A company becomes concerned when the security alarms are triggered during a penetration test.
Which of the following should the company do NEXT?
A company becomes concerned when the security alarms are triggered during a penetration test.
Which of the following should the company do NEXT?
When a company becomes concerned after security alarms are triggered during a penetration test, the first and most logical step is to deconflict with the penetration tester. This process involves confirming with the tester whether their activities are the cause of the alarms. It is crucial to perform this check before initiating an incident response to avoid unnecessary resource expenditure on what might be a false alarm. Assuming the alert is from the penetration test without confirmation could be dangerous, and halting the test immediately might disrupt planned productivity without solving the issue. Therefore, deconflicting with the pentester ensures an efficient and proper understanding of the situation before any further actions are taken.
B. Conduct an incident response. The company should conduct an incident response to determine the cause of the security alarm trigger. It is important to investigate the issue to determine whether it is related to the penetration test or if there is an actual security breach. Halting the penetration test, deconflicting with the penetration tester, or assuming the alert is from the test without investigating could potentially put the company at risk.
i rescind this one answer - lets go with C
De-conflict
De-confliction: When performing a penetration test, you may need to implement procedures to prevent the security team from conflicting with the penetration test. For example, the IT security team may block systems that generate suspicious traffic from accessing the network. When performing your penetration test, your system may be flagged as being suspicious and as a result may be blocked.
Deconflict with the pentester.
CORRECT ANSWER IS DE-CONFLICT
Answer should be C.
I think C, the when the Pen test creates an alarm, no need to create an incident response for every alarm, just check deconflict with the pentester
C. Deconflict with the penetration tester: Before taking any further action, it is crucial to confirm whether the triggered security alarms are part of the authorized penetration testing activities. This ensures that there is no misunderstanding and that legitimate testing activities are not mistaken for actual security incidents. Analysis of Other Options: A. Halt the penetration test: Halting the test immediately may be unnecessary and could disrupt the planned activities. It should only be considered if deconfliction confirms that the alerts are not part of the test or if there is an immediate threat. B. Conduct an incident response: Conducting a full incident response may be premature if the alarms are indeed part of the penetration test. Deconfliction should occur first. D. Assume the alert is from the penetration test: Making assumptions without confirmation could be dangerous if the alerts are actually from a real security incident.
First you start the Incidence Response, then you may deconflict..
C gets you to the quickest answer if it was the pen-tester or not. Going with Incident Response can waist time and resources when a simple call to de-conflict can get you the correct answer faster. If the pen-tester states that it wasn't him you can then start incident response if it was you can still document but you know the answer to what happened.
When security alarms are triggered during a penetration test, it is possible that a real security incident has occurred. Therefore, the company should conduct an incident response to investigate the alarms and determine whether any actual security breach has taken place.
I think the answer is C here. Since they need to validate with pentester if the pentester triggered alarms or
CCCCCCCCCCC is correct
i believe doing incident response should be the default in any case because usually teams are supposed to respond anyway. Once they identify (and dont wait around if pentester may not be quickly reachable) they can deconflict whether what they found is what the pentester is testing or if it is outside the scope (where then they dont even need to deconflict with the pentester). Incident response first makes the most sense, you never know when a hacker is aware of a pentest going on at a company (because he already compromised them) and decides to use the event as cover for actual damage.
Wouldn't the company need to investigate the alarm so that they can then deconflict? And isn't investigating an alarm a "response," so to speak? Full-blown response, no, but... CompTIA is fun.
To not waste time it would be best to consult with Pentester to confirm the actions, before conducting IR.
C is correct Deconflict with the pentester.
The company should Next conduct an incident response. An incident response is a process that helps the company investigate and identify the source of the security alarms that were triggered to determine whether it was a false alarm or a genuine threat. If it is determined that the alert is from the penetration test, then the company can work with the penetration tester to deconflict or adjust the testing parameters as needed. Deconflicting with the penetration tester should not be done first because it is important to investigate the source of the alert and determine whether it is a false alarm or a genuine threat before making any changes to the testing parameters. An incident response process helps the company do this, and it is the best course of action to take first in order to determine the cause of the security alarms.
i think C is the answer
In situations like these, you follow procedure. you first follow the incident response by opening a ticket based on the event generated. Since an IDS is most likely to have triggered this event, you open the ticket and investigate. Then you check if there's any pen tests happening that week/day, and only then you check with the pentest. Regardless of the reason, you never know an alert is an attack or a pentest until you've followed the incident response process. Then you can close the ticket/ignore the allwer once you've gotten confirmation from the pentester.
I think the answer is C here. Since they need to validate with pentester if the pentester triggered alarms or
C is 100% corrrrrect answer