
Exam PT0-001 topic 1 question 85 discussion

Actual exam question from CompTIA's PT0-001
Question #: 85
Topic #: 1

A penetration test was performed by an on-staff junior technician. During the test, the technician discovered the web application could disclose an SQL table with user account and password information. Which of the following is the MOST effective way to notify management of this finding and its importance?

  • A. Document the findings with an executive summary, recommendations, and screenshots of the web application disclosure.
  • B. Connect to the SQL server using this information and change the password on one or two non-critical accounts to demonstrate a proof-of-concept to management.
  • C. Notify the development team of the discovery and suggest that input validation be implemented with a professional penetration testing company.
  • D. Request that management create an RFP to begin a formal engagement with a professional penetration testing company.
Suggested Answer: A

Comments

boblee
Highly Voted 4 years, 10 months ago
sybex is bad. the answer is A.
upvoted 9 times
ftoon
3 years, 11 months ago
A is wrong; the pen test must not disclose any sensitive info in the report. I think B is good for a junior pen tester to prove his work to the management.
upvoted 2 times
kamaluchi
3 years, 9 months ago
The report typically does contain sensitive information, as its purpose is to document what was discovered.
upvoted 3 times
kloug
Most Recent 2 years, 2 months ago
AAAAAAAA
upvoted 1 times
miabe
2 years, 9 months ago
Selected Answer: A
looks good to me
upvoted 1 times
cvMikazuki
3 years, 6 months ago
sybex is bad. the answer is A.
upvoted 1 times
nakres64
4 years ago
This is an important vulnerability and needs to be solved immediately. For a junior technician best answer is D IMO.
upvoted 1 times
nakres64
4 years ago
I am wrong. A is correct.
upvoted 4 times
EZPASS
4 years, 4 months ago
I agree. I believe the best answer is A.
upvoted 2 times
TestBanger
4 years, 5 months ago
notify management with an executive summary plus anything in the ROE - that's all the C level wants
upvoted 2 times
Marlon_Franco22
4 years, 7 months ago
best answer is A
upvoted 1 times
danishnafay
4 years, 9 months ago
To notify management, A is the best option. D is part of the recommendations, so in my opinion A includes D.
upvoted 3 times
maps7
5 years ago
The question says which of the following is the "MOST effective way of notifying management of this finding and its importance". I think the answer is A; then, if need be, we can request that management create an RFP after doing A.
upvoted 3 times
mr_robot
5 years, 1 month ago
PenTest+ Practice Tests Book - SYBEX: D. In this scenario, since the testing was performed by an on-staff junior administrator, it may be in the company's best interest to create a request for proposal (RFP) from a professional penetration testing company to agree with the assessments and to give the company any vulnerability findings. An RFP is a document that solicits proposals, often made through a bidding process.
upvoted 2 times
D1960
5 years, 1 month ago
May not be a bad idea for management, after being notified, to put together an RFP. But an RFP is not a way to notify management of a potential problem. Note the question: Which of the following is the MOST effective way to notify management of this finding and its importance?
upvoted 2 times
mr_robot
5 years ago
Agree with you D1960. Personally I would choose A but the book says otherwise. The question from the book is: A junior technician in an organization’s IT department runs a penetration test on a corporate web application. During testing, the technician discovers that the application can disclose a SQL table with all user account and password information. How should the technician notify management? A. The technician should connect to the SQL server using this information and change the passwords of a few noncritical accounts to demonstrate a proof of concept to management. B. The technician should document the findings using an executive summary including recommendations and screenshots to provide to management. C. The technician should notify the development team of the discovery and suggest that input validation be enforced on the web application’s SQL query strings. D. The technician should request that management create a request for proposal (RFP) to begin a formal engagement with a professional penetration testing company.
upvoted 1 times
D1960
4 years, 12 months ago
You may be right. If you read the answers carefully, it says the tech should request that management create an RFP. It does not say that an RFP be used to notify management. The question and answers are very poorly worded. The question asks for the most "effective **way** to notify management", not what should be suggested to management. Answer "A" sort of makes sense. But documenting something does necessarily mean that will be passed to management. Also, the tech did not do a pentest, he/she just stumbled across a problem, so I'm not sure if a formalized report with an executive summary would make sense.
upvoted 1 times
mr_robot
4 years, 11 months ago
Actually, the tech already did a pentest on the system: "A penetration test was performed by an on-staff junior technician..." But maybe because he is a junior technician, after notifying the business of the findings using the steps from A, he would suggest that the executives request an RFP with a professional company so they can confirm and suggest remediation solutions? But as maps7 wrote, that does not answer the main question, "Which of the following is the MOST effective way to notify management of this finding and its importance?", so it's a really tricky one. Who should we trust, the Sybex book or common sense?
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other