9. Reporting and Communication

Explanation: Mandatory annual audits do not fall into the category of operational controls mentioned in the passage. Operational controls are implemented by people, focus on day-to-day operations, and ensure that management policies are followed during intermediate-level operations. Examples given in the text include job rotation, time-of-day restrictions, mandatory vacations, and user training.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: After a penetration test, it is crucial to ensure that cleanup efforts have been successful and that no residual effects remain on the client’s systems. Therefore, the client or system owner should validate the cleanup efforts to verify that all test-related data and tools have been properly removed. This helps in maintaining the security and integrity of the systems under test.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 194 in PDF)

Explanation: Knowing who your report audience is can help you adjust the complexity of language and technical jargon. You need to present the report in such a way that all technical levels can understand your results and see value in your deliverable. The executive summary should be clear and concise while the technical details will be covered in other sections of the report.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The text emphasizes that clients may require you to report critical findings at the time of discovery, instead of waiting until the final report. This helps to address major vulnerabilities as quickly as possible.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 37 in PDF)

Explanation: Face recognition is a type of biometric control that verifies a person’s identity based on their physical features. It is often used in securing physical premises.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: System hardening is a technical control method that involves applying security best practices, patches, and other configurations to remediate or mitigate the vulnerabilities found in systems and applications. This process includes closing unnecessary open ports and services, removing unnecessary software, and disabling unused ports.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 125 in PDF)

Explanation: While a penetration testing report includes the executive summary, a glossary of terms, and methodology, there is no portion of the report providing detailed instructions on how to repeat the exploit. While the report may provide information necessary to address and mitigate the vulnerability, it does not guide individuals to perform the exploit themselves.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 45 in PDF)

Explanation: Parameterized queries and sanitizing user input can prevent a variety of vulnerabilities such as cross-site scripting, cross-site request forgery, SQL injection, command injection, XML external entities, and other vulnerabilities.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 27-28 in PDF)

Explanation: Dradis can ingest the results from many of the penetration testing tools used and help produce reports in various formats. It has the flexibility of add-ons and also allows users to create their own.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: User traffic monitoring, while potentially useful in a cybersecurity context, is not explicitly listed as a technical control within the text.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The text specifically mentions that ’indicators of prior compromise’, which refers to signs that an attacker has likely already compromised the system, should be immediately communicated to the client during a penetration test.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Technical controls can include a wide range of mitigations and remediations such as system hardening, user input sanitization, multifactor authentication, password encryption, process-level remediation, patch management and others mentioned in the text.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 22 in PDF)

Explanation: Post-Engagement Cleanup is an important activity that must be considered after delivering a penetration testing report to a client. This includes the removal of any residual effects and cleaning up any systems that were tested.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 33 in PDF)

Explanation: RBAC or Role-based access control is an administrative control where access permissions are based on specific roles or functions instead of particular user or group accounts. Administrators assign access rights and permissions to roles, which are further associated with users.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page N/A in PDF)

Explanation: The Secure Software Development Life Cycle involves incorporation of security best practices, policies, and technologies within the standard Software Development Life Cycle in order to detect and remediate vulnerabilities. It is not about password complexities, user roles or the overall protective policies of an organization.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: In the context given, multi-factor authentication is not mentioned as a physical control. Physical controls mentioned include the Access control vestibule, Video surveillance, and Biometric controls.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: A penetration testing report is a comprehensive document that includes all aspects of the testing process. It begins with the executive summary that provides a brief overview of the scope and major findings. This is followed by detailed sections on the scope, methodology used, findings including CVSS scores of vulnerabilities, remediation, and conclusion. An appendix consisting of references and a glossary of terms is also included.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Having a good communication channel with a client during a penetration testing engagement is important to avoid scope creep, to have someone to go to in case of an emergency, and to keep the client updated about the progress of the engagement. Information must be effectively communicated to ensure that all parties involved understand the process, the potential issues, and the recommendations.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Job rotation as an operational control is implemented to allow individuals in an organization to learn new skills and get more exposure to other security technologies and practices by rotating from one team to another or from one role to a different one.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 182 in PDF)

Explanation: The term ’false positive’ is used to describe a situation in which a security device alerts to a potential attack, but there is actually no malicious activity taking place. This could lead to unwarranted investigations and potentially overlooking real security threats.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Client satisfaction surveys are not mentioned in the text as an operational control for improving security operations. They are typically used for feedback and quality assurance but do not inherently contribute to security operations.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: User data does not typically play a part in penetration testing reports. The focus is more on the scope, methodologies, findings, and vulnerabilities of the system or network being tested.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Key rotation is the process of retiring an encryption key and replacing it by generating a new cryptographic key. Rotating keys at regular intervals allows you to reduce the attack surface and meet industry standards and compliance.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 188 in PDF)

Explanation: The report contents should always be considered as highly classified and distributed only on a need-to-know basis to ensure security. The distribution should have controls such as numbered copies and tracked distribution. If a report has to be transferred over a network, it should be encrypted.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 214 in PDF)

Explanation: An employee performance review is not typically included in a penetration testing report. The report primarily focuses on the details of the penetration testing process and its findings, such as the scope of the test, methodology, findings and risk ratings, remediations suggested, and an executive summary.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 29 in PDF)

Explanation: In RBAC, administrators grant access rights and permissions to roles, not directly to user or group accounts. Each user is then associated with a role and they inherit the permissions assigned to that role.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 48 in PDF)

Explanation: As a pen tester, it is important to document and have written proof of the client’s acceptance of your report and related deliverables. This is part of professional practice and ensures clarity and mutual understanding of findings and subsequent actions.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Patch management refers to the process of distributing, installing, and applying software updates. This could be recommended as a means of remediating vulnerabilities found in systems and applications following a pen test.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: A penetration testing report does not typically contain a ’Project timeline’ section. The purpose of a penetration testing report is more towards providing information about the scope, details of the methodology used, findings, and remediation steps, among other things, and not about the timeline of the project.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 101-103 in PDF)

Explanation: Multifactor authentication requires two or more factors of authentication, such as a password and a one-time verification code. This measure increases the robustness of the authentication process and reduces the chances of an unauthorized access. Therefore, it is recommended as a measure to mitigate vulnerabilities.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: According to the text, successful cybersecurity policies establish what must be done and why it must be done — but not how to do it. Therefore, providing detailed technical instructions is not a characteristic of a good cybersecurity policy.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page Not in PDF)

Explanation: The text does not recommend the use of unencrypted passwords as a method of technical control. In fact, it is mentioned that passwords, tokens, API credentials, and similar authentication data should always be encrypted for better security.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 32 in PDF)

Explanation: These are the activities included in a post-report delivery of a penetration test as described in the text. These activities are essential for a comprehensive and professional follow-up after the delivery of the penetration testing report.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 111 in PDF)

Explanation: The penetration testing report does not often include blue team recommendations. Instead, it focuses on describing the scope of the test, the methodology used, the vulnerabilities found, the CVSS scores of those vulnerabilities and remediation approaches among other details.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 168 in PDF)

Explanation: A penetration testing report includes various sections such as executive summary, scope details, methodologies used, findings of vulnerabilities along with their CVSS scores, and suggestions for mitigation and remediation. However, it does not typically include the client’s budgetary constraints.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 56 in PDF)

Explanation: Major software updates are not specifically mentioned as a trigger for communication during a penetration test. However, critical findings, status reports and indicators of prior compromises should be communicated with the client.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: According to the text, an important post-report delivery activity for a penetration tester is to destroy any client sensitive data as agreed in the pre-engagement activities.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Restoring the database to a previous state after a penetration test is commonly used to clean up the false or harmful data that might have been input during the testing process. It’s essential in ensuring that the system’s database doesn’t retain this erroneous data.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The information derived from tools and vulnerability scanning might not show the actual risk to the environment. Thorough analysis and understanding of the environment are necessary to understand the actual risk, and this understanding should be effectively conveyed in the final report. This can highlight vulnerabilities that automated systems may miss and provide an accurate rating based on the risk to the actual environment.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 128-130 in PDF)

Explanation: After the delivery of the penetration testing report, the tester should perform cleanup tasks that include restoring databases to a previous state if they contain any injected data or malicious scripts from the testing. This is to ensure that the system is clean and back to its normal state after the testing.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The Common Vulnerability Scoring System (CVSS) uses three different metric groups when determining the score of a vulnerability. These are the Base metric group (includes exploitability metrics and impact metrics), Temporal metric group (includes exploit code maturity, remediation level, and report confidence), and the Environmental metric group (includes modified base metrics, and confidentiality, integrity, and availability requirements).

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 10 in PDF)

Explanation: All the options listed are examples of technical controls mentioned in the text that can be used to mitigate and remediate vulnerabilities. System hardening involves applying security best practices. Input sanitization is recommended to mitigate and prevent vulnerabilities such as cross-site scripting. Multifactor authentication (MFA) is a more robust authentication process. Password encryption protects authentication data. Patch management involves the distribution and application of software updates. Key rotation involves retiring an encryption key and generating a new one.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 92-95 in PDF)

Explanation: The excerpt does not mention the inclusion of legal disclaimers in the typical sections of a penetration testing report. These sections usually consist of components like an executive summary, scope details, the methodology used during testing, findings (using a scoring system such as CVSS for vulnerability assessment), a remediation plan, a conclusion summarizing findings and recommendations, and an appendix of relevant terms and references.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 82 in PDF)

Explanation: Job rotation allows employees to rotate from one team to another or from one role to a different one, which allows individuals to learn new skills and get more exposure to other security technologies and practices.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Operational controls focus on the day-to-day operations and strategies, ensuring that the organization’s management policies are followed effectively during intermediate-level operations.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 117 in PDF)

Explanation: The text states that poor change management and ineffective identification of the technical and nontechnical elements required for the penetration test can lead to scope creep. It also mentions that poor communication among stakeholders can contribute to it.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The excerpt does not mention Secure File Transfer Protocol (SFTP) as a technical control recommendation in the ’Reporting and Communication’ section of a penetration test. The technical controls discussed include system hardening, user input sanitization, and network segmentation, among others.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 57-59 in PDF)

Explanation: The passage doesn’t indicate that a penetration tester should immediately communicate low-risk vulnerabilities to their client. The tester should report critical findings and indicators of prior compromises immediately, and provide status reports per client’s instructions.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: In the post-report phase, the text does not list ’Data encryption process’ as an activity. Activities detailed in this phase include client acceptance, lessons learned, follow-up actions/retest, attestation of findings, and a data destruction process.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The error message from a failed exploit often indicates which files need to be cleaned up, giving the tester a specific direction for their post-engagement cleanup activities.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Data acquisition is not considered a post-report activity. Post-report activities include client acceptance, lessons learned, follow-up actions or retest, attestation of findings, and data destruction process.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 31 in PDF)

Explanation: The CVSS provides a method for calculating a score for the seriousness of a threat, with scores ranging from 0 to 10. It uses three metric groups to determine these scores, which can help prioritize the impact of each vulnerability found during a penetration test. This method of threat severity scoring can help the customer understand the business impact of the vulnerabilities.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 25-26 in PDF)

Explanation: In the presented passage, multifactor authentication (MFA) is recommended as a technical control, not single-factor authentication. MFA requires validation with two or more factors, thus making it harder for an attacker to gain unauthorized access.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 15 in PDF)

Explanation: VPN implementation is a type of network security control, not a physical control measure. Physical controls such as access control vestibules, biometric controls, and video surveillance refer to concrete, physical measures taken to prevent unauthorized access to sensitive locations or materials.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The text mentions as the contacts during a penetration testing engagement: the primary contact, the technical contacts, and the emergency contacts. Marketing contacts are not mentioned as necessary for this particular engagement.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: In the context provided, Role-based access control (RBAC) is an administrative control where access permissions are given based on roles or functions within an organization. Each user is tied to a role and inherits the permissions of that role.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: A professional penetration testing report only includes factual data based on tests and findings, such as the methodology used, CVE and CVSS scores for vulnerabilities found, and a business impact analysis. It does not include personal opinions or biased statements.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 159-162 in PDF)

Explanation: The findings and recommendations section of a penetration testing report should be detailed and technical. This section is what IT teams, information security teams, and developers will use to address the issues identified during the testing phase. The report should include sufficient information to recreate the issue and identify exactly where the code changes need to be applied.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The text does not mention the lack of testing tools as a potential contributor to scope creep in a penetration testing engagement. It does identify poor change management, ineffective identification of technical and non-technical elements required for the test, and poor communication among stakeholders as potential causes of scope creep.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: Antivirus software is not a physical control, it is a type of software designed to detect and destroy computer viruses. Other mentioned elements, such as video surveillance, access control vestibule, and biometric controls are all examples of physical controls designed to prevent unauthorized physical access to sensitive locations or material.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: According to the provided text, the post-report delivery activities a pen tester should follow are: • Client acceptance: Having written documentation of your client’s acceptance of your report and related deliverables. • Lessons learned: Analyzing and presenting any lessons learned during the penetration testing engagement. • Follow-up actions/retest: Taking care of any action items in an agreed appropriate time frame if a client asks you to retest different applications or systems after you provide the report. • Attestation of findings: Providing clear acknowledgement proving that the assessment was performed and reporting your findings. • Data destruction process: Destroying any client sensitive data as agreed in the pre-engagement activities.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 13 in PDF)