Planning And Scoping A Penetration – Exam Questions – Ch.2 - Model Test Questions | CompTIA PenTest+ 1e Santos by Omar Santos.
CompTIA® PenTest+ Cert Guide
Chapter 2 Planning and Scoping a Penetration Testing Assessment
1) All of these are important factors when thinking about the target audience of a testing report except which one?
A) The individual's responsibility and authority to make decisions based on your findings
B) Who will have access to protected or sensitive information
C) Why the entity or individual needs the report
D) The approximate ages of the recipients
2) The _________ documentation would typically specify the testing timeline, location, preferred method, and IP addresses or networks from which testing will originate.
A) Nondisclosure
B) Rules of engagement
C) Audience analysis
D) Security control
3) A ______ chart shows the timeline for each task and for the project overall.
A) Tabular
B) Column
C) Pie
D) Gantt
4) Which of these is not a form of risk mitigation?
A) Risk transference
B) Risk avoidance
C) Risk acceptance
D) Risk sharing
5) What should you do after every testing engagement in order to preserve confidentiality?
A) Delete the email addresses of the clients from your address book
B) Delete any project records from your systems
C) Ask clients to sign a non-disclosure statement
D) All of the above
6) The purpose of conducting multiple point-in-time assessments is to:
A) Assess progress toward a goal
B) Save money
C) Redo tests to make sure the initial results are repeatable
D) Save time
7) What is CVSS?
A) A scoring system for IT security incident responses
B) A government agency that regulates IT security
C) A well-known private IT security company
D) A standards organization that releases security white papers
8) Risk _____ is how much of an undesirable outcome a risk taker is willing to accept in exchange for the potential benefit.
A) Transfer
B) Tolerance
C) Management
D) Mitigation
9) A _____ team is a corporate security team that defends the organization against cybersecurity threats.
A) Black
B) Red
C) Blue
D) Gray
10) Which of these is not a financial institution, by the definition of the Gramm-Leach-Bliley Act (GLBA)?
A) Real estate appraisers
B) Check-cashing businesses
C) Debt collectors
D) None of the above
11) Which of these is a set of regulations that governs healthcare data storage, confidentiality, and usage?
A) HIPAA
B) PCI DSS
C) FedRAMP
D) OSHA
12) _________ happens when a threat actor exploits more than one vulnerability in sequence to infiltrate progressively further into the system or network and gain more control over it.
A) Vulnerability chaining
B) Attack complexity
C) Modified base metrics
D) Exploit code maturity
13) ______ cannot exist without a(n) ________.
A) Vulnerabilities, Exploit
B) Exploits, Vulnerability
C) Access Vectors, Exploit
D) Exploits, User Interaction
14) Including a statement that says you provide no warranties or legal certifications concerning the testing tools and methods is an example of a:
A) Technical Constraint
B) Statement of Work
C) Contract
D) Disclaimer
15) A statement that certain areas cannot be tested due to operational limitations is an example of a:
A) Technical Constraint
B) Statement of Work
C) Contract
D) Disclaimer
16) What legal document specifies the terms of the agreement for testing and how you will get paid, as well as clear documentation of the services to be performed?
A) Technical Constraint
B) Statement of Work
C) Contract
D) Disclaimer
17) Which of these is a document that specifies the activities to be performed during the penetration testing engagement?
A) Master Service Agreement
B) Statement of Work
C) Contract
D) Nondisclosure Agreement
18) What type of contract allows quick negotiation for a series of projects, so you do not have to renegotiate the same terms every time you perform work for the same customer?
A) Master Service Agreement
B) Statement of Work
C) Contract
D) Nondisclosure Agreement
19) What type of legal document specifies and defines confidential material, knowledge, and information that should be kept private by both parties?
A) Master Service Agreement
B) Statement of Work
C) Contract
D) Nondisclosure Agreement
20) _______ refers to the uncontrolled growth of a project’s scale.
A) Blurring
B) Fuzzing
C) Scope creep
D) Proliferation