A company hires a cybersecurity consultant to perform penetration tests and review the rules of engagement documents. The consultant notices that one element specifies that the tests should be performed toward only web applications on websites www1.company.com and www2.company.com, with no social engineering attacks and no cross-site scripting attacks. Which element in the document is used for the specification?

IT Questions Bank › Category: Ethical Hacker › A company hires a cybersecurity consultant to perform penetration tests and review the rules of engagement documents. The consultant notices that one element specifies that the tests should be performed toward only web applications on websites www1.company.com and www2.company.com, with no social engineering attacks and no cross-site scripting attacks. Which element in the document is used for the specification?

location of testing
types of allowed or disallowed tests
IP addresses or networks from which testing will originate
the security controls that could potentially detect or prevent testing

Explanation: The rules of engagement document specify the conditions under which the security penetration testing engagement will be conducted. The types of allowed or disallowed tests element in the rules of engagement document should specify specific penetration tests that are allowed or disallowed.

Exam with this question: 2.4.3 Quiz - Planning and Scoping a Penetration Testing Assessment Answers