A penetration tester discovers passwords in a publicly available data breach during the reconnaissance phase of the penetration test. Which of the following is the best action for the tester to take?
Upon discovering passwords in a publicly available data breach during the reconnaissance phase, the most ethical and constructive action for the penetration tester is to contact the client and inform them of the breach. This approach allows the client to take necessary actions to mitigate any potential risks, such as forcing password resets or enhancing their security measures. Adding the passwords to a report appendix (option A) without context or action could be seen as irresponsible, while doing nothing (option B) neglects the tester's duty to inform the client of potential threats. Using the passwords in a credential stuffing attack (option D) without explicit permission as part of an agreed testing scope would be unethical and potentially illegal.