SY0-501 Question #394: Real Exam Question with Answer & Explanation

Question

A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform:

Options

• Aa gray-box penetration test.
• Ba risk analysis.
• Ca vulnerability assessment.
• Dan external security audit.
• Ea red team exercise.

Explanation

After starting with public IP addresses and performing network enumeration, the analyst has gained partial information about the target, making a gray-box penetration test the appropriate next step to simulate an attacker with some internal knowledge.

Common mistakes.

• B. Risk analysis is a post-assessment activity that evaluates the impact and likelihood of identified vulnerabilities, not a direct testing step following network enumeration.
• C. While a vulnerability assessment identifies weaknesses, a gray-box penetration test is a more comprehensive next step that involves actively attempting to exploit those vulnerabilities based on the partial information gathered.
• D. An external security audit is a formal review of security controls, often compliance-driven, and is distinct from the active, hands-on penetration testing methodology described.
• E. A red team exercise is a comprehensive, objective-based simulation of a real-world attack against an organization's entire defense, which is typically a larger-scale engagement than the immediate next step after initial enumeration.

Concept tested. Penetration testing methodologies (black-box, gray-box, white-box)

Reference. https://learn.microsoft.com/en-us/azure/security/fundamentals/pen-testing

No community discussion yet for this question.