PT0-002 Question #183: Real Exam Question with Answer & Explanation

Question

Which of the following situations would require a penetration tester to notify the emergency contact for the engagement?

Options

• AThe team exploits a critical server within the organization.
• BThe team exfiltrates PII or credit card data from the organization.
• CThe team loses access to the network remotely.
• DThe team discovers another actor on a system on the network.

Explanation

The discovery of an unauthorized third-party actor on a client's system is an emergency situation requiring immediate notification. This indicates a potential real-world breach or ongoing malicious activity that the client needs to address promptly, beyond the scope of the penetration test itself.

Common mistakes.

• A. Exploiting a critical server is often an expected part of a penetration test, assuming it's within the agreed-upon scope and rules of engagement, and is a finding rather than an emergency requiring immediate stop-the-world notification.
• B. Exfiltrating PII or credit card data, if within scope to demonstrate impact, would be a significant finding but might not always trigger an emergency notification unless it was unintentional or exceeded agreed parameters.
• C. Losing remote access to the network is a technical challenge for the penetration testing team, affecting their ability to continue, but does not typically pose an immediate, uncontained threat to the client's systems necessitating an emergency contact notification.

Concept tested. Rules of engagement - emergency notification

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

No community discussion yet for this question.