Untitled Quiz
10 Questions
14 Views
Created by
@DeservingLongBeach

Questions and Answers

What type of penetration test is being conducted when it is performed from an external IP address without prior knowledge of the internal IT system architecture?

  • White box
  • Grey box
  • Red team
  • Black box (correct)

What type of vulnerability could be exploited in a Service Oriented Architecture Protocol (SOAP) due to insecure parsing of XML data?

  • XML denial of service issue (correct)
  • SQL injection
  • VPath injection
  • Cross-site scripting

What should be done when the final set of security controls does not eliminate all of the risk in a given system?

  • Continue to apply additional controls until there is zero risk
  • Ignore any remaining risk
  • Remove the current controls since they are not completely effective
  • Accept the risk if the residual risk is low enough (correct)

What could be a consequence of a contractor printing out a few reports from previous penetration tests?

The client's sensitive information could be leaked

What is the primary purpose of a penetration test?

To identify the most critical vulnerabilities

What might happen to the contractor who inadvertently exposed numerous vulnerabilities they had found at other companies on previous assessments?

The contractor's bid will be rejected due to the exposure of vulnerabilities

What type of document outlines what will and will not be performed during a penetration test?

SOW

What type of assessment seeks to validate a system's security posture against a particular checklist?

Compliance-based

What type of threat actor is highly funded and often backed by nation states?

APT

What is not a step in the NIST SP 800-115 Methodology?

Scoping

Study Notes

Penetration Testing

• A black box penetration test involves testing without prior knowledge of the internal IT system architecture.
• It is a type of penetration test where the tester is only given an external IP address and no information about the internal system.

Service Oriented Architecture Protocol (SOAP) Vulnerability

• A common SOAP vulnerability is an XML denial of service issue.
• This type of vulnerability can be exploited to cause a denial of service.

Risk Management

• If the final set of security controls does not eliminate all of the risk in a given system, the remaining risk should be accepted if it is low enough.
• It is not necessary to continue applying additional controls until there is zero risk.

Penetration Testing and Reporting

• Proof of previous penetration testing and reporting experience is often required when bidding for a contract.
• Contractors should be careful not to inadvertently expose vulnerabilities they had found at other companies on previous assessments.

Penetration Testing Documents

• A Statement of Work (SOW) is a formal document that states what will and will not be performed during a penetration test.
• A Non-Disclosure Agreement (NDA) is a legal contract outlining the confidential material or information that will be shared between the pentester and the organization during an assessment.

NIST SP 800-115 Methodology

• The NIST SP 800-115 Methodology includes the steps of planning, discovery, and reporting.
• Scoping is not a step in the NIST SP 800-115 Methodology.

White Box Assessment

• In a white box assessment, the pentester might receive support resources such as network diagrams, SOAP project files, and XSD.
• The pentester would not receive Personally Identifiable Information (PII) of employees.

Compliance-Based Assessment

• A compliance-based assessment seeks to validate a system's security posture against a particular checklist.
• It is a type of assessment that focuses on compliance with specific regulations or standards.

Threat Actors

• An Advanced Persistent Threat (APT) is a type of threat actor that is highly funded and often backed by nation states.
• APTs are typically more sophisticated and persistent than other types of threat actors.