Exam CS0-002 topic 1 question 79 discussion

Why in the world would you just jump straight into a pentest? Some of you really just want to throw a black hoodie on and sit in a dark room and look cool. What are you looking for in your pentest? Whats your scope? You just gonna test everything in the entire company? An initial assessment was done and found the company was lacking security controls. You already know the posture is bad, there is no reason to test anything further at this point. At this point you need to start with a BIA and determine your critical assets that need the protection. A complete inventory must be completed. You do this to firstly ensure you know critical assets but another reason is to ensure you're not spending more money on the protection of an asset than its worth. Once you complete A, then you move to B, review this and it with the outcome from the BIA you can move to D and decide what ports and protocols are needed. Finally you can do the pentest, at this point you'll know the scope of the test and what you need to ensure is properly secured.

Here are my thoughts: A - this is asset management and won't help with determining a companies security posture. B - a good thing to do, but won't reveal the security information needed for this scenario. C - the only answer that could provide needed security information. D - this sounds good, but performing a new baseline while an unknown security breach is occurring would be useless. Should verify the security posture, fix any issues/vulnerabilities, than perform a new baseline.

I say this because the next step to obtain information about the software company's security posture is to review relevant network drawings, diagrams, and documentation. This step helps in understanding the existing network architecture, identifying critical assets, and assessing the overall network design. By reviewing documentation, you can gather insights into the network topology, the placement of security controls, and potentially identify areas of concern. This step is essential for building an initial understanding of the environment before diving into more invasive activities like penetration testing. Developing an asset inventory (Option A) is also crucial, but reviewing network drawings and documentation should precede it. Option C (performing penetration tests) may be premature without a clear understanding of the network, and Option D (baselining the network) can come later in the process after initial documentation review and asset identification.

"After initial assessment" Why would your NEXT step be to do do inventory assessment to see what systems the company has? How did you know security controls are weak, there must have been an assessment of the current systems

Question says "Obtaining information about the software company's security posture" which refers to the process of assessing and understanding the current state of the software company's security measures, practices, and controls. It involves gathering insights into how well the company is protecting its information, systems, and assets from potential threats, vulnerabilities, and attacks. So A is wrong because its purpose is to form the basis for future security assessments and controls. (they are not asking to build a secure architecture and prepare and write down all the assets. they simply ask identify what this company has right now) where B will help identify existing security controls, even if limited. (plain and simple) you can see whats segmented, is there a firewall in between servers, is there a VPN server and much more. I know the question also say "based on an initial assessment" but this initial assessment may have involved a cursory review, observation, or examination of the company's security practices, systems, or controls and not the network topology

Even though the network drawings, diagrams, and documentation are not accurate. Better review the available details. I think immediate next step would be to Review relevant network drawings, diagrams, and documentation.

without knowing your ASSETS , you cannot have a baseline, and without a baseline you cannot have security in general. Start with the basics first especially since you don't know much about the software company. "Initial assessment" is too vague to not go with A. That's my thought at least.

Developing an asset inventory to determine the systems within the software company would be a logical next step to obtain information about the software company's security posture. This would provide a baseline of the company's hardware and software assets, allowing for a better understanding of the scope of the security environment and the potential attack surface. From there, more targeted assessments and testing could be conducted to identify vulnerabilities and improve the security posture.

A. This is if Initial assessment = reviewing diagrams, drawings, docs, etc. You absolutely must have asset inventory before you can scope a pentest.

Answer A - Performing penetration tests against the software company's internal and external networks (option C) is a more aggressive and invasive approach to understanding the security posture of the software company, and should only be done after other less invasive measures have been taken.

When perform pentest before have not information about asset is not logical for me. i going with A.

Has to be A. You aren't going to be able to perform an effective pentest until you know what the system is

Agreeing with the A.'s

I would go with A. What would I be pentesting if I don't know the assets. First I need to know what I have i.e. we have cisco switches, fortigate firewall, XYZ servers runing on XYZ etc.. then I scan/ pentest the assets.. I can't use pentest to know what I have in the organization. I am going with A all the way

They need to establish all of their assets to know what to protect/what is most valuable. A is the first step to take.

Guys, C is the correct answer, the question is "what is the NEXT step that should be completed to OBTAIN INFORMATION ABOUT the software company's security posture", - You'll have to obtain an asset inventory to determine the systems within the software company, since its a newly acquired business - A!

What are you going to pen test if you don't know your asset?