1What is the primary objective of the Planning and Scoping phase in penetration testing?
A.To define the rules of engagement, objectives, and boundaries of the test
B.To exploit known vulnerabilities in the target system
C.To perform active scanning of the network perimeter
D.To generate the final report for the stakeholders
Correct Answer: To define the rules of engagement, objectives, and boundaries of the test
Explanation:
Planning and Scoping is the initial phase where the tester and the client agree upon the objectives, scope, Rules of Engagement (RoE), and legal constraints before any technical activity begins.
Incorrect! Try again.
2Which of the following best describes a Black Box penetration test?
A.The tester has partial knowledge, such as user credentials but no network diagrams
B.The tester has full knowledge of the network infrastructure and source code
C.The tester works alongside the internal security team to audit systems
D.The tester has zero prior knowledge of the target system, simulating an external attacker
Correct Answer: The tester has zero prior knowledge of the target system, simulating an external attacker
Explanation:
A Black Box test simulates a real-world attack where the ethical hacker has no internal information about the target organization.
Incorrect! Try again.
3In the context of the CIA Triad, penetration testing primarily seeks to ensure that security controls maintain:
A.Cost, Insurance, and Assessment
B.Compliance, Inspection, and Auditing
C.Confidentiality, Integrity, and Availability
D.Control, Identity, and Authorization
Correct Answer: Confidentiality, Integrity, and Availability
Explanation:
The CIA Triad stands for Confidentiality, Integrity, and Availability. Penetration testing evaluates how well a system protects these three pillars of information security.
Incorrect! Try again.
4Which document is essential to obtain before starting any penetration testing activities to avoid legal liability?
A.Software License Agreement
B.Vulnerability Scan Report
C.Written Authorization (Get Out of Jail Free card)
D.Service Level Agreement (SLA)
Correct Answer: Written Authorization (Get Out of Jail Free card)
Explanation:
Written authorization from the system owner is mandatory to distinguish penetration testing from illegal hacking. It is often colloquially called a "Get Out of Jail Free" card.
Incorrect! Try again.
5In a White Box penetration test, which of the following is typically provided to the tester?
A.Network diagrams, source code, and IP addressing schemes
B.Only the company name
C.Physical access badges only
D.Only a URL to the public website
Correct Answer: Network diagrams, source code, and IP addressing schemes
Explanation:
White Box testing (or Crystal Box) involves providing the tester with full details of the system to ensure comprehensive coverage, including internal logic and configurations.
Incorrect! Try again.
6What distinguishes a Vulnerability Assessment from a Penetration Test?
A.Vulnerability assessments are manual; penetration tests are automated
B.Vulnerability assessments take longer to complete than penetration tests
C.There is no difference; the terms are interchangeable
D.Vulnerability assessments identify potential flaws; penetration tests attempt to exploit them to verify risk
Correct Answer: Vulnerability assessments identify potential flaws; penetration tests attempt to exploit them to verify risk
Explanation:
A vulnerability assessment lists potential weaknesses (often automated), whereas a penetration test actively exploits those weaknesses to understand the depth and impact of the breach.
Incorrect! Try again.
7Which regulatory standard applies specifically to organizations handling credit card information?
A.PCI-DSS
B.GDPR
C.HIPAA
D.FERPA
Correct Answer: PCI-DSS
Explanation:
The Payment Card Industry Data Security Standard (PCI-DSS) mandates security testing, including penetration testing, for organizations that process, store, or transmit credit card data.
Incorrect! Try again.
8According to the PTES (Penetration Testing Execution Standard), which phase immediately follows Pre-engagement Interactions?
A.Post-Exploitation
B.Reporting
C.Intelligence Gathering
D.Exploitation
Correct Answer: Intelligence Gathering
Explanation:
After Pre-engagement Interactions (Planning/Scoping), the PTES methodology moves to Intelligence Gathering (Reconnaissance) to collect data about the target.
Incorrect! Try again.
9What is the purpose of the Rules of Engagement (RoE) document?
A.To list the specific exploits that will be used
B.To report the findings of the test after completion
C.To define how the test will be conducted, constraints, timeline, and communication channels
D.To detail the cost and payment terms of the contract
Correct Answer: To define how the test will be conducted, constraints, timeline, and communication channels
Explanation:
The RoE establishes the logistics, boundaries, and permissible actions during the test to ensure safety and alignment with organizational goals.
Incorrect! Try again.
10Which of the following implies a Gray Box testing approach?
A.The tester acts as an authenticated user with limited knowledge of the backend
B.The tester has Administrator access to all servers
C.The tester has no knowledge of the system
D.The tester audits the physical security of the building only
Correct Answer: The tester acts as an authenticated user with limited knowledge of the backend
Explanation:
Gray Box testing strikes a balance, giving the tester partial knowledge (like user credentials) to simulate an insider threat or an attacker who has breached the perimeter.
Incorrect! Try again.
11When defining Scope, what does the term "Out-of-Scope" refer to?
A.Vulnerabilities that cannot be patched
B.Assets or systems that must explicitly not be tested or touched
C.Systems that have critical vulnerabilities
D.Tools that the tester is not allowed to use
Correct Answer: Assets or systems that must explicitly not be tested or touched
Explanation:
Out-of-Scope assets are those the client has excluded from the test to prevent downtime, legal issues, or because they belong to third parties.
Incorrect! Try again.
12Which type of team is responsible for defending the network during a penetration test exercise?
A.White Team
B.Red Team
C.Purple Team
D.Blue Team
Correct Answer: Blue Team
Explanation:
The Blue Team is the internal security staff responsible for monitoring, detecting, and responding to the attacks generated by the Red Team (testers).
Incorrect! Try again.
13What is a Purple Team exercise?
A.A test focused solely on wireless networks
B.A collaborative effort where Red and Blue teams work together to improve detection and defense
C.A physical security assessment combined with social engineering
D.A test conducted strictly by government auditors
Correct Answer: A collaborative effort where Red and Blue teams work together to improve detection and defense
Explanation:
Purple Teaming involves knowledge sharing between attackers (Red) and defenders (Blue) to maximize the learning outcome and improve security posture instantly.
Incorrect! Try again.
14In the context of Risk Management, how is Risk typically calculated conceptually?
A.
B.
C.
D.
Correct Answer:
Explanation:
Risk is commonly defined as the likelihood of a Threat exploiting a Vulnerability resulting in a specific Impact to the organization.
Incorrect! Try again.
15Which standard is specifically known as the Open Source Security Testing Methodology Manual?
A.NIST SP 800-115
B.OWASP
C.ISO 27001
D.OSSTMM
Correct Answer: OSSTMM
Explanation:
OSSTMM is a peer-reviewed methodology for security testing that focuses on operational security and metrics.
Incorrect! Try again.
16Why is Passive Reconnaissance preferred in the early stages of a stealthy penetration test?
A.It generates a large amount of network traffic
B.It relies on public information and does not alert the target's IDS/IPS
C.It involves direct interaction with the target system
D.It exploits vulnerabilities immediately
Correct Answer: It relies on public information and does not alert the target's IDS/IPS
Explanation:
Passive reconnaissance involves gathering info from public sources (OSINT) without sending packets to the target, thus avoiding detection.
Incorrect! Try again.
17What is a critical Environmental Consideration when planning a penetration test on a SCADA or Industrial Control System (ICS)?
A.These systems are often fragile; active scanning may cause physical damage or safety hazards
B.These systems are usually robust and can handle heavy scanning traffic
C.These systems handle high-speed video streaming
D.These systems are always connected to the internet
Correct Answer: These systems are often fragile; active scanning may cause physical damage or safety hazards
Explanation:
SCADA/ICS environments often use legacy hardware where standard network scanning can cause latency or crashes, leading to real-world physical safety risks.
Incorrect! Try again.
18Which US regulation requires healthcare organizations to secure Protected Health Information (PHI)?
A.GLBA
B.HIPAA
C.FISMA
D.SOX
Correct Answer: HIPAA
Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data.
Incorrect! Try again.
19During the Scoping phase, why is it important to identify Third-Party providers (e.g., Cloud hosts, ISPs)?
A.To ensure they are ignored completely
B.To hack them instead of the client
C.To ask them for free software
D.To obtain necessary permission, as testing their infrastructure without consent is illegal
Correct Answer: To obtain necessary permission, as testing their infrastructure without consent is illegal
Explanation:
If a client's data sits on AWS, Azure, or a managed ISP, the tester typically needs to ensure the testing falls within the provider's acceptable use policy or obtain specific authorization.
Incorrect! Try again.
20What is the NIST Special Publication that acts as a Technical Guide to Information Security Testing and Assessment?
A.NIST SP 800-30
B.NIST SP 800-37
C.NIST SP 800-53
D.NIST SP 800-115
Correct Answer: NIST SP 800-115
Explanation:
NIST SP 800-115 provides guidelines for planning and conducting technical information security testing and assessments.
Incorrect! Try again.
21Which test type focuses on the human element of security?
A.Social Engineering
B.Network Sniffing
C.Buffer Overflow
D.SQL Injection
Correct Answer: Social Engineering
Explanation:
Social Engineering involves manipulating people into divulging confidential information or performing actions that compromise security.
Incorrect! Try again.
22In the context of scoping, what is a Blackout Window?
A.A period when the power is turned off
B.A specific time period where no testing is allowed due to critical business operations
C.The time when Black Box testing is conducted
D.A tool used to block network traffic
Correct Answer: A specific time period where no testing is allowed due to critical business operations
Explanation:
A Blackout Window is defined in the schedule to prevent testing during high-traffic or critical business hours (e.g., end-of-quarter processing).
Incorrect! Try again.
23What is the main advantage of an Internal penetration testing team?
A.They bring a completely unbiased external perspective
B.They do not require any rules of engagement
C.They have deep contextual knowledge of the organization's culture and systems
D.They are cheaper than automated tools
Correct Answer: They have deep contextual knowledge of the organization's culture and systems
Explanation:
Internal teams understand the business context and network intimately, allowing for continuous testing, though they may lack the fresh perspective of external consultants.
Incorrect! Try again.
24Which phase involves cleaning up artifacts, removing user accounts created during the test, and restoring settings?
A.Post-Exploitation / Restoration
B.Reconnaissance
C.Vulnerability Mapping
D.Pre-engagement
Correct Answer: Post-Exploitation / Restoration
Explanation:
After the test, the environment must be restored to its original state to prevent leaving backdoors or clutter that could be exploited by real attackers.
Incorrect! Try again.
25Which organization manages the Common Vulnerability Scoring System (CVSS)?
A.FBI
B.NSA
C.FIRST.org
D.Google
Correct Answer: FIRST.org
Explanation:
The Forum of Incident Response and Security Teams (FIRST) maintains the CVSS, a free and open industry standard for assessing the severity of computer system security vulnerabilities.
Incorrect! Try again.
26If a client requests a penetration test but forbids the use of automated scanners to prevent noise, this constraint is part of:
A.The invoice
B.The CVSS score
C.The Post-Mortem
D.The Rules of Engagement (RoE)
Correct Answer: The Rules of Engagement (RoE)
Explanation:
Restrictions on tools and techniques are explicitly defined in the Rules of Engagement.
Incorrect! Try again.
27Which of the following is an example of Open Source Intelligence (OSINT)?
A.Scanning the target's firewall ports
B.Looking up employee email addresses on LinkedIn
C.Intercepting internal phone calls
D.Cracking the Wi-Fi password
Correct Answer: Looking up employee email addresses on LinkedIn
Explanation:
OSINT involves gathering data from publicly available sources (like social media, WHOIS records, search engines) without engaging the target systems.
Incorrect! Try again.
28What is the difference between Production and Staging environments in the context of scoping?
A.Staging is more secure than Production
B.Production is for developers; Staging is for customers
C.There is no difference
D.Production is live data; Staging is a replica for testing
Correct Answer: Production is live data; Staging is a replica for testing
Explanation:
Clients often prefer testing on a Staging (test) environment to avoid crashing the live (Production) system, though Staging may not perfectly mirror Production security controls.
Incorrect! Try again.
29Which legal concept requires the pentester to keep client findings secret?
A.Chain of Custody
B.Statement of Work (SOW)
C.Indemnification Clause
D.Non-Disclosure Agreement (NDA)
Correct Answer: Non-Disclosure Agreement (NDA)
Explanation:
An NDA is a legal contract that outlines confidential material, knowledge, or information that the parties wish to share with one another but restrict access to third parties.
Incorrect! Try again.
30In the OWASP Top 10, what does OWASP stand for?
A.Organization for Web Authentication and Security Pentesters
B.Official Wireless Access Security Protocol
C.Online Wide Assessment of Security Procedures
D.Open Web Application Security Project
Correct Answer: Open Web Application Security Project
Explanation:
OWASP is a nonprofit foundation that works to improve the security of software, famous for its Top 10 list of web application vulnerabilities.
Incorrect! Try again.
31What is the primary goal of Physical Penetration Testing?
A.To test the firewall throughput
B.To check if the air conditioning is working
C.To ensure the website loads fast
D.To access the facility, server room, or workstations physically to compromise security
Correct Answer: To access the facility, server room, or workstations physically to compromise security
Explanation:
Physical pentesting evaluates physical security controls like locks, cameras, guards, and badges.
Incorrect! Try again.
32Which term describes a limitation where the tester cannot perform Denial of Service (DoS) attacks?
A.Scope Creep
B.Compliance Failure
C.Rules of Engagement Constraint
D.White Box Requirement
Correct Answer: Rules of Engagement Constraint
Explanation:
Prohibiting DoS attacks is a standard constraint in the Rules of Engagement to ensure business continuity.
Incorrect! Try again.
33During the planning phase, defining Communication Paths ensures:
A.The client knows who to contact if the test causes a critical outage
B.The media is informed of the test
C.The tester can ask the client for passwords
D.The tester can blog about the findings
Correct Answer: The client knows who to contact if the test causes a critical outage
Explanation:
Establishing emergency contacts and escalation paths is vital so issues can be resolved immediately if testing disrupts operations.
Incorrect! Try again.
34What is Scope Creep?
A.A method of physical entry
B.The gradual expansion of the project's goals or boundaries beyond the original agreement
C.The process of analyzing results
D.A type of slow network scan
Correct Answer: The gradual expansion of the project's goals or boundaries beyond the original agreement
Explanation:
Scope creep occurs when unauthorized or unplanned changes to the testing scope are added without adjusting the timeline, budget, or authorization.
Incorrect! Try again.
35Which testing methodology focuses heavily on the business logic and data flow?
A.Physical Testing
B.Wireless Testing
C.Application Logic Testing
D.Network Layer Testing
Correct Answer: Application Logic Testing
Explanation:
Application testing focuses on how the application handles data and logic, looking for flaws like business logic errors, rather than just infrastructure faults.
Incorrect! Try again.
36ISO/IEC 27001 is a standard for:
A.Medical Record Storage
B.Wireless Encryption
C.Payment Card Processing
D.Information Security Management Systems (ISMS)
Correct Answer: Information Security Management Systems (ISMS)
Explanation:
ISO 27001 is the international standard that sets out the specification for an information security management system (ISMS).
Incorrect! Try again.
37In a Double-Blind test:
A.Both the tester and the client know everything
B.The tester knows nothing, and the client's security team is unaware of the test
C.The test is done twice
D.Two testers work simultaneously
Correct Answer: The tester knows nothing, and the client's security team is unaware of the test
Explanation:
Double-blind tests simulate a real attack most accurately because the defenders (Blue Team) are not warned, testing their genuine reaction time and procedures.
Incorrect! Try again.
38What is the Statement of Work (SOW)?
A.A list of vulnerabilities found
B.A formal document defining the timeline, deliverables, and payment for the project
C.A manual for the testing software
D.A code snippet used for exploitation
Correct Answer: A formal document defining the timeline, deliverables, and payment for the project
Explanation:
The SOW acts as the contract outlining the specific work to be performed, timelines, and business arrangements.
Incorrect! Try again.
39If a pentester discovers evidence of a previous, ongoing criminal compromise during a test, what should they do?
A.Hack the criminal back
B.Include it in the final report next month
C.Stop the test immediately and notify the client's point of contact
D.Delete the evidence to clean the system
Correct Answer: Stop the test immediately and notify the client's point of contact
Explanation:
Finding an actual breach requires immediate cessation of testing to preserve the chain of custody and allow the client to initiate Incident Response.
Incorrect! Try again.
40Which of the following is an example of Active Reconnaissance?
A.Browsing the company website
B.Port scanning using Nmap
C.Searching WHOIS records
D.Reading employee blogs
Correct Answer: Port scanning using Nmap
Explanation:
Active reconnaissance involves sending data packets to the target system (scanning) which interacts with the target's infrastructure and can be detected.
Incorrect! Try again.
41What does FEDRAMP standardize?
A.Security assessment and authorization for cloud products used by US federal agencies
B.European data privacy
C.Password complexity rules
D.Credit Card processing fees
Correct Answer: Security assessment and authorization for cloud products used by US federal agencies
Explanation:
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment for cloud service offerings used by the US government.
Incorrect! Try again.
42Which scanning type identifies open ports and services?
A.Port Scanning
B.Social Engineering
C.Phishing
D.Vulnerability Scanning
Correct Answer: Port Scanning
Explanation:
Port scanning (enumeration) identifies which ports are open and what services are listening on them.
Incorrect! Try again.
43In the context of the Cyber Kill Chain, which phase corresponds to the actual execution of malicious code on the target?
A.Actions on Objectives
B.Reconnaissance
C.Weaponization
D.Exploitation
Correct Answer: Exploitation
Explanation:
The Exploitation phase involves triggering the weaponized code against a vulnerability to gain access.
Incorrect! Try again.
44Why is Shodan a relevant tool in the planning phase?
A.It generates reports
B.It cracks passwords
C.It is a virus scanner
D.It is a search engine for Internet-connected devices
Correct Answer: It is a search engine for Internet-connected devices
Explanation:
Shodan allows testers to find devices (servers, cameras, IoT) belonging to the organization that are exposed to the internet, aiding in reconnaissance.
Incorrect! Try again.
45What is Lateral Movement?
A.Moving physically from one office to another
B.Moving deeper into a network from a compromised host to access other resources
C.Escalating privileges on a single machine
D.Exfiltrating data out of the network
Correct Answer: Moving deeper into a network from a compromised host to access other resources
Explanation:
Lateral movement is the technique of using a compromised system to attack other systems within the same network.
Incorrect! Try again.
46A Targeted Testing approach generally means:
A.Testing without any authorization
B.Random testing of all systems
C.The IT team and the pentester work together to test a specific system
D.Testing only on weekends
Correct Answer: The IT team and the pentester work together to test a specific system
Explanation:
Targeted testing (often also called 'lights-on' approach) keeps the IT team informed so they can monitor the specific attack vectors being tested.
Incorrect! Try again.
47Which of the following represents a Technical constraint in scoping?
A.Legal restrictions
B.Bandwidth limitations or unstable network connections
C.Budget limitations
D.Holiday schedules
Correct Answer: Bandwidth limitations or unstable network connections
Explanation:
Technical constraints relate to the hardware/software environment, such as limited bandwidth preventing high-speed scanning.
Incorrect! Try again.
48What is the primary focus of GDPR compliance testing?
A.Protecting US Government Data
B.Ensuring credit card transactions are fast
C.Protecting the privacy and personal data of EU citizens
D.Securing medical devices
Correct Answer: Protecting the privacy and personal data of EU citizens
Explanation:
The General Data Protection Regulation (GDPR) focuses on data protection and privacy for individuals within the European Union.
Incorrect! Try again.
49When is the Chain of Custody relevant in penetration testing?
A.When writing the invoice
B.When handling physical evidence or forensic data found during a test
C.When scheduling the test
D.When ordering lunch
Correct Answer: When handling physical evidence or forensic data found during a test
Explanation:
Chain of Custody documents who held, handled, or transferred evidence to ensure it remains admissible in legal proceedings if a crime is discovered.
Incorrect! Try again.
50Mathematically, in the CVSS v3.1 equations, the Base Score is a function of:
A.
B.
C.
D.
Correct Answer:
Explanation:
The CVSS Base Score is derived from metrics representing the Exploitability (how easy it is to hack) and the Impact (consequences to CIA).