WITH ANSWERS

Administrative controls - CORRECT ANSWERS ✔✔security measures implemented to monitor the adherence to organizational policies and procedures. Those include activities such as hiring and termination policies and employee training, along with creating business continuity and incident response plans.

Physical controls - CORRECT ANSWERS ✔✔restrict, detect and monitor access to specific physical areas or assets. Methods include barriers, tokens, biometrics or other controls such as ensuring the server room doors are properly locked, along with using surveillance cameras and access cards.

Technical or logical controls - CORRECT ANSWERS ✔✔automate protection to prevent unauthorized access or misuse, and include Access Control Lists (ACLs), Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) signatures, and antimalware protection, implemented as a hardware, software, or firmware solution.

What is the primary goal of PenTesting? - CORRECT ANSWERS ✔✔Reduce overall risk by taking proactive steps to reduce vulnerabilities.

Principle of Least Privilege - CORRECT ANSWERS ✔✔Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

Risk - CORRECT ANSWERS ✔✔Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

Threat - CORRECT ANSWERS ✔✔represents something, such as malware or a natural disaster, that can accidentally or intentionally exploit a vulnerability and cause undesirable results.

Vulnerability - CORRECT ANSWERS ✔✔is a weakness or flaw, such as a software bug, system flaw, or human error. A vulnerability can be exploited by a threat.

Risk Analysis - CORRECT ANSWERS ✔✔is a security process used to assess risk damages that can affect an organization.

Unified Threat Management (UTM) - CORRECT ANSWERS ✔✔All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.

Main steps of the structured PenTesting Process: - CORRECT ANSWERS ✔✔Planning and scoping, Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks, Analysis, Reporting

Unauthorized Hacker - CORRECT ANSWERS ✔✔A hacker operating with malicious intent.

Payment Card Industry Data Security Standard (PCI DSS) - CORRECT ANSWERS ✔✔Information security standard for organizations that process credit or bank card payments.

An organization must do the following in order to protect cardholder data: - CORRECT ANSWERS ✔✔Maintain secure infrastructure using dedicated appliances and software to monitor and prevent attacks. Implement best practices like changing default passwords, educating users on email safety, and continuously monitoring for vulnerabilities with updated anti-malware protection. Enforce strict access controls through the principle of least privilege and regularly test and monitor networks.

PCI DSS Level 1 - CORRECT ANSWERS ✔✔Large merchant with over six million transactions a year; requires an external audit by a Qualified Security Assessor (QSA) and must complete a RoC.

PCI DSS Level 2 - CORRECT ANSWERS ✔✔merchant with one to six million transactions a year, must complete a RoC.

PCI DSS Level 3 - CORRECT ANSWERS ✔✔merchant with 20000 to one million transactions a year

PCI DSS Level 4 - CORRECT ANSWERS ✔✔small merchant with under 20000 transactions a year

General Data Protection Regulation (GDPR) - CORRECT ANSWERS ✔✔Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.

GDPR Components: - CORRECT ANSWERS ✔✔Require consent, Rescind consent, Global reach, Restrict data collection, Violation reporting

Stop Hacks and Improve Electronic Data Security (SHIELD) - CORRECT ANSWERS ✔✔is a law that was enacted in New York state in March 2020 to protect citizens' data. The law requires companies to bolster their cybersecurity defense methods to prevent a data breach and protect consumer data.

California Consumer Privacy Act (CCPA) - CORRECT ANSWERS ✔✔was enacted in 2020 and outlines specific guidelines on how to appropriately handle consumer data. To ensure that customer data is adequately protected, vendors should include PenTesting of all web applications and internal systems, along with social engineering assessments.

Health Insurance Portability and Accountability Act (HIPAA) - CORRECT ANSWERS ✔✔is a law that mandates rigorous requirements for anyone that deals with patient information. Computerized electronic patient records are referred to as electronic protected health information (e-PHI). With HIPAA, the