Soft Skills & Assessment Management Flashcards

1
Q

Benefits of pen testing to the client

A

Gives an outline to prevent risk in a structured and optimal way

Shows a list of vulnerabilities in the target environment and risks associated

2
Q

5 pen testing phases

A

Reconnaissance
Scanning
Vulnerability assessment
Exploitation
Reporting

3
Q

Black Box Format

A

Pen tester doesn’t know anything about the app or environment

4
Q

Grey Box Format

A

Pen tester has some information and is possibly given some user access for testing

5
Q

White Box Format

A

Pen tester has all infrastructure info, possibly even the relevant source code.
With the source code and static code analysis, the pen tester can use the vulnerabilities found to attack.

6
Q

Computer Misuse Act 1990

A
1. Unauthorised access to computer material
2. Unauthorised access with intent to commit or facilitate commission of further offences
3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
3ZA. Unauthorised acts causing or creating risk of serious damage
3A. Making, supplying or obtaining articles for use in offence under section 1, 3 or 3ZA

7
Q

The Data Protection Act 2018

A

Everyone responsible for using personal data has to ensure data is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information such as biometrics.

8
Q

Police and Justice Act 2006

A

Clause 39: Increased penalty etc. for offence of unauthorised access to computer material

Clause 40: Unauthorised acts with intent to impair operation of computer etc.

Clause 41: Making, supplying or obtaining articles for use in computer misuse offences

Clause 42: Transitional and saving provision

e.g. DoS is an offence

9
Q

Human Rights Act 1998

A
  • Your right to respect for private and family life
  • Protection of property
10
Q

Understanding, Explaining and Managing Risk

What are some additional risks that pen testing can present?

A
  • Personal data is accessed - make sure it’s part of the agreed scope. The person reviewing the pen test results may not be authorised to view the personal data found.
  • Denial of Service conditions - ensure the dev team has backups or contingency plans available. If the test is done on production, perhaps run the pen test at night or when usage is low.
  • Remove all payloads you put in - revert any config files that were changed. Best to have the dev team do the reverts.
  • Do not use tools you don’t understand - tools found online could be useful, but may contain malware, or may behave unexpectedly when run.