infrastructure's defenses by identifying and exploiting any known vulnerabilities. List the four main steps of the
CompTIA Pen Testing process.
Planning and scoping
Information gathering and vulnerability scanning
Attacks and exploits
Reporting and communication
Threat actors follow the same main process of hacking as a professional PenTester: Reconnaissance, Scanning,
Gain Access, Maintain Access, and Cover Tracks. What steps are added during a structured PenTest?
1) Planning and scoping along with 3) Analysis and reporting.
Part of completing a PenTesting exercise is following the imposed guidelines of various controls, laws, and
regulations. Summarize Key takeaways of PCI DSS.
Payment Card Industry Data Security Standard (PCI DSS) specifies the controls that must be in place to
securely handle credit card data. Controls include methods to minimize vulnerabilities, employ strong access
control, along with consistently testing and monitoring the infrastructure.
With PCI DSS a merchant is ranked according to the number of transactions completed in a year. Describe a
Level 1 merchant.
A Level 1 merchant is a large merchant with over six million transactions a year.
With PCI DSS, a Level 1 merchant must have an external auditor perform the assessment by an approved _____.
Qualified Security Assessor (QSA).
Another regulation that affects data privacy is GDPR, which outlines specific requirements on how consumer
data is protected. List two to three components of GDPR.
Require consent means a company must obtain your permission to share your information.
Rescind consent allows a consumer to opt out at any time.
Global reach—GDPR affects anyone who does business with residents of the EU and Britain.
Restrict data collection to only what is needed to interact with the site.
Violation reporting—a company must report a data breach within 72 hours.
What should a company with over 250 employees do to be compliant with the GDPR?
Under GDPR, any company with over 250 employees will need to audit their systems and take rigorous steps
to protect any data that is processed within their systems, either locally managed or in the cloud.
Describe some of the resources available at NIST.
NIST has many resources for the cybersecurity professional that include the Special Publication 800 series,
that deals with cyber security policies, procedures, and guidelines.
Discuss the significance of NIST SP 800-115.
NIST SP 800-115 is the "Technical Guide to Information Security Testing and Assessment" and contains a great
deal of relevant information about PenTesting planning, techniques, and related activities.
Explain how the MITRE ATT&CK Framework provides tools and techniques specific to PenTesting.
Once in the MITRE ATT&CK framework, you will see many columns in the matrix that describe various tasks
that are completed during the PenTest.
Compare and contrast CVE and CWE.
The CWE is a dictionary of software-related vulnerabilities maintained by the MITRE Corporation that includes
a detailed list of weaknesses in hardware and software. CVE refers to specific vulnerabilities of particular
products.
A couple of your colleagues thought it might be a good idea to share some guidance on how the team should
conduct themselves during the PenTesting process. What topics should be covered so that all members
exhibit professional behavior before, during, and after the PenTest?
The team will need to clearly understand that they are to maintain confidentiality before, during, and after a
PenTest exercise. Once the testing begins, the team will want to proceed with care and notify the team lead if
they have observed any illegal behavior.
The team is involved with planning a PenTest exercise for 515support.com. Management is concerned that the
loading dock is vulnerable to a social engineering attack, whereby someone can gain access to the building
by asking someone who is on a smoking break. Prior to conducting the tests, what should the team do to
prepare for the test?
Who will notify security personnel that the team is using a social engineering exercise to gain access into the
building?
How many individuals should be testing to see if this type of exploit is possible?
Can you provide a nonworking key card to make the ploy more believable?