Questions WITH ANSWERS

When using a structured approach to PenTesting, each step will serve a purpose with the goal of testing an infrastructure's defenses by identifying and exploiting any known vulnerabilities. List the four main steps of the CompTIA Pen Testing process. - CORRECT ANSWERS ✔✔Planning and scoping
Information gathering and vulnerability scanning
Attacks and exploits
Reporting and communication

Threat actors follow the same main process of hacking as a professional PenTester: Reconnaissance, Scanning, Gain Access, Maintain Access, and Cover Tracks. What steps are added during a structured PenTest? - CORRECT ANSWERS ✔✔1) Planning and scoping along with 3) Analysis and reporting.

Part of completing a PenTesting exercise is following the imposed guidelines of various controls, laws, and regulations. Summarize key takeaways of PCI DSS. - CORRECT ANSWERS ✔✔Payment Card Industry Data Security Standard (PCI DSS) specifies the controls that must be in place to securely handle credit card data. Controls include methods to minimize vulnerabilities, strong access control, and consistent testing and monitoring of the infrastructure.

With PCI DSS a merchant is ranked according to the number of transactions completed in a year. Describe a Level 1 merchant. - CORRECT ANSWERS ✔✔A Level 1 merchant is a large merchant with over six million transactions a year.

With PCI DSS, a Level 1 merchant must have an external auditor perform the assessment by an approved _____. - CORRECT ANSWERS ✔✔Qualified Security Assessor (QSA).

Another regulation that affects data privacy is GDPR, which outlines specific requirements on how consumer data is protected. List two to three components of GDPR. - CORRECT ANSWERS ✔✔Require consent means a company must obtain your permission to share your information.
Rescind consent allows a consumer to opt out at any time.
Global reach—GDPR affects anyone who does business with residents of the EU and Britain.
Restrict data collection to only what is needed to interact with the site.
Violation reporting—a company must report a data breach within 72 hours.

What should a company with over 250 employees do to be compliant with the GDPR? - CORRECT ANSWERS ✔✔Under GDPR, any company with over 250 employees will need to audit its systems and take rigorous steps to protect any data processed within those systems, whether managed locally or in the cloud.

Describe some of the resources available at NIST. - CORRECT ANSWERS ✔✔NIST has many resources for the cybersecurity professional, including the Special Publication 800 series, which deals with cybersecurity policies, procedures, and guidelines.

Discuss the significance of NIST SP 800-115. - CORRECT ANSWERS ✔✔NIST SP 800-115 is the "Technical Guide to Information Security Testing and Assessment" and contains a great deal of relevant information about PenTesting planning, techniques, and related activities.

Explain how the MITRE ATT&CK Framework provides tools and techniques specific to PenTesting. - CORRECT ANSWERS ✔✔Once in the MITRE ATT&CK framework, you will see many columns in the matrix that describe various tasks that are completed during the PenTest.

Compare and contrast CVE and CWE. - CORRECT ANSWERS ✔✔The CWE is a dictionary of software-related vulnerabilities maintained by the MITRE Corporation that includes a detailed list of weaknesses in hardware and software. CVE refers to specific vulnerabilities of particular products.

A couple of your colleagues thought it might be a good idea to share some guidance on how the team should conduct themselves during the PenTesting process. What topics should be covered so that all members exhibit professional behavior before, during, and after the PenTest? - CORRECT ANSWERS ✔✔The team will need to clearly understand that they are to maintain confidentiality before, during, and after a PenTest exercise. Once the testing begins the team will want to proceed