Read the book CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Page 47
Answers
1 B. Bob is performing active reconnaissance, or active information gathering, when using a port scanner to discover ports that are open on a system. See “Information gathering and vulnerability identification.”
2 A. An unknown-environment test (black box test) is when the pentester is given no knowledge of the environment being tested. Review “Pentest strategy.”
3 D. Passive reconnaissance, or passive information gathering, is when the pentester uses public Internet resources to discover information about the target. Check out “Information gathering and vulnerability identification.”
4 C. Organizations may be governed by regulations that force a company to perform penetration tests on a regular basis in order to be compliant. Peruse “Reasons for a pentest.”
5 B. The purpose of the penetration test is to better the security of the organization. Therefore, it is critical the report contains remediation steps on how to improve the security of vulnerable systems. Take a look at “Reporting and communication.”
6 D. It is imperative that you get written authorization to perform the penetration test before doing any testing. Also, be sure to get written authorization from an authorized party such as the business owner or an upper-level manager. It is not enough to get authorization from a local manager. Peek at “Planning and scoping.”
7 C. A partially known-environment test (gray box test) involves giving limited information to the tester so that the tester is more focused on specific targets during the pentest. Look over “Pentest strategy.”
8 A. The third phase of the CompTIA penetration testing process is attacks and exploits. Study “Looking at CompTIA’s Penetration Testing Phases.”
9 B. A script kiddie has limited technical knowledge of the details of the attack and simply runs the tools that are already created. Peek at “Threat actors and threat models.”
10 D. The red team is the name of the penetration testing team that simulates the attacks, while the blue team tries to detect and defend against those attacks. Peek at “Types of assessments.”
11 B. Sensitive Data Exposure (2017 OWASP) is now known as Cryptographic Failures (2021 OWASP) and involves flaws in which sensitive data is not protected from unauthorized individuals due to a lack of encryption technology. Peek at “Open Web Application Security Project (OWASP).”