A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?
- A. The test will include social engineering of remote employees
  Why wrong: Social engineering is not mentioned in the scope and is not directly related to the exclusion of cloud and branch infrastructure.
- B. The exclusion of cloud infrastructure may leave critical assets untested
  Correct. Emphasizing the risk of untested critical assets helps the client understand the scope limitation's impact on overall security assurance.
- C. The test can only be performed during off-hours
  Why wrong: Off-hours testing is a scheduling detail, not the primary concern regarding scope coverage.
- D. The tester will require VPN access to the corporate network
  Why wrong: VPN access is a technical requirement but does not address the risk of excluding cloud and branch systems.