
ECSA/LPT
EC-Council Module XIII
Rules of Engagement
Module Objective

This module will introduce you to the following:

• Rules of Engagement (ROE) between an organization and penetration testers
• Scope of ROE
• Steps for framing ROE
• Clauses in ROE

Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow

• Rules of Engagement (ROE)
• Scope of ROE
• Steps for Framing ROE
• Clauses in ROE

Rules of Engagement (ROE)

Rules of engagement (ROE) are the formal permission to conduct a pen test, obtained before testing starts.

ROE helps testers overcome legal, federal, and policy-related restrictions on the use of different penetration testing tools and techniques.

Scope of ROE

The ROE should also clearly explain the limits associated with the security test.

ROE includes:

• Specific IP addresses/ranges to be tested.
• Any restricted hosts (i.e., hosts, systems, or subnets not to be tested).
• A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.).
• Times when testing is to be conducted (e.g., during business hours, after business hours, etc.).
• Identification of a finite period for testing.

Scope of ROE (cont’d)

ROE includes:

• IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate legitimate penetration testing attacks from actual malicious attacks.
• Points of contact for the penetration testing team, the targeted systems, and the networks.
• Measures to prevent law enforcement being called with false alarms (created by the testing).
• Handling of information collected by the penetration testing team.
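The scope items above (target ranges, restricted hosts, testing windows, and a finite test period) can be encoded and checked mechanically so that a tester never touches an out-of-scope host or tests outside the agreed hours. The following is an added example, not part of the EC-Council module; the ROE values in SAMPLE_ROE are constructed and hypothetical.

```python
"""Check a proposed test action against the written Rules of Engagement.

Added example (not from the EC-Council module). It encodes the scope items
the module lists: in-scope IP ranges, restricted hosts, permitted testing
windows, and the finite period for which the test is authorized.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list      # IP addresses/ranges the organization authorized
    restricted: list    # hosts/subnets that must never be tested
    windows: list       # (start, end) time-of-day pairs when testing is permitted
    period: tuple       # (first day, last day) of the authorized test period

    def network_allowed(self, target: str) -> bool:
        """Restricted hosts override in-scope ranges (deny wins over allow)."""
        ip = ip_address(target)
        if any(ip in ip_network(r) for r in self.restricted):
            return False
        return any(ip in ip_network(r) for r in self.in_scope)

    def time_allowed(self, when: datetime) -> bool:
        """True only inside the finite period and one of the agreed windows."""
        first_day, last_day = self.period
        if not first_day <= when.date() <= last_day:
            return False
        t = when.time()
        # A window may cross midnight (e.g. after-hours 18:00-06:00).
        return any(s <= t < e if s < e else (t >= s or t < e)
                   for s, e in self.windows)

    def check(self, target: str, when: datetime) -> tuple:
        """Return (allowed, reason) for testing `target` at time `when`."""
        if not self.network_allowed(target):
            return False, f"{target} is not in the authorized scope"
        if not self.time_allowed(when):
            return False, f"{when:%Y-%m-%d %H:%M} is outside the agreed testing window"
        return True, "in scope"


# Constructed sample ROE; every value here is hypothetical.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.20.0.0/16"],
    restricted=["10.20.5.0/24"],            # e.g. a production subnet excluded by the client
    windows=[(time(18, 0), time(6, 0))],    # after business hours only
    period=(date(2024, 3, 4), date(2024, 3, 8)),
)
```

Run the same check from the tester's tooling before each action and log the result alongside the source IP, so the administrators' records and the tester's records can be reconciled after the engagement.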

Steps for Framing ROE

• Estimate the cost, time, and effort that the organization can invest
• Decide on the desired depth of penetration testing
• Have pre-contract discussions with different pen-testers
• Conduct brainstorming sessions with top management and technical teams
Clauses in ROE

List of allowed and prohibited activities:

• The organization may allow some activities, like port scanning for offline cracking, and prohibit others, like password cracking, SQL injection, and DoS attacks.

Definitions of test scope, limitations, and other activities for protecting the test team

Authorization of penetration testers for systems and network testing

Clauses in ROE (cont'd)

Details about the level and reach of the pen-test

Definition of the different types of allowed testing techniques

Information on activities, such as:

• Port and service identification
• Vulnerability scanning
• Security configuration review
• Password cracking
Clauses in ROE (cont'd)

Details on how organizational data is treated throughout and after the test

Details on how data should be transmitted during and after the test

Techniques for data exclusion (removal) from systems upon termination of the test

Clear guidance on incident handling

Summary

Rules of engagement are the formal permission to conduct the pen-test, obtained before testing starts.

The scope should also clearly explain the limits associated with the security test.

It prevents activities, such as installing and using executable files, that pose a greater risk to the system.
