
Mock Test

20
[Duration: 40 minutes]

STUDENT’S DECLARATION OF ORIGINALITY

By submitting this report, I declare that this submitted work is free from all forms of plagiarism
and for all intents and purposes is my own properly derived work. I understand that I have to
bear the consequences if I fail to do so.

Name: GOH KAH POOI
Student ID: 20WMR00716
Programme: RIS
Tutorial Group: G1
Signature: ANGEL
Date: 23/7

This is an open book assessment. Answer in your own words using proper, grammatically
correct sentences. Failing to do so, the examiner has the right not to award marks.

Google Plagiarism Checker will be used to determine whether your work is plagiarized.
The examiner has the final judgement based on the originality report.
Do not re-submit your answer script beyond the given timeframe. Timestamps are
recorded for every turned-in answer script. For any answers submitted or re-submitted after the
given timeframe, the examiner has the right not to mark your answer script.

Legal Issues in Penetration Testing - SecurityCurrent

Learning Outcomes to be assessed:

Q1: CLO1: Explain the differences between vulnerability assessment and penetration
testing, and various methodologies used. (C4,PLO2)

Q2: CLO2: Explain the professional duties and the legal aspects of being a licensed
penetration tester. (A3, PLO11)

Answer Q1 and Q2 based on the following scenario.

Assume that you are a senior security consultant at a penetration testing provider company and you have
been assigned to mentor a junior penetration tester who joined the company less than 2
months ago. His name is Dino. The company has adopted the Penetration Testing Execution Standard
(PTES), which comprises seven main stages: pre-engagement interactions, followed
by intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation and
reporting. At this moment, assume that you have been tasked with the pre-engagement interactions with a
potential client, a local private hospital, Love and Care Hospital. You ask the junior
penetration tester to join the meeting with the potential client to discuss the scoping of a
penetration test engagement.

Q1. (10 marks) During the meeting with the potential client, you find that Dino does not show
interest during the discussion. After the meeting, when you ask him why he
did not show interest, his reply is that he finds pre-engagement
discussion a waste of time. He claims that he can hack the hospital
system within a short time without going through such a long meeting. As the
mentor of the penetration tester, how would you advise Dino? Elaborate your
advice and reasons to him.

I will tell him about the importance of the Rules of Engagement for pen testing. It is the first
stage of PTES, and this discussion is to meet directly with the client to discuss the scope of the
engagement.

If the scope of the penetration testing is not spelled out clearly, there is a danger of
finding confidential information that the client (Love and Care Hospital) will not want the
company to have, or the penetration testing may disrupt the hospital's systems,
in this case. The worst case is that it affects the daily operation of the hospital,
which may affect human life if the safety aspect is not taken into consideration.

The exact timing of the penetration testing is also critical. In effect, there is no right down time
for a X, as the operation of the X must be fully functioning 24/7 because human life is at stake
if anything happens to the system. Therefore, after using the system, we need to
conduct a complete analysis based on the historical data to find out the time of least
use (such as at night).

A contingency plan has to be discussed in case something goes wrong, to have a clear communication
path to get the necessary advice on the next course of action.

Last but not least, a clear understanding of the penetration testing requirements and clear
boundaries of what needs to be done must be agreed by both the client (the hospital) and the
penetration testing company, to give the penetration testing work a high success rate and,
at the same time, to protect the penetration testing company from a lawsuit if something
unexpected happens, as long as the penetration testing company has done its due
diligence.

I will also tell him about the component of temporal restrictions for testing, for example,
when the test will start and any constraints on this testing, and what he can do during hospital
(Love and Care) working hours or after working hours.

I will make sure the testing is transparent, for example what information will be provided prior to the
start of the engagement. Only the client at the hospital (Love and Care) will know about the pen
testing on the client side. He shall not keep the test secret or sell information to a third party.

The scope test boundaries: what he can test and what cannot be tested, and he shall not go
beyond the scope; even if the client hospital (Love and Care) site has been DDoSed by attackers,
he should immediately report to the leader.

Location of the test team: what amount of travel is required, and the restriction on the test
travel location boundaries, i.e. whether he can do it remotely or on-site.

I will also train my junior to check in regularly with his lead, especially when starting and
finishing a task. He should check in with his lead if he faces anything unusual or outside the scope of
his task, and not make any decision outside the scope of his task without authorization from
the lead. He shall alert me immediately if any problem comes up.

Q2. (10 marks) Despite the advice given to Dino as shown in Q1, Dino was
found conducting active reconnaissance (i.e. port scanning) against the
hospital website without your approval. What will be your next
course of action to resolve this issue ethically and
professionally? Include your justification and
assumptions in your answer.

In this case, the assumption is that the penetration testing company has not
signed any contractual agreement with the client, Love and Care Hospital.

Dino has violated the ethics of an information security professional and has
committed a very serious offence by not getting approval from his employer and his
employer's potential client.

As the mentor for Dino, I have to collect evidence to prove that he has
committed an unethical action, by going through the device that Dino used to do the
scanning and going through the network device logs to show the date and time at which the
device used by Dino accessed the hospital website (e.g. look at the source and
destination IP addresses). This information is to be used as strong supporting
evidence when Dino is confronted about this matter.
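One way to pull the date, time and source/destination addresses out of network device logs, as the paragraph above describes, shown as an added Python example (not from the original answer script). The log format, the IP addresses (documentation ranges, with 203.0.113.10 standing in for the hospital website) and the five-port threshold are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed sample firewall log in a hypothetical format; IPs are from documentation
# ranges and refer to no real host. 203.0.113.10 stands in for the hospital website.
SAMPLE_LOG = """\
2024-07-23T22:14:01Z deny src=192.0.2.45 dst=203.0.113.10 dport=21 proto=tcp
2024-07-23T22:14:01Z deny src=192.0.2.45 dst=203.0.113.10 dport=22 proto=tcp
2024-07-23T22:14:02Z deny src=192.0.2.45 dst=203.0.113.10 dport=23 proto=tcp
2024-07-23T22:14:02Z allow src=192.0.2.45 dst=203.0.113.10 dport=80 proto=tcp
2024-07-23T22:14:03Z allow src=192.0.2.45 dst=203.0.113.10 dport=443 proto=tcp
2024-07-23T22:14:04Z deny src=192.0.2.45 dst=203.0.113.10 dport=3389 proto=tcp
2024-07-23T22:20:10Z allow src=198.51.100.7 dst=203.0.113.10 dport=443 proto=tcp
2024-07-23T22:21:00Z allow src=192.0.2.45 dst=203.0.113.99 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def scan_evidence(events, target_ip, min_ports=5):
    """Per source IP that touched target_ip: first/last timestamp, attempt count and the
    distinct destination ports. A source is marked scan-like when it touched at least
    min_ports distinct ports (the threshold is an assumption, not a standard)."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["dst"] == target_ip:
            per_src[ev["src"]].append(ev)
    report = {}
    for src, evs in per_src.items():
        ts = sorted(e["ts"] for e in evs)  # ISO-8601 UTC strings sort chronologically
        ports = sorted({e["dport"] for e in evs})
        report[src] = {"first": ts[0], "last": ts[-1], "attempts": len(evs),
                       "ports": ports, "scan_like": len(ports) >= min_ports}
    return report

if __name__ == "__main__":
    for src, info in scan_evidence(parse_log(SAMPLE_LOG), "203.0.113.10").items():
        print(src, info)
```

The timeline per source (first/last timestamp plus the list of ports touched) is the kind of record that can be placed beside the device examination when the matter is raised with the person concerned.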

Dino has to be called to a disciplinary meeting to confront him with all the
evidence and give him the chance to explain, if any, before any decision by the
committee on his case. He may be terminated, or the company may file a police report if
the case is found to be serious.

2nd answer:

I will write everything in detail in the report about the test we did and the vulnerabilities we found,
and also what Dino did. Conducting active reconnaissance is an
unethical action; it alerted the company's IT security team, and we did not
inform the client before we started doing the penetration testing. Therefore we must
report what we did to the client in order to resolve this issue.

Which of the following is a good method for validating the findings of penetration tests?

Using multiple tools of the same kind

General terms for future agreements and conditions, such as payment schedule, intellectual
property ownership and dispute resolution, are typically addressed in which contractual
document between a penetration tester and their client?
Master service agreement

An ethical hacker is hired to test the security of a business network. The hacker is given no
prior knowledge of the network and has a specific framework within which to work, defining
boundaries, a non-disclosure agreement and the completion date. Which of the following is a true
statement?

The white hat is attempting a black box test.

What is the process by which risks associated with an organization's information systems are
identified, qualified, and addressed?

Threat modeling

Which of the following is an element of pre-engagement tasks?

Creating the SOW

Signing an NDA

Establishing different communication paths
