed to assess the overall security of an organization.
32. You are arranging the terms of a penetration test with a new client. Which of the following is an appropriate way to secure legal permission to conduct the test? A. Ask a member of senior management via email for permission to perform the test. B. Ask a member of the IT staff over the phone for permission to perform the test. C. Ask a member of the IT staff to sign a document granting you permission to perform the test. D. Ask a member of senior management to sign a document granting you permission to perform the test.
D. Before conducting a penetration test, you must get written permission from the senior management of the target organization to perform the test. Getting permission verbally or via email is generally not acceptable. Getting permission from the IT staff is also generally not acceptable.
92. Which of the following provides standards that certify cryptographic modules? A. GLBA B. SARBOX C. HIPPA D. FIPS 140-2
D. FIPS 140-2 is a U.S. government security standard that certifies cryptographic modules.
51. An organization's network was recently hacked. The attackers first compromised the weak security used by one of the organization's contractors. Then they used the contractor's authentication credentials to gain access to the organization itself. Which type of penetration assessment could have prevented this? A. Objective-based B. Pre-merger C. Goal-based D. Supply chain
D. In a supply chain assessment, a penetration test is conducted on an organization's vendors to ensure their networks are secure and can't be used as a pivot point to compromise the organization itself. A goal-based assessment is designed to test a specific aspect of an organization's security. A premerger test is usually conducted on an organization prior to it merging with another.
64. You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client's end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test? A. Architectural diagrams B. Sample requests C. XSD D. All of the above
D. In a white box test, you should have access to extensive internal documentation. Because an in-house developed application will be used as the attack vector, you should require the client to provide as much documentation about that application as possible. For example, you should ask for architectural diagrams, sample application requests, and the swagger document, as applicable.
82. During a penetration test, your testers discovered that they could easily copy confidential data to their personal mobile devices and then send that data to recipients outside the organization using their devices' mobile broadband connection. You recommend that they implement a mobile device management (MDM) system. However, the client has determined that such a measure is too expensive and complicated to implement. In fact, they will not implement any type of controls to prevent this from happening in the future. Which type of risk response is described in this scenario? A. Avoidance B. Transference C. Mitigation D. Acceptance
D. In this scenario, the client has determined that the risk is an acceptable one and will not take measures to control it. Typically, this happens when an organization determines that the cost of removing or controlling a risk exceeds the cost of a security incident arising from that risk.
94. You have just completed a gray box penetration test for a client. You have written up your final report and delivered it to the client. You also made sure that all access granted to you by the client to conduct the test has been disabled. You write a blog article identifying the client and the results of the assessment and post it to ensure no one else makes the same security mistakes the client made. Did you terminate the penetration test properly? A. Yes, the penetration test was terminated properly. B. No, the access privileges should have remained in place for the next penetration test. C. No, the access privileges should have been removed before the final report was produced. D. No, the confidentiality of the findings was not maintained.
D. In this scenario, the confidentiality of the findings was not maintained. The blog post revealed far too much information about the client. It may take the client weeks or even months to address the issues discovered in the assessment. By publishing the findings publicly, you exposed your client to potential attacks.
123. You are running a penetration test for a client. You are using your penetration testing toolkit running on a personal laptop to conduct scans on various network infrastructure devices, including servers, routers, and switches. Suddenly, the network has gone dark. You can no longer access any devices on the client's network. Which of the following could explain what has happened? A. Your scans crashed a perimeter router. B. Your scans crashed a switch on the network backbone. C. Your laptop's IP address got whitelisted. D. Your laptop's IP address got blacklisted.
D. In this scenario, your scans were detected by an intrusion protection system (IPS), and as a result, the IP address used by your laptop got put on a blacklist. Now, all the devices on the client's network are dropping packets with the blacklisted IP address.
A consultant has been hired to perform a penetration test for an organization. The target of the test is the organization's proprietary design documents. The aim is to circumvent security measures and gain unauthorized access to these documents. What type of assessment is being conducted in this scenario? A. Objective-based assessment B. Goal-based assessment C. Compliance-based assessment D. Red team assessment
D. Red team assessments are typically more targeted than normal penetration tests. The red team acts like an attacker, targeting sensitive data or systems with the goal of acquiring access. Goal-based or objective-based assessments are usually designed to assess the overall security of an organization. Compliance-based assessments are designed to test compliance with specific laws.
69. Which of the following is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services? A. SOAP B. XSD C. WSDL D. Swagger
D. Swagger is an open source framework designed to help developers design, build, document, and test Representational State Transfer (REST) web services. REST is an alternative to the SOAP protocol. In fact, REST has started to replace SOAP as the framework of choice in most modern web applications.
59. You are asked to perform a penetration test for an organization with offices located in New York City, Los Angeles, and Fargo. Which cybersecurity laws and regulations do you need to check as you scope the assessment? A. U.S. federal cybersecurity law B. State cybersecurity laws in New York, California, and North Dakota C. Local cybersecurity laws in each physical location D. Interpol regulations
D. The laws and regulations that apply to penetration testing and penetration testers vary from state to state within the United States. That means you need to understand what laws apply to the work you're doing. In this scenario, you need to check all federal, state, and local laws that apply to the assessment you plan to carry out. It is recommended that you retain the services of an attorney to keep yourself out of trouble.
31. You work at a penetration testing consulting firm. An organization that you have not worked with previously calls and asks you to perform a black box assessment of its network. You agree on a price and scope over the phone. After quickly designing the test on paper, you begin execution later that afternoon. Was this test conducted properly? A. Yes, proper penetration test planning and scoping procedures were followed. B. No, new clients should be properly vetted before beginning an assessment. C. No, a master service agreement (MSA) should be signed before testing begins. D. No, the rules of engagement (ROE) for the test should be documented and signed by both parties.
D. The rules of engagement (ROE) should have been clearly defined and signed by both parties before the penetration test begins. Not having the ROE in place exposes your organization to potential litigation should something go wrong during the testing process. The vetting of a new client occurs during the process of scoping the test and creating the ROE document. An MSA defines terms that will govern future agreements.
You are defining the rules of engagement (ROE) for an upcoming penetration test. This will be a white box assessment. You have specified that the target may not employ shunning or blacklisting during the test. You have specified that the target must provide you with internal access to the network, a network map, and authentication credentials. You have also specified that applications provided by a SaaS service provider are off- limits during the test. What did you do incorrectly in this scenario? A. The target should be allowed to use whatever means it chooses to defend itself. B. Having detailed information about the internal network invalidates the results of the test. C. All network resources should be subject to testing, including cloud-based resources. D. Nothing. The ROE has been defined appropriately.
D. The rules of engagement have been defined appropriately in this scenario. For example, it is quite appropriate to define what defensive behaviors the target is allowed to use during the test. Likewise, a white box test will likely include detailed information about the internal network. It's also not uncommon for third-party service providers to be excluded from the test.
56. You are running a penetration test for a client. The original test calls for you to test the security of one of the client's remote branch offices. The client called today and indicated that they are concerned about the security readiness of a second branch office. They insisted that you expand the penetration test to include this second site. What process occurred in this scenario? A. Due diligence B. Risk acceptance C. Threat modeling D. Scope creep
D. This is an example of scope creep. Scope creep is the addition of additional parameters and/or targets to the scope of the assessment. This is a common occurrence and should be planned for in your initial scoping. For example, you and the client could agree on pricing and schedule adjustments that could be made if the scope of the test needs to expand.
74. You are scoping a white box penetration test for a client. The goal is to see whether you can gain access to confidential research data stored on an internal database server. You want to target an internally developed data collection application that the client's end users use on a daily basis to catalog and store information in the database. Which information should the client provide you with prior to starting the test? A. Configuration files B. Data flow diagrams C. Software development kit (SDK) documentation D. All of the above
D. When conducting a white box penetration test, especially one that will target applications developed in-house, having the documentation for the SDK that was used to create the application can be very helpful. Data flow diagrams can also provide penetration testers with an understanding of how the target application communicates with other network services. Configuration files may contain account information, IP addresses, API keys, and possibly even passwords.
76. You are scoping a black box penetration test for a client. The goal is to see whether you can gain access to sensitive financial data stored on an internal database server. What should the client do prior to starting the test? A. Create internal user accounts for the testers that have the same level of privileges as a typical employee. B. Whitelist the testers' user accounts in their web application firewall (WAF). C. Configure certificate pinning. D. Configure security exceptions that allow the penetration testers' systems to bypass network access controls (NAC). E. None of the above.
E. Because a black box test is being conducted in this scenario, the client's network should be in "shields up" mode. The penetration testers should not have internal user accounts, nor should their systems be allowed to bypass NAC security controls. Certificate pinning should not be allowed.