Exam PT0-002
Question 209

A penetration tester joins the assessment team in the middle of the assessment. The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request and proceeds to perform exploits in the production environment. Which of the following would have MOST effectively prevented this misunderstanding?

    Correct Answer: B

    The most effective prevention for this misunderstanding is requiring all testers to review the scoping document carefully. The scoping document (together with the rules of engagement) is the authoritative record of the client's restrictions, and a verbal request is only reliable if the people who heard it are the same people doing the testing. Making sure that every team member, including anyone who joins mid-assessment, reads and understands the scoping document before touching a target ensures that out-of-scope systems such as the production networks are never tested, and it addresses the root cause here: a documented restriction that one tester never read.

Discussion
solutionz (Option: B)

In this scenario, the issue is a lack of communication and understanding of the constraints and boundaries set by the client. The most effective way to prevent this misunderstanding would have been to ensure that all members of the assessment team, including those joining mid-assessment, are fully aware of the requirements and restrictions defined in the scoping document. Option B, "Requiring all testers to review the scoping document carefully," directly addresses this issue by making sure that everyone involved in the assessment is aware of the client's requests and the scope of the assessment. Therefore, option B would have been the most effective way to prevent this misunderstanding.

Meep123 (Option: D)

"BEST" = most effective. BEST at preventing this exact situation would be to DENY ALL, rather than "read and follow rules". 0% vs 1%: 0% wins.

j904

I agree

matheusfmartins (Option: B)

It's B; the testers should read the documentation before getting into an engagement.

scweeb (Option: B)

To me the answer is B. Let's say you have testers who get sick and can no longer perform, but the company has others on hand who can step in to continue the test and meet the company's SOW. You would allow that new tester in with the understanding that they are briefed like all the current testers and that they read the required documents.

AaronS1990 (Option: D)

"The client has asked the team, both verbally and in the scoping document, not to test the production networks. However, the new tester is not aware of this request." This means that it was already written in the scoping document and the pentester missed it anyway. So just saying "read it more carefully next time" still leaves the chance it will be missed in future. If you go with D you remove the risk entirely. Additionally, the client asked verbally. Had someone not joined halfway through the pentest, they would likely have been there to hear this request in person, so despite missing it in the scoping document they still would have been aware of the restriction. Another thing that steers me towards D.

AaronS1990 (Option: D)

Surely D is the BEST? Just because they read it carefully doesn't mean it won't happen again due to user error. If you don't let people join midway through, that removes the risk entirely rather than mitigating it.

Meep123

Agree.

Paula77

That's the reason a SOW is signed: so everybody knows what to do and what the rules are. It is part of the job to follow the rules. What if you have a member of the existing team who gets sick, another one resigns and another one dies? You will continue the assessment with three fewer people and hope for the best, because you believe that joining mid-assessment is out of the question. Funny! :)

Paula77 (Option: B)

It's part of a pen tester's job to follow the rules laid out in the SOW.

pepgua (Option: B)

The MOST effective prevention for this misunderstanding is:

B. Requiring all testers to review the scoping document carefully. Requiring a thorough review of the scoping document ensures all testers, including those joining mid-assessment, are aware of the boundaries and limitations of the testing. This document should explicitly state the exclusion of the production environment.

D. Prohibiting testers from joining the team during the assessment: This is too restrictive and hinders flexibility. New team members can be valuable, but proper onboarding and communication are crucial.

lifehacker0777 (Option: B)

__BBB__