PrepAway - Latest Free Exam Questions & Answers

Which of the following is a penetration testing method?

Which of the following is a penetration testing method?

PrepAway - Latest Free Exam Questions & Answers

A.
Searching the WHOIS database for administrator contact information

B.
Running a port scanner against the target’s network

C.
War driving from a target’s parking lot to footprint the wireless network

D.
Calling the target’s helpdesk, requesting a password reset

Explanation:
A penetration test is a proactive and authorized attempt to evaluate the security of an IT infrastructure by
safely attempting to exploit system vulnerabilities, including OS, service and application flaws, improper
configurations, and even risky end-user behavior. Such assessments are also useful in validating the
efficacy of defensive mechanisms, as well as end-users’ adherence to security policies.
Penetration testing evaluates an organization’s ability to protect its networks, applications, endpoints and
users from external or internal attempts to circumvent its security controls to gain unauthorized or
privileged access to protected assets. Test results validate the risk posed by specific security
vulnerabilities or flawed processes, enabling IT management and security professionals to prioritize
remediation efforts. By embracing more frequent and comprehensive penetration testing, organizations
can more effectively anticipate emerging security risks and prevent unauthorized access to critical
systems and valuable information.
Penetration tests are not always technically clever attempts to access a network. By calling the target’s
helpdesk and requesting a password reset, if they reset the password without requiring proof that you
are authorized to request a password change, you can easily gain access to the network.
Incorrect Answers:
A: The WHOIS database lists the administrative contacts for domain names such as comptia.com. This
information is freely available to anyone. Searching the WHOIS database for administrator contact
information is not a penetration test. You are not attempting to access a network or system by searching
the WHOIS database.
B: Running a port scanner against the target’s network would determine a list of ports open on the
firewall. While this could be classed as the reconnaissance part of a penetration test, by running the port
scan, you are not actively attempting to access the network.
C: Footprinting the wireless network (measuring the range of the wireless network) is not a penetration
test. By performing this action, you are not attempting to access a network or system.

http://www.coresecurity.com/penetration-testing-overview


Leave a Reply