CompTIA
PT0-001 Question #161: Real Exam Question with Answer & Explanation
The correct answer is A: Report the incident to the tester's immediate manager and follow up with the client immediately. Discovering indicators of prior compromise during a pentest is an out-of-scope incident that requires immediate escalation through the tester's management chain and notification to the client.
Question
A penetration tester is performing an annual security assessment for a repeat client. The tester finds indicators of previous compromise. Which of the following would be the most logical steps to follow NEXT?
Options
- A. Report the incident to the tester's immediate manager and follow up with the client immediately
- B. Report the incident to the client's Chief Information Security Officer (CISO) immediately and alter
- C. Report the incident to the client's legal department and then follow up with the client's security
- D. Make note of the anomaly, continue with the penetration testing and detail it in the final report
Explanation
Discovering indicators of prior compromise during a pentest is an out-of-scope incident that requires immediate escalation through the tester's management chain and notification to the client.
Common mistakes.
- B. Contacting the client's CISO directly without first notifying the tester's own manager bypasses the contractual chain of command established in the rules of engagement and may violate the terms of the engagement.
- C. Routing the initial notification through the client's legal department introduces significant delay when a potentially active threat demands immediate containment action.
- D. Deferring documentation of a compromise to the final report is dangerous because an active threat actor may continue causing harm during the remaining test period, and immediate escalation is always required when live indicators of compromise are found.
Concept tested. Incident escalation procedures during penetration testing
Reference. http://www.pentest-standard.org/index.php/Reporting