Sensitive Data Exposure
(C) Broken Authentication
(D) Broken Access Control
Answers
1 B. Bob is performing active reconnaissance, or active information gathering, when using a port scanner to discover ports that are open on a system. See “Information gathering and vulnerability identification.”
2 A. An unknown-environment test (black box test) is when the pentester is given no knowledge of the environment being tested. Review “Pentest strategy.”
3 D. Passive reconnaissance, or passive information gathering, is when the pentester uses public Internet resources to discover information about the target. Check out “Information gathering and vulnerability identification.”
4 C. Organizations may be governed by regulations that force a company to perform penetration tests on a regular basis in order to be compliant. Peruse “Reasons for a pentest.”
5 B. The purpose of the penetration test is to better the security of the organization. Therefore, it is critical the report contains remediation steps on how to improve the security of vulnerable systems. Take a look at “Reporting and communication.”
6 D. It is imperative that you get written authorization to perform the penetration test before doing any testing. Also, be sure to get written authorization from an authorized party such as the business owner or an upper-level manager. It is not enough to get authorization from a local manager. Peek at “Planning and scoping.”
7 C. A partially known-environment test (gray box test) involves giving limited information to the tester so that the tester is more focused on specific targets during the pentest. Look over “Pentest strategy.”
8 A. The third phase of the CompTIA penetration testing process is attacks and exploits. Study “Looking at CompTIA’s Penetration Testing Phases.”
9 B. A script kiddie has limited technical knowledge of how an attack actually works and simply runs tools that others have created. Peek at “Threat actors and threat models.”
10 D. The red team is the name of the penetration testing team that simulates the attacks, while the blue team tries to detect and defend against those attacks. Peek at “Types of assessments.”
11 B. Sensitive Data Exposure (2017 OWASP Top 10) is now known as Cryptographic Failures (2021 OWASP Top 10) and covers flaws in which sensitive data is not protected from unauthorized individuals because encryption is missing, weak, or misconfigured. Peek at “Open Web Application Security Project (OWASP).”
Chapter 2
Planning and Scoping
EXAM OBJECTIVES
Good penetration testers know that before starting a penetration test, they must spend time with the customer scoping out the project and setting the rules of engagement. Planning and scoping is a critical phase of the pentest process, as too often penetration testers dive right into trying to compromise systems without giving any thought to the ramifications of their actions. Not planning the penetration test properly can result in crashing the customer’s systems or network (causing loss of production and revenue) and triggering intrusion detection systems. A lack of planning can also create legal problems due to a failure to obtain proper authorization to perform the penetration test.
In this chapter, you learn the importance of planning for the penetration test by jumping into the first phase of the CompTIA penetration testing process: planning and scoping.
Understanding Key Legal Concepts
The CompTIA PenTest+ certification exam is sure to have a few questions regarding the legal concepts surrounding a penetration test that come into play during the planning and scoping phase. The following sections outline the three most important concepts you should be aware of: obtaining written authorization, contract types, and the importance of disclaimers.
Written authorization
It is illegal to hack into systems without proper authorization from the owner of the assets being tested. As a penetration tester, you have to remember this. Before any pentest can start, you must first get written permission in the form of a signed contract from the customer in order to conduct the work. Once the contract is signed, you then schedule a planning and scoping meeting with the customer so that you can identify the goals for the penetration test, identify what should be tested, and agree on how far the testing should go.
It is important to understand that often this authorization cannot come from an office manager, IT manager, or local network administrator, as they are not the owners of the assets being tested. It is critical you get authorization from the owners of the assets, such as the company owner, or from a member of upper-level management who has signing authority.
In addition, cloud computing has become a huge resource for companies to leverage, as it gives a company high availability and access to resources from anywhere. During pre-engagement activities and discussions, verify whether any in-scope resources are hosted in the cloud, because the cloud provider, not the customer, owns the underlying infrastructure. Check the provider’s published penetration testing policy before testing: some providers require advance authorization or notification, and all of them restrict what activities are permitted (for example, attacks against other tenants or the provider’s own infrastructure are prohibited). Document the provider’s policy and any approval you receive alongside the customer’s written authorization.