Chapter 2 Penetration Test Planning and Engagement
Contracts and Documentation [2]
Legal Restrictions
• Penetration testing may be performed in, or against systems located in, a
different country, where country-specific limitations and local laws may
restrict some of the tasks a penetration tester is allowed to perform.
• Penetration testing laws vary from country to country. Some penetration
testers have been accused of, and even arrested for, allegedly violating the
U.S. Computer Fraud and Abuse Act (18 U.S.C. § 1030(a)(5)(B)).
• Always obtain a signed permission-to-test document before performing any
testing.
• Any legal restrictions must be carefully discussed and written into the
SOW.
• Export restrictions: prohibit exporting certain goods and services to
other countries, such as U.S. export laws that restrict the export of
certain encryption technology.
• Local and national governmental restrictions: it is highly probable that
governmental restrictions control the technology and tools used during the
penetration testing process. This covers not only the technology and
tools, but also the information gathered by the testers and even the act of
probing or exploiting computer systems, such as port scanning. Penetration
testers may also have to go through an extensive background check to obtain
a security clearance.
• Corporate or organizational policies: may subject users and service
vendors of the environment to background checks.
Contracts and Documentation [2]
• CompTIA identifies five key contracts and documents:
• Master Services Agreement (MSA)
• Permission to Test
Contracts and Documentation [1] [2]
Contract type Description
Contracts and Documentation – SOW [2]
• Purpose: reason for the project
• Acceptance criteria: conditions that must be satisfied
Contracts and Documentation - Rules of Engagement [1] [2]
Components of the RoE and what each describes:
• Scope: more elaboration about the scope of testing as stated in the SOW.
• Location of the testing: the location of the test team in relation to the
client organization; the remote technology used to access multiple
locations; and the amount of travel required. E.g., the company's
headquarters in Kuala Lumpur, Malaysia.
• Time window of the testing: when the actual test begins, and whether there
are constraints on the days and times that the testing can be performed.
E.g., 9:00 am to 5:00 pm EST.
• Preferred method of communication and escalation path: e.g., a final
report and weekly status update meetings. Any findings, or any issue that
arises, must follow the agreed communication escalation path (who to
contact and how).
• The security controls that could potentially detect or prevent testing:
e.g., intrusion prevention systems (IPSs), firewalls, data loss prevention
(DLP) systems.
• Types of allowed or disallowed tests: what is being tested, and what is
not? Define the acceptable actions, such as social engineering and physical
security tasks. If invasive attacks such as DoS attacks, brute force or
automated fuzzing are part of the testing, are there any restrictions on
their use?
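The RoE components above are usually enforced by people reading a document, but they can also be encoded as data that engagement tooling checks before any action is launched. The following is an added example, not code from the slides or from CompTIA: it models scope, exclusions, the testing window, and allowed/disallowed test types, and checks a planned action against them. All ranges, hosts, and test names are constructed for illustration; EST is modelled as a fixed UTC-5 offset to keep the example dependency-free.

```python
"""Added example (not from the slides): the RoE components expressed as data
that engagement tooling can check a planned action against. The scope ranges,
hosts and test names are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list          # CIDR ranges agreed in the SOW / RoE scope
    excluded: list          # hosts or ranges explicitly carved out of scope
    tz: timezone            # zone the testing window is expressed in
    window_start: time
    window_end: time
    test_days: set          # 0 = Monday ... 6 = Sunday
    disallowed_tests: set   # never run, e.g. DoS
    requires_approval: set  # allowed only after sign-off via the escalation path


# Constructed RoE mirroring the slide's examples: weekdays, 9:00 am to 5:00 pm EST.
# EST is modelled as a fixed UTC-5 offset; a production checker would use
# zoneinfo.ZoneInfo("America/New_York") so the window follows daylight saving.
ROE = RulesOfEngagement(
    in_scope=["10.10.0.0/16", "203.0.113.0/24"],   # 203.0.113.0/24 is an RFC 5737 documentation range
    excluded=["10.10.5.0/24"],                      # e.g. the production payment segment
    tz=timezone(timedelta(hours=-5), "EST"),
    window_start=time(9, 0),
    window_end=time(17, 0),
    test_days={0, 1, 2, 3, 4},
    disallowed_tests={"dos", "automated_fuzzing"},
    requires_approval={"brute_force", "social_engineering"},
)


def check_action(roe, target_ip, test_type, when):
    """Return the list of RoE violations for a planned action; empty means go.

    `when` must be timezone-aware: a tester in another country must not
    compare their local clock against the client's window by accident."""
    if when.tzinfo is None:
        raise ValueError("planned time must be timezone-aware")
    violations = []

    addr = ip_address(target_ip)
    if not any(addr in ip_network(net) for net in roe.in_scope):
        violations.append(f"{target_ip} is not in the agreed scope")
    if any(addr in ip_network(net) for net in roe.excluded):
        violations.append(f"{target_ip} is explicitly excluded")

    # Convert the planned time into the client's zone before comparing.
    local = when.astimezone(roe.tz)
    if local.weekday() not in roe.test_days:
        violations.append(f"{local:%A} is outside the agreed testing days")
    if not (roe.window_start <= local.time() < roe.window_end):
        violations.append(
            f"{local:%H:%M %Z} is outside the "
            f"{roe.window_start:%H:%M}-{roe.window_end:%H:%M} window"
        )

    if test_type in roe.disallowed_tests:
        violations.append(f"{test_type} is disallowed by the RoE")
    elif test_type in roe.requires_approval:
        violations.append(f"{test_type} needs sign-off via the escalation path")
    return violations


if __name__ == "__main__":
    plan = datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc)   # Tuesday 09:00 EST
    for ip, test in [("10.10.1.7", "port_scan"), ("10.10.5.9", "port_scan"),
                     ("192.0.2.1", "dos"), ("203.0.113.10", "brute_force")]:
        print(ip, test, check_action(ROE, ip, test, plan) or "allowed")
```

The window check is done in the client's time zone, which is the detail most often got wrong when the test team sits in a different country from the target; an "allowed" result here is a precondition, not a substitute for the escalation path when something unexpected happens.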
Communication Planning [2]
Communication Paths
• A communication escalation path must be properly defined in the RoE so
that issues arising during testing can be remedied quickly.
• An escalation path defines a chain of command and helps resolve and
manage conflict.
• If a critical service or system goes down during testing, the pentest
team already knows whom in the chain of command to call, and how, to
report what happened.
• Possible impacts if the communication escalation path is missing from the
RoE, or does not name the right person to address issues during
penetration testing:
• More time taken to find the right person to seek advice, guidance or
approval
• Disruption to business operations, which may lead to business loss
Communication Planning [2]
Communication Triggers
Support Resources [1]
The goal of a pen test plan is to clearly define the parameters of the
pen test engagement.
Establishing what resources will be made available to the testing
team and what requirements are expected from the testing team is
integral in defining these parameters.
Support resources and what each provides:
• SOAP (Simple Object Access Protocol) project files: an API standard that
relies on XML and related schemas. XML-based specifications are governed
by XML Schema Definition (XSD) documents.
• OpenAPI documentation (formerly Swagger documentation): a modern
framework of API documentation and development for REST APIs that is now
the basis of the OpenAPI Specification (OAS).
• WSDL (Web Services Description Language) documents: an XML-based language
used to document the functionality of a web service.
• WADL (Web Application Description Language): an XML-based language for
describing web applications.
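These documents are support resources precisely because they enumerate the attack surface before a single packet is sent. As an added example that is not part of the slides or of any cited source, the following Python turns a small OpenAPI 3 document and a WSDL fragment into a test-surface inventory, and flags operations whose effective security requirement is empty. Both documents are constructed samples (`api.example.test`, the `Billing` port type, the `/admin/export` path); a real engagement would read the client-supplied files instead.

```python
"""Added example (not from the slides): build a test-surface inventory from
API support resources. The OpenAPI document and WSDL below are constructed,
minimal samples, not a real client's files."""
import json
import xml.etree.ElementTree as ET

# Constructed OpenAPI 3 document, as a client might hand over before a web API test.
OPENAPI_DOC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],                  # document-wide default
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path"}]},
            "delete": {"parameters": [{"name": "id", "in": "path"}]},
        },
        "/health": {"get": {"security": []}},           # explicitly unauthenticated
        "/admin/export": {"post": {"security": [{"apiKey": []}]}},
    },
})

# Constructed WSDL fragment: one port type with two operations.
WSDL_DOC = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:tns="http://example.test/billing" name="Billing">
  <portType name="BillingPort">
    <operation name="GetInvoice"><input message="tns:GetInvoiceIn"/></operation>
    <operation name="VoidInvoice"><input message="tns:VoidInvoiceIn"/></operation>
  </portType>
</definitions>"""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def openapi_inventory(doc_text):
    """List every (METHOD, path, auth schemes, parameter names) in an OpenAPI 3 doc.

    An operation-level `security` key overrides the document default, and an
    empty list means the operation is deliberately unauthenticated, which is
    exactly what a tester wants to spot before scoping the test."""
    doc = json.loads(doc_text)
    default_sec = doc.get("security", [])
    rows = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:   # skip "parameters", "summary", etc.
                continue
            sec = op.get("security", default_sec)
            schemes = sorted(name for req in sec for name in req) or ["none"]
            params = [p["name"] for p in op.get("parameters", [])]
            rows.append((method.upper(), path, ",".join(schemes), params))
    return rows


def wsdl_operations(doc_text):
    """List (portType, operation) pairs; namespace-aware so prefixes don't matter."""
    ns = {"wsdl": "http://schemas.xmlsoap.org/wsdl/"}
    root = ET.fromstring(doc_text)
    return [
        (pt.get("name"), op.get("name"))
        for pt in root.findall("wsdl:portType", ns)
        for op in pt.findall("wsdl:operation", ns)
    ]


def unauthenticated(rows):
    """Operations whose effective security is empty: first candidates for scope review."""
    return [(method, path) for method, path, auth, _ in rows if auth == "none"]


if __name__ == "__main__":
    inventory = openapi_inventory(OPENAPI_DOC)
    for row in inventory:
        print(*row)
    print("unauthenticated:", unauthenticated(inventory))
    print("SOAP operations:", wsdl_operations(WSDL_DOC))
```

The inventory is a starting point for the scope discussion in the SOW and RoE: each listed operation is either in scope, out of scope, or needs a decision, and the unauthenticated ones are where accidental impact on production is most likely.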