312-50V10 · Question #399
An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetra
The correct answer is B. Ask the employer for authorization to perform the work outside the company.. Before performing any outside security work, an ethical hacker employed by a firm must obtain explicit authorization from their employer to avoid conflicts of interest and policy violations.
Question
An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting work on this job?
Options
- AStart by foot printing the network and mapping out a plan of attack.
- BAsk the employer for authorization to perform the work outside the company.
- CBegin the reconnaissance phase with passive information gathering and then move into active
- DUse social engineering techniques on the friend's employees to help identify areas that may be
How the community answered
(23 responses)- A4% (1)
- B78% (18)
- C13% (3)
- D4% (1)
Why each option
Before performing any outside security work, an ethical hacker employed by a firm must obtain explicit authorization from their employer to avoid conflicts of interest and policy violations.
Footprinting and planning an attack without authorization is illegal and unethical - no technical work can begin before all legal and contractual prerequisites are satisfied.
An ethical hacker employed by a security research firm is bound by their employment agreement, which typically prohibits performing competing or outside professional work without prior written consent. Performing a penetration test for a friend without employer authorization could violate the employment contract, create liability for the employer, and breach professional ethics codes. The correct first step is always to seek formal employer approval before accepting any outside engagement.
Beginning reconnaissance, even passively, constitutes starting the engagement without resolving the authorization conflict with the hacker's employer, which must be addressed first.
Social engineering techniques are an active attack phase and cannot be initiated before proper authorization from both the employer and the target organization is obtained.
Concept tested: Ethical hacker employer authorization for outside engagements
Source: https://www.eccouncil.org/wp-content/uploads/2022/09/CEH-Exam-Blueprint-v4.0.pdf
Topics
Community Discussion
No community discussion yet for this question.