Final CPSA Exam Questions & Answers(SCORED A)

A1) Pentest structure - ANSWER-Reconnaissance (i.e. find live hosts, sweeping, find services, scanning, banner matching, find vulnerabilities). Target prioritisation (e.g. assess servers rather than printers). Testing of services and exploitation if applicable. Consult/Confirm with customer if ok to exploit. Inform customer of any high risk issues that need addressing immediately. A1) Project Lifecycle - ANSWER-Data Gathering / Scoping / Briefing. Testing. Report Writing. Debriefing A2) Computer Misuse Act 1990 - ANSWER-The Act defines 3 specific offences: 1. Unauthorised access to computer material (that is, a program or data). 6 months or Level 5 fine (£5000 currently). 2. Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime. 5 years, max fine. 3. Unauthorised modification of computer material. 5 years, max fine. In general: You must not test a system without prior authorisation (e.g. as agreed in written scope/contract). You should never test without informing the client beforehand. Amended by Part 5 of Police and Justice Act 2006. A2) Police and Justice Act 2006 - ANSWER-An amendment and update to the Computer Misuse Act 1990 in Part 5 of the Police and Justice Act 2006 are: Section 35. Unauthorised access to computer material. Section 36. Unauthorised acts with intent to impair operation of computer, etc. Section 37. Making, supplying or obtaining articles for use in computer misuse offences. Section 38. Transitional and saving provision. In general: Part V includes a few sections on Computer Misuse Act 1990. Provision for DoS as an offence. Increased penalties. Making available tools to the Internet. Dual-use tools liable. A2) Human Rights Act 1998 - ANSWER-Lots of general human rights involved such as right to marry, discrimination, privacy, slavery, guilty etc. Human Rights Act 1998 is relevant to Computer usage as: "Protects the right of individuals against unreasonable disruption of and intrusion into their lives, while balancing this individual right with those of others." In general: Article 8: Right to respect for private and family life. Right to privacy. With Acceptable Usage Policy (AUP), you waive the right to privacy on network. A2) Data Protection Act 1998 - ANSWER-In general: Deals with PII (Personal Information ID). Data about identifiable users should only be used for the purpose intended. Should not make a local copy (e.g. HR Database)