CompTIA Pentest+ (Answered) 2023/2024
Methodology
__ is a system of methods used in a particular area of study or activity.
Pentest Methodology
__:
1. Planning & Scoping
2. Info Gathering & Vulnerability ID
3. Attacks & Exploits
4. Reporting & Communication
NIST SP 800-115 Methodology
__:
1. Planning
2. Discovery
3. Attack
4. Reporting
Planning a Penetration Test
__, Questions to ask:
▪ Why Is Planning Important?
▪ Who is the Target Audience?
▪ Budgeting
▪ Resources and Requirements
▪ Communication Paths
▪ What is the End State?
▪ Technical Constraints
▪ Disclaimers
Planning a Penetration Test - Budgeting
__:
▪ Controls many factors in a test
▪ If you have a large budget, you can perform a more in-depth test
  ● Increased timeline for testing
  ● Increased scope
  ● Increased resources (people, tech, etc.)
Planning a Penetration Test - Resources and Requirements
__:
▪ What resources will the assessment require?
▪ What requirements will be met in the testing?
  ● Confidentiality of findings
  ● Known vs. unknown vulnerabilities
  ● Compliance-based assessment
Planning a Penetration Test - Communication Paths
__:
▪ Who do we communicate with about the test?
▪ What info will be communicated and when?
▪ Who is a trusted agent if testing goes wrong?
Planning a Penetration Test - What is the End State?
__:
▪ What kind of report will be provided after test?
▪ Will you provide an estimate of how long remediations would take?
Planning a Penetration Test - Technical Constraints
__:
▪ What constraints limited your ability to test?
▪ Provide the status in your report
  ● Tested
  ● Not Tested
  ● Can't Be Tested
Planning a Penetration Test - Disclaimers
__:
▪ Point-in-Time Assessment
  ● Results were accurate when the pentest occurred
▪ Comprehensiveness
  ● How complete was the test?
  ● Did you test the entire organization or only specific objectives?
Rules of Engagement (RoE)
__ are detailed guidelines and constraints regarding the execution of information
security testing.
The __ is established before the start of a security test, and gives the test team
authority to conduct defined activities without the need for additional permissions.
Rules of Engagement (RoE) Overview
__:
▪ Timeline
▪ Locations
▪ Time restrictions
▪ Transparency
▪ Test boundaries
RoE: Timeline
__:
▪ How long will the test be conducted?
  ● A week, a month, a year
▪ What tasks will be performed and how long will each be planned for?
RoE: Locations
__:
▪ Where will the testers be located?
  ● On-site or remote location
▪ Does organization have numerous locations?
▪ Does it cross international borders?
RoE: Time Restrictions
__:
▪ Are there certain times that aren't authorized?
▪ What about days of the week?
▪ What about holidays?
RoE: Transparency
__:
▪ Who will know about the pentest?
▪ Will the organization provide resources to the testers (white box test)?
RoE: Boundaries
__:
▪ What will be tested?
▪ Is social engineering allowed to be used?
▪ What about physical security testing?
▪ How invasive can the pentest be?
Legal Concepts (1)
__ are the laws and regulations regarding cyber-crime; they vary from country to country, so check
the local laws before conducting an assessment.
Legal Concepts (2)
__ refers to consulting your attorney before performing any penetration testing work to
ensure you are within the legal bounds of the laws of the countries where you are operating.
Crimes and Criminal Procedure
__:
▪ Hacking is covered under United States Code, Title 18, Chapter 47,
Sections 1029 and 1030
§ 1029 Fraud & related activity w/ access devices
__:
▪ Prosecute those who knowingly and with intent to defraud produce, use, or traffic in
one or more counterfeit access devices.
▪ Access devices can be an application or hardware that is created specifically to
generate any type of access credentials
§ 1030 Fraud and related activity with computers
__:
▪ Covers just about any computer or device connected to a network
▪ Mandates penalties for anyone who accesses a computer in an unauthorized manner
or exceeds one's access rights
▪ Can be used to prosecute employees using capability and accesses provided by their
company to conduct fraudulent activity
Obtain Written Authorization
__:
▪ White hat hackers always get permission
▪ This is your get out of jail free card...
▪ Penetration tests can expose confidential information so permission must be granted
▪ Third-party authorization when necessary
  ● Ex: from a Cloud service provider
Third-Party Authorization
__:
▪ If servers and services are hosted in the cloud, you must request permission from the
provider prior to conducting a penetration test
  ● Ex: from a Cloud service provider
Pentest Contracts
__:
▪ Statement of Work (SOW)
▪ Master Service Agreement (MSA)
▪ Non-Disclosure Agreement (NDA)
Statement of Work (SOW)
__ is a formal document stating scope of what will be performed during a penetration
test.
▪ Clearly states what tasks are to be accomplished during an engagement
Master Service Agreement (MSA)
__ is a contract where parties agree to most of the terms that will
govern future actions.
▪ High level contract between a service provider and a client that specifies details of the
business arrangement
Non-Disclosure Agreement (NDA)
__ is a legal contract outlining confidential material or information that will be shared
during the assessment and what restrictions are placed on it.