CSIT 188 Midterm Exam Questions and Answers All Correct

CSIT 188 Midterm Exam Questions and Answers All Correct Tom is running a penetration test in a web application and discovers a flaw that allows him to shut down the web server remotely. What goal of penetration testing has Tom most directly achieved? A. Disclosure B. Integrity C. Alteration D. Denial - Answer-D. Tom's attack achieved the goal of denial by shutting down the web server and prevent-ing legitimate users from accessing it. Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this type of activity? A. Confidentiality B. Integrity C. Alteration D. Availability - Answer-B. By allowing students to change their own grades, this vulnerability provides a pathway to unauthorized alteration of information. Brian should recommend that the school deploy integrity controls that prevent unauthorized modifications. Edward Snowden gathered a massive quantity of sensitive information from the National Security Agency and released it to the media. What type of attack did he wage? A. Disclosure B. Denial C. Alteration D. Availability - Answer-A. Snowden released sensitive information to individuals and groups who were not autho-rized to access that information. That is an example of a disclosure attack. Assuming no significant changes in an organization's cardholder data environment, how often does PCI DSS require that a merchant accepting credit cards conduct penetration testing? A. Monthly B. Semiannually C. Annually D. Biannually - Answer-C. PCI DSS requires that organizations conduct both internal and external penetration tests on at least an annual basis. Organizations must also conduct testing after any signifi-cant change in the cardholder data environment. Which one of the following is NOT a benefit of using an internal penetration testing team? A. Contextual knowledge B. Cost C. Subject matter expertise D. Independence - Answer-D. The use of internal testing teams may introduce conscious or unconscious bias into the penetration testing process. This lack of independence is one reason organizations may choose to use an external testing team. Which one of the following is NOT a reason to conduct periodic penetration tests of systems and applications? A. Changes in the environment B. Cost C. Evolving threats D. New team members - Answer-B. Repeating penetration tests periodically does not provide cost benefits to the organiza-tion. In fact, it incurs costs. However, penetration tests should be repeated because they can detect issues that arise due to changes in the tested environment and the evolving threat landscape. The use of new team members also increases the independence and value of sub-sequent tests. Rich recently got into trouble with a client for using an attack tool during a penetration test that caused a system outage. During what stage of the penetration testing process should Rich and his clients have agreed upon the tools and techniques that he would use during the test? A. Planning and Scoping B. Information Gathering and Vulnerability Identification C. Attacking and Exploiting D. Reporting and Communication Results - Answer-A. During the Planning and Scoping phase, penetration testers and their clients should agree upon the rules of engagement for the test. This should result in a written statement of work that clearly outlines the activities authorized during the penetration test. Which one of the following steps of the Cyber Kill Chain does not map to the Attacking and Exploiting stage of the penetration testing process? A. Weaponization B. Reconnaissance C. Installation D. Actions on Objectives - Answer-B. The Reconnaissance stage of the Cyber Kill Chain maps to the Information Gathering and Vulnerability Identification step of the penetration testing process. The remaining six steps of the Cyber Kill Chain all map to the Attacking and Exploiting phase of the penetra-tion testing process. Beth recently conducted a phishing attack against a penetration testing target in an attempt to gather credentials that she might use in later attacks. What stage of the penetration test-ing process is Beth in? A. Planning and Scoping B. Attacking and Exploiting C. Information Gathering and Vulnerability Identification D. Reporting and