CREST CPSA PRACTICE EXAM
Q&A TESTED AND APPROVED!!!
Benefits of External Infrastructure Testing -- ANSWER--- Identifies flaws
within the firewall configuration that could be misused.
- Finds how information could be leaked out from the system
- Suggests how these issues could be fixed
- Prepares a comprehensive report highlighting the security risk of the
networks and suggests solutions
- Ensures overall efficiency and productivity of your business
Advantages of Black Box Testing -- ANSWER--- Test is generally conducted
with the perspective of a user, not the designer
- Verifies contradictions in the actual system and the specifications
Disadvantages of Black Box Penetration Testing -- ANSWER--- Particularly,
these kinds of test cases are difficult to design
- Possibly, it is not worth, in case designer has already conducted a test
case - It does not conduct everything
White Box Penetration Testing -- ANSWER--A tester is provided a whole range
of information about the systems and/or network such as schema, source code,
os details, ip address, etc.
Page 1 of 126
,Advantages of White Box Penetration Testing -- ANSWER--- It ensures that all
independent paths of a module have been exercised
- It ensures that all logical decisions have been verified along with their
true and false value.
- It discovers the typographical errors and does syntax checking
- It finds the design errors that may have occurred because of the difference
between logical flow of the program and the actual execution.
Computer Misuse Act 1990 Highlights -- ANSWER--Section 1: Unauthorized
access to computer material
Section 2: Unauthorized access with intent to commit or facilitate commission
of further offenses
Section 3: Unauthorized acts with intent to impair, or with recklessness as to
impairing the operation of a computer
Human Rights Act 1998 Highlights -- ANSWER--- The right to life
- The right to respect for private and family life
- The right to freedom of religion and belief
- Your right not to be mistreated or wrongly punished by the state
Consent Information for Penetration Test -- ANSWER--- Name & Position of
the individual who is providing consent
Page 2 of 126
,- Authorized testing period - both the date range and hours that testing is
permitted
- Contact information for members of technical staff, who may provide
assistance during the test
- IP addresses or URL that are in scope of testing
- Exclusions to certain hosts, services or areas within application testing
- Credentials that may be required as part of authenticated application
testing
Data Protection Act 1998 Highlights -- ANSWER--- Personal data must be
processed fairly and lawfully
- be obtained only for lawful purposes and not processed in any manner
incompatible with those purposes
- be adequate, relevant and not excessive
- be accurate and current
- not be retained for longer than necessary
- be processed in accordance with the rights and freedoms of data subjects
- Be protected against unauthorized or unlawful processing and against
accidental loss, destruction or damage
Police and Justice Act 2006 Highlights -- ANSWER--- Make amendments to
the computer misuse act 1990
- increased penalties of computer misuse act (makes unauthorized
computer access serious enough to fall under extradition)
Page 3 of 126
, - Made it illegal to perform DOS attacks
- Made it illegal to supply and own hacking tools.
- Be careful about how you release information about exploits.
Another Structure of a Penetration Test -- ANSWER--Reconnaissance
Vulnerability Scanning
Investigation
Exploitation
Structure of a Penetration Test -- ANSWER--Planning and Preparation
Reconnaissance
Discovery
Analyzing information and risks
Active intrusion attempts
Final analysis Report
Preparation
Benefits of a Penetration Test -- ANSWER--- Enhancement of the management
system - Avoid fines
- Protection from financial damage
- Customer protection
Page 4 of 126
Q&A TESTED AND APPROVED!!!
Benefits of External Infrastructure Testing -- ANSWER--- Identifies flaws
within the firewall configuration that could be misused.
- Finds how information could be leaked out from the system
- Suggests how these issues could be fixed
- Prepares a comprehensive report highlighting the security risk of the
networks and suggests solutions
- Ensures overall efficiency and productivity of your business
Advantages of Black Box Testing -- ANSWER--- Test is generally conducted
with the perspective of a user, not the designer
- Verifies contradictions in the actual system and the specifications
Disadvantages of Black Box Penetration Testing -- ANSWER--- Particularly,
these kinds of test cases are difficult to design
- Possibly, it is not worth, in case designer has already conducted a test
case - It does not conduct everything
White Box Penetration Testing -- ANSWER--A tester is provided a whole range
of information about the systems and/or network such as schema, source code,
os details, ip address, etc.
Page 1 of 126
,Advantages of White Box Penetration Testing -- ANSWER--- It ensures that all
independent paths of a module have been exercised
- It ensures that all logical decisions have been verified along with their
true and false value.
- It discovers the typographical errors and does syntax checking
- It finds the design errors that may have occurred because of the difference
between logical flow of the program and the actual execution.
Computer Misuse Act 1990 Highlights -- ANSWER--Section 1: Unauthorized
access to computer material
Section 2: Unauthorized access with intent to commit or facilitate commission
of further offenses
Section 3: Unauthorized acts with intent to impair, or with recklessness as to
impairing the operation of a computer
Human Rights Act 1998 Highlights -- ANSWER--- The right to life
- The right to respect for private and family life
- The right to freedom of religion and belief
- Your right not to be mistreated or wrongly punished by the state
Consent Information for Penetration Test -- ANSWER--- Name & Position of
the individual who is providing consent
Page 2 of 126
,- Authorized testing period - both the date range and hours that testing is
permitted
- Contact information for members of technical staff, who may provide
assistance during the test
- IP addresses or URL that are in scope of testing
- Exclusions to certain hosts, services or areas within application testing
- Credentials that may be required as part of authenticated application
testing
Data Protection Act 1998 Highlights -- ANSWER--- Personal data must be
processed fairly and lawfully
- be obtained only for lawful purposes and not processed in any manner
incompatible with those purposes
- be adequate, relevant and not excessive
- be accurate and current
- not be retained for longer than necessary
- be processed in accordance with the rights and freedoms of data subjects
- Be protected against unauthorized or unlawful processing and against
accidental loss, destruction or damage
Police and Justice Act 2006 Highlights -- ANSWER--- Make amendments to
the computer misuse act 1990
- increased penalties of computer misuse act (makes unauthorized
computer access serious enough to fall under extradition)
Page 3 of 126
, - Made it illegal to perform DOS attacks
- Made it illegal to supply and own hacking tools.
- Be careful about how you release information about exploits.
Another Structure of a Penetration Test -- ANSWER--Reconnaissance
Vulnerability Scanning
Investigation
Exploitation
Structure of a Penetration Test -- ANSWER--Planning and Preparation
Reconnaissance
Discovery
Analyzing information and risks
Active intrusion attempts
Final analysis Report
Preparation
Benefits of a Penetration Test -- ANSWER--- Enhancement of the management
system - Avoid fines
- Protection from financial damage
- Customer protection
Page 4 of 126
