Exam (elaborations)

Final CPSA updated 2022 Questions and Answers

Rating: -
Sold: -
Pages: 51
Grade: A+
Uploaded on: 22-10-2022
Written in: 2022/2023

A1) Benefits of pentesting
Manage risk. Increase business continuity. Minimise client-side attacks. Protect clients, partners and third parties. Comply with regulation.

A1) Pentest structure
Reconnaissance (i.e. find live hosts, sweeping, find services, scanning, banner matching, find vulnerabilities). Target prioritisation (e.g. assess servers rather than printers). Testing of services and exploitation if applicable. Consult/confirm with the customer whether it is OK to exploit. Inform the customer of any high-risk issues that need addressing immediately.

A1) Project lifecycle
Data gathering / scoping / briefing. Testing. Report writing. Debriefing.

A2) Computer Misuse Act 1990
The Act defines 3 specific offences:
1. Unauthorised access to computer material (that is, a program or data). 6 months or Level 5 fine (£5000 currently).
2. Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime. 5 years, max fine.
3. Unauthorised modification of computer material. 5 years, max fine.
In general: You must not test a system without prior authorisation (e.g. as agreed in a written scope/contract). You should never test without informing the client beforehand. Amended by Part 5 of the Police and Justice Act 2006.

A2) Police and Justice Act 2006
The amendments and updates to the Computer Misuse Act 1990 in Part 5 of the Police and Justice Act 2006 are:
Section 35. Unauthorised access to computer material.
Section 36. Unauthorised acts with intent to impair operation of computer, etc.
Section 37. Making, supplying or obtaining articles for use in computer misuse offences.
Section 38. Transitional and saving provision.
In general: Part V includes a few sections on the Computer Misuse Act 1990. Provision for DoS as an offence. Increased penalties. Making tools available on the Internet. Dual-use tools liable.

A2) Human Rights Act 1998
Lots of general human rights involved, such as right to marry, discrimination, privacy, slavery, guilty, etc.
The Human Rights Act 1998 is relevant to computer usage as it: "Protects the right of individuals against unreasonable disruption of and intrusion into their lives, while balancing this individual right with those of others."
In general: Article 8: Right to respect for private and family life. Right to privacy. With an Acceptable Usage Policy (AUP), you waive the right to privacy on the network.

A2) Data Protection Act 1998
In general: Deals with PII (Personal Information ID). Data about identifiable users should only be used for the purpose intended. Should not make a local copy (e.g. HR database).

A2) Handling data (6 categories)
Data classification set by . Important for a CHECK member to know the protective marking of the test/report.
1. NPM — Non Protective Marking.
2. PROTECT — Not sensitive enough to make classification. Sensitive but not high risk.
3. RESTRICTED — Pentests are usually RESTRICTED as a minimum.
4. CONFIDENTIAL — (Prejudicial).
5. SECRET — (Serious Injuries).
6. TOP SECRET (EGD).

A4) 5 principles of risk management
Assess risk and determine needs. Establish a central management focus. Implement appropriate policies and related controls. Promote awareness. Monitor and evaluate policy and control effectiveness.

A3) Sensible scoping questions (7)
1. What technologies are being used?
2. Can we get access to the application (web application)?
3. How many users are there?
4. How many pages are there? Are they dynamic or static?
5. What are you expecting us to find?
6. Will this be a white box or black box test?
7. Will the testing be onsite or remote?

B1) OSI
Open Standards Interconnection (OSI), developed by the International Standards Organisation (ISO).

B1) OSI model. What and stages?
The model is a set of 7 layers that define the different stages that data must go through to travel from one device to another over a network. {7} Application, {6} Presentation, {5} Session, {4} Transport, {3} Network, {2} Data Link, {1} Physical.
Higher layers are more specific, lower layers more generic. Please Do Not Tell Sales People Anything.

B1) Physical layer
The Physical layer defines electrical and physical specifications for devices, i.e. the relationship between a device and a transmission medium (e.g. copper or fibre-optic cable, shielded/unshielded twisted pair, 10Base-2, 10Base-T, 100Base-TX, 1000B-T, RJ45, coaxial, fibre-optic cables, copper cables).

B1) Data Link layer
The Data Link layer provides the means to transfer data between network entities using a common addressing format. The Data Link layer has a Logical Link Control (LLC) sublayer for multiplexing several network protocols (e.g. IP, IPX, DECnet and AppleTalk) to coexist in a multipoint network. The Data Link layer has a Media Access Control (MAC) sublayer for addressing and for terminal/network nodes to communicate within a multiple access network. MAC address, PPP, HDLC, ADCCP.

B1) Network layer
The Network layer provides the means of transferring data from a source host on one network to a destination host on a different network. IP address, ARP, IPv4, IPv6, ICMP, IPX, RIP, IKE.

B1) Transport layer
The Transport layer provides transparent transfer of data using connection-oriented data stream support, reliability, flow control, and multiplexing. Port number, TCP, UDP, SCTP.

B1) Session layer
The Session layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e., a semi-permanent dialogue. SOCKS, TLS-PSK, TLS-SRP.

B1) Presentation layer
The Presentation layer is responsible for the delivery and formatting of information to the Application layer for further processing or display. MIME, NetWare Core Protocol, XML.

B1) Application layer
The Application layer is the outermost layer, where users interact directly with the software application. FTP, SSH, Telnet, SMTP, IMAP, POP, HTTP, HTTPS, RTP, BOOTP, SNMP, NTP.

B1) TCP/IP model layers
The TCP/IP model is basically a shorter version of the OSI model. It consists of four layers instead of seven: Application, Transport, Network and Link. The TCP Application layer is like the Application, Presentation and Session layers of OSI. TCP Transport, aka 'Host-to-host transport', is Transport in OSI. TCP Network, aka 'Internet Layer', is Network in OSI. TCP Link, aka 'Network Access', is Data Link and Physical in OSI.

Institution: CPSA
Course: CPSA