ECCouncil Exam Questions

You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk.

What is one of the first things you should do when given the job?

A. Explain to the CIO that you cannot eliminate all risk, but you will be able to reduce risk to acceptable levels.

B. Interview all employees in the company to rule out possible insider threats.

C. Establish attribution to suspected attackers.

D. Start the Wireshark application to start sniffing network traffic.

The goals of penetration tests are:

Determine feasibility of a particular set of attack vectors

Identify high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence

Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software

Assess the magnitude of potential business and operational impacts of successful attacks

Test the ability of network defenders to detect and respond to attacks

Provide evidence to support increased investments in security personnel and technology
