CompTIA Pentest+ Certification For Dummies. Glen E. Clarke
the work being performed?
(A) SOW
(B) NDA
(C) MSA
(D) SLA
2. Bob is performing a penetration test for Company XYZ. During the planning and scoping phase, the company identified two web servers as targets for the penetration test. While scanning the network, Bob identified a third web server. When discussing this new finding with the customer, the customer states that the third server runs critical web applications and needs to be assessed as well. What is this an example of?
(A) Statement of work
(B) Master service agreement
(C) Disclaimer
(D) Scope creep
3. You are drafting the agreement for the penetration test and working on the disclaimer section. What two key points should be covered by the disclaimer? (Choose two.)
(A) Compliance-based
(B) Point-in-time
(C) WSDL document
(D) Comprehensiveness
4. What type of contract is a description of the type of job being performed, the timeline, and the cost of the job?
(A) SOW
(B) NDA
(C) MSA
(D) SLA
5. You have been hired to do the pentest for Company XYZ. You acquired proper written authorization, performed the planning and scoping phase, and are ready to start discovery. You connect your laptop to the customer network and are unable to obtain an IP address from the company DHCP server. Which of the following could be the problem?
(A) MSA
(B) SSID
(C) SOW
(D) NAC
6. You are performing the penetration test for a company and have completed the planning and scoping phase. You wish to do the pentest on the wireless networks. What scoping element would you need?
(A) MSA
(B) NDA
(C) SSID
(D) NAC
7. What type of contract is used to define the terms of the repeat work performed?
(A) MSA
(B) NDA
(C) SOW
(D) NAC
8. You drafted the agreement to perform the penetration test, and you are now looking to have the agreement signed by the customer. Who should sign the agreement on behalf of the customer?
(A) Office manager
(B) IT manager
(C) Security manager
(D) Signing authority
9. You are working on the planning and scoping of the penetration test, and you are concerned that the consultants performing the pentest will be blocked by security controls on the network. What security feature would you look to leverage to allow the pentesters’ systems to communicate on the network?
(A) Blacklisting
(B) Whitelisting
(C) NAC
(D) Certificate pinning
10. You are performing a penetration test for a company that has requested the pentest because it is processing credit card payments from customers. What type of assessment is being performed?
(A) Goal-based assessment
(B) Security-based assessment
(C) Compliance-based assessment
(D) Credit card–based assessment
Answers
1 B. A non-disclosure agreement (NDA) is designed to outline the requirements of confidentiality between two parties and the work performed. See “Understanding Key Legal Concepts.”
2 D. Scope creep is when the scope of the project is modified as the project is being performed. Review “Scope creep.”
3 B, D. The disclaimer should cover the fact that the pentest is a point-in-time assessment and stress that the comprehensiveness of the assessment is based on the scope. Check out “Understanding Key Legal Concepts.”
4 A. The statement of work (SOW) is a description of the work being performed, includes the timeline for the project, and contains a breakdown of the cost for the project. Peruse “Understanding Key Legal Concepts.”
5 D. Network access control (NAC) is a suite of technologies that limits connections to the network based on health criteria. Take a look at “Defining Targets for the PenTest.”
6 C. The SSIDs of the wireless network should be identified during the planning and scoping phase so that you can be sure you have authorization to perform the assessment on the correct wireless networks. Peek at “Defining Targets for the PenTest.”
7 A. The master service agreement (MSA) is used when repeat engagements occur. It contains the terms of the work being performed and is referenced from the statement of work (SOW). Look over “Understanding Key Legal Concepts.”
8 D. The signing authority for the company, such as the business owner, should sign the agreement as proof of authorization. Study “Understanding Key Legal Concepts.”
9 B. Whitelisting is a method to allow systems to access network resources and bypass the security controls. Whitelisted systems and applications are considered authorized systems and applications, as opposed to blacklisted systems, which are non-authorized components. Peek at “Defining Targets for the PenTest.”
10 C. A compliance-based assessment is an assessment that is driven by the need to be compliant with laws and regulations that are governing an organization. See “Conducting Compliance-based Assessments.”
Конец ознакомительного фрагмента.
Текст предоставлен ООО «ЛитРес».
Прочитайте эту книгу целиком, купив