
Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. As a security professional, you suggest penetration testing should be conducted. Which of the following is your most concern?
A. The decision of employment of internal or external penetration test team
B. The capability and experience of the penetration test team
C. The procedure that the penetration test team asks for permission to conduct penetration testing
D. The escalation path to the senior management if testing takes down the system
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. The procedure that the penetration test team asks for permission to conduct penetration testing.
Incident Prioritization and Notification
When a penetration test is conducted, the simulated attack should be detected and responded to by the incident response (IR) team. Each incident should be prioritized, and the appropriate parties and management levels notified, according to the IR plan.
Not every incident, even one that takes down the system, must be reported to senior management. That is the core concept of incident prioritization.
Legal Ramifications
However, pen-testing teams must always obtain permission before conducting the testing. Without it, pen-testing teams frequently end up entangled in legal cases.
I have included references to several such legal cases in this post.
Feedback
The question appears to be written from the perspective of the company that wants to hire a penetration tester. Do they really care more about the potential tester’s engagement process than their competency?
Source: @GS from https://discord.gg/sQXvRR
The competency of the pentesting team is crucial, and it is an excellent answer to this question. Nevertheless, I suggest “C. The procedure that the pentesting team asks for permission to conduct pentesting” as the answer, to emphasize the importance of the rules of engagement for pentesting teams.
- Competency is evaluated in almost every procurement of outsourced pentesting services. It is nearly a routine selection criterion, and the acquisition is typically conducted by procurement staff rather than the security professional. That is why it is not my primary concern.
- The engagement process and rules, however, are often project-based (they vary from project to project) and carry a higher risk. In practice, they are frequently overlooked.
We had a real case in Taiwan in which a pentest led to the disruption of a banking system. The pentesting team was authorized to start testing at 03:00 PM but started one hour early. Unfortunately, the exploitation resulted in a system disruption. Senior management was really upset about the incident; the pentesting team was dismissed, and the project manager was blamed.
I revised the question from “Which of the following is the most concern?” to “Which of the following is your most concern?” so that it reads more consultatively and reflects that my suggested answer is only a suggestion.
References
- How do I run security assessments or penetration tests on AWS?
- How Do I Fill Out The AWS Penetration Testing Request Form?
- Penetration Testing in the AWS Cloud: What You Need to Know
- Amazon Web Services will no longer require security pros running penetration tests on their cloud-based apps to get permission first
- Legal Issues in Penetration Testing
- Security Researchers Whose ‘Penetration Test’ Involved Breaking And Entering Now Facing Criminal Charges
- Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded
- Miscommunication led to arrests during a midnight physical security test
- Recent DOJ Hacker Charges a Reminder: Do Network Penetration Testing, Patching for Cyber Security
- New Documents About Pentesters Jailed for Courthouse Break-In
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
