PrepAway - Latest Free Exam Questions & Answers

What should the tester do?

Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:

(1) The tests will be conducted on live, business functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation.
(2) The company wants the most in-depth test possible.

While conducting the penetration test, the tester discovers a critical business system is currently compromised.

What should the tester do?


A. Note the results in the penetration testing report

B. Immediately end the penetration test and call the CIO

C. Remove the malware

D. Shut the system down

Explanation:
Answer B is correct; when discovering a live malicious intrusion, the penetration tester should immediately end the penetration test and notify the client of the intrusion.

Incorrect Answers and Explanations: Answers A, C, and D are incorrect. Noting the results is not enough: system integrity, data integrity, and confidentiality are compromised or at risk; immediate action is required. Removing the malware may cause more damage and/or alert the attackers to the penetration tester's presence. Attackers may become more malicious if they believe they have been discovered. Shutting the system down will harm availability (and possibly integrity), and will destroy any evidence that exists in memory.

