
Solution Manual For CompTIA PenTest+ Guide to Penetration Testing 1st Edition by Rob Wilson Module 1-13


1. What are two other terms for penetration testing?
   a. Vulnerability testing
   b. Pen testing
   c. Ethical hacking
   d. Blue teaming
   Answer: b, c
   Penetration testing is also known as pen testing or ethical hacking and is an authorized series of security-related, non-malicious "attacks" on targets such as computing devices, applications, or an organization's physical resources and personnel.

2. The purpose of pen testing is to discover vulnerabilities in targets so that these vulnerabilities can be eliminated or mitigated.
   a. True
   b. False
   Answer: a
   The purpose of pen testing is to discover vulnerabilities in targets so that the vulnerabilities can be eliminated or mitigated before a threat actor with malicious intent exploits them to cause damage to systems, data, and the organization that owns them.

3. Pen testing should be performed under which of the following circumstances? Choose all that apply.
   a. A new computer system has been installed.
   b. A new software system or an update to a software system has been installed.
   c. Following a regular schedule to make sure no unknown changes have impacted security.
   d. Performed as dictated by compliance standards such as PCI DSS.
   Answer: a, b, c, d
   Pen testing should be performed as a regular practice, to meet compliance standards, and after a major change in a computing environment, such as the installation of a new computer system, application, or update.

4. Which of the following are possible targets for penetration testing?
   a. Web application.
   b. Computer.
   c. Staff.
   d. All of these are correct.
   Answer: d
   Web applications and other software, computers and related systems, and staff or other personnel can be targets for penetration testing.

5. The targets under test and the actions that a pen tester is allowed to perform need to be well-defined, documented, and agreed upon by all parties before pen testing begins. True or false?
   a. True
   b. False
   Answer: a
   Because pen-testing activities are the same as illegal hacking activities, though with different goals, the pen-testing targets and actions must be well-defined, documented, and agreed upon by all parties before pen testing begins.

6. Use your favorite search engine to research bug bounties. Find three different bug bounties that were paid, and in a one-page report, summarize these bounties. Make sure to include the vulnerability details, the organization that paid the bounty, and how much they paid.
   Answers will vary, but a good report will follow the instructions and have exactly three bug bounty examples. It will also describe the vulnerability details, the organization that paid the bounty, and the amount.

7. The CIA triad expresses how the cornerstones of confidentiality, integrity, and accessibility are linked together to provide security for computer systems and their data.
   a. True
   b. False
   Answer: a
   In the CIA triad, confidentiality of information dictates that an object should only be accessible to authorized entities. Integrity of information or systems ensures that an object has not been corrupted or destroyed by unauthorized entities. Availability requires that objects and services must be accessible to authorized entities when needed and should not be made unavailable by threat actors or system failures.

8. Which triad is the antithesis of the CIA triad?
   a. BAD
   b. SAD
   c. ADD
   d. DAD
   Answer: d
   The DAD (disclosure, alteration, destruction) triad is the antithesis of the CIA triad because it expresses the goals of disclosing confidential information, altering or corrupting the integrity of information, and destroying or denying the availability of access to resources.

9. Which of the following are needed to properly maintain the ethical hacking mindset?
   a. Pen testers must be careful to conduct themselves ethically with professionalism and integrity.
   b. Pen testers must not accidentally stray into the realm of the malicious hacker and cause damage to systems or data.
   c. Pen testers must do no harm and stay within the boundaries of what activities have been specified and sanctioned in the penetration testing agreement documents.
   d. All of these are correct.
   Answer: d
   Pen testers must conduct themselves ethically with professionalism and integrity, cannot accidentally stray into the realm of the malicious hacker and cause damage to systems or data, and must do no harm by staying within the boundaries of the specified activities.

10. Which penetration testing team is responsible for launching "authorized attacks" against an organization's resources/targets?
   a. Red team
   b. Blue team
   c. Purple team
   d. Other stakeholders
   Answer: a
   The red team launches authorized attacks against an organization's resources or targets to discover vulnerabilities and prove a vulnerability exists.

11. Which penetration testing team consists of defenders trying to detect and thwart attacks?
   a. Red team
   b. Blue team
   c. Purple team
   d. Other stakeholders
   Answer: b
   Blue team members are the defenders trying to detect, identify, and thwart red team attacks.

12. Which penetration testing team helps coordinate the pen-testing activities by providing an oversight role to bridge between other teams?
   a. Red team
   b. Blue team
   c. Purple team
   d. Other stakeholders
   Answer: c
   The purple team helps coordinate the pen-testing activities. It provides oversight by observing red and blue team activities, offers guidance on how to make the teams and their operations more effective, and reports the results of pen-testing activities.

13. Which of the following groups are considered to be other stakeholders? Choose all that apply.
   a. Management
   b. Development
   c. Legal
   d. IT Department
   Answer: a, b, c
   Other stakeholders are members of the organization with expertise in management, development, and legal areas.

14. Which phase of the pen-testing process includes activities such as active reconnaissance, vulnerability scanning, and social engineering?
   a. Planning and scoping
   b. Information gathering and vulnerability scanning
   c. Attacking and exploiting
   d. Reporting and communicating results
   Answer: b
   The information gathering and vulnerability scanning phase includes active reconnaissance (also called footprinting), vulnerability scanning and analysis, and social engineering.

15. Which phase of the pen-testing process includes activities such as getting written authorization, determining targets, defining goals, and building teams?
   a. Planning and scoping
   b. Information gathering and vulnerability scanning
   c. Attacking and exploiting
   d. Reporting and communicating results
   Answer: a
   The planning and scoping phase lays the groundwork for all the activities that follow and includes securing written authorization, determining targets, defining goals, and building teams.

16. You are a member of the penetration-testing red team. You are trying to get into the server room without authorization. What phase of pen testing are you in?
   a. Planning and scoping
   b. Information gathering and vulnerability scanning
   c. Attacking and exploiting
   d. Reporting and communicating results
   Answer: c
   The attacking and exploiting phase includes activities such as password cracking, SQL injection, circumventing security settings to access data, and physical attacks such as trying to break into the server room.
Uploaded On: Apr 09, 2025
Number of pages: 72