Exam PT0-002
Question 182

A penetration-testing team needs to test the security of electronic records in a company's office. Per the terms of engagement, the penetration test is to be conducted after hours and should not include circumventing the alarm or performing destructive entry. During outside reconnaissance, the team sees an open door from an adjoining building. Which of the following would be allowed under the terms of the engagement?

    Correct Answer: C

    The penetration test must be conducted after hours without circumventing the alarm or performing any destructive entry. Presenting a false employee ID to the night guard leverages social engineering, which is permissible as it does not involve physical security breaches like prying locks, climbing through windows, or obstructing motion sensors. This aligns with the engagement's terms while assessing the human element of security.

Discussion
masso435 (Option: C)

It says after hours and C even says night guard. The others have the possibility of tripping an alarm.

shakevia463 (Option: C)

This is the only option without potential alarms.

kapen (Option: C)

"to be conducted after hours and should not include circumventing the alarm or performing destructive entry." Option C seems to be the correct answer.

solutionz (Option: B)

Under the terms of the engagement, the penetration-testing team is not allowed to perform destructive entry or circumvent the alarm. Therefore, options A, C, and D would not be allowed. Let's analyze the remaining option: B. Climbing in an open window of the adjoining building: This option does not involve destructive entry or circumventing the alarm, as the window is already open and accessible. If the penetration-testing team can gain access to the company's office through the open window without causing any damage or bypassing security measures, it would likely be allowed under the terms of the engagement. So, the correct answer is B. Climbing in an open window of the adjoining building.

Sebatian20

You are breaking and entering through the next building. Unless you have permission from the owner of the next building, I don't think B is the right way to go about this.

KingIT_ENG (Option: C)

Answer C is correct.

Etc_Shadow28000 (Option: C)

Given the terms of engagement which specify that the penetration test should be conducted after hours and should not include circumventing the alarm or performing destructive entry, the most appropriate action that would be allowed under these terms is: C. Presenting a false employee ID to the night guard

nerdo9 (Option: B)

I chose C too, but when I reread it, B wouldn't set the alarm. The window is already open.

Yokota (Option: B)

What's wrong with you all? A fake ID will not work, just try it and see what happens. Open window is the only answer.

Meep123 (Option: C)

"should not include circumventing the alarm..." Eliminates B and D. "or performing destructive entry." Eliminates A.

PhillyCheese (Option: C)

The question states to follow the ROE, where you test the security of an office, where the penetration test is "to be conducted after hours and should not include circumventing the alarm or performing destructive entry." Answer C is best because, in the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. The action would be to deceive the night guard with falsified employee IDs and permit the testing team into the building. The goal is not to circumvent the alarm, which B and D effectively do. A will perform destructive entry, hence damaging the lock or door jamb by prying the lock open. Likely, the team could have the night guard open the records room door.

nickwen007 (Option: B)

B. Climbing in an open window of the adjoining building would be allowed under the terms of the engagement. Since the door was already open, there is no need to forcibly enter the records room or circumvent the alarm. However, it is important to note that it is still important to take caution not to cause any destruction or harm to property during the assessment.

[Removed]

C is correct, the only option without alarms.

AaronS1990

But climbing through an open window (that presumably should be closed and alarmed) is still circumventing the alarm.