10 Questions
What is the primary purpose of stopping an Internal Penetration Test and alerting the client?
If a system becomes unresponsive or evidence of illegal activity is found
What should be mentioned to customers during a penetration test?
The possibility of log entries and alarms in their security applications
Why is an additional contractor's agreement required for physical testing?
To comply with physical environment laws
What is the purpose of the additional contractor's agreement in physical testing?
To act as a 'get out of jail free card' in case of issues
What should customers do if a penetration test negatively impacts their network?
Immediately contact the testing company
What is the primary goal of Information Gathering during a penetration test?
To gather data about the target system
What type of intelligence is used during Information Gathering?
Open-Source Intelligence
What is a potential risk of brute forcing or similar attacks during a penetration test?
Locking out users
Why is it essential to inform employees about the penetration test?
To limit the risk of social engineering
What is a category of Information Gathering during a penetration test?
Service Enumeration
Study Notes
Third-Party Providers
- Determining third-party providers from which the customer obtains services is essential
- Examples of third-party providers include cloud providers, ISPs, and other hosting providers
- Written consent from these providers is required, describing their agreement and awareness of the simulated hacking attack
Evasive Testing
- Evasive testing involves evading and passing security traffic and security systems in the customer's infrastructure
- Such techniques are used to find out information about internal components and attack them
- Permission from the client is required to use such techniques
Risks and Consequences
- Informing the client about the risks involved in the tests and possible consequences is crucial
- Based on the risks and their potential severity, limitations can be set and precautions taken
Scope and Limitations
- Determining which servers, workstations, or other network components are essential for the client's proper functioning is vital
- Avoiding these components and not influencing them further is necessary to prevent critical technical errors
Information Handling
- Compliance with regulations such as HIPAA, PCI, HITRUST, FISMA/NIST, etc. is necessary
- A scoping questionnaire is used to determine the services chosen by the client
Penetration Testing Process
- Various types of penetration tests include Internal Vulnerability Assessment, External Vulnerability Assessment, Internal Penetration Test, External Penetration Test, etc.
- Additional questions to be answered include expected live hosts, IPs/CIDR ranges in scope, domains/subdomains, wireless SSIDs, etc.
Notification and Risks
- Notifying the client of potential risks during a penetration test is essential
- Examples of potential risks include many log entries and alarms in security applications, accidentally locking out users, and negatively impacting the network
Contractor's Agreement
- An additional contractor's agreement is required for physical testing
- This agreement is necessary to avoid legal implications in case of physical intrusion or social engineering attempts
This quiz covers the importance of obtaining written consent from third-party providers, such as cloud providers and ISPs, before conducting simulated hacking attacks. It's essential to ensure they are aware of the potential risks and agree to the terms.