UPDATED CREST CPSA - Appendix A: Soft Skills and Assessment Management 2023 Questions And Answers
What are the benefits and utility of penetration testing to the client? - CORRECT ANSWERS
1.) Identifies existing and potential security risks.
2.) Obtains recommendations to remove vulnerabilities and increase security and protection against attack.
3.) Increases awareness of security issues.
4.) Meets regulatory requirements.
5.) Satisfies the client's external customers that their systems meet recognised security standards.

What is an NDA? - CORRECT ANSWERS Non-disclosure agreement.

What is infrastructure testing? - CORRECT ANSWERS Security review of network-connected IT equipment, including security/networking devices, servers and workstations.

What is application testing? - CORRECT ANSWERS Security review of a computer program running on an IT system.

What is black-box testing? - CORRECT ANSWERS Testing with zero knowledge of the internal workings of the target.

What is white-box testing? - CORRECT ANSWERS Testing with detailed knowledge of the internal workings, for example design specifications or source code (application).

What is the Computer Misuse Act 1990? - CORRECT ANSWERS
1.) Covers intentional unauthorised access to computer material.
2.) Covers unauthorised modification of a computer system or of data held on a computer system.
3.) Covers unauthorised access to a computer system with intent to commit or facilitate further offences.
4.) You need to ensure you have signed permission, from someone entitled to grant it, to access the systems in scope; otherwise the testing is itself a breach of the Computer Misuse Act.

What is the Human Rights Act 1998? - CORRECT ANSWERS
1.) Employees have a right to privacy while in their place of work. This right may be breached during the pen-test through network traffic capture, access to shared resources containing personal data, terminal-services-type access, etc.
2.) The client contract should advise that testers may gain access to private information. The onus is then on the client to inform their employees about the testing if this is not already covered by employment contracts warning of internet/mail/data logging and monitoring.

What is the Data Protection Act 1998? - CORRECT ANSWERS
1.) The client must protect customer data under the Data Protection Act, therefore so must the testers. Use encrypted storage/transfer mediums (PGP-encrypted emails, encrypted disks).
2.) Delete data when it is no longer required (i.e. pentesters should delete data once the final report has been issued, or, in some cases, once the client has been supplied with the data).
(The 1998 Act has since been replaced in the UK by the Data Protection Act 2018 and the UK GDPR; the same handling obligations apply to testers.)

What is the Police and Justice Act 2006? - CORRECT ANSWERS This act amends the Computer Misuse Act so that the act now:
1.) Covers acts intended to make a system insecure so as to enable unauthorised access.
2.) Allows higher punishments for breaches of the act (12 months' imprisonment on summary conviction in England and Wales).
3.) Broadens Section 3, "modification of computer material", to cover impairment of a computer system, its data, and system/data integrity. The amendment also covers reckless acts as well as intentional ones.
4.) Also includes making, supplying or obtaining articles for use in computer misuse (Section 3A). This mainly targets viruses/worms, but could equally apply to tools made or supplied explicitly for crime.

What does SOX stand for? - CORRECT ANSWERS Sarbanes-Oxley (SOX).

What is SOX focused on? - CORRECT ANSWERS SOX is primarily focused on the accuracy of financial reporting data. IT security is important under SOX to the extent that it enhances the reliability and integrity of that reporting.

What does HIPAA stand for? - CORRECT ANSWERS Health Insurance Portability and Accountability Act (HIPAA).

What is HIPAA focused on? - CORRECT ANSWERS The Security Rule within HIPAA applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. Specifically, organisations under the rule must maintain reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of their EPHI against any reasonably anticipated risks.

What does EPHI stand for? - CORRECT ANSWERS Electronic Protected Health Information.

What does IIHI stand for? - CORRECT ANSWERS Individually Identifiable Health Information.

What does PCI stand for? - CORRECT ANSWERS Payment Card Industry (PCI).

What is PCI focused on? - CORRECT ANSWERS The PCI Data Security Standard (PCI DSS) is a security standard that includes requirements for security management, policies and procedures when dealing with payment card details (debit, credit, prepaid, e-purse, ATM and POS cards) and the associated businesses.
Written for
- Institution
- CREST CPSA
- Course
- CREST CPSA
Document information
- Uploaded on
- March 28, 2023
- Number of pages
- 4
- Written in
- 2022/2023
- Type
- Exam (elaborations)
- Contains
- Questions & answers