nerdexam
EC-Council

312-50V11 · Question #735

You have just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate

The correct answer is C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to. A fundamental principle of risk management is that risk can never be fully eliminated - only identified, reduced, and accepted to a tolerable residual level.

Information Security and Ethical Hacking Fundamentals

Question

You have just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job?

Options

  • AEstablish attribution to suspected attackers
  • BInterview all employees in the company to rule out possible insider threats
  • CExplain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
  • DStart the wireshark application to start sniffing network traffic.

How the community answered

(37 responses)
  • A
    8% (3)
  • B
    3% (1)
  • C
    86% (32)
  • D
    3% (1)

Why each option

A fundamental principle of risk management is that risk can never be fully eliminated - only identified, reduced, and accepted to a tolerable residual level.

AEstablish attribution to suspected attackers

Establishing attribution to attackers is a forensic and threat intelligence task that falls outside the standard scope and first steps of a penetration test engagement.

BInterview all employees in the company to rule out possible insider threats

Interviewing all employees to rule out insider threats is neither practical as a first step nor typically within the defined scope of a pen test engagement.

CExplain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk toCorrect

Risk can never be reduced to zero because new threats and vulnerabilities constantly emerge, and the cost of mitigating every conceivable risk is prohibitive. As a pen tester, setting accurate expectations with the CIO is a critical first step to establish scope and realistic goals for the engagement. Informing the CIO that the work will reduce risk to an acceptable residual level aligns with core principles in frameworks like NIST RMF, which formally recognizes that some residual risk always remains.

DStart the wireshark application to start sniffing network traffic.

Launching Wireshark to capture traffic before defining scope, rules of engagement, and obtaining written authorization would be premature and potentially constitute unauthorized interception.

Concept tested: Residual risk and pen test scope expectation setting

Source: https://csrc.nist.gov/projects/risk-management/about-rmf

Topics

#risk management#penetration testing scope#risk reduction#security consulting

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice