The primary reason for periodic penetration testing of Internet-facing applications is to identify vulnerabilities in the system, because this will help to improve the security and resilience of the applications and the data they process. A penetration test is a simulated cyberattack that aims to exploit the weaknesses and gaps in the security of an application or a system. A penetration test can reveal the vulnerabilities that may not be detected by other methods, such as automated scanning or code review. A penetration test can also measure the impact and severity of the vulnerabilities, as well as the effectiveness of the existing controls and defenses. A penetration test can also provide recommendations and solutions to remediate the vulnerabilities and prevent future attacks. Internet-facing applications are programs and services that are accessible from the internet, such as web applications, APIs, cloud services, or VPN gateways. Internet-facing applications are exposed to a variety of cyber threats, such as denial-of-service attacks, SQL injection attacks, cross-site scripting attacks, or credential stuffing attacks. These threats can compromise the confidentiality, integrity, and availability of the applications and the data they handle. Therefore, periodic penetration testing of Internet-facing applications is essential to identify vulnerabilities in the system and to protect the applications and the data from cyberattacks. References = Web Application Penetration Testing: A Practical Guide - Bright Security1, The Basics of Web Application Penetration Testing | Turing2, Periodic Penetration Testing: What is the best pentesting frequency ...

Explanation/Reference:
Explanation:
Risk register primarily contains the following:
List of identified risks: A reasonable description of the identified risks is noted in the risk register. The

description includes event, cause, effect, impact related to the risks identified. In addition to the list of identified risks, the root causes of those risks may appear in the risk register.
List of potential responses: Potential responses to a risk may be identified during the Identify Risks

process. These responses are useful as inputs to the Plan Risk Responses process.
Incorrect Answers:
B: This is not a valid content of risk register.
A risk register is an inventory of risks and exposure associated with those risks. Risks are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains:
A description of the risk

The impact should this event actually occur

The probability of its occurrence

Risk Score (the multiplication of Probability and Impact)

A summary of the planned response should the event occur

A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the

event)
Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.

C: Risk register do contain the summary of mitigation, but only after the applying risk response. Here in this scenario you are in risk identification phase, hence mitigation techniques cannot be documented at this situation.

Section: Volume C
Explanation:
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are a type of to social engineering attack and are best defended by end-user awareness training.
Incorrect Answers:
A: An intrusion detection system does not protect against phishing attacks since phishing attacks usually do not have a particular pattern or unique signature.
B: Application hardening does not protect against phishing attacks since phishing attacks generally use e-mail as the attack vector, with the end-user as the vulnerable point, not the application.
D: Certain highly specialized spam filters can reduce the number of phishing e-mails that reach the inboxes of user, but they are not as effective in addressing phishing attack as end-user awareness.

Section: Volume D
Explanation