Chapter 1: Quiz — Introduction to Ethical Hacking
Test your understanding of the concepts covered in Chapter 1. This quiz includes both multiple-choice questions and short-answer questions. Try to answer from memory before checking the chapter.
Multiple Choice Questions
Question 1
What is the single most important factor that distinguishes ethical hacking from criminal hacking?
a) The tools used
b) The skill level of the hacker
c) Explicit, written authorization from the system owner
d) Whether the hacker finds any vulnerabilities
Question 2
Which document would a penetration tester carry during a physical security assessment in case they are detained by security personnel?
a) Statement of Work (SOW)
b) Non-Disclosure Agreement (NDA)
c) Get-Out-of-Jail Letter
d) Rules of Engagement (ROE)
Question 3
During which phase of the penetration testing lifecycle would you use Nmap to identify open ports on target systems?
a) Planning and Reconnaissance
b) Scanning and Enumeration
c) Gaining Access
d) Reporting and Remediation
Question 4
According to the IBM Cost of a Data Breach Report 2024, which industry consistently has the highest average breach cost?
a) Financial services
b) Technology
c) Healthcare
d) Government
Question 5
A security researcher discovers a vulnerability in a company's website without authorization, does not exploit it beyond confirming its existence, and reports it to the company. This person is best classified as a:
a) White hat hacker
b) Black hat hacker
c) Gray hat hacker
d) Script kiddie
Question 6
Which certification is most widely recognized for hands-on penetration testing skills and requires a 24-hour practical exam?
a) CEH (Certified Ethical Hacker)
b) OSCP (Offensive Security Certified Professional)
c) CompTIA Security+
d) CISSP (Certified Information Systems Security Professional)
Question 7
What is the primary difference between a penetration test and a vulnerability assessment?
a) Penetration tests are automated; vulnerability assessments are manual
b) Penetration tests attempt to exploit vulnerabilities; vulnerability assessments identify and catalog them
c) Vulnerability assessments are more thorough than penetration tests
d) Penetration tests only target web applications
Question 8
Which U.S. federal law is the primary statute governing computer crime, originally passed in 1986?
a) HIPAA
b) SOX (Sarbanes-Oxley Act)
c) CFAA (Computer Fraud and Abuse Act)
d) FISMA (Federal Information Security Management Act)
Question 9
In the MedSecure Health Systems environment, which of the following represents the GREATEST security challenge?
a) The use of AWS cloud services
b) Incomplete medical device network segmentation
c) The deployment of CrowdStrike Falcon EDR
d) Multi-factor authentication on VPN
Question 10
Which of the following BEST describes a red team engagement?
a) A compliance-focused vulnerability scan run quarterly
b) A broad, adversarial simulation that may target people, physical facilities, and digital infrastructure over an extended period
c) A bug bounty program open to external researchers
d) An automated penetration test using commercial tools
Short Answer Questions
Question 11
Explain the "attacker vs. defender asymmetry" in cybersecurity. Why does this asymmetry make ethical hacking valuable? (3-5 sentences)
Question 12
A junior penetration tester discovers a SQL injection vulnerability in a client's web application. The injection point leads to a database server that is explicitly listed as out of scope in the engagement documents. Describe the correct course of action and explain why. (3-5 sentences)
Question 13
Describe three ways in which the penetration testing profession has changed from the 1990s to today. Include specific examples such as certifications, platforms, or regulatory requirements. (4-6 sentences)
Question 14
You are explaining the penetration testing lifecycle to a new member of MedSecure's security team. Describe each of the five phases in one sentence each, using a MedSecure-specific example for each phase.
Question 15
List four elements that should be included in a Rules of Engagement document for a penetration test. For each element, explain why it is important, using an example relevant to healthcare testing.
Scenario-Based Questions
Question 16
A startup CEO tells you: "We don't need a pentest. We use AWS and all our data is encrypted. Cloud providers handle security." In 3-5 sentences, explain why this reasoning is flawed and what risks the company still faces.
Question 17
You are a bug bounty hunter who discovers a critical vulnerability in a hospital's patient portal. The vulnerability could expose 100,000 patient records. The hospital does not have a bug bounty program. Describe two possible courses of action and evaluate the ethical and legal implications of each. (5-7 sentences)
Question 18
Explain why a penetration test report is often considered the most important deliverable of the entire engagement. Who are the two primary audiences, and how should the report be tailored to each? (4-6 sentences)
Answer Key
- c) Explicit, written authorization from the system owner. Authorization is the defining characteristic that makes hacking "ethical."
- c) Get-Out-of-Jail Letter. This signed letter from an authorized executive confirms the tester has permission to conduct the engagement.
- b) Scanning and Enumeration. Port scanning with Nmap falls in this phase, where the tester actively probes target systems.
- c) Healthcare. Healthcare breaches averaged $9.77 million in 2024, the highest of any industry for the fourteenth consecutive year.
- c) Gray hat hacker. The researcher accessed the system without authorization (not white hat) but had no malicious intent and reported the finding (not black hat).
- b) OSCP. The OSCP requires passing a 24-hour practical exam and is considered the gold standard for hands-on pentesting skills.
- b) Penetration tests attempt to exploit vulnerabilities; vulnerability assessments identify and catalog them without necessarily exploiting.
- c) CFAA (Computer Fraud and Abuse Act). Originally passed in 1986, it targeted unauthorized access to government and financial computers.
- b) Incomplete medical device network segmentation. This allows potentially vulnerable medical devices to communicate with the corporate network, creating a pathway for attackers.
- b) A broad, adversarial simulation that may target people, physical facilities, and digital infrastructure over an extended period.
- Defenders must protect every system, application, and user — the entire attack surface. Attackers need only find one weakness to succeed. Attackers choose when, where, and how to attack, while defenders must be prepared at all times. This asymmetry means defenders cannot prevent all attacks, making proactive testing essential. Ethical hackers help level this asymmetry by finding weaknesses before malicious actors do.
- The tester should immediately stop and not access the out-of-scope database server. They should document the finding — specifically that a SQL injection in the in-scope web application appears to provide a path to the out-of-scope database server. This finding should be reported to the client contact as defined in the communication protocols. The report should recommend that the client authorize additional testing of the database server. Accessing the database, even to "just check," would violate the scope and potentially constitute unauthorized access.
- In the 1990s, hacking was largely a subcultural activity with no formal career path. The introduction of certifications like CEH (2003) and OSCP (2006) created professional credentials. Bug bounty platforms like HackerOne (2012) democratized security research globally. Regulatory requirements like PCI DSS (2004) created compliance-driven demand for pentesting. Today, pentesting is a mainstream profession with structured career paths, competitive salaries, and recognized business value.
- Planning/Recon: We would meet with MedSecure's CISO to define scope and gather information about their network from public sources. Scanning: We would scan MedSecure's authorized IP ranges to identify open ports and running services on their servers. Exploitation: We would attempt to exploit discovered vulnerabilities, such as a weak password on the patient portal. Post-Exploitation: After gaining access, we would attempt to reach the EHR system to demonstrate the potential impact. Reporting: We would deliver a report to MedSecure's leadership with findings, risk ratings, and remediation recommendations.
- (1) Scope definition — specifies exactly which systems can be tested; important in healthcare because some medical devices could endanger patients if disrupted. (2) Testing windows — defines when testing can occur; critical in healthcare where 24/7 operations support patient care. (3) Data handling procedures — specifies how any PHI encountered must be handled to maintain HIPAA compliance. (4) Emergency contact procedures — identifies who to call if testing impacts patient care systems or reveals an active breach.
- Cloud providers operate under a shared responsibility model. AWS secures the infrastructure, but the customer is responsible for securing their applications, data, configurations, and access controls. Encryption protects data at rest and in transit, but does not prevent SQL injection, broken authentication, or misconfigured IAM roles. Many of the most devastating breaches have occurred in cloud environments due to customer misconfigurations. A pentest would identify these application-layer and configuration vulnerabilities that no cloud provider can prevent.
- One approach is to report the vulnerability through CISA's coordinated vulnerability disclosure (CVD) process or through a platform like HackerOne that facilitates disclosure even without a formal program. This is legally safer because it uses established channels and creates a documented record of good-faith reporting. Another approach is to directly contact the hospital's CISO or IT security team via email, clearly stating that you are a security researcher, that you found the vulnerability without exploitation, and that you want to help them fix it. Both approaches are ethically sound, but the key legal concern is ensuring you did not exceed minimal verification of the vulnerability and that your communication clearly establishes non-malicious intent.
- The pentest report translates technical findings into actionable intelligence that drives security improvements. The two primary audiences are executive leadership (CEO, CISO, Board) and technical staff (sysadmins, developers, security engineers). The executive summary should use business language, explain risk in financial and operational terms, and recommend strategic investments. The technical findings should provide sufficient detail — steps to reproduce, evidence, and remediation instructions — so that engineers can verify, prioritize, and fix each vulnerability.