1 | Page
CREST CPSA EXAM QUESTIONS WITH CORRECT
ANSWERS (100% CORRECT)
Disadvantages of Black Box Penetration Testing - ANSWER ->-
Particularly, these kinds of test cases are difficult to design
- Possibly, it is not worth, in case designer has already conducted a test case - It
does not conduct everything
White Box Penetration Testing - ANSWER ->A tester is provided a whole range of
information about the systems and/or network such as schema, source code, os
details, ip address, etc.
Advantages of White Box Penetration Testing - ANSWER ->- It ensures that all
independent paths of a module have been exercised
- It ensures that all logical decisions have been verified along with their true and
false value.
- It discovers the typographical errors and does syntax checking
- It finds the design errors that may have occurred because of the difference
between logical flow of the program and the actual execution.
Computer Misuse Act 1990 Highlights - ANSWER ->Section 1:
Unauthorized access to computer material
,4 | Page
Section 2: Unauthorized access with intent to commit or facilitate commission of
further offenses
Section 3: Unauthorized acts with intent to impair, or with recklessness as to
impairing the operation of a computer
Human Rights Act 1998 Highlights - ANSWER ->- The right to life
- The right to respect for private and family life
- The right to freedom of religion and belief
- Your right not to be mistreated or wrongly punished by the state
Consent Information for Penetration Test - ANSWER ->- Name &
Position of the individual who is providing consent
- Authorized testing period - both the date range and hours that testing is
permitted
- Contact information for members of technical staff, who may provide assistance
during the test
- IP addresses or URL that are in scope of testing
- Exclusions to certain hosts, services or areas within application testing
- Credentials that may be required as part of authenticated application testing
Data Protection Act 1998 Highlights - ANSWER ->- Personal data must be
processed fairly and lawfully
- be obtained only for lawful purposes and not processed in any manner
incompatible with those purposes
- be adequate, relevant and not excessive
- be accurate and current
- not be retained for longer than necessary
- be processed in accordance with the rights and freedoms of data subjects - Be
protected against unauthorized or unlawful processing and against accidental
loss, destruction or damage
,5 | Page
Police and Justice Act 2006 Highlights - ANSWER ->- Make amendments to the
computer misuse act 1990
- increased penalties of computer misuse act (makes unauthorized computer
access serious enough to fall under extradition)
- Made it illegal to perform DOS attacks
- Made it illegal to supply and own hacking tools.
- Be careful about how you release information about exploits.
Issues Between Tester and Client - ANSWER ->- The tester is unknown to his
client - so, on what grounds, he should be given access of sensitive data - Who
will take the guarantee of security of lost data?
- The client may blame for the loss of data or confidentiality to tester.
Preventing Legal Issues in Penetration Testing - ANSWER ->- A statement of intent
should be duly signed by both parties
- The tester has the permission in writing, with clearly defined parameters - the
company has the details of its pen tester and an assurance that he would not
leak any confidential data
Scoping a Penetration Test - ANSWER ->- All relevant risk owners
- Technical staff knowledgeable about the target system
- The penetration test team should identify what testing they believe will give a
full picture of the vulnerability status of the estate
- A representative of the penetration test team
- Risk owners should outline any areas of special concern
IP - ANSWER ->The IP (Internet Protocol) is the network layer communications
protocol in the Internet protocol suite used for relaying datagrams across network
boundaries.
TCP - ANSWER ->TCP (Transmission Control Protocol) is a main protocol from the
Internet protocol suite.
, 6 | Page
Task of TCP - ANSWER ->To create a connection between the client and server
before data can be sent.
User Datagram Protocol - ANSWER ->Applications that do not require a reliable
data stream use User Datagram Protocol.
Task of the Internet Protocol - ANSWER ->To deliver packets from the source host
to the destination host based on the IP addresses in the packet headers.
UDP - ANSWER ->Yes, UDP is part of the Internet protocol suite.
SYN in TCP handshake - ANSWER ->SYN is used to initiate and establish a
connection. It also helps you to synchronize sequence numbers between devices.
UDP handshakes - ANSWER ->No, UDP does not perform handshakes.
ACK in TCP handshake - ANSWER ->Helps to confirm to the other side that it has
received the SYN.
SYN-ACK in TCP handshake - ANSWER ->SYN-ACK is a SYN message from the local
device and ACK of the earlier packet.
FIN - ANSWER ->Used to terminate the connection.
Three way handshake - ANSWER ->TCP is known for performing a three way
handshake.
SYN - ANSWER ->SYN stands for Synchronize.
SYN-ACK phrase - ANSWER ->After the SYN and ACK phrases of a TCP handshake,
the next step is SYN-ACK.
CREST CPSA EXAM QUESTIONS WITH CORRECT
ANSWERS (100% CORRECT)
Disadvantages of Black Box Penetration Testing - ANSWER ->-
Particularly, these kinds of test cases are difficult to design
- Possibly, it is not worth, in case designer has already conducted a test case - It
does not conduct everything
White Box Penetration Testing - ANSWER ->A tester is provided a whole range of
information about the systems and/or network such as schema, source code, os
details, ip address, etc.
Advantages of White Box Penetration Testing - ANSWER ->- It ensures that all
independent paths of a module have been exercised
- It ensures that all logical decisions have been verified along with their true and
false value.
- It discovers the typographical errors and does syntax checking
- It finds the design errors that may have occurred because of the difference
between logical flow of the program and the actual execution.
Computer Misuse Act 1990 Highlights - ANSWER ->Section 1:
Unauthorized access to computer material
,4 | Page
Section 2: Unauthorized access with intent to commit or facilitate commission of
further offenses
Section 3: Unauthorized acts with intent to impair, or with recklessness as to
impairing the operation of a computer
Human Rights Act 1998 Highlights - ANSWER ->- The right to life
- The right to respect for private and family life
- The right to freedom of religion and belief
- Your right not to be mistreated or wrongly punished by the state
Consent Information for Penetration Test - ANSWER ->- Name &
Position of the individual who is providing consent
- Authorized testing period - both the date range and hours that testing is
permitted
- Contact information for members of technical staff, who may provide assistance
during the test
- IP addresses or URL that are in scope of testing
- Exclusions to certain hosts, services or areas within application testing
- Credentials that may be required as part of authenticated application testing
Data Protection Act 1998 Highlights - ANSWER ->- Personal data must be
processed fairly and lawfully
- be obtained only for lawful purposes and not processed in any manner
incompatible with those purposes
- be adequate, relevant and not excessive
- be accurate and current
- not be retained for longer than necessary
- be processed in accordance with the rights and freedoms of data subjects - Be
protected against unauthorized or unlawful processing and against accidental
loss, destruction or damage
,5 | Page
Police and Justice Act 2006 Highlights - ANSWER ->- Make amendments to the
computer misuse act 1990
- increased penalties of computer misuse act (makes unauthorized computer
access serious enough to fall under extradition)
- Made it illegal to perform DOS attacks
- Made it illegal to supply and own hacking tools.
- Be careful about how you release information about exploits.
Issues Between Tester and Client - ANSWER ->- The tester is unknown to his
client - so, on what grounds, he should be given access of sensitive data - Who
will take the guarantee of security of lost data?
- The client may blame for the loss of data or confidentiality to tester.
Preventing Legal Issues in Penetration Testing - ANSWER ->- A statement of intent
should be duly signed by both parties
- The tester has the permission in writing, with clearly defined parameters - the
company has the details of its pen tester and an assurance that he would not
leak any confidential data
Scoping a Penetration Test - ANSWER ->- All relevant risk owners
- Technical staff knowledgeable about the target system
- The penetration test team should identify what testing they believe will give a
full picture of the vulnerability status of the estate
- A representative of the penetration test team
- Risk owners should outline any areas of special concern
IP - ANSWER ->The IP (Internet Protocol) is the network layer communications
protocol in the Internet protocol suite used for relaying datagrams across network
boundaries.
TCP - ANSWER ->TCP (Transmission Control Protocol) is a main protocol from the
Internet protocol suite.
, 6 | Page
Task of TCP - ANSWER ->To create a connection between the client and server
before data can be sent.
User Datagram Protocol - ANSWER ->Applications that do not require a reliable
data stream use User Datagram Protocol.
Task of the Internet Protocol - ANSWER ->To deliver packets from the source host
to the destination host based on the IP addresses in the packet headers.
UDP - ANSWER ->Yes, UDP is part of the Internet protocol suite.
SYN in TCP handshake - ANSWER ->SYN is used to initiate and establish a
connection. It also helps you to synchronize sequence numbers between devices.
UDP handshakes - ANSWER ->No, UDP does not perform handshakes.
ACK in TCP handshake - ANSWER ->Helps to confirm to the other side that it has
received the SYN.
SYN-ACK in TCP handshake - ANSWER ->SYN-ACK is a SYN message from the local
device and ACK of the earlier packet.
FIN - ANSWER ->Used to terminate the connection.
Three way handshake - ANSWER ->TCP is known for performing a three way
handshake.
SYN - ANSWER ->SYN stands for Synchronize.
SYN-ACK phrase - ANSWER ->After the SYN and ACK phrases of a TCP handshake,
the next step is SYN-ACK.
