Quiz: Penetration Testing Methodology and Standards
Test your understanding of penetration testing methodologies, engagement planning, and professional standards.
Question 1. Which penetration testing methodology introduces the concept of a Risk Assessment Value (rav) as a quantitative security metric?
A) PTES
B) OSSTMM
C) OWASP Testing Guide
D) NIST SP 800-115

Question 2. PTES defines how many phases in the penetration testing lifecycle?
A) 5
B) 6
C) 7
D) 9

Question 3. Which of the following is NOT one of the five OSSTMM testing channels?
A) Human Security
B) Physical Security
C) Application Security
D) Telecommunications

Question 4. In a gray box penetration test, what level of information does the tester typically receive?
A) No information at all, only a company name
B) Partial information such as network ranges and basic credentials
C) Complete information including source code, network diagrams, and architecture documents
D) Only the IP address of a single external-facing server

Question 5. According to PCI DSS 4.0 Requirement 11.4, how frequently must segmentation controls be tested for service providers?
A) Annually
B) Every six months
C) Quarterly
D) Monthly

Question 6. What is the primary purpose of a "get-out-of-jail-free" letter during a penetration testing engagement?
A) To provide legal immunity from all computer crime laws
B) To identify the tester as authorized and provide a contact for verification
C) To allow the tester to exceed the agreed scope if necessary
D) To prevent the client from being liable for any testing damage

Question 7. Which CREST certification level is required for leading CHECK assessments of UK government systems?
A) CPSA (Practitioner Security Analyst)
B) CRT (Registered Penetration Tester)
C) CCT (Certified Tester) with CHECK Team Leader status
D) CCSAS (Certified Simulated Attack Specialist)

Question 8. What is the most common cause of failed penetration testing engagements?
A) Insufficient technical skill of the tester
B) Poor scoping and pre-engagement planning
C) Inadequate tools and software
D) Client interference during testing

Question 9. Which of the following should be included in the Rules of Engagement but NOT in the Statement of Work?
A) Cost and payment terms
B) Emergency stop procedures and 24/7 contact numbers
C) Deliverable list and delivery timeline
D) Engagement duration and milestones

Question 10. The OWASP Testing Guide version 4.2 organizes test cases into how many categories?
A) 5
B) 8
C) 11
D) 15

Question 11. During a penetration test, you discover evidence that an actual attacker has already compromised the system you are testing. According to best practices, what should you do FIRST?
A) Continue testing and document the compromise in your report
B) Attempt to identify and remove the attacker
C) Immediately notify the client per the emergency procedures in the RoE
D) Contact law enforcement directly

Question 12. Which framework provides threat intelligence-led penetration testing standards for European financial institutions?
A) PCI DSS
B) NIST SP 800-115
C) TIBER-EU
D) CIS Controls

Question 13. What is the recommended approach when a client requests that you test additional systems not included in the original scope mid-engagement?
A) Test the additional systems immediately to be helpful
B) Decline the request and explain that scope changes are never permitted
C) Document the request, update the scope in writing, get updated authorization, then proceed
D) Test the additional systems but note in the report that they were out of original scope

Question 14. Phase gates in penetration testing methodology serve what primary purpose?
A) To provide billing milestones for invoicing
B) To review progress, verify coverage, and plan the next phase
C) To give the client opportunities to cancel the engagement
D) To document tool configurations between testing phases

Question 15. PCI DSS penetration testing must include coverage for which of the following, at minimum, for application-layer testing?
A) CIS Benchmarks
B) OWASP Top 10 vulnerabilities
C) SANS Top 25 software errors
D) NIST vulnerability database entries

Question 16. What is the DORA regulation's requirement for Threat-Led Penetration Testing (TLPT) frequency for significant financial entities?
A) Annually
B) Every two years
C) At least every three years
D) Every five years

Question 17. In the context of OSSTMM, what does a rav score above 100 indicate?
A) The system has more vulnerabilities than controls
B) The system has critical security failures
C) The system has more protection than exposure (above par)
D) The testing was incomplete

Question 18. Which of the following is considered a testing pitfall known as "The Trophy Hunter"?
A) Spending too much time on a single interesting vulnerability
B) Relying entirely on automated scanning tools
C) Focusing only on critical/high findings while ignoring medium/low issues
D) Testing systems outside the authorized scope
Answer Key
1. B) OSSTMM. The Open Source Security Testing Methodology Manual introduces the rav (Risk Assessment Value) as a quantitative metric for measuring operational security.
2. C) 7. PTES defines seven phases: Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting.
3. C) Application Security. OSSTMM's five channels are Human Security, Physical Security, Wireless Communications, Telecommunications, and Data Networks. Application security is not a separate OSSTMM channel.
4. B) Partial information such as network ranges and basic credentials. Gray box testing provides the tester with some information about the target environment, balancing thoroughness with realism.
5. B) Every six months. PCI DSS requires service providers to validate segmentation controls every six months, compared to annually for merchants.
6. B) To identify the tester as authorized and provide a contact for verification. The letter includes the tester's identity, authorization statement, and a phone number for the authorizing executive.
7. C) CCT (Certified Tester) with CHECK Team Leader status. CHECK Team Leaders must hold CREST CCT certification plus pass an additional NCSC assessment.
8. B) Poor scoping and pre-engagement planning. Inadequate scoping leads to testing the wrong targets, at the wrong depth, or without proper authorization.
9. B) Emergency stop procedures and 24/7 contact numbers. Emergency procedures are operational details belonging in the RoE, while cost, deliverables, and timeline are contractual elements in the SOW.
10. C) 11. The OWASP Testing Guide v4.2 organizes tests into 11 categories: Information Gathering, Configuration/Deploy Management, Identity Management, Authentication, Authorization, Session Management, Input Validation, Error Handling, Cryptography, Business Logic, and Client-Side.
11. C) Immediately notify the client per the emergency procedures in the RoE. Discovering an active breach is an emergency that requires immediate client notification. Do not continue testing, do not attempt remediation, and do not contact law enforcement without client direction.
12. C) TIBER-EU. The Threat Intelligence-Based Ethical Red Teaming framework was developed by the European Central Bank for financial sector testing.
13. C) Document the request, update the scope in writing, get updated authorization, then proceed. Scope changes require formal documentation and updated authorization to protect both the tester and the client.
14. B) To review progress, verify coverage, and plan the next phase. Phase gates are quality checkpoints that ensure structured progress through the testing methodology.
15. B) OWASP Top 10 vulnerabilities. PCI DSS Requirement 11.4.1 explicitly requires that application-layer penetration tests include, at minimum, the OWASP Top 10.
16. C) At least every three years. DORA requires significant financial entities to conduct TLPT at least every three years using the TIBER-EU framework.
17. C) The system has more protection than exposure (above par). A rav above 100 indicates that security controls and protections exceed the system's vulnerabilities and attack surface.
18. C) Focusing only on critical/high findings while ignoring medium/low issues. The Trophy Hunter pitfall involves pursuing only high-impact findings while neglecting comprehensive coverage.