D484 PENETRATION TESTING COURSE STUDY GUIDE, WESTERN GOVERNORS' UNIVERSITY
1. Administrative controls: security measures implemented to monitor adherence to organizational policies and procedures. They include activities such as hiring and termination policies, employee training, and creating business continuity and incident response plans.
2. Physical controls: restrict, detect and monitor access to specific physical areas or assets. Methods include barriers, tokens, biometrics or other controls such as ensuring that server room doors are properly locked, along with using surveillance cameras and access cards.
3. Technical or logical controls: automate protection to prevent unauthorized access or misuse. They include Access Control Lists (ACLs), Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) signatures and antimalware protection, and are implemented as hardware, software, or firmware solutions.
4. What is the primary goal of PenTesting? Reduce overall risk by taking proactive steps to find and reduce vulnerabilities before an attacker exploits them.
5. Principle of Least Privilege: basic principle of security stating that something (a user, process or system) should be allocated the minimum necessary rights, privileges, or information to perform its role.
6. Risk: the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
7. Threat: something, such as malware or a natural disaster, that can accidentally or intentionally exploit a vulnerability and cause undesirable results.
8. Vulnerability: a weakness or flaw, such as a software bug, system flaw, or human error, that can be exploited by a threat.
9. Risk Analysis: a security process used to assess the damage that risks can cause to an organization.
10. Unified Threat Management (UTM): all-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.
11. Main steps of the structured PenTesting process: Planning and scoping, Reconnaissance, Scanning, Gaining access, Maintaining access, Covering tracks, Analysis, Reporting.
12. Unauthorized hacker: a hacker operating with malicious intent and without the target's permission.
13. Payment Card Industry Data Security Standard (PCI DSS): information security standard for organizations that process credit or bank card payments and therefore handle cardholder data.
14. An organization must do the following in order to protect cardholder data: maintain a secure infrastructure using dedicated appliances and software to monitor and prevent attacks. Implement best practices like changing default passwords, educating users on email safety, and continuously monitoring for vulnerabilities with updated anti-malware protection. Enforce strict access controls through the principle of least privilege and regularly test and monitor networks.
15. PCI DSS Level 1: large merchant with over six million transactions a year; requires an annual on-site assessment by an external Qualified Security Assessor (QSA) and must complete a Report on Compliance (RoC).
16. PCI DSS Level 2: merchant with one to six million transactions a year; completes an annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an Approved Scanning Vendor (ASV). A RoC is required only where the card brand or acquirer demands one.
17. PCI DSS Level 3: merchant with 20,000 to one million e-commerce transactions a year; completes an annual SAQ and quarterly ASV scans.
18. PCI DSS Level 4: small merchant with fewer than 20,000 e-commerce transactions a year (or up to one million total transactions); completes an annual SAQ and quarterly ASV scans.
19. General Data Protection Regulation (GDPR): provisions and requirements protecting the personal data of individuals in the European Union (EU). Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like safeguards. The US Privacy Shield framework that was used for this purpose was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II ruling) and was replaced in 2023 by the EU-US Data Privacy Framework.
20. GDPR components: require consent, rescind consent, global reach, restrict data collection, violation reporting.
21. Stop Hacks and Improve Electronic Data Security (SHIELD) Act: a New York state law, signed in July 2019, whose data security requirements took effect in March 2020, to protect citizens' data. The law requires companies to bolster their cybersecurity defense methods to prevent a data breach and protect consumer data.
22. California Consumer Privacy Act (CCPA): passed in 2018 and in effect since 1 January 2020, it outlines specific guidelines on how to appropriately handle consumer data. To ensure that customer data is adequately protected, vendors should include PenTesting of all web applications and internal systems, along with social engineering assessments.
23. Health Insurance Portability and Accountability Act (HIPAA): a US law that mandates rigorous requirements for anyone who deals with patient information. Computerized electronic patient records are referred to as electronic protected health information (e-PHI). Under HIPAA, the e-PHI of any patient must be protected from exposure, or the organization can face a hefty fine.
24. Open Web Application Security Project (OWASP): a nonprofit foundation and community that publishes a number of secure application development resources, such as the OWASP Top 10. Since 2023 the name has been expanded to Open Worldwide Application Security Project.
25. NIST