Investigate access controls is correct because an exposed administrative interface suggests a potential misconfiguration that could lead to unauthorized access. Ignore the finding is incorrect because it represents a potential risk. Close port 80 is incorrect because that is a remediation step, not analysis. Perform wireless analysis is incorrect because it is unrelated. OBJ. 3.2

OBJ 5.3 - Cross-account resources can be exploited during exfiltration by transferring data to an external account under the attacker's control, making detection and attribution more challenging. This tactic leverages permissions between accounts to move sensitive data out of the victim's environment. Other options, such as creating encrypted tunnels or distributing payloads across accounts, are unrelated to exfiltration, while hiding data within the same account does not take advantage of cross-account permissions. OBJ. 5.3

Packet crafting is correct because Ben is manually constructing network packets with specific header fields and flag combinations to test how firewalls and IDS solutions respond to nonstandard or suspicious traffic patterns. Protocol fuzzing is incorrect because it involves sending malformed or unexpected protocol data to identify application or protocol parsing vulnerabilities rather than precisely shaping packet headers to test filtering logic. Signal jamming is incorrect because it disrupts wireless communication by creating radio interference and does not involve manipulating packet structure. Spoofing is incorrect because it focuses on falsifying identity attributes such as IP or MAC addresses, whereas this scenario centers on deliberate packet structure manipulation to evaluate defensive controls. OBJ. 4.7

OBJ 1.1: A technical constraint is any item that is specifically excluded from the penetration test engagement. In general, these constraints will be technical in nature. For example, a legacy server may be considered too fragile to withstand denial of service or buffer overflow attacks. Other technical constraints may focus on the tools used based on the cost that would be involved. For example, it may be too costly to perform a USB key drop in the parking lot of a remote data center, so there may be a technical constraint to only allow remote attacks during the engagement. OBJ. 1.1 

While a malicious employee or insider could use all of the methods listed to obtain another user's passwords, shoulder surfing is the MOST likely to be used. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. Since a malicious employee or insider can work close to their victims (other users), they could easily use this technique to collect the victimized users' passwords. An on-path attack is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. The attacker will intercept all relevant messages passing between the two victims and inject new ones. Tailgating is a social engineering technique to gain access to a building by following someone unaware of their presence. Phishing is an email-based social engineering attack in which the attacker sends an email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim. Phishing attacks target an indiscriminate large group of random people. OBJ. 4.8

OBJ 4.1: A low-level diagram provides a granular view of the network, but without analyzing the attack paths, it’s challenging to prioritize effectively. Conducting an attack path analysis allows Bill to assess the potential impact of exploiting each vulnerability, ensuring that his efforts focus on the most critical weaknesses. The other options either lack strategic focus or do not fully utilize the information provided by the scenario. OBJ. 4.1

Social engineering is correct because the attacker is manipulating users into voluntarily disclosing sensitive information through deception rather than exploiting a technical vulnerability. Social engineering relies on psychological manipulation and trust exploitation. Bluesnarfing is incorrect because it involves unauthorized data access over Bluetooth using technical exploitation methods. On-path (formerly man-in-the-middle) is incorrect because it involves intercepting or modifying communications between systems, not directly tricking users. Evil twin is incorrect because it involves setting up a rogue wireless access point to intercept traffic, which is a technical wireless attack rather than direct human manipulation. OBJ. 4.8

Modify the script to perform multiple ping attempts for each device is correct because some systems may drop initial ICMP requests due to rate limiting, power-saving states, or transient packet loss. Implementing multiple attempts increases reliability and reduces false negatives during validation. Filtering out non-responding devices is incorrect because ICMP filtering or temporary packet loss does not necessarily indicate that a device is offline. Implementing reverse DNS lookups does not address non-responsiveness and only resolves hostnames for responding IP Addresses. Re-running the original scan with aggressive timing may increase packet loss or detection risk and does not directly improve ICMP validation reliability. OBJ. 3.2

OBJ 1.1:Each member of the penetration testing team should be evaluated to ensure they possess the appropriate certifications and experience required to perform the engagement. Team members should also have recent background checks, which may include credit and criminal history, depending on organizational requirements.

For engagements involving sensitive environments, such as government or defense systems, valid security clearances may also be required.

The team must not begin testing or searching for vulnerabilities without prior written authorization. Therefore, they should not include any discovered vulnerabilities in their RFP response. OBJ. 1.1

Restore the original firewall settings from backups is correct because returning the device to its validated pre-engagement configuration ensures that temporary rule modifications, exposed ports, and altered access control entries do not persist in production. Document all changes made during the test is incorrect because documentation supports reporting and accountability but does not itself remediate the risk introduced by temporary rule changes. Leave the changes in place and inform the customer of the required changes is incorrect because it leaves the environment in a weakened state. Reinstall the firewall software and add the appropriate updates is incorrect because a full reinstallation is unnecessary when a known-good configuration backup can be restored safely and efficiently. OBJ. 5.4