CompTIA Security+ (SY0-601) — Question 503
A penetration-testing firm is working with a local community bank to create a proposal that best fits the needs of the bank. The bank's information security manager would like the penetration test to resemble a real attack scenario, but it cannot afford the hours required by the penetration-testing firm. Which of the following would best address the bank's desired scenario and budget?
Answer options
- A. Engage the penetration-testing firm's red-team services to fully mimic possible attackers.
- B. Give the penetration tester data diagrams of core banking applications in a known-environment test.
- C. Limit the scope of the penetration test to only the system that is used for teller workstations.
- D. Provide limited networking details in a partially known-environment test to reduce reconnaissance efforts.
Correct answer: D
Explanation
Option D is the best choice because it allows for a focused penetration test that simulates a real attack while managing the budget effectively. By providing limited networking details, the bank can reduce the reconnaissance phase, thus saving time and costs. Options A and B require more extensive testing and resources, while option C limits the scope too much, potentially overlooking other vulnerabilities.