nerdexam
EC-Council

312-50V10 · Question #472

One of the Forbes 500 companies has been subjected to a large scale attack. You are one of the shortlisted pen testers that they may hire. During the interview with the CIO, he emphasized that he want

The correct answer is C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to. Risk can never be fully eliminated - it can only be reduced to an acceptable level - so a professional pen tester must set accurate expectations with stakeholders before beginning any engagement.

Information Security and Ethical Hacking Fundamentals

Question

One of the Forbes 500 companies has been subjected to a large scale attack. You are one of the shortlisted pen testers that they may hire. During the interview with the CIO, he emphasized that he wants to totally eliminate all risks. What is one of the first things you should do when hired?

Options

  • AInterview all employees in the company to rule out possible insider threats.
  • BEstablish attribution to suspected attackers.
  • CExplain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
  • DStart the Wireshark application to start sniffing network traffic.

How the community answered

(23 responses)
  • A
    4% (1)
  • B
    9% (2)
  • C
    87% (20)

Why each option

Risk can never be fully eliminated - it can only be reduced to an acceptable level - so a professional pen tester must set accurate expectations with stakeholders before beginning any engagement.

AInterview all employees in the company to rule out possible insider threats.

Interviewing all employees to find insider threats is a valid activity during an engagement but is not the first priority - correcting the client's fundamental misunderstanding of risk management must come first to define the scope properly.

BEstablish attribution to suspected attackers.

Attribution is valuable in incident response and threat intelligence but is a later-stage activity and does not address the CIO's flawed premise that all risk can be eliminated.

CExplain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk toCorrect

A fundamental principle of information security risk management is that zero risk is unattainable; every system has residual risk after controls are applied. A responsible pen tester must immediately correct this misconception with the CIO before the engagement begins, establishing realistic goals around risk reduction rather than elimination. Failing to set this expectation early can lead to scope creep, unrealistic deliverables, and damaged professional credibility.

DStart the Wireshark application to start sniffing network traffic.

Launching Wireshark to capture network traffic without an established scope, authorization, and rules of engagement violates proper pen testing methodology and could itself be illegal without written permission.

Concept tested: Risk management fundamentals and stakeholder expectation setting

Source: https://www.nist.gov/publications/guide-conducting-risk-assessments

Topics

#risk management#risk reduction#penetration testing scope#security consulting

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice