Clear understanding of the ethical and legal framework for penetration testing. Discussion of why authorization is critical, importance of scope and rules of engagement, confidentiality of findings, and your commitment to conducting authorized testing only. Understanding that unethical or illegal hacking is harmful and something you wouldn't do.
MediumTechnical
79 practiced
You are preparing a concise Rules of Engagement (RoE) template for a mid-size company's legal and security teams. Draft 8-12 bullet points that cover: scope, testing windows, allowed techniques (e.g., social engineering), safety controls, escalation, data handling, contact points, and termination conditions.
Sample Answer
**Concise Rules of Engagement (RoE) — Penetration Testing (mid-size org)**Below are 10 concise RoE bullets I would provide as the lead penetration tester:- Scope: Target systems, IP ranges, applications, and exclusions listed by asset ID; only assets explicitly authorized in writing are in-scope.- Testing windows: Dates and daily time windows for testing (timezone) and blackout periods (business hours, payroll runs).- Allowed techniques: Authorized techniques (external/internal network tests, web app tests, credentialed scans). Social engineering (phishing, phone) requires explicit, separate approval and script/template review.- Safety controls: No destructive testing (DB corruption, DoS) unless pre-approved in writing; use non-invasive exploitation first and safe flags for exploitation tools.- Credential use: Use provided test accounts or obtain credentials via approved methods; store test creds in approved vault and rotate after engagement.- Data handling: Sensitive data discovered is treated as Confidential; exfiltration only to encrypted storage provided by client; findings redacted per data-retention policy and destroyed after agreed retention period.- Escalation & incident: Immediate contact to designated on-call security/legal if testing triggers outages, suspected data breach, or regulatory impact; provide timeline and remediation hold.- Contact points: Primary and backup contacts for security, IT ops, legal, and executive sponsor with phone and encrypted communication channel (PGP/Signal).- Reporting: Deliver interim critical findings immediately, full report within agreed SLA; include reproducible steps, risk rating, and remediation recommendations.- Termination conditions: Test stops immediately on explicit client request, detection of active compromise by third party, or safety control breach; all actions logged and post-mortem scheduled.I will tailor these bullets to the engagement and put them into a one-page RoE for sign-off.
EasyTechnical
51 practiced
Explain why written authorization is critical before conducting any penetration test. In your answer, cover both legal and ethical risks to the tester and the client, the role of a signed scope and Rules of Engagement (RoE), acceptable forms of authorization (signed contract, authorization letter, Power of Attorney), and what could happen if authorization is not obtained.
Sample Answer
**Why written authorization is critical**Written authorization formally permits actions that would otherwise be illegal. Without it, testing activities (scanning, exploitation, data access) can trigger criminal charges (unauthorized access, wire fraud) and civil liability for both tester and client.**Legal and ethical risks**- Tester risks: criminal prosecution, civil suits, professional sanctions, loss of reputation. Example: aggressive exploitation causing downtime could lead to negligence claims.- Client risks: exposure of sensitive data, breach of regulatory obligations (HIPAA, GDPR), third‑party liability if customers are affected.**Role of signed scope and Rules of Engagement (RoE)**- Scope defines targets, time windows, excluded systems, and success criteria—limits accidental damage.- RoE details allowed techniques (social engineering, physical), escalation paths, safe‑stop conditions, notification contacts, data handling and reporting rules.- Together they provide defense in depth: legal protection and operational safety.**Acceptable forms of authorization**- Signed contract with clear SOW and liability/indemnity clauses- Formal authorization letter on company letterhead naming tester and scope- Power of Attorney for third‑party approvals (when applicable)**Consequences of no authorization**- Criminal charges against tester, client-facing regulators and lawsuits, destroyed trust, forced remediation costs, mandatory disclosure of test results, and evidence suppression in court.Obtain clear, signed authorization and maintain audit trails (emails, signed PDFs) before any test.
EasyTechnical
49 practiced
Describe best practices for storing, transmitting, and disposing of sensitive pentest artifacts (exploit code, credentials, network captures, screenshots). Include specific technical controls (encryption, access control, logs), retention policies, and contractual protections you expect to be in place.
Sample Answer
**Overview (role perspective)** As a penetration tester I treat all artifacts as highly sensitive—they’re attack tools and evidence. My best practices cover secure storage, transmission, controlled access, retention, disposal, and contractual safeguards.**Secure storage & access control** - Store artifacts in encrypted repositories (AES-256 at rest, e.g., LUKS, BitLocker, or encrypted S3 with SSE-KMS). - Enforce least-privilege RBAC and MFA for accounts; use ephemeral credentials where possible. - Keep exploit code and creds in isolated workspaces (VMs/containers) with no internet egress except through monitored jump hosts. - Maintain audit logs (immutable, centralized SIEM) of access, downloads, and execution.**Secure transmission** - Use end-to-end TLS 1.2+/mutual TLS for transfers; prefer SSH with key auth or SFTP over VPN. - Exchange credentials via secure secret managers (HashiCorp Vault, AWS Secrets Manager) with short TTLs.**Retention & disposal** - Retention policy: retain artifacts only as long as needed for validation and reporting (typical 30–90 days unless extended by client). - Secure deletion: overwrite and shred (e.g., srm) or crypto-erase keys; for cloud, delete snapshots and revoke KMS keys.**Contractual protections** - Require explicit scope, data handling SLAs, NDA, data deletion and breach notification clauses, and record-of-destruction. - Specify liability limits, accepted encryption standards, and retention periods in SOW.**Operational controls & evidence hygiene** - Label artifacts, document chain-of-custody, and include reproduction steps in reports rather than raw credentials. - Regularly review and rotate testers’ keys and perform post-engagement audit.
EasyTechnical
55 practiced
Name at least five laws or regulations (international or country-specific) that commonly affect penetration testing engagements and briefly explain how each can influence the engagement's scope, evidence handling, reporting or contractual requirements. Examples to consider: GDPR, HIPAA, CFAA, NIS2, and PCI-DSS.
Sample Answer
**Brief framing (tester perspective)**As a penetration tester I must design engagements that comply with relevant laws/regulations — they shape scope, evidence retention, consent, reporting, and contractual clauses.**Key laws/regulations and impact**- GDPR (EU): Limits processing of personal data — avoid unnecessary PII collection, use data minimization, pseudonymize/test on synthetic data, and include Data Protection Impact Assessment (DPIA) clauses in contracts.- HIPAA (US, healthcare): Protects PHI — requires Business Associate Agreements (BAA), strict logging, encrypted evidence storage, and limited scope to systems holding PHI.- CFAA / Computer Misuse Act (US/UK): Criminalizes unauthorized access — mandates explicit written authorization (timebound, IPs, accounts), approved test windows, and escalation procedures to avoid legal exposure.- PCI-DSS: Protects cardholder data — requires approved testing methodologies, controls around handling PANs, and evidence retention policies compliant with PCI requirements.- NIS2 (EU): Critical infrastructure security — may require notification of incidents discovered during testing, higher assurance levels for critical sectors, and formal reporting to competent authorities.- Local Computer Crime laws (e.g., UK Computer Misuse Act): May impose extra constraints on exploit development or persistence tests; include indemnity and clear rollback/restore plans.**Practical actions**- Include legal authorization, scoping, allowed techniques, data handling, and reporting timelines in the Statement of Work.- Coordinate with legal/clients for BAAs, DPIAs, and breach-notification planning.
EasyTechnical
44 practiced
During reconnaissance you discover an internet-accessible server that appears to belong to the client but is not listed in the signed scope. Describe step-by-step how you would proceed from discovery through documentation and communication. Include what actions you would stop, what minimal information you may record, and how you would escalate to the client.
Sample Answer
**Situation & immediate stance**I stop all active testing against that host the moment I suspect it is in-scope but unsigned. I do not scan, exploit, or pivot through it until scope is clarified and written permission is obtained.**Step‑by‑step actions**1. Record minimal, non-invasive facts: - Timestamp (UTC), observed public IP, reverse DNS (if any), domain/URL, open ports/services visible from passive recon, HTTP title/header, and the discovery method (e.g., passive DNS, search engine, cert transparency). - Capture screenshots and raw tool output (with hashes) for evidence.2. Preserve logs locally and in engagement workspace; mark entries as “Potential scope drift — do not act on.”3. Stop any automated tools that might touch the host (scanners, brute-force, vulnerability checks).4. Cross‑check engagement artifacts (signed scope, IP ranges) and internal inventory to confirm mismatch.5. Escalate to the client using the agreed channel: - Short, factual email/ticket to primary engagement contact and PM: include the minimal facts, evidence attachments, and the impact assessment (e.g., “internet-exposed, could be in-scope”). - Request explicit written clarification: (a) confirm whether host is in scope, (b) provide written authorization to continue if it is, (c) approve denial if it should be excluded.6. Await written direction. If client confirms in-scope, continue under updated scope and document the change. If out-of-scope, block it from testing notes and ensure no further interaction.**Documentation & follow-up**- Log all communications, timestamps, and client responses in the engagement record.- If scope change approved, create an addendum to the test plan signed by client.- If unresolved or client unresponsive and the host appears critical, escalate to the engagement manager and legal/ops for guidance before proceeding.
Unlock Full Question Bank
Get access to hundreds of Ethical and Legal Boundaries interview questions and detailed answers.