312-50V11 · Question #735
You have just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate
The correct answer is C. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to. A fundamental principle of risk management is that risk can never be fully eliminated - only identified, reduced, and accepted to a tolerable residual level.
Question
You have just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job?
Options
- AEstablish attribution to suspected attackers
- BInterview all employees in the company to rule out possible insider threats
- CExplain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to
- DStart the wireshark application to start sniffing network traffic.
How the community answered
(37 responses)- A8% (3)
- B3% (1)
- C86% (32)
- D3% (1)
Why each option
A fundamental principle of risk management is that risk can never be fully eliminated - only identified, reduced, and accepted to a tolerable residual level.
Establishing attribution to attackers is a forensic and threat intelligence task that falls outside the standard scope and first steps of a penetration test engagement.
Interviewing all employees to rule out insider threats is neither practical as a first step nor typically within the defined scope of a pen test engagement.
Risk can never be reduced to zero because new threats and vulnerabilities constantly emerge, and the cost of mitigating every conceivable risk is prohibitive. As a pen tester, setting accurate expectations with the CIO is a critical first step to establish scope and realistic goals for the engagement. Informing the CIO that the work will reduce risk to an acceptable residual level aligns with core principles in frameworks like NIST RMF, which formally recognizes that some residual risk always remains.
Launching Wireshark to capture traffic before defining scope, rules of engagement, and obtaining written authorization would be premature and potentially constitute unauthorized interception.
Concept tested: Residual risk and pen test scope expectation setting
Source: https://csrc.nist.gov/projects/risk-management/about-rmf
Topics
Community Discussion
No community discussion yet for this question.