
CAS-002 · Question #580

CAS-002 Question #580: Real Exam Question with Answer & Explanation

The correct answer is C: Conduct a black box penetration test. A black box penetration test simulates a real external attacker with no prior knowledge of the internal environment, directly validating whether an outsider can breach organizational defenses. This is the only option that actively confirms exploitability from an external perspective.

Question

An organization must comply with a new regulation that requires the organization to determine if an external attacker is able to gain access to its systems from outside the network. Which of the following should the company conduct to meet the regulation's criteria?

Options

  • A. Conduct a compliance review
  • B. Conduct a vulnerability assessment
  • C. Conduct a black box penetration test
  • D. Conduct a full system audit

Explanation

A black box penetration test simulates a real external attacker with no prior knowledge of the internal environment, directly validating whether an outsider can breach organizational defenses. It is the only option that actively confirms exploitability from an external perspective. Two properties of the test satisfy the regulation's wording: it is performed from outside the network (NIST SP 800-115 calls this external testing), and it goes beyond identifying weaknesses to actually attempting to exploit them. The "black box" qualifier describes how much information the tester is given, and no prior knowledge is the condition that most closely matches an uninformed outside attacker.

Common mistakes.

  • A. A compliance review evaluates whether existing controls align with policy or regulatory requirements on paper but does not actively test whether an attacker could actually breach the systems.
  • B. A vulnerability assessment identifies and catalogues weaknesses but stops short of active exploitation, so it cannot confirm whether an external attacker would successfully gain access through those weaknesses.
  • D. A full system audit examines system configurations and controls for accuracy and alignment with policy but does not simulate real-world external attack scenarios or validate exploitability.

Concept tested. Black box penetration testing for external threat validation

Reference. https://csrc.nist.gov/publications/detail/sp/800-115/final
