2.4.3 Quiz – Planning and Scoping a Penetration Testing Assessment Answers
1. A contractor is hired to review and perform cybersecurity vulnerability assessments for a local health clinic facility. Which U.S. government regulation must the contractor understand before the contractor can start?
- GDPR
- GLBA
- HIPAA
- FedRAMP
Explanation: The original intent of the Health Insurance Portability and Accountability Act (HIPAA) was to simplify and standardize healthcare administrative processes. The U.S. Department of Health and Human Services (HHS) was instructed to develop and publish standards to protect individual electronic health information while permitting appropriate access and use by healthcare providers and other entities. A cybersecurity professional must fully understand HIPAA before performing a compliance-based assessment.
2. An Internal Revenue Service office in New York is considering moving some services to a cloud computing platform. Which U.S. government regulation must the office follow in the process?
- GDPR
- FFIEC
- HIPAA
- FedRAMP
Explanation: Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to U.S. government security authorizations for cloud service offerings.
3. An US university in California plans to offer online courses to students in partner universities in France and Germany. Which regulation should the university follow when those courses are offered?
- GDPR
- HIPAA
- FERPA
- FedRAMP
Explanation: General Data Protection Regulation (GDPR) is European legislation associated with personal data privacy. GDPR includes strict rules around the processing of data and privacy. Due to its effectiveness and abilities, GDPR extends to manage data regardless of whether in Europe, the US, or any part of the world.
4. Which U.S. government agency is responsible for enforcing the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act (GLB Act)?
- Securities and Exchange Commission (SEC)
- Commodity Futures Trading Commission (CFTC)
- Federal Trade Commission (FTC)
- Federal Deposit Insurance Corporation (FDIC)
Explanation: The U.S. Gramm-Leach-Bliley Act (GLB Act) applies to all financial services organizations, regardless of size. The Federal Trade Commission (FTC) is responsible for enforcing GLBA.
5. In the healthcare sector, which term defines an entity that processes nonstandard health information it receives from another entity into a standard format?
- health plan
- healthcare provider
- business associates
- healthcare clearinghouse
Explanation: In the healthcare sector, a healthcare clearinghouse is an entity that processes nonstandard health information it receives from another entity into a standard format.
6. In the healthcare sector, which term is used to define an entity that provides payment for medical services?
- health plan
- healthcare provider
- business associates
- healthcare clearinghouse
Explanation: In the healthcare sector, a health plan is an entity that provides payment for medical services, such as health insurance companies, HMOs, government health plans, or government programs that pay for healthcare, such as Medicare, Medicaid, military, and veteran programs.
7. In e-commerce, what determines the application of the Payment Card Industry Data Security Standard (PCI DSS) requirements?
- merchant
- payment brand
- primary account number
- approved scanning vendor
Explanation: The primary account number (PAN) is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements apply if the PAN is stored, processed, or transmitted.
8. What are two examples of sensitive authentication data associated with a payment card that requires compliance with the Payment Card Industry Data Security Standard (PCI DSS)? (Choose two.)
- expiration date
- cardholder name
- CAV2/CVC2/CVV2/CID
- primary account number
- full magnetic strip data or equivalent data on a chip
Explanation: The payment card account data consists of cardholder data and sensitive authentication data. Cardholder data includes the primary account number, cardholder name, expiration date, and service code. Sensitive authentication data includes a full magnetic strip or equivalent data on a chip, CAV2/CVC2/CVV2/CID code, and PINs/PIB blocks.
9. Match the parts of Recommendation for Key Management in the NIST SP 800-57 to the description.
Explanation: Place the options in the following order:
| Part 1: General | provides general guidance and best practices for the management of cryptographic keying material |
| Part 2: Best Practices for Key Management Organization | provides guidance on policy and security planning requirements for U.S. government agencies |
| Part 3: Application Specific Key Management Guidance | provides guidance when using the cryptographic features of current systems |
10. An employee of a cybersecurity consulting firm in the U.S. is assigned to help assess the system and operation vulnerabilities of several financial institutions in Europe. The task includes penetration tests for compliance. What is a key element the employee must have before starting the assignment?
- state-of-the-art penetration testing tools
- valid user credentials to perform tests at each client institution
- detailed network diagrams and asset inventories from each client institution
- documentation of permission for performing the tests from the client institutions
Explanation: An employee performing penetration testing should be aware of any local restrictions. Countries may have specific country limitations and local laws that may restrict whether the employee can perform some tasks as a penetration tester. The employee must always have clear documentation from the client indicating that permission to perform the testing is granted.
11. A company hires a cybersecurity professional to perform penetration tests to assess government regulation compliance. Which legal document should be provided to the cybersecurity professional that specifies the expectations and constraints, including quality of work, timelines, and cost?
- statement of work (SOW)
- service-level agreement (SLA)
- non-disclosure agreement (NDA)
- master service agreement (MSA)
Explanation: A service-level agreement (SLA) is a well-documented expectation or constraint related to one or more of the penetration testing service’s minimum and maximum performance measures (such as quality, timeline, and cost).
12. A company hires a cybersecurity professional to perform penetration testing to assess government regulation compliance. Which document will be provided to the cybersecurity professional that specifies a detailed and descriptive list of all the deliverables, including the scope of the project, the timeline and report delivery schedule, the location of the work, and the payment schedule?
- statement of work (SOW)
- service-level agreement (SLA)
- master service agreement (MSA)
- non-disclosure agreement (NDA)
Explanation: A statement of work (SOW) is a document that specifies the details of the activities to be performed during a penetration testing engagement. It can be used to define some of the elements:
Project (penetration testing) timelines, including the report delivery schedule
The scope of the work to be performed
The location of the work (geographic location or network location)
Special technical and nontechnical requirements
Payment schedule
13. A company hires a cybersecurity consultant to perform penetration testing to assess government regulation compliance. The company wants the consultant to disclose information to them and no one else. Which type of NDA agreement should be presented to the consultant?
- mutual NDA
- bilateral NDA
- unilateral NDA
- multilateral DNA
Explanation: With a unilateral NDA, only one party discloses certain information to the other party, and the information must be kept protected and not disclosed. In this case, the company must provide sufficient information for the consultant to perform penetration tests to assess government regulation compliance. The company would ask the consultant to sign a unilateral non-disclosure agreement to protect the internal private information.
14. A company hires a cybersecurity consultant to perform penetration testing to assess government regulation compliance. Which document must the consultant receive that specifies the agreement between the consultant and the company for the penetration testing engagement?
- contract
- disclaimers
- statement of work
- non-disclosure agreement
Explanation: The contract is one of the most important documents in a pen testing engagement. It specifies the terms of the agreement and how the consultant will get paid, and it provides clear documentation of the services that will be performed.
15. A company hires a cybersecurity consultant to perform penetration testing to assess government regulation compliance. The consultant is preparing the final report after the penetration testing is completed. In which section of the report should the consultant cover the limitation of the work performed, such as the only dates when the testing is performed and that the findings mentioned in the report do not guarantee that all vulnerabilities are covered?
- disclaimers
- scope of work
- findings and analysis
- non-disclosure statement
Explanation: The party performing work in a penetration testing engagement may add a disclaimer in the pre-engagement documentation and in the final report to disclaim the limited responsibility and reliability. Cybersecurity threats are always changing, and new vulnerabilities are discovered daily. No software, hardware, or technology is immune to security vulnerabilities, no matter how much security testing is conducted. One example of a disclaimer is that the penetration testing report is intended only to provide documentation and that the hiring company will determine the best way to remediate any vulnerabilities.
16. A company hires a cybersecurity consultant to perform penetration tests and review the rules of engagement documents. What are three examples of typical elements in the rules of engagement document? (Choose three.)
- testing timeline
- payment schedule
- location of testing
- non-disclosure agreement
- preferred method of communication
- unknown-environment testing condition
Explanation: The rules of engagement document specify the conditions under which the security penetration testing engagement will be conducted. Examples of the elements that are typically included in the rules of engagement document are:
- Testing timeline
- Location of testing
- Preferred method of communication
- The time window of the testing
- The security controls that the cloud potentially detects or prevent test
- IP addresses or networks from which testing will originate
- Types of allowed or disallowed tests
17. A company hires a cybersecurity consultant to perform penetration tests and review the rules of engagement documents. The consultant notices that one element specifies that the tests should be performed toward only web applications on websites www1.company.com and www2.company.com, with no social engineering attacks and no cross-site scripting attacks. Which element in the document is used for the specification?
- location of testing
- types of allowed or disallowed tests
- IP addresses or networks from which testing will originate
- the security controls that could potentially detect or prevent testing
Explanation: The rules of engagement document specify the conditions under which the security penetration testing engagement will be conducted. The types of allowed or disallowed tests element in the rules of engagement document should specify specific penetration tests that are allowed or disallowed.
18. A company hires a cybersecurity consultant to assess applications using different APIs. Which document should the company provide to the consultant about an XML-based language used to document a web service’s functionality?
- GraphQL documentation
- Swagger (OpenAPI) documentation
- Web Services Description Language (WSDL) document
- Web Application Description Language (WADL) document
Explanation: Web Services Description Language (WSDL) is an XML-based language used to document a web service’s functionality.
19. A company hires a cybersecurity consultant to assess applications using different APIs. Which document should the company provide to the consultant about a query language for APIs and a language for executing queries at runtime?
- GraphQL documentation
- Swagger (OpenAPI) documentation
- Web Services Description Language (WSDL) document
- Web Application Description Language (WADL) document
Explanation: GraphQL is a query language for APIs. It is also a server-side runtime language for executing queries using a type system a user defines for the data.
20. A company hires a cybersecurity consultant to assess vulnerability on crucial web application devices such as web and database servers. Which document should the company provide to help the consultant document and define what systems are in the testing?
- examples of application requests
- source codes of the applications
- system and network architectural diagram
- software development kit (SDK) for specific applications
Explanation: The system and network architectural diagrams can be very beneficial for penetration testers to help them to document and define what systems are in scope during the testing.
21. A company hires a cybersecurity consultant to perform penetration tests. What can cause scope creep of the engagement?
- lack of up-to-date testing tools
- lack of system and network architectural diagrams
- poor formatted request for proposal (RFP) by the company
- ineffective identification of what technical and nontechnical elements will be required for the penetration test
Explanation: Scope creep is a project management term that refers to the uncontrolled growth of the scope of a project. Causes of scope creep include:
poor change management in the penetration testing engagement
ineffective identification of what technical and nontechnical elements will be required for the penetration test
poor communication among stakeholders, including your client and your team
22. A company hires a cybersecurity consultant to perform penetration tests. What should be the consultant’s first step in validating the engagement scope?
- Confirm the contents of the request for proposal (RFP).
- Request user credentials in accessing targeted systems.
- Question the company contact person and review contracts.
- Ensure that systems and network architectural diagrams are accurate.
Explanation: The first step in validating the scope of an engagement is to question the client and review contracts. The consultant must understand the target audience for the penetration testing report. The consultant should also understand the subjects, business units, and any other entity such a penetration testing engagement will assess.
23. A company hires a cybersecurity consultant to perform penetration tests. The consultant is working with the company to set up communication procedures. Which two protocols should be considered for exchanging emails securely? (Choose two.)
- SCP
- PGP
- SFTP
- HTTPS
- S/MIME
Explanation: Pretty Good Privacy (PGP) keys or Secure/Multipurpose Internet Mail Extensions (S/MIME) keys can enforce email security by encrypting email exchanges. Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP) can transfer files securely over the network. HTTPS provides secure communication between web browsers and web servers.
24. A company hires a cybersecurity consultant to perform penetration tests. The consultant is discussing with the company about the penetration testing strategy. Which statement describes the term unknown-environment testing?
- This is a type of testing where the scope of the work could be extended later.
- This is a type of testing where the time frame of the work can be flexible and extension is possible.
- This type is a type of testing where the budget can be further negotiated throughout the testing.
- This type of testing is where the consultant will be provided with very limited information about the targeted systems and network.
Explanation: In unknown-environment testing (formerly called black-box penetration testing), the consultant is typically provided only a very limited amount of information, for example, only the domain names and IP addresses that are in scope for a particular target. This type of limitation is to have the consultant start with the perspective that an external attacker might have.
25. A company hires a cybersecurity consultant to perform penetration tests. What is the key difference between unknown-environment testing and known-environment testing?
- the types of systems and network to be tested
- the amount of information provided to the consultant
- the tools and types of tests allowed during testing
- credentials and certificates required of the consultant
Explanation: The key difference between unknown-environment testing and known-environment testing is the amount of information provided to the consultant. In typical unknown-environment testing, only a very limited amount of information would be provided to the consultant. This type of limitation is to have the consultant start with the perspective that an external attacker might have. In typical known-environment testing (formerly known as white-box penetration testing), the consultant starts with significant information about the organization and its infrastructure. Other factors could be the same or similar to both testing types.