1_8_1 Section 1 – Attacks, Threats, and Vulnerabilities - 1.8 – Penetration Testing - Penetration Testing

Questions and Answers

What is the purpose of creating persistence in a system?

• To identify the exploit used to gain access to the system
• To prevent others from gaining access to the system
• To fix the vulnerabilities found in the system
• To ensure that access to the system can be regained later (correct)

What is a pivot point in penetration testing?

• A system that is used to store exploits and vulnerabilities
• A system that is used to launch attacks on other systems (correct)
• The initial system that is exploited to gain access to the network
• A system that is used to monitor the network traffic

What is the importance of reverting systems back to their original state after a penetration test?

• To prevent the system from being used for malicious purposes
• To restore the system to its original configuration to prevent any further exploitation (correct)
• To erase any evidence of the penetration test
• To ensure that the exploits found are fixed

What is a bug bounty?

A reward for identifying vulnerabilities in a system (C)

Why is it essential to remove back doors and pivot points after a penetration test?

To prevent others from using them for malicious purposes (D)

What is the goal of a penetration tester who performs tests in search of a bug bounty?

To earn money by identifying vulnerabilities (C)

What is the main goal of a penetration test?

To gain access to a system and simulate an external attack (B)

What is the difference between a penetration test and a vulnerability scan?

A penetration test actively tries to exploit vulnerabilities, whereas a vulnerability scan only identifies them (B)

What is the purpose of defining rules of engagement for a penetration test?

To ensure everybody knows the purpose and scope of the test (B)

What document can provide guidance on designing and planning for penetration tests?

NIST's Technical Guide to Information Security Testing and Assessment (B)

Who typically performs penetration tests?

Third-party contractors (C)

Why are penetration tests often mandated?

To ensure compliance with regulations (C)

What is the purpose of including a list of IP addresses in the rules of engagement for a penetration test?

To identify devices that are in scope for the test and those that are not (B)

Why is it important to have emergency contacts listed in the rules of engagement?

In case something goes wrong during the test and quick action is needed (B)

What is the goal of a penetration test?

To identify vulnerabilities and exploit them (D)

What is lateral movement in the context of a penetration test?

Moving from device to device on the inside of a network (C)

Why is it important to perform a penetration test?

To identify vulnerabilities and fix them before attackers do (D)

What type of penetration test is it where the tester has no prior knowledge of the systems?

Unknown environment (A)

What is the purpose of including sensitive information in the rules of engagement?

To ensure that the tester is aware of sensitive data that may be accessed (C)

What is a potential risk of performing a penetration test?

Creating a denial of service (A)

What is the purpose of performing password brute-force attacks during a penetration test?

To try to guess passwords using common passwords (D)

Why is it important to have permission to exploit vulnerabilities during a penetration test?

To avoid legal consequences (D)