During a penetration test, you identify a misconfiguration that exposes sensitive data. According to best practices, what is the most appropriate step to take in terms of communication?
Include the sensitive data exposure in the next scheduled status report.
Save the finding for the final report to prevent causing alarm during the test.
Immediately notify the primary or emergency contact to discuss the finding.
Wait until the presentation of findings to demonstrate the full impact of the misconfiguration.
When sensitive data exposure is discovered during a penetration test, it is vital to immediately communicate this finding to the primary contact or another predetermined emergency contact. This ensures that the organization is aware of the data breach risk and can take swift action to mitigate it before it can be exploited by actual attackers. Communicating lesser findings or deferring to a status report would not convey the urgency of the situation, and waiting until the presentation of findings could result in unnecessary exposure time.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is it important to notify the primary contact immediately after finding a misconfiguration?
Open an interactive chat with Bash
What are some best practices for communicating findings during a penetration test?
Open an interactive chat with Bash
What could be the potential consequences of not addressing the sensitive data exposure promptly?