Cyber Security

What is the best way to handle 'Out of Scope' assets found during a penetration test?

ST Asked by Steven Clark · 05-06-2024
0 upvotes 3,968 views 0 comments
The question

While performing a network penetration test recently, I discovered a wide-open database that wasn't on the list of IP addresses provided by the client. It clearly belongs to them. Ethically, how should I handle this? Should I test it to show them the risk, or stop immediately because it's out of scope? 

3 answers

0
MA
Answered on 06-06-2024

Ethical hacking is about permission. Without explicit written permission for that specific IP, you are just an unauthorized intruder. Always protect yourself legally first. 

ST 09-06-2024

Margaret is 100% right. The contract is your shield. Touching out-of-scope items is the fastest way to lose your license or end up in court.

0
LI
Answered on 07-06-2024

Stop immediately and do not touch that asset. Testing anything outside the agreed "Rules of Engagement" (ROE) can lead to legal trouble, even if you have good intentions. The correct procedure is to document the IP and the service you noticed and immediately notify your primary point of contact at the client site. Ask them if they would like to include it in the current scope via a formal change order. Professionalism is about sticking to the contract. You’ve done your job by identifying it; let them decide if they want you to exploit it legally. 

0
J
Answered on 08-06-2024

Was the database on the same subnet as the scoped items, or was it on a completely different network? Sometimes the client just forgot to add it to the list during the kickoff meeting. 

WI 10-06-2024

That happens more often than you would think. In my experience, clients are usually grateful when you point out forgotten assets. However, Joseph's point about the subnet is important for your notes. I usually tell them that while I haven't tested it, its presence poses a significant risk to the scoped environment due to potential lateral movement. Always keep your communication in writing via email.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

World globe icon Country: Canada

Book Free Session