Chapter 1

Introduction to Ethical Hacking and Penetration Testing

Before we jump into how to perform penetration testing, you first need to understand some core concepts about the “art of hacking” that will help you understand the other concepts discussed throughout this book. For example, you need to understand the difference between ethical hacking and unethical hacking. The tools and techniques used in this field change rapidly, so understanding the most current threats and attacker motivations is also important. Some consider penetration testing an art; however, this art needs to start out with a methodology if it is to be effective. Furthermore, you need to spend some time understanding the different types of testing and the industry methods used. Finally, this is a hands-on concept, and you need to know how to get your hands dirty by properly building a lab environment for testing.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 1-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 1-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                               Questions
Understanding Ethical Hacking and Penetration Testing   1–3
Understanding the Current Threat Landscape              4–5
Exploring Penetration Testing Methodologies             6–7
Building Your Own Lab                                   8–10

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as incorrect for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which kind of penetration test is used by a tester who starts with very little information?

  1. Black-box test

  2. White-box test

  3. Gray-box test

  4. Yellow-box test

2. Which of the following would be a characteristic of an ethical hacker?

  1. Responsible disclosure

  2. Malicious intent

  3. Unauthorized access

  4. Use of ransomware attack

3. Which of the following terms describes an attack in which the end user’s system hard drive or files are encrypted with a key known only to the attacker?

  1. Distributed denial of service

  2. Social engineering

  3. Ransomware

  4. Botnet

4. Which type of threat actor operates with a political or social purpose to embarrass or financially affect the victim?

  1. Insider threat

  2. Organized crime

  3. Hacktivist

  4. Nation-state

5. Which type of penetration test would provide the tester with information such as network diagrams and credentials?

  1. Black-box test

  2. White-box test

  3. Gray-box test

  4. Green-box test

6. The Mirai botnet is primarily made up of which type of devices?

  1. Windows workstations

  2. Mac OS X workstations

  3. IoT devices

  4. Linux workstations

7. Which is not a typical requirement for a penetration testing lab environment?

  1. Closed network

  2. Snapshots

  3. Internet access

  4. Health monitoring

8. Which of the following is a good method for validating the findings of a penetration test?

  1. Using practice targets

  2. Using multiple tools of the same kind

  3. Using virtual devices

  4. Using multiple operating systems

9. What penetration testing methodology was created by Pete Herzog?

  1. ISSAF

  2. OSSTMM

  3. Penetration Testing Framework

  4. PCI penetration testing guidance

10. Which penetration testing methodology was created for the purpose of providing a minimum level of security requirements for handling credit card information?

  1. ISSAF

  2. OSSTMM

  3. Penetration Testing Framework

  4. PCI penetration testing guidance

Foundation Topics

Understanding Ethical Hacking and Penetration Testing

So, what are ethical hacking and penetration testing?

If you are reading this book and have an interest in taking the PenTest+ exam, you most likely already have some understanding of what these concepts are, so we don’t cover the very basics of them. However, we do want to discuss the differences between these two terms and why ethical hacking and penetration testing are so important in securing our environments.

What Is the Difference Between Ethical Hacking and Nonethical Hacking?


The term ethical hacker describes a person who acts as an attacker and evaluates the security posture of a computer network for the purpose of minimizing risk. The NIST Computer Security Resource Center defines a hacker as an “unauthorized user who attempts to or gains access to an information system.” Now, we all know that the term hacker has been used in many different ways and has many different definitions. Most people in a computer technology field would consider themselves hackers by the simple fact that they like to tinker. This is obviously not a malicious thing. So, the key factor here in defining ethical versus nonethical hacking is that the latter involves malicious intent. A security researcher looking for vulnerabilities in products, applications, or web services is considered an ethical hacker if he or she responsibly discloses those vulnerabilities to the vendors or owners of the targeted research. However, the same type of “research” performed by someone who then uses the same vulnerability to gain unauthorized access to a target network/system would be considered a nonethical hacker. We could even go so far as to say that someone who finds a vulnerability and discloses it publicly without working with a vendor is considered a nonethical hacker—because this could lead to the compromise of networks/systems by others who use this information in a malicious way.

The truth is that as an ethical hacker, you use the same tools to find vulnerabilities and exploit targets as do nonethical hackers. However, as an ethical hacker, you would typically report your findings to the vendor or customer you are helping to make more secure. You would also try to avoid performing any tests or exploits that might be destructive in nature. An ethical hacker’s goal is to analyze the security posture of a network’s or system’s infrastructure in an effort to identify and possibly exploit any security weaknesses found and then determine if a compromise is possible. This process is called security penetration testing or ethical hacking.

Why Do We Need to Do Penetration Testing?


So, why do we need penetration testing? Well, first of all, as someone who is responsible for securing and defending a network/system, you want to find any possible paths of compromise before the bad guys do. For years we have developed and implemented many different defensive techniques (for instance, antivirus, firewalls, intrusion prevention systems [IPSs], anti-malware). We have deployed defense-in-depth as a method to secure and defend our networks. But how do we know if those defenses really work and whether they are enough to keep out the bad guys? How valuable is the data that we are protecting, and are we protecting the right things? These are some of the questions that should be answered by a penetration test. If you build a fence around your yard with the intent of keeping your dog from getting out, maybe it only needs to be 4 feet tall. However, if your concern is not the dog getting out but an intruder getting in, then you need a different fence—one that would need to be much taller than 4 feet. Depending on what you are protecting, you might also want razor wire on the top of the fence to deter the bad guys even more. When it comes to information security, we need to do the same type of assessments on our networks and systems. We need to determine what it is we are protecting and whether our defenses can hold up to the threats that are imposed on them. This is where penetration testing comes in. Simply implementing a firewall, an IPS, anti-malware, a VPN, a web application firewall (WAF), and other modern security defenses isn’t enough. You also need to test their validity. And you need to do this on a regular basis. As you know, networks and systems change constantly. This means the attack surface can change as well, and when it does, you need to consider reevaluating the security posture by way of a penetration test.

Understanding the Current Threat Landscape


The current threat landscape is actually a tricky subject to discuss. The main reason is that it changes so frequently. For instance, 2017 saw a huge increase in the number of ransomware attacks—and it has even been dubbed “the year of ransomware.” One of the greatest challenges in our industry is that we must keep up with the latest trends and try to foresee the future so that we can properly build defenses. Yes, we need to be prepared for zero-day attacks. The current threat actors are more sophisticated and agile than ever before. Our defenses must be able to utilize threat intelligence and automation to detect and mitigate these threats quickly and effectively.

The following sections take a look at some of the greatest cyber threats we face today. In 2016, a group known as The Shadow Brokers became famous for leaking a number of zero-day attacks that were supposedly stolen from the U.S. National Security Agency. We bring up this group because of how it affected the threat landscape in the following years. One of the most well-known and most damaging exploits The Shadow Brokers disclosed was the EternalBlue remote code execution exploit, which attacked a Server Message Block (SMB) vulnerability on Windows operating systems. Microsoft released a critical security bulletin named MS17-010 in 2017 to resolve the vulnerabilities. However, many users did not take this seriously enough and were slow to apply the patches provided by Microsoft. This unfortunately gave way to one of the biggest ransomware attacks seen thus far.

Ransomware


The WannaCry ransomware was unleashed on networks around the world in 2017. It directly utilized the EternalBlue exploit to spread via SMB. It initially infected a machine listening on SMB on an external network. From there it had the capability to pivot and attempt to connect to other random hosts over SMB port 445. If it found another device exposed and vulnerable to EternalBlue, it would infect that machine and start the process over. Some botnet trackers indicate that it affected more than 350,000 IPs globally. That is probably a very low estimate, considering that many affected computers were probably shut down right away or could not reach back out to the Internet. Luckily, the malware was not written very well, and a security researcher was able to identify a kill switch. The way this worked is that when WannaCry started up, it would try to connect to a specific domain. If it could resolve the domain, it would terminate. By identifying and registering this domain, the researcher was able to essentially kill the further spread of WannaCry—at least until a newer version was unleashed.

WannaCry may have been one of the largest and most effective ransomware attacks of 2017, but it was not the only one. There were, of course, additional strains of the WannaCry exploit that continued to make their way around the Internet. We also saw others, such as NotPetya, Crysis, and Locky to name a few.
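The spread pattern described above (one infected host reaching out to many random peers on TCP port 445) is visible in ordinary firewall or flow logs. The following detection sketch is an added example, not code from the book: it parses a constructed connection log, slides a time window over each source host's port-445 connections, and flags any host that contacted an unusually large number of distinct peers. The log format, the addresses, and the 10.0.0.0/8 "internal" range are assumptions for the sample.

```python
"""Added example (not from the book): flag hosts that fan out to many
distinct peers on TCP/445 in a short window, the propagation pattern
described for WannaCry/EternalBlue. Log format and addresses are
constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Networks the defender considers internal (assumption for the sample).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed connection log: "<ISO time> <src> <dst> <dst port> <action>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.9 445 allow
2017-05-12T10:00:02 10.0.0.5 10.0.0.10 445 allow
2017-05-12T10:00:02 10.0.0.5 203.0.113.7 445 deny
2017-05-12T10:00:03 10.0.0.5 10.0.0.11 445 allow
2017-05-12T10:00:03 10.0.0.5 10.0.0.12 445 allow
2017-05-12T10:00:04 10.0.0.5 10.0.0.13 445 allow
2017-05-12T10:00:04 10.0.0.5 198.51.100.20 445 deny
2017-05-12T10:00:05 10.0.0.5 10.0.0.14 445 allow
2017-05-12T10:00:05 10.0.0.5 10.0.0.15 445 allow
2017-05-12T10:00:06 10.0.0.5 10.0.0.16 445 allow
2017-05-12T10:00:06 10.0.0.5 10.0.0.17 445 allow
2017-05-12T10:00:07 10.0.0.5 10.0.0.18 445 allow
2017-05-12T10:00:10 10.0.0.7 10.0.0.2 445 allow
2017-05-12T10:01:00 10.0.0.7 10.0.0.2 445 allow
2017-05-12T10:02:00 10.0.0.8 10.0.0.2 443 allow
2017-05-12T10:02:05 10.0.0.8 10.0.0.3 443 allow
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def is_external(addr):
    """True when the address is outside every configured internal range."""
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)


def smb_fanout(events, window=timedelta(seconds=60), threshold=10):
    """Return {src: {"peers": n, "external": [...]}} for every source that
    reached >= threshold distinct hosts on port 445 within `window`.
    Denied attempts count too: a worm probing random addresses is the
    signal, whether or not the firewall let the connection through."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in events:
        if port == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        start, best = 0, set()
        for end in range(len(conns)):
            # Slide the window start so it spans at most `window` seconds.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            peers = {dst for _, dst in conns[start:end + 1]}
            if len(peers) > len(best):
                best = peers
        if len(best) >= threshold:
            flagged[src] = {
                "peers": len(best),
                "external": sorted(d for d in best if is_external(d)),
            }
    return flagged


if __name__ == "__main__":
    for src, info in smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['peers']} distinct SMB peers in window, "
              f"{len(info['external'])} external: {info['external']}")
```

A host that normally talks to one or two file servers never trips the threshold; the worm-like source in the sample does, and its outbound attempts to non-internal addresses are listed separately because they indicate Internet-facing scanning rather than lateral movement.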

IoT


Another major area of attack is on IoT devices. We have all heard for years that many IoT devices are not secure for various reasons. In 2016 we began to see how these seemingly insignificant devices on our networks could be turned against us or others on the Internet. The attack on the DynDNS service in 2016 was unprecedented at the time. It pulverized the DynDNS service with a very high-volume distributed denial-of-service (DDoS) attack. This attack disrupted many popular websites, including Amazon, Netflix, and Twitter. Of course, this helped it gain some notoriety in the media. But what concerned many security professionals was where the DDoS source traffic was coming from. This time it wasn’t compromised Windows systems; it was IoT devices, many of them IP cameras and DVR devices. Any device that is infected by Mirai will reach out and scan the Internet for additional IoT devices that it can compromise. It utilizes factory default usernames and passwords to connect to the devices and infect them with its source code. The beauty of this type of malware is that it allows the device to continue working as normal, so the attacker can use it when needed for a DDoS attack or whatever it wants, and the end user has no clue; this is much different from the ransomware attacks we have already discussed. Of course, Mirai is not the only IoT-based DDoS attack we have seen. Many more have occurred. However, Mirai opened the eyes of many people, who then began to take a much more serious approach to deploying IoT devices on their networks.

Of course, these are just a few of the threats that we face today. The threats continuously change because the threat actors are constantly working to bypass the defenses we put in place and find other ways to take advantage of the vulnerabilities in our networks and systems. We need to focus on the threat actors to determine what the next threat will be—and we need to understand who they are in order to understand how to defend against them.

Threat Actors


“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

—Sun Tzu, The Art of War

So, who is it that’s causing all this trouble? Of course, there are various motivations for cyber attacks. These motivations are often monetary, but they may also be political. The following are the most common types of malicious attackers we see today:

  • Organized crime: In 2016 the cybercrime industry took over the number-one spot, previously held by the drug trade, for the most profitable illegal industry. As you can imagine, it has attracted a new type of cybercriminal. Just as it did back in the days of Prohibition, organized crime goes where the money is. Organized crime consists of very well-funded and motivated groups that will typically use any and all of the latest attack techniques. Whether that is ransomware or data theft, if it can be monetized, organized crime will use it.

  • Hacktivists: This type of threat actor is not motivated by money. Hacktivists are looking to make a point or to further their beliefs, utilizing cybercrime as their method of attack. These types of attacks are often carried out by stealing sensitive data and then revealing it to the public for the purpose of embarrassing or financially affecting a target.

  • State-sponsored attackers: Cyber war and cyber espionage are two terms that fit into this category. Many believe that the next Pearl Harbor will occur in cyberspace. That’s one of the reasons the United States declared cyberspace to be one of the operational domains that U.S. forces would be trained to defend (see the 2011 U.S. Department of Defense document “Strategy for Operating in Cyberspace,” at https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf).

  • Insider threats: An insider threat is a threat that comes from inside an organization. The motivations of these types of actors are normally different from those of many of the other common threat actors. Insider threats are often normal employees who are tricked into divulging sensitive information or mistakenly clicking on links that allow attackers to gain access to their computers. However, they could also be malicious insiders who are possibly motivated by revenge or money.

Exploring Penetration Testing Methodologies


The process of completing a penetration test varies based on many factors. The tools and techniques used to assess the security posture of a network or system also vary. The networks and systems being evaluated are often highly complex. Because of this, it is very easy when performing a penetration test to go off scope. This is where testing methodologies come in.

Why Do We Need to Follow a Methodology for Penetration Testing?


As just mentioned, scope creep is one reason for utilizing a specific methodology; however, there are many other reasons. For instance, when performing a penetration test for a customer, you must show that the methods you plan to use for testing are tried and true. By utilizing a known methodology, you are able to provide documentation of a specialized procedure that has been used by many people.

Penetration Testing Methods


There are, of course, a number of different types of penetration tests. Often they are combined in the overall scope of a penetration test; however, they can also be performed as individual tests. The following is a list of some of the most common terms used for the types of penetration tests today:

  • Web application tests: Web application testing focuses on testing for security weaknesses in a web application. These weaknesses can include but are not limited to misconfigurations, input validation issues, injection issues, and logic flaws. Because a web application is typically built on a web server with a back-end database, the testing scope normally includes the database as well. However, it focuses on gaining access to that supporting database through the web application compromise. A great resource that we mention a number of times in this book is the Open Web Application Security Project (OWASP).

  • Network infrastructure tests: Testing of the network infrastructure can mean a few things. For the purposes of this book, we say it is focused on evaluating the security posture of the actual network infrastructure and how it is able to help defend against attacks. This often includes the switches, routers, firewalls, and supporting resources, such as authentication, authorization, and accounting (AAA) servers and IPSs.

  • Wireless network tests: A penetration test on wireless infrastructure is similar to a network infrastructure test. It may sometimes be included in the scope of a network infrastructure test. However, additional types of tests would be performed. For instance, a wireless security tester would attempt to break into a network via the wireless network either by bypassing security mechanisms or breaking the cryptographic methods used to secure the traffic. Testing the wireless infrastructure helps an organization to determine weaknesses in the wireless deployment as well as the exposure. It often includes a detailed heat map of the signal dispersion.

  • Physical facility tests: Many penetration testers find the physical aspect of testing to be the most fun because they are essentially being paid to break into the facility of a target. This type of test can help expose any weaknesses in the physical perimeter as well as any security mechanisms that are in place, such as guards, gates, and fencing. The result should be an assessment of the external physical security controls.

  • Social engineering tests: The majority of compromises today start with some kind of social engineering attack. This could be a phone call, an email, a website, an SMS message, and so on. For this reason, it is important to test how your employees handle these types of situations. This type of test is often omitted from the scope of a penetration testing engagement mainly because it primarily involves testing people instead of the technology. In most cases, management does not agree with this type of approach. However, it is important to get a real-world view of the latest attack methods. The result of a social engineering test should be to assess the security awareness program so that you can enhance it. It should not be to identify individuals who fail the test. One of the tools that we talk more about in a later chapter is the Social-Engineer Toolkit (SET), created by Dave Kennedy. This is a great tool for performing social engineering testing campaigns.

When talking about penetration testing methods, you are likely to hear the terms black-box, white-box, and gray-box testing. These terms are used to describe the perspective from which the testing is performed, as well as the amount of information that is provided to the tester:

  • Black-box tests: In a black-box penetration test, the tester is typically provided only a very limited amount of information. For instance, the tester may be provided only the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester start out with the perspective that an external attacker might have. Typically, an attacker would first determine a target and then begin to gather information about the target, using public information, and gaining more and more information to use in attacks. The tester would not have prior knowledge of the target’s organization and infrastructure. Another aspect of black-box testing is that sometimes the network support personnel of the target may not be given information about exactly when the test is taking place. This allows for a defense exercise to take place as well, and it also eliminates the issue of a target preparing for the test and not giving a real-world view of how the security posture really looks.

  • White-box tests: In a white-box penetration test, the tester starts out with a significant amount of information about the organization and its infrastructure. The tester would normally be provided things like network diagrams, IP addresses, configurations, and a set of user credentials. If the scope includes an application assessment, the tester might also be provided the source code of the target application. The idea of this type of test is to identify as many security holes as possible. In a black-box test, the scope may be only to identify a path into the organization and stop there. With white-box testing, the scope would typically be much broader and include internal network configuration auditing and scanning of desktop computers for defects. Time and money are typically deciding factors in the determination of which type of penetration test to complete. If a company has specific concerns about an application, a server, or a segment of the infrastructure, it can provide information about that specific target to decrease the scope and the amount of time spent on the test but still uncover the desired results. With the sophistication and capabilities of adversaries today, it is likely that most networks will be compromised at some point, and a white-box approach is not a bad option.

  • Gray-box tests: A gray-box penetration test is somewhat of a hybrid approach between black- and white-box methods. With gray-box testing, the testers may be provided credentials but not full documentation of the network infrastructure. This would allow the testers to still provide results of their testing from an external attacker’s perspective. Considering the fact that most compromises start at the client and work their way throughout the network, a good approach would be a scope where the testers start on the inside of the network and have access to a client machine. Then they could pivot throughout the network to determine what the impact of a compromise would be.

Surveying Penetration Testing Methodologies


There are a number of penetration testing methodologies that have been around for a while and continue to be updated as new threats emerge. The following is a list of some of the most common:

  • Penetration Testing Execution Standard (PTES): PTES involves seven distinct phases:

    • Pre-engagement interactions

    • Intelligence gathering

    • Threat modeling

    • Vulnerability analysis

    • Exploitation

    • Post-exploitation

    • Reporting

PTES is currently in version 1.0, and 2.0 is in the works. It provides information about types of attacks and methods, and it also provides information on the latest tools available to accomplish the testing methods outlined.

For more information about PTES, see http://www.pentest-standard.org.

  • PCI penetration testing guidance: The PCI DSS (Payment Card Industry Data Security Standard) was created for the purpose of providing a minimum level of security requirements for handling credit card information. It was originally introduced in 2008, so it has been around for a while and has gone through a number of modifications over the years. The version 3.2 document made a point of distinguishing between a vulnerability scan and a penetration test. It also details specifically what the scope of a PCI penetration test should include. Please visit the PCI DSS website (at https://www.pcisecuritystandards.org) to obtain the latest version of their penetration testing guidance document.

  • Penetration Testing Framework: The Penetration Testing Framework focuses on the hands-on aspects of penetration testing. It is designed in an HTML format that provides links to many tools in each of the following main categories:

    • Network footprinting (reconnaissance)

    • Discovery and probing

    • Enumeration

    • Password cracking

    • Vulnerability assessment

    • AS/400 auditing

    • Bluetooth-specific testing

    • Cisco-specific testing

    • Citrix-specific testing

    • Network backbone

    • Penetration

    • Server-specific testing

    • VoIP security

    • Wireless penetration

    • Physical security

    • Final report template

The Penetration Testing Framework can be found at http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html.

  • NIST Special Publication (SP) 800-115: NIST SP 800-115 is a document created by the National Institute of Standards and Technology for the purpose of providing organizations with guidelines on planning and conducting information security testing. It superseded the previous standard document, SP 800-42. SP 800-115, published in September 2008, is considered an industry standard for penetration testing guidance and is called out in PCI DSS 3.0.

  • Open Source Security Testing Methodology Manual (OSSTMM): The OSSTMM, developed by Pete Herzog, has been around a long time. Distributed by the Institute for Security and Open Methodologies (ISECOM), its goal is to provide a document that lays out repeatable and consistent security testing. It is currently in version 3, and version 4 is currently in draft status. The OSSTMM has the following key sections:

    • Operational Security Metrics

    • Trust Analysis

    • Work Flow

    • Human Security Testing

    • Physical Security Testing

    • Wireless Security Testing

    • Telecommunications Security Testing

    • Data Networks Security Testing

    • Compliance Regulations

    • Reporting with the Security Test Audit Report (STAR)

The OSSTMM can be found at http://www.isecom.org/research/osstmm.html.

  • OWASP Testing Project: The OWASP Testing Project is a comprehensive guide focused on web application testing. It is a compilation of many years of work by OWASP members. It covers the high-level phases of web application security testing and also digs deeper into the actual testing methods used. For instance, it goes as far as providing strings for testing cross-site scripting (XSS) and SQL injection attacks. From a web application security testing perspective, it is the most detailed and comprehensive guide available. The OWASP Testing Project is available at https://www.owasp.org/index.php/OWASP_Testing_Project.

The following resources are useful for understanding the different penetration testing methodologies available in the industry:

Building Your Own Lab


When it comes to penetration testing, a proper lab environment is very important. The way this environment looks depends on the type of testing you are doing. The types of tools used in a lab also vary based on different factors. We discuss tools in more detail in Chapter 9, “Penetration Testing Tools.” Here we only touch on some of the types of tools used in penetration testing. Whether you are performing penetration testing on a customer network, your own network, or a specific device, you always need some kind of lab environment to use for testing. For example, when testing a customer network, you will most likely be doing the majority of your testing against the customer’s production or staging environments because these are the environments a customer is typically concerned about securing properly. Because this might be a critical network environment, you must be sure that your tools are tried and true—and this is where your lab testing environment comes in. You should always test your tools and techniques in your lab environment before running them against a customer network. There is no guarantee that the tools you use will not break something. In fact, many tools are actually designed for breaking things. You therefore need to know what to expect before unleashing tools on a customer network. When testing a specific device or solution that is only in a lab environment, there is less concern about breaking things. With this type of testing, you would typically use a closed network that can easily be reverted if needed.

Figure 1-1 illustrates the topology for a typical penetration testing lab environment.

[Figure not reproduced: a topology of the basic penetration testing lab environment.]
FIGURE 1-1 Basic Penetration Testing Lab Environment

Requirements and Guidelines for Penetration Testing Labs


Now let’s dig a bit deeper into what a penetration testing lab environment might look like and some best practices for setting up such a lab. The following is a list of requirements for a typical penetration testing environment:

  • Closed network: You need to ensure controlled access to and from the lab environment and restricted access to the Internet.

  • Virtualized computing environment: This allows for easy deployment and recovery of devices being tested.

  • Realistic environment: If you are staging a testing environment, it should match the real environment as closely as possible.

  • Health monitoring: When something crashes, you need to be able to determine why it happened.

  • Sufficient hardware resources: You need to be sure that a lack of resources is not the cause of false results.

  • Multiple operating systems: Many times you will want to test or validate a finding from another system. It is always good to test from different operating systems to see if the results differ.

  • Duplicate tools: A great way to validate a finding is to run the same test with a different tool to see if the results are the same.

  • Practice targets: You need to practice using your tools. To do this, you need to practice on targets that are known to be vulnerable.
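The "Duplicate tools" and "Multiple operating systems" requirements above come down to one habit: never report a finding that only one tool produced without re-verifying it. The following added example (not code from the book) shows that cross-check in practice for open-port findings. It parses constructed outputs written in the style of nmap's grepable (-oG) and masscan's list (-oL) formats, treats a port as confirmed only when both scanners agree, and separates out the single-tool results that need a manual look. The sample lines, hosts, and ports are constructed, not real captures.

```python
"""Added example (not from the book): cross-check open-port findings from
two different scanners so that a result is reported as confirmed only
when both tools agree. Sample outputs are constructed in the style of
nmap -oG and masscan -oL; they are not real captures."""
import re

NMAP_GREPABLE = """\
# Nmap grepable output (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tPorts: 80/open/tcp//http//nginx/\tIgnored State: closed (999)
"""

MASSCAN_LIST = """\
#masscan
open tcp 445 10.0.0.5 1494519601
open tcp 22 10.0.0.5 1494519601
open tcp 80 10.0.0.6 1494519602
open tcp 8080 10.0.0.6 1494519602
# end
"""


def parse_nmap_grepable(text):
    """Return {(host, port, proto)} for ports nmap reported as open.
    Filtered/closed entries are deliberately dropped."""
    findings = set()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version/
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                findings.add((host, int(port), proto))
    return findings


def parse_masscan_list(text):
    """Return {(host, port, proto)} from list lines such as
    'open tcp 445 10.0.0.5 1494519601'; comment lines are skipped."""
    findings = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "open":
            findings.add((parts[3], int(parts[2]), parts[1]))
    return findings


def cross_validate(tool_a, tool_b):
    """Split findings into confirmed (seen by both tools) and single-tool
    results that must be re-verified by hand before they go in a report."""
    return {
        "confirmed": sorted(tool_a & tool_b),
        "only_a": sorted(tool_a - tool_b),
        "only_b": sorted(tool_b - tool_a),
    }


if __name__ == "__main__":
    report = cross_validate(parse_nmap_grepable(NMAP_GREPABLE),
                            parse_masscan_list(MASSCAN_LIST))
    for key, items in report.items():
        print(f"{key}: {items}")
```

In the sample, the second scanner alone reports 10.0.0.6:8080, which is exactly the kind of result the lab exists to re-test (with a different tool, or from a different operating system) before it is written up.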

What Tools Should You Use in Your Lab?


Chapter 9 is dedicated to penetration testing tools. Therefore, this section only scratches the surface. Basically, the tools you use in penetration testing depend on the type of testing you are doing. If you are doing testing on a customer environment, you will likely be evaluating various attack surfaces. This could be network infrastructure, wireless infrastructure, web servers, database servers, Windows systems, or Linux systems, for example. Network infrastructure–based tools might include tools for sniffing or manipulating traffic, flooding network devices, and bypassing firewalls and IPSs. For wireless testing purposes, you might use tools for cracking wireless encryption, deauthenticating network devices, and performing man-in-the-middle attacks. When testing web applications and services, you can find a number of automated tools built specifically for scanning and detecting web vulnerabilities, as well as manual testing tools such as interception proxies. Some of these same tools can be used to test for database vulnerabilities (such as SQL injection vulnerabilities). For testing the server and client platforms in the environment, a number of automated vulnerability scanning tools can also be used to identify things such as outdated software and misconfigurations. With a lot of development targeting mobile platforms, there is a much greater need for testing these applications and the servers that support them. For this you need another set of tools specific to testing mobile applications and the back-end APIs that they typically communicate with. And you should not forget about fuzzing tools, which are normally used for testing the robustness of protocols.

What if You Break Something?


Being able to recover your lab environment is important for many reasons. As discussed earlier, when doing penetration testing, you will break things, and sometimes the things you break do not recover on their own. For instance, when you are testing web applications, many of the attacks you send input bogus data into form fields, and that data will likely end up in the database. Some of that input is malicious by design, such as scripting and injection payloads, which can do more than clutter tables: a successful injection can alter or delete data and leave the database in a corrupted state. In a production environment this is obviously a problem. It is also a problem in a lab environment if you do not have an easy way to recover. Without a quick recovery method, you would likely be stuck rebuilding the system under test. This is time-consuming, and if you are doing the work for a customer, it can affect your overall timeline.

Using some kind of virtual environment is ideal because it offers snapshot and restore features for the system state; take the snapshot from a known-good state before testing begins so you always have a clean baseline to return to. Sometimes this is not possible, though. For example, you may be testing a system that cannot be virtualized. In such a case, a full backup of the system or environment is required. Either way, you can quickly be back up and testing if something gets broken, because it most likely will. After all, you are doing penetration testing.
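The two preceding paragraphs describe the problem (test payloads polluting the database under test) and the fix (snapshot before, restore after). When a whole-VM snapshot is not available, the same idea can be applied one layer down, at the database. The following script is an added example, not code from the original text: it uses Python's built-in sqlite3 online-backup API to checkpoint a lab database, runs a stand-in for a form-fuzzing pass that persists junk, SQL injection and XSS strings, then restores the checkpoint and confirms the table is back to its known-good rows. The database, table, and payloads are all constructed for the example, and in-memory databases are used so it runs offline; against a real lab application you would point the live connection at its SQLite file (other database engines have their own dump/restore or point-in-time recovery equivalents). Note that the stand-in application uses parameterized inserts, so the payloads land in the table as data rather than executing; that is exactly the "bogus data in the database" case described above.

```python
"""Checkpoint and restore a lab database around a destructive web-app test run.

Added example using Python's sqlite3 online-backup API. All data is constructed.
"""
import sqlite3

# Constructed payloads of the kind a form-fuzzing pass leaves behind.
TEST_PAYLOADS = [
    "A" * 40,                            # oversized junk
    "' OR '1'='1",                       # classic SQL injection probe
    "<script>alert(1)</script>",         # reflected/stored XSS probe
    "Robert'); DROP TABLE customers;--", # stacked-query SQL injection probe
]


def build_lab_db():
    """Create the system-under-test database with a few known-good rows (constructed)."""
    live = sqlite3.connect(":memory:")
    live.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    live.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    live.commit()
    return live


def checkpoint(live):
    """Take a consistent point-in-time copy of the live database without taking it offline."""
    snap = sqlite3.connect(":memory:")
    live.backup(snap)  # SQLite online backup: copies every page, consistent as of this call
    return snap


def restore(live, snap):
    """Overwrite the live database's contents with the checkpoint (destination is replaced)."""
    snap.backup(live)


def run_destructive_test(live):
    """Stand-in for the web application persisting whatever the tester typed into a form.

    The insert is parameterized, so the payloads are stored as data; they pollute the
    table rather than executing, which is the recovery problem this example addresses.
    """
    live.executemany("INSERT INTO customers (name) VALUES (?)",
                     [(p,) for p in TEST_PAYLOADS])
    live.commit()


def names(conn):
    """Return the customer names in insertion order, for before/after comparison."""
    return [row[0] for row in conn.execute("SELECT name FROM customers ORDER BY id")]


def test_cycle():
    """Checkpoint, break things, restore. Returns (rows_before, rows_during, rows_after)."""
    live = build_lab_db()
    before = names(live)
    snap = checkpoint(live)          # 1. snapshot from the known-good state
    run_destructive_test(live)       # 2. the test run pollutes the database
    during = names(live)
    restore(live, snap)              # 3. roll back to the checkpoint
    after = names(live)
    return before, during, after


if __name__ == "__main__":
    before, during, after = test_cycle()
    print("before :", before)
    print("during :", during)
    print("after  :", after)
    print("restored cleanly:", before == after)
```

The checkpoint is taken from a clean state before the first request is sent, the same discipline as a VM snapshot. If the test run does manage to corrupt the schema rather than just the rows, the restore still works, because the backup API replaces every page of the destination rather than replaying individual statements.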

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 11, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep software online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 1-2 lists these key topics and the page number on which each is found.


Table 1-2 Key Topics for Chapter 1

Key Topic Element | Description | Page Number
Paragraph | What is the difference between ethical hacking and nonethical hacking? | 6
Paragraph | Why do you need to do penetration testing? | 7
Paragraph | Understanding the current threat landscape | 7
Paragraph | Ransomware | 8
Paragraph | IoT | 8
Paragraph | Threat actors | 9
Paragraph | Exploring penetration testing methodologies | 10
Paragraph | Why do you need to follow a methodology for penetration testing? | 10
Paragraph | Penetration testing methods | 11
Paragraph | Surveying penetration testing methodologies | 13
Paragraph | Building your own lab | 16
Figure 1-1 | Common penetration testing lab diagram | 17
Paragraph | Requirements and guidelines for penetration testing labs | 18
Paragraph | What tools should you use in your lab? | 18
Paragraph | What if you break something? | 19

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

ethical hacker

nonethical hacker

vulnerability

penetration testing

malware

threat actors

IoT

ransomware

scanning

social engineering

zero-day attack

threat

insider threat

vulnerability scanning

Q&A

The answers to these questions appear in Appendix A. For more practice with exam format questions, use the Pearson Test Prep software online.

1. Your company needs to determine if the security posture of its computing environment is sufficient for the level of exposure it receives. You determine that you will need to have a penetration test completed on the environment. You would like the testing to be done from the perspective of an external attacker. Which type of penetration test would be best?

  1. White-box test

  2. Gray-box test

  3. Purple-box test

  4. Black-box test

2. In 2017 a number of attacks resulted in the end users’ data being encrypted and/or stolen and then held by the attacker for payment. Which type of attack is this?

  1. Distributed denial of service

  2. Social engineering

  3. Ransomware

  4. SQL injection

3. A person who hacks into a computer network in order to test or evaluate its security, rather than with malicious or criminal intent is considered a(n) __________.

4. The main difference between an ethical hacker and a nonethical hacker is that a nonethical hacker has ________.

5. Which type of threat actor would have the primary intent of monetary gain?

  1. Hacktivist

  2. Organized crime

  3. State-sponsored

  4. Insider threat

6. Your company has an Internet-facing website that is critical to its daily business. Which type of penetration test would you prioritize?

  1. Social engineering test

  2. Wireless test

  3. Network test

  4. Web application test

7. Which penetration testing methodology is focused on web application penetration testing?

  1. Open Source Security Testing Methodology Manual (OSSTMM)

  2. OWASP Testing Project

  3. NIST SP 800-115

  4. Information Systems Security Assessment Framework (ISSAF)

8. You are hired to complete a penetration test. The customer gives you only a domain name and IP address as the target information. Which type of penetration test is the customer asking you to perform?

  1. White-box test

  2. Gray-box test

  3. Black-box test

  4. Brown-box test

9. You are performing a penetration test for a customer. You identify a client machine that is downloading the contents of the customer database, which stores the customer’s intellectual property. You then identify an employee who is exporting the data to a USB drive. Which type of threat actor is this likely to be?

  1. Organized crime

  2. State sponsored

  3. Hacktivist

  4. Insider threat

10. A potential customer is looking to test the security of its network. One of the customer’s primary concerns is the security awareness of its employees. Which type of test would you recommend that the company perform as part of the penetration test?

  1. Social engineering testing

  2. Wireless testing

  3. Network testing

  4. Web application testing
