CompTIA PenTest+ Exam: Unethical Behaviors in a Penetration Testing SOW

Question

A penetration tester is reviewing the following SOW prior to engaging with a client: 'Network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential. Upon completion of the engagement, the penetration tester will submit findings to the client's Chief Information Security Officer (CISO) via encrypted protocols and subsequently dispose of all findings by erasing them in a secure manner.' Based on the information in the SOW, which of the following behaviors would be considered unethical? (Choose two.)

Answers

CE.

Explanations

The two behaviors that would be considered unethical based on the information provided in the SOW are C and D.

C. Failing to share with the client critical vulnerabilities that exist within the client architecture to appease the client's senior leadership team: Penetration testing is conducted to identify vulnerabilities and weaknesses in the client's network, systems, or applications. The primary objective is to find and report all vulnerabilities so that the client can take remediation steps to improve their security posture. Withholding critical vulnerabilities from the client's senior leadership team would leave the client's assets and data exposed, so it would be considered an unethical practice.

D. Seeking help with the engagement in underground hacker forums by sharing the client's public IP address: This would be considered both unethical and illegal. Disclosing the client's public IP address in such forums would expose the client's network to potential attacks and compromise its security. The penetration tester has a responsibility to maintain the confidentiality and integrity of the client's information and data; seeking help from underground hacker forums would not only violate the SOW but also break ethical and legal codes of conduct.

The other options are ethical and comply with the SOW.

A. Utilizing proprietary penetration-testing tools that are not available to the public or to the client for auditing and inspection: There is no issue with using proprietary penetration-testing tools as long as they comply with the SOW and do not violate any ethical or legal codes of conduct. The penetration tester is responsible for ensuring that the tools used are effective and do not harm the client's network or systems.

B. Utilizing public-key cryptography to ensure findings are delivered to the CISO upon completion of the engagement: Using public-key cryptography to deliver findings to the CISO protects the confidentiality and integrity of the information being shared. This is an ethical practice, as it complies with the SOW's requirement to submit findings via encrypted protocols and ensures that the client's information is not compromised.

E. Using a software-based erase tool to wipe the client's findings from the penetration tester's laptop: This is an ethical practice, as it ensures that the client's confidential information is not exposed to unauthorized parties. The SOW requires the penetration tester to dispose of all findings by erasing them in a secure manner, and using a software-based erase tool complies with this requirement.

F. Retaining the SOW within the penetration tester's company for future use so the sales team can plan future engagements: Retaining the SOW for this purpose is ethical as long as it complies with the SOW and does not violate any ethical or legal codes of conduct. However, the SOW states that network diagrams, logical and physical asset inventory, and employees' names are to be treated as client confidential, so those details should not be retained for future use.