Pre-Engagement Activities
Basic tasks that set the stage for a successful penetration test
Regulations
Legally binding mandates which demand strict adherence to data protection rules
General Data Protection Regulation (GDPR)
Imposes strict rules on data processing and movement within the EU and for businesses or companies dealing with EU citizens’ data
Gramm-Leach-Bliley Act (GLBA)
Plays an important role in protecting the privacy of individuals’ financial information held by financial institutions
Health Insurance Portability and Accountability Act (HIPAA)
Regulates the confidentiality and security of healthcare information in the US
Standards
Established by all of the important industry players, embodying the collective knowledge of best practices for cybersecurity
Payment Card Industry Data Security Standard (PCI DSS)
Serves as a benchmark for best practices in securing payment card data information
ISO/IEC 27000 Series
Provides specifications for implementing, maintaining, and improving information security management systems
Stakeholder Alignment
Ensures that everyone, from technical teams to executive leadership, understands the objectives and outcomes of a penetration test
Network Assessments
Crucial for evaluating the security of an organization's network as a whole
Wireless Assessments
Focus on the security of wireless networks
Application Assessments
Target the security of specific applications, whether developed in-house or acquired from third parties
Mobile Assessments
Acknowledge the unique security challenges posed by mobile computing
Web Assessments
Scrutinize web applications and websites for vulnerabilities such as SQL injection, cross-site scripting, and security misconfigurations
Cloud Assessments
Evaluate the security posture of cloud-based services and infrastructure
API Assessments
Focus on the security of application programming interfaces, which are critical for the integration of different software systems and services
Non-Disclosure Agreements (NDAs)
A legally binding contract that establishes a confidential relationship between the parties involved
Master Service Agreements (MSAs)
Set the foundational terms of the business relationship between a service provider and the client
Project scope
Payment details
Confidentiality clauses
Liability Issues
Streamline the process by eliminating the need for separate contracts for each new project or phase
Statement of Work (SoW)
Details the specifics of the project or service provided; it outlines the objectives, deliverables, scope of work, timelines, payment schedules, and responsibilities of each party
Terms of Service (ToS)
Govern the use of the services provided by the PenTest firm
Authorization Letters
Essential for formally granting permission to the penetration testing team to conduct simulated cyberattacks against the organization’s systems
Mandatory Reporting
A critical aspect of penetration testing that dictates how and when findings must be disclosed
Risks to the Penetration Tester
Penetration testing involves proving and exploiting security vulnerabilities, which can lead to unintended consequences
Establishment of an Escalation Path
Should clearly outline the chain of command and communication protocols
Exclusions
Specifically designated areas or elements within the scope of the penetration test that are off-limits
Test Cases
Predefined scenarios developed by the penetration testing team to systematically evaluate the security of the system
Testing Window
Refers to the specific timeframe agreed upon by both parties during which the pen-test activities will occur
Goal Reprioritization
Allows for changes in the test's priorities; it acknowledges that penetration testing is a dynamic process
Business Impact Analysis
Conducted to assess the potential consequences for the client if the vulnerabilities identified during the penetration test can be exploited by a malicious actor
Aims to clarify the link between the findings and how they affect that particular business
CIDR (Classless Inter-Domain Routing) Ranges
Method used to allocate IP addresses and route Internet traffic
Example: the CIDR block 192.168.100.0/24 covers the usable host addresses 192.168.100.1-192.168.100.254
Domains
Human-readable addresses used to access websites on the Internet, and they play an important role in external penetration testing
IPs
Represent specific nodes or servers within a network or on the Internet
URLs (Uniform Resource Locators)
Point to specific resources on the Internet or an internal network, often directing traffic to particular pages or services within a domain
Shared Responsibility Model
This model lays out the different roles and responsibilities of various stakeholders involved in keeping a hosted environment secure
Means the hosting provider secures the infrastructure, while the customer secures their data and applications
Hosting Providers
Secure the infrastructure that runs all the services offered to customers
Penetration Testers
Their main job is to find vulnerabilities that threat actors could exploit and test the effectiveness of security controls