2.4.3 Quiz — Planning and Scoping a Penetration Testing Assessment

Ahmad Jammal
7 min read · Oct 4, 2023


This is a write-up for the second quiz you will encounter in Cisco’s Ethical Hacker course. Please study the given material first, and only refer to this after you have attempted the quiz at least once.

The first six questions test your knowledge of the legal entities and regulatory programs that have been put in place to protect data privacy.

The original intent of the Health Insurance Portability and Accountability Act (HIPAA) was to simplify and standardize healthcare administrative processes. The U.S. Department of Health and Human Services (HHS) was instructed to develop and publish standards to protect individual electronic health information while permitting appropriate access and use by healthcare providers and other entities. A cybersecurity professional must fully understand HIPAA before performing a compliance-based assessment.

Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to U.S. government security authorizations for cloud service offerings.

General Data Protection Regulation (GDPR) is European legislation associated with personal data privacy. GDPR includes strict rules around the processing of data and privacy. Its reach is extraterritorial: it applies to the processing of EU residents’ personal data regardless of whether the organization doing the processing is located in Europe, the US, or any other part of the world.

The U.S. Gramm-Leach-Bliley Act (GLBA) applies to all financial services organizations, regardless of size. The Federal Trade Commission (FTC) is responsible for enforcing the GLBA.

In the healthcare sector, a healthcare clearinghouse is an entity that processes nonstandard health information it receives from another entity into a standard format.

In the healthcare sector, a health plan is an entity that provides payment for medical services, such as health insurance companies, HMOs, government health plans, or government programs that pay for healthcare, such as Medicare, Medicaid, military, and veteran programs.

The primary account number (PAN) is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements apply if the PAN is stored, processed, or transmitted; if an environment never stores, processes, or transmits the PAN, PCI DSS requirements do not apply to it.

The next couple of questions ask about the data elements and cryptographic methods used to protect payment card information.

The payment card account data consists of cardholder data and sensitive authentication data. Cardholder data includes the primary account number, cardholder name, expiration date, and service code. Sensitive authentication data includes full track data (magnetic-stripe data or equivalent data on a chip), the CAV2/CVC2/CVV2/CID code, and PINs/PIN blocks. Sensitive authentication data must never be stored after authorization, even if it is encrypted.
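Because the PAN is what pulls a system into PCI DSS scope, a common scoping step is to sweep logs, exports, and databases for anything that looks like a card number. The following is an added example (not part of the original write-up or the Cisco course): it finds 13–19 digit candidates, confirms them with the Luhn check that all payment card numbers satisfy, and reports them in the masked first-six/last-four form PCI DSS allows for display, so the scan itself does not create another copy of cleartext PAN. The log lines and the `SAMPLE_LOG` name are constructed for the example; the card numbers are publicly known test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (rules out most timestamps and IDs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. 4111 1111 1111 1111 and 5555 5555 5555 4444 are
# well-known test card numbers; 1234567890123456 is a 16-digit order ID that fails Luhn.
SAMPLE_LOG = [
    "2023-10-04 12:00:01 checkout ok card=4111 1111 1111 1111 exp=12/25",
    "2023-10-04 12:00:02 order_id=1234567890123456 customer=alice",
    "2023-10-04 12:00:03 refund card=5555-5555-5555-4444 amount=19.99",
    "2023-10-04 12:00:04 phone=555-123-4567 support ticket opened",
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every valid payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2  # and digit-summed if the result exceeds 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS masked display form: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate found."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):          # drops order IDs, phone numbers, timestamps
                hits.append((n, mask_pan(digits)))
    return hits


def pci_dss_in_scope(lines: list[str]) -> bool:
    """PCI DSS applies to this data set as soon as it contains a single PAN."""
    return bool(scan_log(lines))


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: PAN {masked}")
    print("PCI DSS in scope:", pci_dss_in_scope(SAMPLE_LOG))
```

The Luhn check is a filter, not proof: a valid checksum only tells you the number could be a card number, so hits still need manual confirmation against the data owner before you declare a system in scope, and a scan like this should run on the client’s side of the agreement, since copying PAN to your own machine would itself expand the cardholder data environment.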

From here to the end of the quiz, you will be asked what documentation is required at the different stages of the penetration testing process, what kinds of things you will need to disclose, and a few questions about APIs.

An employee performing penetration testing should be aware of any local restrictions. Each country may have its own laws and limitations that restrict which tasks a penetration tester is allowed to perform. The employee must always have clear written documentation from the client indicating that permission to perform the testing is granted.

A service-level agreement (SLA) is a well-documented expectation or constraint related to one or more of the penetration testing service’s minimum and maximum performance measures (such as quality, timeline, and cost).

A statement of work (SOW) is a document that specifies the details of the activities to be performed during a penetration testing engagement. It can be used to define elements such as:

  • Project (penetration testing) timelines, including the report delivery schedule
  • The scope of the work to be performed
  • The location of the work (geographic location or network location)
  • Special technical and nontechnical requirements
  • Payment schedule

With a unilateral NDA, only one party discloses certain information to the other party, and the information must be kept protected and not disclosed. In this case, the company must provide sufficient information for the consultant to perform penetration tests to assess government regulation compliance. The company would ask the consultant to sign a unilateral non-disclosure agreement to protect the internal private information.

The contract is one of the most important documents in a pen testing engagement. It specifies the terms of the agreement and how the consultant will get paid, and it provides clear documentation of the services that will be performed.

The party performing work in a penetration testing engagement may add a disclaimer in the pre-engagement documentation and in the final report to limit its responsibility and liability. Cybersecurity threats are always changing, and new vulnerabilities are discovered daily. No software, hardware, or technology is immune to security vulnerabilities, no matter how much security testing is conducted. One example of a disclaimer is that the penetration testing report is intended only to provide documentation of the findings, and that the hiring company will determine the best way to remediate any vulnerabilities.

The rules of engagement document specify the conditions under which the security penetration testing engagement will be conducted. Examples of the elements that are typically included in the rules of engagement document are:

  • Testing timeline
  • Location of testing
  • Preferred method of communication
  • The time window of the testing
  • The security controls that could potentially detect or prevent testing
  • IP addresses or networks from which testing will originate
  • Types of allowed or disallowed tests

The types of allowed or disallowed tests element in the rules of engagement document should name the specific penetration tests that are permitted and those that are prohibited, so there is no ambiguity about what the tester may and may not do.

Web Services Description Language (WSDL) is an XML-based language used to document a web service’s functionality: the operations it exposes, the messages they exchange, and the endpoint addresses at which the service can be reached.

GraphQL is a query language for APIs and a server-side runtime for executing those queries, using a type system that you define for your data.
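Both WSDL and GraphQL matter at the scoping stage because they let you enumerate an API’s attack surface before testing starts and check it against the agreed scope. The following is an added example for the WSDL and GraphQL paragraphs above (not code from the original write-up or the Cisco course): it lists every SOAP endpoint and operation a WSDL 1.1 document advertises, lists the root query and mutation fields from a GraphQL introspection result, and flags any advertised endpoint whose host is not in the agreed list. The WSDL document, the introspection response, the `example.test` hostnames, and all operation and field names are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSDL_NS = "{http://schemas.xmlsoap.org/wsdl/}"
SOAP_NS = "{http://schemas.xmlsoap.org/wsdl/soap/}"

# Constructed WSDL 1.1 fragment for a fictional order service, trimmed to the
# elements this parser reads (binding, service, port, soap:address).
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://example.test/orders">
  <binding name="OrderBinding" type="tns:OrderPortType">
    <operation name="GetOrder"><soap:operation soapAction="urn:GetOrder"/></operation>
    <operation name="CancelOrder"><soap:operation soapAction="urn:CancelOrder"/></operation>
  </binding>
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="https://api.example.test/soap/orders"/>
    </port>
    <port name="LegacyPort" binding="tns:OrderBinding">
      <soap:address location="http://legacy.example.test/soap/orders"/>
    </port>
  </service>
</definitions>"""

# Constructed GraphQL introspection response (the shape returned for a
# __schema query), trimmed to root types and field names.
SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [{"name": "order"}, {"name": "orders"}]},
        {"name": "Mutation", "fields": [{"name": "cancelOrder"}, {"name": "deleteUser"}]},
        {"name": "Order", "fields": [{"name": "id"}, {"name": "total"}]},
    ]}}})


def wsdl_operations(wsdl_xml: str) -> list[dict]:
    """One record per (endpoint, operation) pair declared in a WSDL 1.1 document."""
    root = ET.fromstring(wsdl_xml)
    bindings = {}                                   # binding name -> {operation: soapAction}
    for binding in root.findall(WSDL_NS + "binding"):
        ops = {}
        for op in binding.findall(WSDL_NS + "operation"):
            soap_op = op.find(SOAP_NS + "operation")
            ops[op.get("name")] = soap_op.get("soapAction") if soap_op is not None else ""
        bindings[binding.get("name")] = ops
    found = []
    for service in root.findall(WSDL_NS + "service"):
        for port in service.findall(WSDL_NS + "port"):
            addr = port.find(SOAP_NS + "address")
            if addr is None:
                continue                            # not a SOAP/HTTP port; nothing to call
            binding_name = port.get("binding", "").split(":")[-1]   # drop the tns: prefix
            for name, action in bindings.get(binding_name, {}).items():
                found.append({"endpoint": addr.get("location"),
                              "operation": name, "soapAction": action})
    return found


def graphql_root_fields(introspection_json: str) -> dict:
    """Root query and mutation fields from an introspection result (mutations may be absent)."""
    schema = json.loads(introspection_json)["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    roots = {}
    for kind in ("query", "mutation"):
        root = schema.get(kind + "Type")
        roots[kind] = [f["name"] for f in by_name[root["name"]]["fields"]] if root else []
    return roots


def out_of_scope_endpoints(records: list[dict], allowed_hosts: set[str]) -> list[str]:
    """Endpoints the WSDL advertises whose host is not in the agreed scope."""
    return sorted({r["endpoint"] for r in records
                   if urlparse(r["endpoint"]).hostname not in allowed_hosts})


if __name__ == "__main__":
    ops = wsdl_operations(SAMPLE_WSDL)
    for r in ops:
        print(f'{r["operation"]:12} {r["endpoint"]}')
    print("out of scope:", out_of_scope_endpoints(ops, {"api.example.test"}))
    print("graphql roots:", graphql_root_fields(SAMPLE_INTROSPECTION))
```

Two caveats from practice: a WSDL often advertises hosts (legacy or internal addresses, as the sample shows) that were never named in the SOW, and those must go back to the client for a scope decision rather than be tested on the assumption that they are included; and GraphQL introspection is frequently disabled in production, in which case the schema has to come from the client’s documentation or client-side code instead of an introspection query.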

System and network architectural diagrams can be very beneficial for penetration testers, helping them document and define which systems are in scope during the testing.

Scope creep is a project management term that refers to the uncontrolled growth of the scope of a project. Causes of scope creep include:

  • poor change management in the penetration testing engagement
  • ineffective identification of what technical and nontechnical elements will be required for the penetration test
  • poor communication among stakeholders, including your client and your team

The first step in validating the scope of an engagement is to question the client and review contracts. The consultant must understand the target audience for the penetration testing report. The consultant should also understand the subjects, business units, and any other entity such a penetration testing engagement will assess.

Pretty Good Privacy (PGP) keys or Secure/Multipurpose Internet Mail Extensions (S/MIME) keys can secure email exchanges by encrypting and signing them. Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP), both of which run over SSH, can transfer files such as reports securely over the network. HTTPS provides secure communication between web browsers and web servers.

In unknown-environment testing (formerly called black-box penetration testing), the consultant is typically provided only a very limited amount of information, for example, only the domain names and IP addresses that are in scope for a particular target. This type of limitation is to have the consultant start with the perspective that an external attacker might have.

The key difference between unknown-environment testing and known-environment testing is the amount of information provided to the consultant. In typical unknown-environment testing, only a very limited amount of information would be provided to the consultant. This type of limitation is to have the consultant start with the perspective that an external attacker might have. In typical known-environment testing (formerly known as white-box penetration testing), the consultant starts with significant information about the organization and its infrastructure. Other factors could be the same or similar to both testing types.

I hope you found this writeup useful, and best of luck on your ethical hacking journey!
