Appendix A Flashcards
What is a White Box Test
Full Knowledge - Where all background and system information is provided
What is a Black Box Test
No Knowledge - Where only basic or no information is provided except the company name
What is a Grey Box Test
Some Knowledge - A combination of White box and Black box testing, the tester has partial knowledge
What are the 5 stages of an assessment
1) Scoping : Working with the client to agree on a scope which meets their security requirements.
2) Reconnaissance : Gathering as much information as possible about the target.
3) Assessment : Carrying out vulnerability scans and manual testing.
4) Reporting : Analysing the findings and writing them up.
5) Presenting : Presenting the information to the client.
How is Unauthorised access to computer material punishable as per the Computer Misuse Act 1990
Unauthorised access to computer material - punishable by 6 months imprisonment or a fine “not exceeding level 5 on the standard scale” (currently £5000)
How is Unauthorised access with intent to commit or facilitate commission of further offences punishable as per the Computer Misuse Act 1990
Unauthorised access with intent to commit or facilitate commission of further offences - punishable by 12 months / maximum fine on summary conviction or 5 years/fine on indictment
How is Unauthorised modification of computer material punishable as per the Computer Misuse Act 1990
Unauthorised modification of computer material - punishable by 12 months / maximum fine on summary conviction or 5 years / fine on indictment
What Article of the Human Rights Act 1998 is applicable to a penetration test
Article 8 of the Human Rights Act - Right to respect for private and family life:
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
What aspects of the Data Protection Act are applicable to Penetration Testing
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
What sections of the Police and Justice Act 2006 are relevant to Penetration Testing
Sections 35-38
Increased penalties of Computer Misuse Act (Makes unauthorised computer access serious enough to fall under extradition).
Makes it illegal to perform DoS attacks.
Makes it illegal to supply and own hacking tools.
Be careful about how you release information about exploits.