2.5 Legal and Ethical Compliance


Before a penetration test can begin, there are a few key documents that must be filled out and agreed on. What are they? (5)

- Scope of Work (SoW)
- Rules of Engagement (RoE)
- Master Service Agreement (MSA)
- Non-Disclosure Agreement (NDA)
- Permission to Test

What are the 4 common policies that most organizations define?

- Password policy
- Update frequency policy
- Sensitive data handling policy
- BYOD policy

Which of the following best describes a non-disclosure agreement?
- A document that defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.
- A common legal contract outlining confidential material that will be shared during the assessment.
- A contract where parties agree to most of the terms that will govern future actions.
- A very detailed document that defines exactly what is going to be included in the penetration test.

A common legal contract outlining confidential material that will be shared during the assessment, and what restrictions are placed on it. This contract states that anything the tester finds cannot be shared except with the people specified in the document.

Non-disclosure agreement (NDA)

A common legal contract that outlines confidential material or information that will be shared during a security assessment and what restrictions are placed on information.

Which of the following best describes a master service agreement?
- Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.
- Used as a last resort if the penetration tester is caught in the scope of their work.
- A contract where parties agree to the terms that will govern future actions.
- A very detailed document that defines exactly what is going to be included in the penetration test.

A contract where parties agree to the terms that will govern future actions.

Master service agreement (MSA)

A contract where parties agree to the terms that will govern future actions. This makes future services and contracts easier to handle and define.

Rules of engagement (RoE)

A document that defines exactly HOW the work will be carried out. It should:
- state whether the test will be a white box, gray box, or black box test
- explicitly state how to handle sensitive data
- include the procedure for notifying the IT team if that becomes necessary

Permission to test

A document that explains what the penetration tester is doing and that their work is authorized. This document is sometimes referred to as the Get Out Of Jail Free Card.

Heather is working for a cybersecurity firm based in Florida. She will be conducting a remote penetration test for her client, who is based in Utah. Which state's laws and regulations will she need to adhere to?
- Both companies will need to adhere to Florida's laws.
- Both companies will need to adhere to Utah's laws.
- Heather will adhere to Florida's laws, and the client will adhere to Utah's laws.
- A lawyer should be consulted on which laws to adhere to and both parties agree.

A lawyer should be consulted on which laws to adhere to and both parties agree.

Scope of work (SoW)

A very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work.

Hannah is working on the scope of work with her client. During the planning, she discovers that some of the servers are cloud-based servers. Which of the following should she do?
- Not worry about this fact and test the servers.
- Get a non-disclosure agreement.
- Add the cloud host to the scope of work.
- Tell the client she can't perform the test.

Add the cloud host to the scope of work.

Which of the following best describes the Wassenaar Arrangement?
- An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software.
- A law that defines the security standards for any organization that handles cardholder information.
- Standards that ensure medical information is kept safe and is only shared with the patient and medical professionals.
- A law that defines how federal government data, operations, and assets are handled.

An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software.

Wassenaar Arrangement

An agreement between 41 countries to hold similar export controls on weapons and dual-use technology, including banning some items and requiring export licensing for others. In 2013, the control list was amended to include intrusion software. This has caused significant problems in the cybersecurity field, because many tools used for legitimate testing and vulnerability research can fall under that definition and become subject to export licensing.

Yesenia was recently terminated from her position, where she was using her personal cell phone for business purposes. Upon termination, her phone was remotely wiped. Which of the following corporate policies allows this action?
- BYOD policy
- Corporate policy
- Password policy
- Update policy

BYOD policy

What are the rules and regulations defined and put in place by an organization called?
- Corporate policies
- Rules of engagement
- Scope of work
- Master service agreement

Corporate policies; rules and regulations that are defined and put in place by an organization. As part of the risk assessment and penetration test, these policies should be reviewed and tested.

Which of the following best describes the rules of engagement document?
- Used as a last resort if the penetration tester is caught in the scope of their work.
- A contract where parties agree to most of the terms that will govern future actions.
- A very detailed document that defines exactly what is going to be included in the penetration test.
- Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.

Defines if the test will be a white box, gray box, or black box test and how to handle sensitive data.

United States Code Title 18, Chapter 47, Section 1029 deals with which of the following?
- Fraud and related activity involving computers.
- Fraud and related activity regarding identity theft.
- Fraud and related activity involving access devices.
- Fraud and related activity involving electronic mail.

Fraud and related activity involving access devices. The statute defines an access device as any card, plate, code, account number, electronic serial number, PIN, or other means of account access that can be used to obtain money, goods, services, or anything else of value. (Fraud involving computers is the neighboring Section 1030, the Computer Fraud and Abuse Act.)

During an authorized penetration test, Michael discovered his client's financial records. Which of the following should he do?
- Sell the records to a competitor.
- Ignore the records and move on.
- Continue digging and look for illegal activity.
- Make a backup of the records for the client.

Ignore the records and move on. The data itself is outside what the tester needs; the fact that it was reachable is the finding, and it should be reported to the client under the data-handling terms of the RoE and NDA without copying or retaining the records.

During a penetration test, Mitch discovers the following on a client's computer:
- Instructions for creating a bomb
- Emails threatening a public official
- Maps to the official's home and office

Which of the following actions should he take?
- Stop the test, inform the client, and let them handle it.
- Delete the files and continue with the penetration test.
- Immediately stop the test and report the finding to the authorities.
- Ignore the files and continue with the penetration test.

Immediately stop the test and report the finding to the authorities. If, during the scope of the penetration test, the tester discovers evidence of illegal activity, they are obligated to report the evidence to the appropriate authorities rather than handle it themselves; deleting or otherwise altering the files would destroy evidence.

Which of the following is a common corporate policy that would be reviewed during a penetration test?
- Meeting policy
- Parking policy
- Password policy
- Purchasing policy

Password policy

During a penetration test, Dylan is caught testing the physical security. Which document should Dylan have on his person to avoid being arrested?
- Permission to test
- Master service agreement
- Scope of work
- Rules of engagement

Permission to test. The permission to test is used as a last resort if the penetration tester is caught in the scope of their work. This get-out-of-jail-free card explains what the tester is doing and that the work is authorized, and should carry the contact details of the client staff who can confirm the authorization.

Bring your own device (BYOD)

Policies that govern an organization's rules and regulations regarding support of employee-owned smart phones, tablets, and similar devices.

During a penetration test, Heidi runs into an ethical situation she's never faced before and is unsure how to proceed. Which of the following should she do?
- Ignore the situation and just move on.
- Trust her instincts and do what she feels is right.
- Talk with her friend and do what they suggest.
- Reach out to an attorney for legal advice.

Reach out to an attorney for legal advice.

Which of the following policies would cover what you should do in case of a data breach?
- Update frequency policy
- Sensitive data handling policy
- Password policy
- Corporate data policy

Sensitive data handling policy; The policy for handling sensitive data should detail who has access to data, how data is secured, and what to do if an unauthorized person gains access to the data.

In a cloud-based system, who owns the servers: the client or the cloud hosting provider?

The cloud hosting provider owns them; the client only rents capacity on the provider's infrastructure.

Cloud-based systems require some extra steps before penetration testing can begin. What are they?

The cloud provider must also authorize the penetration test and will need to approve the scope of work. If the cloud provider doesn't approve, the penetration tester can be held liable for unauthorized access. In practice this means checking the provider's current penetration-testing policy: some providers permit testing of customer-owned resources without prior notice, others require a request and approval, and all prohibit testing of shared infrastructure that the client does not own.

True or False: Many of the programs and tools an ethical hacker uses on the job are also used for malicious purposes.

true

True or False: Third-party systems can cause a lot of issues for the penetration tester.

true
