WGU D153 - CompTIA PT0-002 Penetration Testing and Vulnerability Analysis with Questions and Answers | Latest Update 2025 | Verified Answers

Course: D332 - Penetration and Vulnerability Analysis
Seller: Examsplug
Published: October 3, 2024 (72 pages; preview shows 4 of them)
Document type: Exam (elaborations), Questions & answers

A security professional is researching the latest vulnerabilities that have been released. Where is a good resource they can go to in order to look at these?

CVSS
CVE
NVD
ISSAF

Answer: NVD (National Vulnerability Database)

To learn more about a vulnerability, you can often click on its CVE name, which hyperlinks to the record in the National Vulnerability Database (NVD). Once there, you can read more details.

As vulnerabilities are identified, they are first rated for severity using the Common Vulnerability Scoring System (CVSS). The score is derived from a set of metrics, which helps in prioritizing vulnerabilities.

The information from the CVSS is fed into the Common Vulnerabilities and Exposures (CVE). The CVE is a listing of all publicly disclosed vulnerabilities.

The ISSAF contains a list of 14 documents that relate to PenTesting, such as guidelines on business continuity and disaster recovery along with legal and regulatory compliance.

A new penetration tester is creating a summary of their first upcoming test and wants to follow the standard process. What step takes place after planning?

Scanning
Recon
Gaining access
Analysis

Answer: Recon

Reconnaissance is next and focuses on gathering as much information about the target as possible. This process includes searching for information on the Internet and on websites, and using open-source intelligence (OSINT) tools.

Scanning is a critical phase, as it provides more information about available network resources. Scanning identifies live hosts, listening ports, and running services.

Gaining access occurs after the team has gathered information on the network. In this phase, the team will attempt to gain access to the system to see how deep into the network they can travel.

Analysis occurs after the team has completed the exercise. The team goes through the results of all activities, analyzes the findings, and derives a summary of the risk rating.

A penetration tester has been contracted to do a test for a hospital and is looking at computerized electronic patient records. What are these referred to as?

HIPAA
e-PHI
CCPA
GDPR

Answer: e-PHI

Computerized electronic patient records are referred to as electronic protected health information (e-PHI). Under HIPAA, the e-PHI of any patient must be protected from exposure, or the organization can face a hefty fine.

The Health Insurance Portability and Accountability Act (HIPAA) is a law that mandates rigorous requirements for anyone who deals with patient information.

The California Consumer Privacy Act (CCPA) was enacted in 2020 and outlines specific guidelines on how to appropriately handle consumer data.

In 2018 the EU enacted the General Data Protection Regulation (GDPR), which outlines specific requirements on how consumer data is protected.

A project manager is reviewing the scope of a penetration test. Which of the following is least likely to be included?

Location
Target exclusions
Framework
Tools

Answer: Framework

The penetration testing framework is not likely to be included in scoping discussions. However, choosing one can still be beneficial outside the scoping process.

The details of the PenTest may also include other restrictions, such as possible technical or location constraints. For example, there may be a legacy system that has had several issues with automated scanning.

The legal documents will define which locations, systems, applications, or other potential targets are to be included or excluded.

In some cases, the use of tools is defined by a governing body that outlines specifically what the team is to use when conducting the test.

A project manager is preparing documentation that covers recurring costs and any unforeseen additional charges that may occur during a project, without the need for an additional contract. Which of the following should they prepare?

SOW
MSA
SLA
NVD

Answer: The Master Service Agreement (MSA)

The Master Service Agreement (MSA) is a contract that establishes guidelines for any business documents executed between two parties. It can be used to cover recurring costs and any unforeseen additional charges.

The Statement of Work (SOW) is a document that defines the expectations for a specific business arrangement. It typically includes a list of deliverables, the responsibilities of both parties, and other terms.

A service-level agreement (SLA) is a contract that outlines the detailed terms under which a service is provided, including the reasons the contract may be terminated.