
Graded Quiz: Penetration Testing: Attack Phase: Penetration Testing, Threat Hunting, and Cryptography (IBM Cybersecurity Analyst Professional Certificate) Answers 2025

1. Question 1

PCI-DSS compliance requires:

  • ❌ Regular phishing tests

  • Regular external and internal penetration testing

  • ❌ Using cloud data storage

  • ❌ MFA for all users

Explanation: PCI DSS Requirement 11 mandates internal and external penetration testing at least annually and after any significant change to the cardholder data environment; phishing tests, cloud storage and blanket MFA are not what this requirement asks for.


2. Question 2

Best test to find vulnerabilities inside the mobile app:

  • ❌ Network Pen Test

  • Application Pen Test

  • ❌ Hardware Pen Test

  • ❌ Personnel Pen Test

Explanation: An application penetration test exercises the app itself: business logic, the APIs it calls, authentication and session handling, local data storage, and how it validates input. Network, hardware and personnel tests look at the surrounding infrastructure and people rather than the app's own flaws.


3. Question 3

Recommendation after finding chained vulnerabilities:

  • Patch all identified vulnerabilities and implement strict access controls.

  • ❌ Increase transactions

  • ❌ Modify records

  • ❌ Ignore vulnerabilities

Explanation: Individually low-severity issues chained together often yield a high-impact path such as privilege escalation, so every link in the chain must be patched and access controls tightened to limit what a partial compromise can reach.


4. Question 4

Critical step after gaining internal access via outdated Apache server:

  • ❌ Deploy keyloggers

  • ❌ Ignore system

  • ❌ Fix Apache immediately

  • Inform the network administrator immediately

Explanation: A finding that grants internal access is critical and must be escalated immediately under the rules of engagement. The tester reports it; patching the server, installing keyloggers or pressing on silently would all exceed the tester's authorization.


5. Question 5

Scenario: ex-employee simulation with partial info:

  • Gray-box Testing

  • ❌ Blue-box

  • ❌ Black-box

  • ❌ White-box

Explanation: Gray-box testing simulates an attacker with partial insider knowledge (credentials, network layout or documentation), which matches a former employee. Black-box assumes no prior knowledge, white-box full knowledge, and "blue-box" is not a testing category.


6. Question 6

Discovery of severe vulnerabilities prompts review of:

  • ❌ Resource Allocation

  • ❌ Scope Specification

  • ❌ Communication Plan

  • Risk Assessment

Explanation: Newly discovered severe vulnerabilities change the risk picture, so the risk assessment must be revisited and remediation priorities reordered before the engagement continues.


7. Question 7

To identify active devices and IPs:

  • ❌ SSL certificate analysis

  • ❌ Public forums

  • Nmap network scan

  • ❌ Domain registration lookup

Explanation: Nmap actively probes the network, performing host discovery (which IPs respond) and port scanning (which services each host exposes). Certificate analysis, forum searches and WHOIS lookups are passive sources that do not reveal live devices.


8. Question 8

Passive recon for personnel structure:

  • Use social media platforms to observe employee profiles

  • ❌ Phishing emails

  • ❌ AD enumeration

  • ❌ Port scanning employee devices

Explanation: Passive reconnaissance collects information from public sources without sending traffic to the target. Phishing, Active Directory enumeration and port scanning all interact with the target's people or systems and are active techniques.


9. Question 9

Identify services running on open ports:

  • ❌ Manual documentation

  • Banner grabbing

  • ❌ VA tool

  • ❌ Traffic sniffing

Explanation: Banner grabbing connects to an open port and reads the greeting or response the service sends, which usually names the product and version (for example an SSH or SMTP banner).
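The following script is an added example for Questions 7 and 9, written for this page rather than taken from the course: it runs a TCP connect() scan over a list of ports (the same idea as Nmap's host and port discovery), then grabs the banner from each open port and maps it to a service and version (what `nmap -sV` reports). To keep it runnable offline it starts two constructed listeners on 127.0.0.1 that imitate SSH and SMTP greetings; the banner strings and version numbers are assumed, not observed on any real host.

```python
"""TCP port sweep plus banner grabbing against constructed local listeners.

Added example: the fake services below stand in for real hosts so the script
runs offline; nothing here comes from the quiz or the IBM course material.
"""
import re
import socket
import threading

# Constructed banners in the format the real daemons use (versions are assumed).
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
SMTP_BANNER = b"220 mail.example.test ESMTP Postfix\r\n"


def start_fake_service(banner: bytes) -> int:
    """Bind a throwaway listener on 127.0.0.1 that sends `banner` to every client.
    Returns the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client hung up already (the connect() scan does that)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Ask the OS for a free port and release it, giving a known-closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_ports(host: str, ports, timeout: float = 0.5) -> list:
    """TCP connect() scan: a completed three-way handshake means the port is open."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read whatever the service says first (its greeting banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""  # silent service: a client-speaks-first protocol such as HTTP
    return data.decode("latin-1", "replace").strip()


# (service name, regex whose group 1 captures the product/version token)
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-\d\.\d-(\S+)")),
    ("smtp", re.compile(r"^220\s+\S+\s+ESMTP\s+(\S+)", re.I)),
]


def identify_service(banner: str) -> tuple:
    """Map a banner to (service, version); unknown banners are returned raw."""
    for name, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return name, m.group(1)
    return "unknown", banner[:40]


def sweep(host: str, ports) -> dict:
    """Open port -> (service, version), the same shape of data nmap -sV reports."""
    return {p: identify_service(grab_banner(host, p)) for p in scan_ports(host, ports)}


def demo() -> tuple:
    """Stand up the constructed targets and sweep them.
    Returns (ssh_port, smtp_port, closed_port, results)."""
    ssh_port = start_fake_service(SSH_BANNER)
    smtp_port = start_fake_service(SMTP_BANNER)
    closed_port = unused_port()
    results = sweep("127.0.0.1", [ssh_port, smtp_port, closed_port])
    return ssh_port, smtp_port, closed_port, results


if __name__ == "__main__":
    for port, (svc, ver) in demo()[3].items():
        print(f"{port}/tcp open  {svc:<8} {ver}")
```

Against a real target the same three steps are `nmap -sn` (host discovery), `nmap -p-` (port scan) and `nmap -sV` (banner and probe based version detection); the script only shows the mechanics. Note that a service which waits for the client to speak first returns an empty banner here, which is why version-detection tools also send protocol-specific probes.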


10. Question 10

Understand how a web app handles inputs:

  • ❌ Network analysis

  • ❌ Source code review

  • ❌ Social engineering

  • Analyze traffic using a web proxy

Explanation: An intercepting proxy such as Burp Suite or OWASP ZAP sits between the browser and the application, so the tester can see every request and response, modify parameters and replay them, and observe how the application validates and handles each input.
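To show what "analyzing traffic with a proxy" actually yields, here is an added example written for this page (not course or vendor code). It stands up a small constructed web app on 127.0.0.1 whose checkout endpoint deliberately trusts the client-supplied quantity and echoes a coupon code unchanged, then does what a tester does in a proxy's repeater: replay a baseline request, vary one parameter at a time, and compare the responses. The endpoint, parameter names and price are assumptions made for the demo.

```python
"""Proxy-style input probing against a constructed local web app.

Added example: the target app below was written for this page so the probing
runs offline. It deliberately trusts the client-supplied quantity and echoes
the coupon verbatim, the kind of behaviour a proxy session is meant to surface.
"""
import http.server
import json
import threading
import urllib.error
import urllib.parse
import urllib.request

UNIT_PRICE = 25  # assumed unit price for the constructed shop


class _ShopHandler(http.server.BaseHTTPRequestHandler):
    """GET /checkout?qty=N&coupon=CODE -> JSON with the computed total."""

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        if url.path != "/checkout":
            self.send_error(404)
            return
        query = urllib.parse.parse_qs(url.query)
        try:
            qty = int(query.get("qty", ["1"])[0])  # no range check: the flaw
        except ValueError:
            self.send_error(400, "qty must be an integer")
            return
        coupon = query.get("coupon", [""])[0]      # echoed back unencoded
        body = json.dumps({"qty": qty, "total": qty * UNIT_PRICE,
                           "coupon": coupon}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_target() -> int:
    """Serve the constructed app on 127.0.0.1 and return its port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _ShopHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def send(port: int, params: dict) -> tuple:
    """One request, like replaying a captured request from a proxy's repeater."""
    url = f"http://127.0.0.1:{port}/checkout?" + urllib.parse.urlencode(params)
    try:
        with urllib.request.urlopen(url, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def probe_inputs(port: int) -> dict:
    """Replay a baseline request, then vary one parameter at a time and record
    the status and body the application returns for each variation."""
    baseline = {"qty": "1", "coupon": "SAVE10"}
    cases = {
        "baseline": baseline,
        "negative_qty": {**baseline, "qty": "-5"},
        "huge_qty": {**baseline, "qty": "99999999999"},
        "non_numeric_qty": {**baseline, "qty": "abc"},
        "markup_in_coupon": {**baseline, "coupon": "<script>alert(1)</script>"},
    }
    findings = {}
    for name, params in cases.items():
        status, body = send(port, params)
        findings[name] = {"status": status, "body": body}
    return findings


def analyze(findings: dict) -> list:
    """Turn the raw responses into the findings a tester would write up."""
    issues = []
    neg = findings["negative_qty"]
    if neg["status"] == 200:
        total = json.loads(neg["body"])["total"]
        if total < 0:
            issues.append(f"negative qty accepted, total = {total}")
    if findings["non_numeric_qty"]["status"] != 400:
        issues.append("non-numeric qty not rejected")
    markup = findings["markup_in_coupon"]
    if markup["status"] == 200 and "<script>" in markup["body"]:
        issues.append("coupon value reflected verbatim in response")
    return issues


if __name__ == "__main__":
    for issue in analyze(probe_inputs(start_target())):
        print("FINDING:", issue)
```

The point of the comparison is the diff between baseline and variant: a negative quantity producing a negative total is a business-logic flaw, a 400 on non-numeric input tells you where type checking does happen, and a coupon echoed verbatim is a lead to chase into every place that value is rendered. Source code review would find the same things only if you had the source; the proxy finds them from the outside.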


🧾 Summary Table

Q Correct Answer Key Concept
1 Pen testing (internal + external) PCI-DSS requirement
2 Application Pen Test App-specific flaws
3 Patch vulnerabilities + access control Chained vuln mitigation
4 Inform admin Rules of engagement
5 Gray-box Partial insider knowledge
6 Risk Assessment Re-evaluating discovered risks
7 Nmap network scan Host discovery
8 Social media recon Passive recon
9 Banner grabbing Service identification
10 Web proxy analysis Input & data handling