Chapter 10 Test Questions & Answers, Understanding How to Finalize: Model Test Questions | CompTIA PenTest+ Cert Guide, 1st edition, by Omar Santos
CompTIA® PenTest+ Cert Guide
Chapter 10 Understanding How to Finalize a Penetration Test
1) After you clean up a tested system, who should validate that the cleanup effort is sufficient?
A) You should validate it yourself
B) The user assigned to the tested system
C) Your supervisor
D) The client
2) Which of these should you not delete from a tested system when cleaning it up?
A) User accounts created
B) Databases that you interacted with
C) Shells spawned on exploited systems
D) Database input created by automated tools or manually
3) What is the final deliverable of a third-party penetration testing assignment?
A) Cleaned up server
B) Compromised systems
C) Penetration testing report
D) Suite of testing tools
4) It is important that your report not contain what?
A) False positive findings
B) Personally identifiable information about users
C) Identifiable information about specific servers
D) All of the above
5) How can you ensure that your report does not contain false findings?
A) Validate each finding
B) Have your report proofread for grammar and spelling
C) Delete any records from databases created during testing
D) Reimage any compromised servers
6) When writing a report for senior managers, it’s important that the report contain:
A) A glossary
B) Headings
C) An executive summary
D) An index
7) Why should you not simply cut and paste data from testing tools into your report?
A) False positives and negatives
B) Grammar and spelling errors
C) Poor formatting
D) There is no reason; it is okay to do this
8) Why is it important to correlate results to the environment?
A) People of different technical levels of expertise will read the report
B) You need to compare the most recent testing to the previous baseline
C) Temperature and humidity changes can affect server performance
D) The actual situation may be more complicated than the report suggests
9) Which of these is not a common penetration testing methodology?
A) NIST Special Publication (SP) 2018-220
B) Information Systems Security Assessment Framework (ISSAF)
C) Penetration Testing Execution Standard (PTES)
D) NIST Special Publication (SP) 800-115
10) What is the most accurate and comprehensive way to compile a report?
A) Do not start the report until all data is gathered
B) Start collecting and organizing results while you are still testing
C) Do not start the report until all data is not only gathered, but also analyzed
D) Give an oral report first, and write the written report only after questions are taken from that
11) Which of these is not a recommended section in the PCI DSS reporting guidelines?
A) Statement of Scope
B) Statement of Methodology
C) Statement of Limitations
D) Statement of Confidentiality
12) Which of these is a tool that can ingest the results from many pen testing tools and produce reports in CSV, HTML, or PDF format?
A) Kali
B) Microsoft Excel
C) Metasploit
D) Dradis
13) What should an executive summary not contain?
A) A timeline
B) Summary of metrics and measures
C) Detailed descriptions of all findings
D) Testing methodologies used
14) The Base metric group, Temporal metric group, and Environmental metric group are all part of which standard for penetration testing metrics and measures?
A) Penetration Testing Execution Standard (PTES)
B) Common Vulnerability Scoring System (CVSS)
C) Open Web Application Security Project
D) NIST Special Publication (SP) 800-115
15) As a rule of thumb, you should always consider report contents as ________ unless otherwise informed.
A) Public knowledge
B) Confidential
C) Highly classified
D) Top secret
16) Which of these is not a best practice for controlling the distribution of a report?
A) Define the distribution list in the scope of work
B) Label each copy with a unique ID number
C) Encrypt the report if transporting it electronically
D) Ensure that the handling and distribution of a hard copy is more restrictive than for an electronic copy
17) To most effectively regulate distribution, how many electronic copies should you provide to the client?
A) Only one
B) A separate emailed copy to each recipient on the client’s distribution list
C) Only two
D) Unlimited
18) Poor change management, ineffective identification of technical elements, and poor communication among stakeholders can all contribute to:
A) Escalation
B) False negatives
C) Scope creep
D) False positives
19) If a penetration test is performed on a DoD-owned system, the contents of the report could be subject to:
A) PCI DSS Regulations
B) International Traffic in Arms Regulations
C) HIPAA Regulations
D) Penetration Testing Framework Regulations
20) _______ publishes the Risk Rating Methodology to help with estimating the risk of a vulnerability as it pertains to a business.
A) OWASP
B) CVSS
C) PTES
D) OSSTMM