Appendix A Flashcards
What is a White Box Test
Where all background and system information is provided
What is a Black Box Test
Where only basic or no information is provided except the company name
What is a Grey Box Test
A combination of White box and Black box testing, the tester has partial knowledge
What are the 5 stages of an assessment
1) Scoping : Working with the client to agree on a scope which meets their security requirements.
2) Reconnaissance : Gathering as much information as possible about the target.
3) Assessment : Carrying out vulnerability scans and manual testing.
4) Reporting : Analyse findings and write them up
5) Presenting : Presenting the information to the client
How is Unauthorised access to computer material punishable as per the Computer Misuse Act 1990
Unauthorised access to computer material - punishable by 6 months imprisonment or a fine “not exceeding level 5 on the standard scale” (currently £5000)
How is Unauthorised access with intent to commit or facilitate comission of further offences punishable as per the Computer Misuse Act 1990
Unauthorised access with intent to commit or facilitate commission of further offences - punishable by 12 months / maximum fine on summary conviction or 5 years/fine on indictment
How is Unauthorised modification of computer material punishable as per the Computer Misuse Act 1990
Unauthorised modification of computer material - punishable by 12 months / maximum fine on summary conviction or 5 years / fine on indictment
What Article of the Human Rights Act 1998 is applicable to a penetration test
Article 8 of the Human Rights Act - Right to respect for private and family life:
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
What aspects of the Data Protection Act are applicable to Penetration Testing
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
What sections of the Police and Justice act 2006 are relevant to Penetration Testing
Sections 35-38
Increased penalties of Computer Misuse Act (Makes unauthorised computer access serious enough to fall under extradition).
Makes it illegal to perform DoS attacks.
Makes it illegal to supply and own hacking tools.
Be careful about how you release information about exploits.