2. Plan & Scope a PenTest

Explanation: Documentation is a crucial aspect of a penetration testing engagement. It helps identify the specific requirements and qualifications necessary to complete the test. This includes what systems, applications, and network segments will be tested, as well as any specific resources that may be needed, based on the technical aspects defined within the scope.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 22-25 in PDF)

Explanation: The Gramm-Leach-Bliley Act (GLBA) explicitly mandates that financial organizations undergo periodic penetration testing in their infrastructure. Penetration testing is a simulated cybersecurity attack on a computer system that looks for security weaknesses.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 33 in PDF)

Explanation: The Payment Card Industry Data Security Standard (PCI DSS) specifically targets the security of credit card and digital payments processing. If a penetration tester is dealing with an organization that processes credit card payments, they would need to be familiar with PCI DSS, so as to verify the organization’s compliance with the regulation.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 12 in PDF)

Explanation: The correct response is that all account data handling organizations are required to comply with PCI DSS irrespective of whether PAN is handled or not. This includes cardholder names, service codes, and expiration dates, as they also form part of the cardholder’s data.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: The scope of the engagement clearly provides a list of what needs to be tested, what can be tested and what cannot be tested. This acts as a guide for the ethical hacker about the company’s specific requirements. This list of applications, systems or networks to be tested is often referred to as a penetration testing scope ’allow list’. While a ’deny list’ specifies the entities that should not be tested.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 9 in PDF)

Explanation: The Global Data Synchronization Network (GDSN) is a network of interoperable data pools enabling collaborating users to exchange product data. It is not related to compliance regulations in penetration testing, and thus it’s not a part of regulatory compliance considerations during a penetration testing engagement.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 30 in PDF)

Explanation: In the context of planning and scoping a penetration testing assessment, SOAP project files serve as a reference to understand the capabilities of a specific API. This knowledge can be beneficial for a tester as they conduct their testing, allowing for a more accurate and nuanced assessment.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page (page_number) in PDF)

Explanation: A Statement of Work (SOW) is a document that specifics the activities to be performed during a penetration testing engagement. It defines elements such as the project timelines, scope of work, location of work, technical and non-technical requirements, payment schedule, and other miscellaneous items.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: While knowing the available WiFi networks may be useful in some instances, it is not listed as a key concept in the planning and preparation phase of a penetration testing engagement. The key concepts mentioned include: target audience, rules of engagement, communication escalation path and channels, available resources and requirements, overall budget, specific disclaimers, technical constraints, and resources available to the pen tester.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 20 in PDF)

Explanation: An SLA is primarily designed to set expectations and constraints related to key performance measures such as quality, timeline, and cost associated with the penetration testing service. It acts as a commitment between the service provider and the client, and may also include penalties for underperformance or noncompliance. SLAs are important for managing client expectations and clarifying what is expected from the service.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 47 in PDF)

Explanation: In the context of a penetration test, an ’allow list’ refers to a list of applications, systems, or networks that the penetration testing team is authorized to test. This list defines the scope of the security audit and ensures all parties involved understand what is being tested.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 20 in PDF)

Explanation: An ’allow list’ is mentioned in the context of the scoping phase of penetration testing. It refers to a list of applications, systems, or networks that are within the scope and should therefore be tested during the engagement.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: In unknown-environment testing, the tester starts with limited information, much like an external attacker would. In known-environment testing, the tester is given a lot of information about the organization and its infrastructure.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 26 in PDF)

Explanation: The penetration tester’s personal creative expressions are not considered an essential part of a contract for a pen testing engagement. Rather, a contract usually includes specifications of the services to be performed, how the penetration tester will get paid, and the responsibilities and restrictions associated with the handling of collected data and other sensitive information.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 23 in PDF)

Explanation: A Qualified security assessor (QSA) is an individual who has been trained and certified to carry out compliance assessments according to the standards and regulations of the PCI DSS.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 13 in PDF)

Explanation: A multilateral NDA involves three or more parties, with at least one of them disclosing sensitive information that should not be disclosed to any entity outside the agreement. This type of NDA is suitable when an external organization to your customer is also involved in the penetration testing engagement.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 12 in PDF)

Explanation: A Software Development Kit (SDK) is a collection of software development tools that help the penetration tester understand certain specialized applications and hardware platforms within the organization being tested.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 23-24 in PDF)

Explanation: In the context of penetration testing, a Statement of Work (SOW) is a document that outlines the activities to be performed during the engagement. It provides detailed information on the project timelines, the scope of the work, the location of the work, any special technical or non-technical requirements, the payment schedule, and any other miscellaneous items that may need to be tracked.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 28 in PDF)

Explanation: In the context of a penetration testing assessment, ’Key Management’ refers to the secure generation, storage, distribution, use, and destruction of cryptographic keys. This process is vital for the effective use of cryptography for security because keys are a critical component: if they fall into the wrong hands, the strongest encryption algorithm can provide no security.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 22 in PDF)

Explanation: From the definitions provided in the passage, the Acquirer is the entity that initiates and maintains relationships with merchants for the acceptance of payment cards.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: An ’allow list’ in planning and scoping a penetration testing assessment typically refers to the list of applications, systems, or networks that are in scope for the testing and should be subjected to the penetration test.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 14 in PDF)

Explanation: SOAP project files are one of the mentioned resources that could help a penetration tester by providing a good reference of what a specific API can support. This could significantly speed up the testing process.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: The General Data Protection Regulation (GDPR) is designed to give individuals in the European Union (EU) more control over their personal data. It applies to organizations located within the EU, and also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It regulates how personally identifying information is processed, stored, and destroyed.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 10 in PDF)

Explanation: The Secure Software Development Life Cycle (SSDLC) was not mentioned in the provided text as a standard or methodology used for penetration testing. It is a more general framework for developing secure software.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: A Service-level Agreement (SLA) is a documented expectation or constraint related to performance measures of the penetration testing service, such as quality, timeline, and cost.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 4 in PDF)

Explanation: According to the provided text, unknown-environment testing (also known as black-box penetration testing) is a form of testing where the tester is provided with very limited information. They may only be given the domain names and IP addresses associated with their target in order to mimic the perspective of an external attacker.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page page in PDF)

Explanation: All of the given points are indeed elements that should be part of the scoping documentation for a penetration test. This includes the assets and devices to be tested, whether you are testing for vulnerabilities to external or internal attacks, and details about where the apps are hosted – whether it’s a first-party, third-party, or cloud hosting service.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: In project management, scope creep refers to the uncontrolled expansion of project’s scope, beyond its original objectives, without corresponding increases in resources, time, or budget. In the context of penetration testing, scope creep could arise due to poor change management, ineffective identification of technical and nontechnical requirements, or poor communication among stakeholders.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 12 in PDF)

Explanation: In the context of a penetration testing engagement, scope creep often arises due to ineffective identifications, poor change management, and most crucially, poor communication among all parties involved. A lack of effective communication can lead to misunderstanding or misconceptions about the scope of the testing, leading to uncontrolled growth (creep) of the project’s scope.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 34-35 in PDF)

Explanation: In penetration testing, an ’allow list’ is a list of applications, systems, or networks that have been identified as in scope for the test and therefore should be tested. This term essentially defines the boundaries of the testing and guides which parts of the client’s environment the testers should focus on.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page N/A in PDF)

Explanation: Under PCI DSS, it is expressly stated that the primary account number (PAN) must be stored in an unreadable, not readable, format. This typically means it is encrypted to protect against unauthorized access.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 23 in PDF)

Explanation: PCI DSS requirements apply if the PAN is stored, processed, or transmitted. The PAN is the defining factor in the applicability of PCI DSS requirements.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 10 in PDF)

Explanation: API documentation provides information about various types of APIs, their standards, functionality, and how they operate. This can be very beneficial for a penetration tester who needs to understand what a specific API supports and how it can be targeted during the test.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 7 in PDF)

Explanation: Even when a third party is managing cardholder data, the primary organization is still responsible for ensuring that third party is compliant with PCI DSS.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 12 in PDF)

Explanation: Most regulations including PCI DSS mandate data isolation or network segmentation, solid password management strategies (including password length, complexity, session timeout, and multifactor authentication), and key management. These are important aspects a penetration tester should verify during an assessment.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 33 in PDF)

Explanation: Proper scoping is important for several reasons. It helps define which systems, applications, and networks that will be included in the penetration test. It aids in identifying the specific qualifications and skill sets that will be needed to effectively conduct the test. It also allows the testing team to manage scope creep, avoiding unexpected increases in workload and complexity.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 14 in PDF)

Explanation: An ’allow list’ in a penetration testing scope refers to a list of applications, systems, or networks that are in scope and should be tested. This list is often prepared in the scoping phase, during the target selection process, with the hiring company or appropriate stakeholders.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page Page in PDF)

Explanation: Testers must take into account local restrictions and laws, including privacy laws like the GDPR and CCPA, as well as the specific technological and operational limitations of the organization being tested. They need clear documentation indicating permission to perform the testing.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page unknown in PDF)

Explanation: The text mentions that the Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements. Those requirements apply if the PAN is stored, processed, or transmitted. If the PAN is not engaged in any of those three conditions, the PCI DSS requirements do not apply.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: Password management is often overlooked but is crucial for a strong security posture. It extends beyond merely setting good passwords, including aspects of configuration management, enforcing complexity and length requirements for passwords, implementing timeout sessions, and adopting multifactor authentication.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: In the context of a penetration testing engagement, an ’allow list’ is a list of applications, systems, or networks that are in scope and should be tested. This is a critical component of the scoping phase, ensuring that the penetration tester focuses on the correct elements of the client’s environment.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 21-22 in PDF)

Explanation: As per the given text, a PCI Forensic Investigator (PFI) is explained as a person trained and certified to investigate and contain information cybersecurity incidents and breaches that involve cardholder data.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 28 in PDF)

Explanation: A deny list is specifically used to refer to applications, systems, or networks that are not in the scope and therefore should not be tested during the penetration testing engagement. This helps to maintain the boundaries of the scope and uphold the agreement between the professional penetration tester and the client.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page page_number in PDF)

Explanation: For successful scope planning, it’s not enough to just identify the systems to be tested – you also need to understand any relevant application programming interfaces(APIs), what types of networks will be in scope, and details about your team’s expertise and qualifications. You also need to be aware of any restrictions, for example, those put in place by third-party hosting or cloud providers.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 18-20 in PDF)

Explanation: The favorite color of the penetration tester is irrelevant to the preparation and planning phase of a penetration testing engagement. The planning and preparation phase requires understanding of the target audience, rules of engagement, and the budget for the engagement among others.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: A multilateral NDA involves three or more parties. At least one of the parties discloses sensitive information, and this information should not be disclosed to any outside entity. It’s used when an organization external to your customer (e.g., business partner, service provider) should also be engaged in the penetration testing engagement.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 6 in PDF)

Explanation: According to the PCI DSS, any organization that uses a third party to manage cardholder data has the full responsibility of ensuring that the third party is compliant with PCI DSS.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 22 in PDF)

Explanation: Sensitive authentication data should never be stored post-authorization, even if it is encrypted. This helps improve the security and confidentiality of cardholder’s sensitive data.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page Page in PDF)

Explanation: While all mentioned aspects like the need for the report by a specific entity or individual, understanding the authority of the receiving party and knowing the main purpose of the report individually are important elements during the preparation phase of a pen testing engagement, collectively they ensure a well-rounded understanding of the target audience.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 22 in PDF)

Explanation: The Acquirer in the context of the PCI SCC is referred to as an “acquiring bank” or an “acquiring financial institution,” an entity that initiates and maintains relationships with merchants for the acceptance of payment cards.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page Not in PDF)

Explanation: In an unknown-environment test, the tester is only given limited information, like domain names or IP addresses, and no further knowledge about the organization’s infrastructure. They may not even know when the test is taking place. In a known-environment test, however, the tester is provided with a substantial amount of information about the organization and its infrastructure, including network diagrams, IP addresses, configurations, user credentials, and potentially even the source code of the target application.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: All listed resources including GraphQL Documentation, API documentation, source code access, examples of application requests, SDKs for specific applications, and system and network architectural diagrams can be valuable tools for a penetration tester.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 7 in PDF)

Explanation: The ’Rules of Engagement’ document for a penetration testing engagement typically includes elements such as testing timeline, the window and location of the testing, the preferred methods of communication during the testing, any security controls that could potentially detect or prevent the testing, the specific IP addresses or networks from where the testing will be conducted, and the specific types of tests that are allowed or disallowed.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page Chapter in PDF)

Explanation: The nature of cybersecurity is such that threats and vulnerabilities are always emerging. Therefore, a penetration test, while thorough, can only identify the vulnerabilities that exist at the time of testing. A disclaimer can help clarify this to the client and establish that the responsibility of dealing with future vulnerabilities does not lie with the tester.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 10 in PDF)

Explanation: According to the PCI DSS requirements, the PAN (Primary Account Number) must be stored in an unreadable or encrypted format. This is a measure to protect cardholder data in the system component.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 5 in PDF)

Explanation: In the context of the Payment Card Industry Security Standards Council (PCI SSC), an ASV (approved scanning vendor) is an organization that is approved by the PCI SSC to carry out external vulnerability scanning services. This means that they are endorsed to scan systems and networks for vulnerabilities that could be exploited by attackers.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 22 in PDF)

Explanation: The HIPAA Security Rule was indeed modified and expanded by the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). The text specifically states the HITECH Act as a piece of legislation that has had this effect.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page Page in PDF)

Explanation: Payment Card Industry Data Security Standard (PCI DSS) regulation is primarily designed to secure the processing of credit card payments and other types of digital payments. PCI DSS specifications, documentation, and resources provide guidelines and checklists on the security measures a client or organization must have in place to guard against unauthorized access and cyber threats.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 16-17 in PDF)

Explanation: The PCI DSS applies to all system components where account data – comprising of both cardholder data and sensitive authentication data – is stored, processed, or transmitted. Any organization that directly or indirectly affects the security of cardholder data must adopt this standard.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 28 in PDF)

Explanation: A Bilateral NDA, also known as a mutual or two-way NDA, involves both parties (in this context, the penetration tester and the organization) sharing sensitive information with each other that should remain confidential and not disclosed to outside entities.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: A Master Service Agreement (MSA) allows for quick negotiation of work for repeated tasks such as recurring penetration tests without having to renegotiate terms every time.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 13 in PDF)

Explanation: Master service agreements are contracts used to quickly negotiate the work to be performed. They are particularly beneficial for recurring penetration tests as the terms do not have to be renegotiated every time the same tester is rehired.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)

Explanation: The goal of implementing Data isolation (also known as network segmentation) in organizations is to comply with PCI DSS and other regulations. This involves creating a completely isolated network that includes all systems involved in payment card processing.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 12 in PDF)

Explanation: The Payment Card Industry Security Standards Council (PCI SSC) was formed by major payment card brands to develop the PCI DSS. This standard must be adopted by any organization that handles cardholder data.

Ref: CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

(Page 2 in PDF)