You are performing a penetration test and have discovered an undocumented file server containing sensitive company data during the assessment. This server is not listed in the provided target list. In keeping with professional conduct regarding the scope, which course of action should you take next?
Immediately disconnect from the network to avoid any further unauthorized interaction
Inform the client of the finding and request a clarification on whether it should be included in the scope of the assessment
Document the finding in your report for post-assessment review but avoid interacting with the server
Run non-aggressive scans on the server to determine if it holds any exploitable vulnerabilities
The correct answer is 'Inform the client of the finding and request a clarification on whether it should be included in the scope of the assessment'. Professional conduct dictates that penetration testers should only engage targets explicitly listed in the scope of work, regardless of the potential for these targets to represent significant security risks. By reporting the out-of-scope discovery to the client and requesting direction, the tester ensures they are not overstepping legal boundaries and maintains the trust relationship with the client. Immediately disconnecting from the network may be considered hasty and does not address the issue responsibly while running non-aggressive scans or documenting the finding without engaging the client overlooks professional communication and may lead to scope creep or unauthorized actions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does it mean to work within the scope of a penetration test?
Open an interactive chat with Bash
Why is client communication important in a penetration test?
Open an interactive chat with Bash
What are the potential consequences of engaging a system outside the defined scope?