PenTest+ Practice Tests Book - SYBEX
C. - A statement of work (SOW) defines what work will be done during an engagement. A SOW is a document that defines the purpose of the test, what tests will be done, what will be created, the timeline for the test to be completed, the price for the testing, and any additional terms and conditions.
Well, if you go through the SANS Rules of Engagement Worksheet, only attacker IPs are mentioned.
https://sansorg.egnyte.com/dl/bF4I3yCcnt/?
So I would go with the Statement of Work.
Pay attention to the actual question fellas. This says "which of the following would define the target list?".
They're throwing you off with that additional piece and your brain is going straight to scope creep. The question itself has NOTHING to do with scope creep. The question is a simple "where would this be defined" and it's definitely part of the ROE doc.
I think this is actually a question about scope creep. If this was a real-world scenario then the pen tester would need to know more about the new targets, which sort of swings the process round to the start. I'd say this would mean revisiting the statement of works.
The rules of engagement are established BEFORE testing begins and are usually not modified. If the test has begun and new requirements are added, they will be included in the SOW. So I think the answer is C.
A - Rules of Engagement – This is the meat of the document, and these rules are crucial to reveal in detail, as they provide the dos and do nots of testing. They contain a lot of important project specifics such as special testing parameters, requested rules the testing team should abide by, and disclosures about testing that can help protect the client. Below are some of the different things captured and detailed in this section:
Treatment of sensitive information during the project
How project status updates will be communicated
Emergency contact information
Handling of a sensitive and critical vulnerability
Steps taken if a prior compromise is uncovered
Security controls impact and specifics
IP addresses of testing machines for monitoring/whitelisting
Requirements for third-party hosting provider approvals to test
In-scope targets, including the IP addresses and URLs
Any specific compromise goals (i.e. Material and Non-public information, Credit Card Data)
Specific web-forms to be avoided
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other