Penetration Testing and Vulnerability Analysis - D332 Questions and Answers (100% Pass)

1 | P a g e | © copyright 2024/2025 | Grade A+




Penetration Testing and
Vulnerability Analysis - D332
Questions and Answers (100% Pass)
How do you calculate Risk?


✓ Risk = Threat x Vulnerability




Describe unified threat management (UTM)


✓ All-in-one security appliances and agents that combine the functions

of a firewall, malware scanner, intrusion detection, vulnerability

scanner, data loss prevention, content filtering, and so on.




Describe OWASP


✓ Open Web Application Security Project: A framework for testing during

each phase of the development cycle. Publishes a Top Ten

vulnerabilities list, with a focus on Web Applications.




Describe NIST




Master01 | October, 2024/2025 | Latest update

, 1 | P a g e | © copyright 2024/2025 | Grade A+

✓ United States (U.S.) National Institute of Standards and Technology

(NIST): Develops computer security standards used by US federal

agencies and publishes cybersecurity best practice guides and

research.




What is NIST SP 800-115?


✓ "Technical Guide to Information Security Testing and Assessment."




Describe OSSTMM


✓ Open-source Security Testing Methodology Manual (OSSTMM): this

manual outlines every area of an organization that needs testing, as

well as goes into details about how to conduct the relevant tests.




OSSTMM doesn't provide the tools needed to accomplish a complete

PenTesting exercise, but it does cover other areas, such as Human Security

and Physical Security testing.




Describe ISSAF




Master01 | October, 2024/2025 | Latest update

, 1 | P a g e | © copyright 2024/2025 | Grade A+

✓ Information Systems Security Assessment Framework (ISSAF): Open

Source .rar file, a collection of 14 documents related to Pen Testing

(incldues includes a Security Assessment Contract, Request for Proposal

and Reporting templates)




Describe PTES


✓ Penetration Testing Execution Standard (PTES) has seven main sections

that provide a comprehensive overview of the proper structure of a

complete PenTest. ex. pre-engagement interactions, threat modeling,

vulnerability analysis, exploitation, and reporting.




Explain MITRE ATT&CK


✓ ATT&CK (Adversarial Tactics, Techniques & Common Knowledge): non-

profit, sponsored by US-CERT and DHS, containing specific adversary

tactics, techniques, and procedures




Explain CVSS


✓ Common Vulnerability Scoring System (CVSS): A risk management

approach to quantifying vulnerability data and then taking into

account the degree of risk to different types of systems or information.




Explain CVE

Master01 | October, 2024/2025 | Latest update

, 1 | P a g e | © copyright 2024/2025 | Grade A+

✓ Common Vulnerabilities and Exposures (CVE): The information in a

CVSS is fed into a CVE, with the format CVE-[YEAR]-[NUMBER] and an

explanation of the vulnerability. CVE = SPECIFIC vulnerabilities o

particular products. Most CVEs contain links to the NVD (National

Vulnerability Database) where you can find out more info about the

vulnerabilities.




Explain CWE


✓ Common Weakness Enumeration (CWE): MITRE Database of hardware

and software weaknesses. CWE = dictionary of software-related

vulnerabilities that details software & hardware weaknesses.




What are important considerations when PenTesting a company's web

applications and services?


✓ The client will provide a percentage / discrete value of total number of

web pages or forms that require user interaction to test.




The team should obtain a variety of roles and permissions so each role can

be tested (user, etc.)




What are examples of assets when determining scope of the test?



Master01 | October, 2024/2025 | Latest update