Enhance your CompTIA CASP+ exam readiness with our comprehensive quizzes. Sharpen your skills with detailed flashcards and multiple choice questions, each with hints and in-depth explanations. Prepare effectively for this challenging exam!

Which activity is considered "OUT OF SCOPE" for a penetration test?

  1. Testing vulnerabilities in a web application

  2. Conducting social engineering tests

  3. Undertaking network-based denial of service attacks in a production environment

  4. Assessing configuration weaknesses in firewalls

The correct answer is: Undertaking network-based denial of service attacks in a production environment

Undertaking network-based denial of service (DoS) attacks in a production environment is considered "OUT OF SCOPE" for a penetration test because it poses a significant risk to the availability and functionality of critical systems. Penetration testing aims to identify vulnerabilities and weaknesses in a system without disrupting or harming the services that users rely on. Conducting a DoS attack, even with the intention of testing security, can lead to unintended consequences such as downtime, data loss, and breaches of service level agreements.

In a penetration test, activities are typically confined to non-destructive testing, so that the systems under test remain operational and business operations are not negatively affected. Other forms of testing, such as assessing vulnerabilities in a web application or evaluating configuration weaknesses in firewalls, fall within the acceptable bounds of penetration testing because they focus on identifying weaknesses without necessarily causing harm or disruption. Similarly, social engineering tests do involve manipulation tactics aimed at users, but they are generally planned with strict boundaries to ensure they do not significantly disrupt operations.

The distinction lies in the potential impact on critical services, which makes network-based DoS attacks inappropriate and outside the scope of standard penetration testing practice.