100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
Final CPSA Exam Questions with Complete Solutions Graded A+ $14.49   Add to cart

Exam (elaborations)

Final CPSA Exam Questions with Complete Solutions Graded A+

 6 views  0 purchase
  • Course
  • CREST CPSA
  • Institution
  • CREST CPSA

Final CPSA Exam Questions with Complete Solutions Graded A+

Preview 4 out of 59  pages

  • August 29, 2024
  • 59
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers
  • CREST CPSA
  • CREST CPSA
avatar-seller
Dants
Final CPSA Exam
Questions and
Complete Solutions
Graded A+
Denning [Date] [Course title]

,A1) Benefits of pentesting - Answer: Manage risk. Increase business continuity. Minimise client-side
attacks. Protect clients, partners and third-parties. Comply with regulation.



A1) Pentest structure - Answer: Reconnaissance (i.e. find live hosts, sweeping, find services, scanning,
banner matching, find vulnerabilities). Target prioritisation (e.g. assess servers rather than printers).
Testing of services and exploitation if applicable. Consult/Confirm with customer if ok to exploit. Inform
customer of any high risk issues that need addressing immediately.



A1) Project Lifecycle - Answer: Data Gathering / Scoping / Briefing. Testing. Report Writing. Debriefing



A2) Computer Misuse Act 1990 - Answer: The Act defines 3 specific offences: 1. Unauthorised access to
computer material (that is, a program or data). 6 months or Level 5 fine (£5000 currently). 2.
Unauthorised access to a computer system with intent to commit or facilitate the commission of a
serious crime. 5 years, max fine. 3. Unauthorised modification of computer material. 5 years, max fine.
In general: You must not test a system without prior authorisation (e.g. as agreed in written
scope/contract). You should never test without informing the client beforehand. Amended by Part 5 of
Police and Justice Act 2006.



A2) Police and Justice Act 2006 - Answer: An amendment and update to the Computer Misuse Act 1990
in Part 5 of the Police and Justice Act 2006 are: Section 35. Unauthorised access to computer material.
Section 36. Unauthorised acts with intent to impair operation of computer, etc. Section 37. Making,
supplying or obtaining articles for use in computer misuse offences. Section 38. Transitional and saving
provision. In general: Part V includes a few sections on Computer Misuse Act 1990. Provision for DoS as
an offence. Increased penalties. Making available tools to the Internet. Dual-use tools liable.



A2) Human Rights Act 1998 - Answer: Lots of general human rights involved such as right to marry,
discrimination, privacy, slavery, guilty etc. Human Rights Act 1998 is relevant to Computer usage as:
"Protects the right of individuals against unreasonable disruption of and intrusion into their lives, while
balancing this individual right with those of others." In general: Article 8: Right to respect for private and
family life. Right to privacy. With Acceptable Usage Policy (AUP), you waive the right to privacy on
network.



A2) Data Protection Act 1998 - Answer: In general: Deals with PII (Personal Information ID). Data about
identifiable users should only be used for the purpose intended. Should not make a local copy (e.g. HR
Database)

,A2) Handling Data (6 catergories) - Answer: Data classification set by uk.gov. Important for CHECK
member to know the protective marking of test/report. 1. NPM — Non Protective Marking. 2. PROTECT
— Not sensitive enough to make classification. Sensitive but not high risk. 3. RESTRICTED — Pentests are
usually RESTRICTED as a minimum 4. CONFIDENTIAL — (Prejudical). 5. SECRET — (Serious Injuries). 6.
TOP SECRET (EGD).



A4) 5 Principles of Risk Management - Answer: Assess risk and determine needs. Establish a central
management focus. Implement appropriate policies and related controls. Promote awareness. Monitor
and evaluate policy and control effectiveness.



A3) Sensible scoping questions (7) - Answer: 1. What technologies are being used? 2. Can we get access
to the application (Web Application)? 3. How many users are there? 4. How many pages are there? Are
they dynamic or static? 5. What are you expecting us to find? 6. Will this be a white box or black box
test? 7. Will the testing be onsite or remote?



B1) OSI - Answer: Open Standards Interconnection (OSI) developped by International Standards
Organisation (ISO)



B1) OSI Model. What and stages? - Answer: Model is set of 7 layers that define the different stages that
data must go through to travel from one device to another over a network. {7} Application, {6}
Presentation, {5} Session, {4} Transport, {3} Network, {2} Data Link, {1} Physical. Higher layers more
specific, lower layers more generic. Please Do Not Tell Sales People Anything.



B1) Physical Layer - Answer: Physical layer defines electrical and physical specifications for devices, i.e.
relationship between a device and a transmission medium (e.g. copper or fibre optical cable,
Shielded/unshielded twisted pair, 10Base-2, 10Base-T, 100Base-TX, 1000B-T, RJ45, Coaxial, Fibre-optical
cables, Copper cables)



B1) Data Link Layer - Answer: Data Link layer provides means to transfer data between network entities
using a common addressing format. Data Link layer has Logical Link Control (LLC) sublayer for
multiplexing several network protocols (e.g. IP, IPX, Decnet and Appletalk) to coexist in multipoint
network. Data Link layer has Media Access Control (MAC) sublayer for addressing and terminal/network
nodes to communicate within a multiple access network. MAC address, PPP, HDLC, ADCCP.



B1) Network Layer - Answer: Network layer provides means of transferring data from a source host on
one network to a destination host on a different network. IP Address, ARP, IPv4, IPv6, ICMP, IPX, RIP,
IKE.

, B1) Transport Layer - Answer: Transport layer provides transparent transfer of data using connection-
oriented data stream support, reliability, flow control, and multiplexing. Port Number, TCP, UDP, SCTP.



B1) Session Layer - Answer: Session layer provides mechanism for opening, closing and managing a
session between end-user application processes, i.e., a semi-permanent dialogue. SOCKS, TLS-PSK, TLS-
SRP.



B1) Presentation Layer - Answer: Presentation layer is responsible for the delivery and formatting of
information to the application layer for further processing or display. MIME, Netware Core Protocol,
XML.



B1) Application Layer - Answer: Application layer is outermost layer where user interact directly with
the software application. FTP, SSH, Telnet, SMTP, IMAP, POP, HTTP, HTTPS, RTP, BOOTP, SNMP, NTP.



B1) TCP/IP Model Layers - Answer: TCP/IP model is basically a shorter version of the OSI model. Consists
of four instead of seven layers. Application, Transport, Network and Link. TCP Application layer is like
Application, Presentation and Session of OSI. TCP Transport aka 'Host-to-host transport' is Transport in
OSI. TCP Network aka 'Internet Layer' is Network OSI. TCP Link aka 'Network Access' is Data Link and
Physical OSI.



B1) TCP/IP Transport and Application Layer - Answer: Transport Layer is a convenient application
programming interface to internet hosts. Application Layer contains all protocols and methods that fall
into the realm of process-to-process communications across an IP network.



B1) IPv4 - Answer: IPv4 uses a 32-bit address for its Internet addresses. That means it can provide
support for 2^32 IP addresses in total â around 4.29 billion



B1) IPv6 Size and Advantages - Answer: IPv6 utilizes 128-bit Internet addresses. No more NAT. No more
private address collisions. More efficient, many other benefits. Leading zeros can be omitted. The double
colon (::) can be used once in the text form of an address, to designate any number of 0 bits.



B1) TCP Characteristics (3) - Answer: 1) Transmission Control Protocol/Internet Protocol. 2) It is
specifically designed as a model to offer highly reliable and end-to-end byte stream over an unreliable
network. 3) A TCP connection is established with the help of three-way handshake. It is a process of

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller Dants. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $14.49. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

79223 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$14.49
  • (0)
  Add to cart