2. Plan & Scope a PenTest

Ref:📕CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

Press the Start button to begin the practice test.

PenTest+ (PT0-002) Chapter 02. Planning and Scoping a Penetration Testing Assessment

1 / 64

What is the goal of implementing Data isolation (also known as network segmentation) in an organization?

A. To avoid unauthorized access.

B. To comply with PCI DSS and other regulations.

C. To protect the cryptographic keys.

D. To ensure secure generation, storage, distribution, use, and destruction of keys.

2 / 64

According to the PCI DSS, which of the following conditions triggers PCI DSS requirements?

A. If the PAN is stored, processed, or transmitted.

B. If the expiration date is stored, processed, or transmitted regardless of the PAN.

C. If cardholder name is stored, processed, or transmitted regardless of the PAN.

D. If service code is stored, processed, or transmitted regardless of the PAN.

3 / 64

What is the role of API documentation in a penetration testing engagement?

A. It provides a definition of legal and regulatory guidelines.

B. It serves as a reference to understand the APIs that are part of the test.

C. It outlines the project management plan and scheduling.

D. It details the financial budgeting or compensation related to the engagement.

4 / 64

Which of the following is NOT accurate regarding PCI DSS and its applicability to PAN?

A. PCI DSS requirements apply if the PAN is stored, processed, or transmitted.

B. PCI DSS requirements apply to all organizations that store, process, or transmit cardholder data and/or sensitive authentication data.

C. If cardholder name and expiration date are stored with the PAN, they must also be protected per PCI DSS.

D. If the PAN is not stored, processed, or transmitted, the account data is not bound by PCI DSS regulations.

5 / 64

Which of the following is NOT a requirement under PCI DSS in relation to stored, processed, or transmitted account data?

A. If the PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply

B. Sensitive authentication data may never be stored post-authorization, even if encrypted

C. Service code and expiration date must be protected only if stored, processed, or transmitted with the PAN or otherwise present in the cardholder data environment

D. The PAN must be stored in a readable format

6 / 64

What is the primary difference between unknown-environment testing and known-environment testing in a penetration testing assessment?

A. The type of software used for the testing

B. The amount and type of information provided to the tester

C. The type of network vulnerabilities that are being tested

D. The type of defenses in place on the system being tested

7 / 64

What is an essential piece of information to document when conducting a penetration testing assessment, specifically with respect to the scope of the assessment?

A. Only the IP address ranges of devices

B. The criteria for a successful penetration test

C. Exclusive use of Burp Suite and OWASP Zed Attack Proxy

D. Information about the types of networks and systems to be tested, application requirements, staff qualifications, and any restrictions or limitations

8 / 64

What is a Bilateral NDA in the context of penetration testing?

A. Only one party discloses confidential information.

B. Both parties share sensitive information with each other.

C. It involves three or more parties, with at least one of the parties disclosing sensitive information.

D. This is a contract to quickly negotiate the work to be performed.

9 / 64

What is an ’allow list’ in the context of planning and scoping a penetration testing assessment?

A. A list of tools that are permitted for use during the penetration testing

B. A list of previous vulnerabilities found in the network

C. A list of applications, systems, or networks that should be tested

D. A list of potential risks associated with the penetration testing

10 / 64

Which of the following statements best describes the term ’allow list’ in the context of a penetration testing engagement?

A. A list of tools and attacks that are allowed to be used

B. A list of applications, systems or networks that are in scope and should be tested

C. A list of potential vulnerabilities that should be explored

D. A list of team members who are allowed to access certain systems

11 / 64

Which one of the following is not a regulatory compliance consideration for penetration testing?

A. Federal Risk and Authorization Management Program (FedRAMP)

B. Payment Card Industry Data Security Standard (PCI DSS)

C. Health Insurance Portability and Accountability Act of 1996 (HIPAA)

D. Global Data Synchronization Network (GDSN)

12 / 64

What is an ’allow list’ in the context of a penetration testing scope?

A. A list of applications, systems, or networks that should not be tested

B. A list of tools that are allowed to be used during the engagement

C. A list of applications, systems, or networks that should be tested

D. A list of potential vulnerabilities that are allowed to be exploited

13 / 64

What is the primary difference between unknown-environment and known-environment penetration testing strategies?

A. The kind of tools used for testing

B. The perspective from which the testing is performed and the amount of information provided to the tester

C. Whether or not the target network support personnel is informed about the test

D. The number of user credentials provided to the tester

14 / 64

What is scope creep in the context of penetration testing?

A. It refers to the acquisition of additional, advanced software tools during the penetration test

B. It refers to the intentional expansion of the scope to uncover more vulnerabilities

C. It refers to the unintentional and uncontrolled growth of the project’s scope

D. It refers to the need to hire additional team members to complete the test

15 / 64

What are some examples of support resources that might be obtained from the organization for a penetration test?

A. GraphQL Documentation and API documentation

B. Source code access and examples of application requests

C. SDK for specific applications and system and network architectural diagrams

D. All of the above

16 / 64

In planning and scoping a penetration testing assessment, what is the meaning of an ’allow list’?

A. A list of tools that are permitted to be used during the test

B. A list of applications, systems, or networks that are in scope and should be tested

C. A list of potential vulnerabilities to be checked during the test

D. A list of personnel allowed to conduct the test

17 / 64

Which of the following is NOT a key concept to address and understand in the planning and preparation phase of a penetration testing engagement?

A. The target audience

B. The rules of engagement

C. Available WiFi networks

D. The overall budget for the engagement

18 / 64

What are some of the key items that should be included in your scope and related documentation for penetration testing?

A. Assets and devices that the penetration tester is allowed to test

B. Information about external or internal target identification

C. All details about first-party and third-party hosted applications

D. All of the above

19 / 64

Why is it important to include disclaimers in your penetration testing documentation?

A. Disclaimers can give the client permission to ignore the vulnerabilities found.

B. Disclaimers can ensure you don’t need to take responsibility for the vulnerabilities found.

C. Disclaimers clarify that the testing was based on the status of the systems at a specific time and that future changes and vulnerabilities cannot be predicted.

D. Disclaimers ensure that the client is responsible for any damage caused by the testing.

20 / 64

What is the importance of adhering to the specific scope of a penetration testing engagement?

A. It defines the correct tools to be used.

B. It provides a list of applications, systems or networks to be tested and those which are not in scope.

C. It helps in identifying the places for carrying out the penetration testing.

D. It assists in conducting background checks of the testing team.

21 / 64

What is the purpose of an SDK in the planning and scoping of a penetration test?

A. To aid the penetration tester in understanding a software framework

B. To provide a way to exploit vulnerable systems

C. To act as a mapping tool for the network

D. To encrypt sensitive data during testing

22 / 64

Which of the following defines whether PCI DSS requirements apply in a cardholder data environment?

A. If the cardholder name is stored, processed, or transmitted.

B. If the PAN (Primary Account Number) is stored, processed, or transmitted.

C. If the expiration date is stored, processed, or transmitted.

D. If the cardholder’s location is stored, processed, or transmitted.

23 / 64

What is considered as one of the potential sources of scope creep in a penetration testing engagement?

A. There is effective communication among stakeholders

B. There is strong change management in the engagement

C. There is clear identification of technical and nontechnical elements required for the test

D. There is poor communication among stakeholders, including your client and your team

24 / 64

Why is proper scoping important in a penetration testing engagement?

A. To define the systems, applications, and networks that will be tested

B. To identify the qualifications and skill sets needed for the test

C. To manage and prevent scope creep

D. All of the above

25 / 64

What aspects should you consider about your target audience when planning a penetration testing engagement?

A. The need for the report

B. The individual or business unit’s authority

C. The purpose of the report

D. All of the above

26 / 64

What elements are typically included in a rules of engagement document for a penetration testing engagement?

A. Recipe for a homemade dinner

B. Newspaper subscription preference

C. Testing timeline, location, and methods of testing

D. Valet parking instructions

27 / 64

What is the main aim of the Payment Card Industry Data Security Standard (PCI DSS) regulation in the context of penetration testing?

A. It ensures the transition from paper records and transactions to electronic records and transactions

B. It verifies the use of cloud service offerings

C. It secures the processing of credit card payments and other types of digital payments

D. It controls the export of personal data outside the EU

28 / 64

What is one of the support resources a pen tester might obtain to accelerate the testing of a specific API?

A. Website traffic data

B. SOAP project files

C. Publicly available social media accounts

D. Organizational charts of the client

29 / 64

Which of the following statements is false regarding PCI DSS requirements in relation to the account data and its storage?

A. PCI DSS requirements apply only if the Primary Account Number (PAN) is stored, processed, or transmitted.

B. If expiration date is stored with the PAN, they too must be protected.

C. Sensitive authentication data can be stored post-authorization if it is encrypted.

D. According to the standards, the PAN must be stored in an unreadable (encrypted) format.

30 / 64

What does the Payment Card Industry Data Security Standard (PCI DSS) apply to?

A. Only to organizations that directly affect the security of cardholder data

B. Only to the systems and processes that handle sensitive authentication data

C. To all system components where account data is stored, processed, or transmitted

D. Only to third parties that manage cardholder data

31 / 64

Which of the following is not mentioned in Chapter 1 as a standard or methodology for penetration testing?

A. Penetration Testing Execution Standard (PTES)

B. Open Source Security Testing Methodology Manual (OSSTMM)

C. Information Systems Security Assessment Framework (ISSAF)

D. Secure Software Development Life Cycle (SSDLC)

32 / 64

Which of the following best describes a Master service agreement (MSA) in the context of a penetration test?

A. It is an agreement where both the tester and the organization share sensitive information with each other.

B. It is a contract used to negotiate the work to be performed and is beneficial for recurring penetration tests.

C. It is a legal contract between the tester and the organization that defines confidential material that should not be disclosed.

D. It is an agreement involving three or more parties where at least one of the parties discloses sensitive information.

33 / 64

Which of the following BEST describes a ’Statement of Work (SOW)’ in relation to a penetration testing engagement?

A. It is a document that describes minimum and/or maximum performance measures of the service such as quality, timeline and cost.

B. It is a legal agreement regarding the handling and protection of sensitive data discovered during the testing.

C. It is a document that outlines activities to be performed during the engagement, including timelines, scopes, and technical requirements.

D. It is a policy that dictates the retention of sensitive customer data after the engagement.

34 / 64

What is the primary purpose of a Service-level Agreement (SLA) in the context of a penetration testing assessment?

A. It outlines the exact technical methods the tester will use.

B. It defines what sensitive data the tester will have access to.

C. It provides the payment schedule for the tester.

D. It provides set expectations related to performance measures of the testing service.

35 / 64

What is an ’allow list’ in the context of a penetration testing scope?

A. A list of legal documents required for the penetration test

B. A list of penetration testing teams who can be hired

C. A list of applications, systems, or networks that are in scope and should be tested

D. A list of potential weaknesses in a system to be checked during the test

36 / 64

What is the responsibility of an organization that uses a third party for managing cardholder data according to PCI DSS?

A. They are only responsible for the security of the data they store, process, or transmit themselves.

B. They are responsible for ensuring their third-party provider is PCI DSS compliant.

C. They are exempt from being PCI DSS compliant since they do not handle the data directly.

D. They can transfer all PCI DSS responsibilities to the third-party provider.

37 / 64

Which of the following is true about regulations concerning the financial sector?

A. Only traditional financial institutions need to comply with regulations like GLBA.

B. Regulation compliance such as GLBA and NYCRR is optional for financial institutions.

C. GLBA mandates that financial organizations undergo periodic penetration testing in their infrastructure.

D. The NY DFS Cybersecurity Regulation requires biannual security penetration testing.

38 / 64

What is the responsibility of an organization that leverages a third party to manage cardholder data according to PCI DSS?

A. The organization needs to ensure that they are compliant with PCI DSS.

B. The organization needs to ensure the third party is compliant with PCI DSS.

C. The organization can leave the compliance for the third party to handle.

D. The organization and the third party shares the compliance responsibility.

39 / 64

Which important element of regulations is often overlooked, extends into the realm of configuration management, and encompasses requirements on password length, password complexity, session timeout, and multifactor authentication?

A. Data isolation

B. Password management

C. Key management

D. Network segmentation

40 / 64

What is the role of a PCI forensic investigator (PFI) as defined by the PCI SSC?

A. Conducts external vulnerability scanning services.

B. Initiates and maintains relationships with merchants for the acceptance of payment cards.

C. Investigates and contains information cybersecurity incidents and breaches involving cardholder data.

D. A business entity that is not a payment brand and that is directly involved in the processing, storage, or transmission of cardholder data.

41 / 64

Which entity is responsible for initiating and maintaining relationships with merchants for the acceptance of payment cards according to the PCI DSS?

A. Approved scanning vendor (ASV)

B. Qualified security assessor (QSA)

C. Acquirer

D. Service Provider

42 / 64

What is the purpose of documenting what systems, applications, and networks will be tested during a penetration testing engagement?

A. To increase the complexity of the penetration test

B. To impress the client with thorough documentation

C. To identify any specific requirements and qualifications needed to perform the test

D. To provide unnecessary details about the engagement

43 / 64

What is an ’allow list’ in the context of penetration testing?

A. A list of legal tools penetration testers are allowed to use during the engagement

B. A list of client-approved background checks for the penetration testing team

C. A list of applications, systems, or networks that are in scope and should be tested

D. A list of specific engagement tasks authorized by the client for the penetration tester

44 / 64

Which type of agreement allows for quick negotiation of work to be performed without the need for renegotiating terms every time, especially beneficial for recurring penetration tests?

A. Master service agreement (MSA)

B. Non-disclosure agreement (NDA)

C. Bilateral Non-disclosure agreement

D. Multilateral Non-disclosure agreement

45 / 64

Which of the following documents specifies the activities to be performed during a penetration testing engagement?

A. Service-level agreement (SLA)

B. Confidentiality agreement

C. Statement of work (SOW)

D. Master service agreement (MSA)

46 / 64

Which one of the following statements accurately describes unknown-environment testing in relation to black-box penetration testing?

A. It involves a tester having extensive information about the network infrastructure of the target.

B. It involves only the use of the source code of a target application.

C. It involves limiting information provided to the tester, often including only the domain names and IP addresses in scope.

D. The network support personnel of the target are always informed about the test happening.

47 / 64

What is the role of the Acquirer as defined in the Payment Card Industry Security Standards Council (PCI SSC)?

A. Initiates and maintains relationships with merchants for the acceptance of payment cards

B. Conducts external vulnerability scanning services

C. Trained and certified to carry out PCI DSS compliance assessments

D. Directly involved in the processing, storage, or transmission of cardholder data

48 / 64

Which organization is responsible for developing Payment Card Industry Data Security Standard (PCI DSS)?

A. Payment Card Industry Security Standards Council (PCI SSC)

B. Visa, Mastercard and American Express

C. Approved Scanning Vendors

D. Qualified Security Assessor

49 / 64

What is the purpose of Simple Object Access Protocol (SOAP) project files in the planning and scoping penetration testing assessment?

A. To demonstrate how an external attacker could compromise your systems

B. To have a reference of what a specific API supports

C. To reveal context by using web application testing tools

D. To obtain software development tools to interact and deploy a software

50 / 64

When performing a penetration test, what is the purpose of a Service-level agreement (SLA)?

A. To disclose all passwords and sensitive data

B. To determine the activities to be performed

C. To define expectations or constraints related to performance measures of the service

D. To list and track miscellaneous items that may cause problems

51 / 64

What does the term ’Key Management’ refer to in the context of a penetration testing assessment?

A. Cycle of generating, storing, and destroying cryptographic keys.

B. Implementation standards including password length and complexity.

C. Network isolation strategy for systems involved in payment card processing.

D. Process of changing default system passwords provided by vendors.

52 / 64

During a penetration testing engagement, what terminology refers to the list of applications, systems, or networks that should not be tested because they are not in the scope?

A. Blacklist

B. Deny list

C. Prohibited list

D. Negative list

53 / 64

What are some important considerations when planning and scoping a penetration testing assessment?

A. Local restrictions and laws

B. Knowledge of the latest hacking tools

C. Understanding of the company’s business model

D. Ability to code in multiple programming languages

54 / 64

Which of the following regulations aims to give citizens control of their personal data, particularly within the European Union?

A. PCI DSS

B. HIPAA

C. FedRAMP

D. GDPR

55 / 64

What is the role of an ASV (approved scanning vendor) in the context of the Payment Card Industry Security Standards Council (PCI SSC)?

A. An ASV is a financial institution that initiates and maintains relationships with merchants for the acceptance of payment cards.

B. An ASV is an entity that accepts payment cards bearing the logos of any of the members of PCI SSC as payment for goods and/or services.

C. An ASV is a business entity that is directly involved in the processing, storage, or transmission of cardholder data.

D. An ASV is an organization approved by the PCI SSC to conduct external vulnerability scanning services.

56 / 64

Which of the following types of non-disclosure agreements (NDAs) is best suited when an external organization to your customer is also engaged in the penetration testing engagement?

A. Unilateral NDA

B. Bilateral NDA

C. Multilateral NDA

D. Master service agreement (MSA)

57 / 64

Which type of Non-disclosure agreement (NDA) involves three or more parties, where at least one of the parties is disclosing sensitive information that should not be disclosed to any entity outside the agreement?

A. Unilateral NDA

B. Bilateral NDA

C. Multilateral NDA

D. MSA NDA

58 / 64

Which of the following regulations should a penetration tester be familiar with when hired to perform a compliance-based assessment for an organization processing credit card payments?

A. General Data Protection Regulation (GDPR)

B. Federal Risk and Authorization Management Program (FedRAMP)

C. Health Insurance Portability and Accountability Act of 1996 (HIPAA)

D. Payment Card Industry Data Security Standard (PCI DSS)

59 / 64

Which role is responsible for carrying out PCI DSS compliance assessments?

A. Acquirer

B. Merchant

C. Service provider

D. Qualified security assessor (QSA)

60 / 64

Which of the following acts modified and expanded the scope and requirements of the Healthcare Sector HIPAA Security Rule?

A. The 2013 Affordable Care Act

B. The 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act)

C. The 2006 Health Insurance Portability and Accountability Act (HIPAA)

D. The 2003 Patient Protection and Affordable Care Act

61 / 64

Which of the following is NOT a key concept that must be addressed and understood in the planning and preparation phase of a penetration testing engagement?

A. The target audience

B. The rules of engagement

C. The overall budget for the engagement

D. The penetration tester’s favorite color

62 / 64

What are some of the key elements dictated by regulations that a penetration tester should pay attention to during an assessment for compliance?

A. Data segmentation, password management, and key management

B. Data encryption, firewall settings, and antivirus updates

C. Network upgrades, software patches, and hardware maintenance

D. Operating system type, server configurations, and software versions

63 / 64

Which of the following is NOT considered an essential component of a contract for a pen testing engagement?

A. Specifying the services that will be performed

B. Having the contract reviewed by the customer’s legal department

C. The penetration tester’s personal creative expressions

D. Obtaining written authorization from proper signing authorities

64 / 64

In compliance with PCI DSS, which of the following statements is true regarding the protection of account data in a system component?

A. If PAN is transmitted, PCI DSS requirements do not apply.

B. Sensitive authentication data can be stored post-authorization if encrypted.

C. The PAN must be stored in an unreadable (encrypted) format.

D. If the service code is transmitted without PAN, PCI DSS requirements do not apply.

Your score is

Free CompTIA Pentest+ Anki decks are now available!

Click the download button after filling out the form below
to get your free practice exam Anki deck!

2. Plan & Scope a PenTest

Press the Start button to begin the practice test.

Free CompTIA Pentest+ Anki decks are now available!

Related Posts

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

The Affordable, Hands-On Cyber Security that gets Results!

JOIN OUR

NEWSLETTER