nerdexam
EC-Council

312-50V9 · Question #212

You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder

The correct answer is A. Report immediately to the administrator. Penetration testers are legally and ethically required to immediately report any sensitive personal or financial information discovered during an engagement, and any unauthorized use of that data is a criminal offense.

Introduction to Ethical Hacking

Question

You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do?

Options

  • AReport immediately to the administrator
  • BDo not report it and continue the penetration test.
  • CTransfer money from the administrator's account to another account.
  • DDo not transfer the money but steal the bitcoins.

How the community answered

(25 responses)
  • A
    92% (23)
  • B
    4% (1)
  • C
    4% (1)

Why each option

Penetration testers are legally and ethically required to immediately report any sensitive personal or financial information discovered during an engagement, and any unauthorized use of that data is a criminal offense.

AReport immediately to the administratorCorrect

Professional penetration testers operate under a signed rules of engagement and an ethical code that mandates reporting all sensitive findings - including financial credentials - to the authorized stakeholder immediately upon discovery. Retaining, exploiting, or concealing such information violates the engagement contract and constitutes unauthorized access or fraud under computer crime statutes such as the CFAA.

BDo not report it and continue the penetration test.

Failing to report discovered financial credentials violates professional ethics, the rules of engagement, and potentially federal laws governing unauthorized possession of financial account information.

CTransfer money from the administrator's account to another account.

Transferring funds from the administrator's account is wire fraud and computer fraud - serious criminal felonies that no authorization from a penetration test scope can legalize.

DDo not transfer the money but steal the bitcoins.

Stealing cryptocurrency is theft and a criminal offense regardless of the method or currency type; the absence of a traditional bank transfer does not remove criminal liability.

Concept tested: Penetration tester ethics and rules of engagement compliance

Source: https://www.eccouncil.org/code-of-ethics/

Topics

#penetration testing ethics#responsible disclosure#ethical conduct#scope of engagement

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice