100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
CompTIA Pentest+ $13.49   Add to cart

Exam (elaborations)

CompTIA Pentest+

 6 views  0 purchase
  • Course
  • Institution

Methodology - __ is a system of methods used in a particular area of study or activity. Pentest Methodology - __: 1. Planning & Scoping 2. Info Gathering & Vulnerability ID 3. Attacks & Exploits 4. Reporting & Communication NIST SP 800-115 Methodology - __: 1. Planning 2. Di...

[Show more]

Preview 4 out of 79  pages

  • April 8, 2022
  • 79
  • 2021/2022
  • Exam (elaborations)
  • Questions & answers
avatar-seller
CompTIA Pentest+

Methodology - __ is a system of methods used in a particular area of study or activity.

Pentest Methodology - __:
1. Planning & Scoping
2. Info Gathering & Vulnerability ID
3. Attacks & Exploits
4. Reporting & Communication

NIST SP 800-115 Methodology - __:
1. Planning
2. Discovery
3. Attack
4. Reporting

Planning a Penetration Test - __, Questions to ask:
▪ Why Is Planning Important?
▪ Who is the Target Audience?
▪ Budgeting
▪ Resources and Requirements
▪ Communication Paths
▪ What is the End State?
▪ Technical Constraints
▪ Disclaimers

Planning a Penetration Test - Budgeting - __:
▪ Controls many factors in a test

▪ If you have a large budget, you can perform a more in-depth test
__● Increased timeline for testing
__● Increased scope
__● Increased resources (people, tech, etc.)

Planning a Penetration Test - Resources and Requirements - __:
▪ What resources will the assessment require?

▪ What requirements will be met in the testing?
__● Confidentiality of findings
__● Known vs. unknown vulnerabilities
__● Compliance-based assessment

Planning a Penetration Test - Communication Paths - __:

,▪ Who do we communicate with about the test?

▪ What info will be communicated and when?

▪ Who is a trusted agent if testing goes wrong?

Planning a Penetration Test - What is the End State? - __:
▪ What kind of report will be provided after test?

▪ Will you provide an estimate of how long remediations would take?

Planning a Penetration Test - Technical Constraints - __:
▪ What constraints limited your ability to test?

▪ Provide the status in your report
__● Tested
__● Not Tested
__● Can't Be Tested

Planning a Penetration Test - Disclaimers - __:
▪ Point-in-Time Assessment
__● Results were accurate when the pentest occurred

▪ Comprehensiveness
__● How complete was the test?
__● Did you test the entire organization or only specific objectives?

Rules of Engagement (RoE) - __ are detailed guidelines and constraints regarding the
execution of information security testing.

The __ is established before the start of a security test, and gives the test team
authority to conduct defined activities without the need for additional permissions.

Rules of Engagement (RoE) Overview - __:
▪ Timeline
▪ Locations
▪ Time restrictions
▪ Transparency
▪ Test boundaries

RoE: Timeline - __:
▪ How long will the test be conducted?
_● A week, a month, a year

▪ What tasks will be performed and how long will each be planned for?

,RoE: Locations - __:
▪ Where will the testers be located?
_● On-site or remote location

▪ Does organization have numerous locations?

▪ Does it cross international borders?

RoE: Time Restrictions - __:
▪ Are there certain times that aren't authorized?

▪ What about days of the week?

▪ What about holidays?

RoE: Transparency - __:
▪ Who will know about the pentest?

▪ Will the organization provide resources to the testers (white box test)?

RoE: Boundaries - __:
▪ What will be tested?

▪ Is social engineering allowed to be used?

▪ What about physical security testing?

▪ How invasive can the pentest be?

Legal Concepts (1) - __ are laws and regulations regarding cyber-crime vary from
country to country, check the local laws before conducting an assessment.

Legal Concepts (2) - __ refers to consulting your attorney before performing any
penetration testing work to ensure you are within the legal bounds for the countries laws
where you are operating.

Crimes and Criminal Procedure - __:
▪ Hacking is covered under United States Code, Title 18, Chapter 47,
Sections 1029 and 1030

§ 1029 Fraud & related activity w/ access devices - __:
▪ Prosecute those who knowingly and with intent to defraud produce, use, or traffic in
one or more counterfeit access devices.

▪ Access devices can be an application or hardware that is created specifically to
generate any type of access credentials

, § 1030 Fraud and related activity with computers - __:
▪ Covers just about any computer or device connected to a network

▪ Mandates penalties for anyone who accesses a computer in an unauthorized manner
or exceeds one's access rights

▪ Can be used to prosecute employees using capability and accesses provided by their
company to conduct fraudulent activity

Obtain Written Authorization - __:
▪ White hat hackers always get permission

▪ This is your get out of jail free card...

▪ Penetration tests can expose confidential information so permission must be granted

▪ Third-party authorization when necessary
__● Ex: from a Cloud service provider

Third-Party Authorization - __:
▪ If servers and services are hosted in the cloud, you must request permission from the
provider prior to conducting a penetration test

__● Ex: from a Cloud service provider

Pentest Contracts - __:
▪ Statement of Work (SOW)

▪ Master Service Agreement (MSA)

▪ Non-Disclosure Agreement (NDA)

Statement of Work (SOW) - __ is a formal document stating scope of what will be
performed during a penetration test.

▪ Clearly states what tasks are to be accomplished during an engagement

Master Service Agreement (MSA) - __ is a contract where parties agree to most of the
terms that will
govern future actions.

▪ High level contract between a service provider and a client that specifies details of the
business arrangement

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller EvaTee. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $13.49. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

85443 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$13.49
  • (0)
  Add to cart