Effective CISSP Questions

You are conducting penetration testing for a customer with a tight schedule. You are now trying to gain control over a server in the DMZ. Which of the following is least likely to happen? (Wentz QOTD)
A. Scan ports using nmap
B. Gather host information using nslookup
C. Send ICMP messages with routes using ping
D. Install the weapon payload and reboot to take effect

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Install the weapon payload and reboot to take effect.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

Pen Testing Methodologies

Business Mindset

All four options in this question may occur in a penetration test. However, penetration testing should avoid disrupting business operations. Rebooting a system hinders availability and service levels, so the penetration testing rules of engagement should be considered before doing so.

Because of the nature and the intent of penetration testing, such testing in a production environment during normal business hours may impact business operations, and attempts to avoid disruption may increase the time, resources and complexity of the testing. This is especially important for high availability systems that may be impacted by penetration testing in a production environment. To avoid disruptions and to speed up testing, a separate environment that is identical to the production environment may be used for testing instead of the production environment.

Source: PCI-DSS Information Supplement: Penetration Testing Guidance

Penetration Testing and Rules of Engagement

In military jargon, “Rules of Engagement” are the laws of war, the rules set forth that dictate the conditions and limitations under which military forces will initiate or continue an engagement.

Penetration Testing is a simulated offensive attack on a set of resources (sounds a little militaristic) and the rules of engagement (ROE) are meant to dictate the conditions and limitations under which the penetration tester will initiate or continue an engagement.

Source: Emagined Security


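You are conducting a double-blind penetration test for a customer with a tight schedule. You are now trying to gain control over a server in the DMZ. Which of the following is least likely to happen? (Wentz QOTD)
A. Scan ports using nmap
B. Gather host information using nslookup
C. Send ICMP messages with routes using ping
D. Install the weapon payload and reboot to take effect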
