IT430 Scoping & Engagement
What reference list is published by MITRE to be used as a baseline of known vulnerabilities?
CVE
Which items are included in a statement of work (SOW)?
Deliverables; Payment schedule; Scope of work
Which act updated the Wiretap Act of 1968 to include email and computer-based communications?
Electronic Communications Privacy Act (ECPA)
What is the primary focus of the service level agreement (SLA)?
Ensuring service expectations are met
Which clauses typically appear in a non-disclosure agreement?
Governing law and jurisdiction; Return of materials; Purpose
What is the primary focus of the master services agreement (MSA)?
Governs the relationship
What are tests carried out with partial knowledge, with full knowledge, and without access called?
Gray Box - Partial; White Box - Full; Black Box - No access
What is one of the biggest risks to confidentiality once a pentesting project has been completed?
Not wrapping up and unwinding pentesting changes
What environment is under consideration when pentesting against non-production systems?
Testing environment
Impersonating a high-level or important individual to breach sensitive data or transfer money is which type of attack?
Whaling
What form of approval is needed before pentesting attacks begin?
Written agreement from signing authority
How frequently does the PCI DSS require that pentesting be performed to maintain compliance?
Yearly
What is it called when additions or changes are made to the scope after pentesting is underway?
Scope creep