150 Chapter 6 ■ Security Assessment and Testing (Domain 6)
For questions 98–100, please refer to the following scenario. NIST Special Publication
800-115, the Technical Guide to Information Security Testing and Assessment, provides
NIST’s process for penetration testing. Use this image as well as your knowledge of
penetration testing to answer the questions.
[Figure: penetration testing process diagram with the labels Planning, Discovery, Attack, Reporting, and Additional Discovery.]
Source: NIST SP 800-115.
- Which of the following is not a part of the discovery phase?
A. Hostname and IP address information gathering
B. Service information capture
C. Dumpster diving
D. Privilege escalation
- NIST specifies four attack phase steps: gaining access, escalating privileges, system
browsing, and installing additional tools. Once attackers install additional tools, what phase will
a penetration tester typically return to?
A. Discovery
B. Gaining access
C. Escalating privileges
D. System browsing
- Which of the following is not a typical part of a penetration test report?
A. A list of identified vulnerabilities
B. All sensitive data that was gathered during the test
C. Risk ratings for each issue discovered
D. Mitigation guidance for issues identified