
Chapter 2: Penetration Test Planning and Engagement

Key concepts during penetration test planning and engagement [1] [2]
• Key concepts to address and understand in the planning and engagement phase:
  • Regulatory and compliance considerations
  • The target audience
  • Contracts and Documentation
  • The communication escalation path and communication channels
  • The available resources and requirements
  • The overall budget for the engagement
  • Any specific disclaimers
  • Any technical constraints
  • Professionalism and Integrity
Governance, Risk and Compliance Concepts [2]
• Governance, risk and compliance (GRC) describes the
processes, tools and strategies that organizations use to
address compliance with industry regulations, enterprise risk
management, and internal governance.
• Penetration tests are often used to examine risk and comply
with legal and regulatory requirements for testing.
• Pentests practically evaluate an organization’s security
regarding their processing and handling of protected data.
Governance, Risk and Compliance Concepts [2]
Regulatory and Compliance Consideration:
• Laws that may affect penetration testing vary across
countries, regions and localities, such as states or even cities.
• Laws may affect what tools you are allowed to use, whether or not certain types of cryptography can be exported, and even what activities are permitted during a pentest.
• Scoping should consider what laws apply to the target as well
as what corporate policies affect testing.
• Compliance-based penetration testing evaluates adherence
to these policies, laws and regulations.
• Compliance requirements may affect how a penetration test
must be conducted, how frequently tests must occur, and
who is allowed to conduct testing.
Governance, Risk and Compliance Concepts [1]
Regulatory and Compliance Consideration:
• Compliance-based penetration tests verify and audit the security posture of an organization and make sure it is compliant with specific regulations, such as the following (1/2):
  • Payment Card Industry Data Security Standard (PCI DSS)
    • Aims to secure the processing of credit card payments and other types of digital payments.
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • Protects individuals' electronic health information while permitting appropriate access to and use of that information by healthcare providers and other entities.
Governance, Risk and Compliance Concepts [1]
Regulatory and Compliance Consideration:
• Compliance-based penetration tests verify and audit the security posture of an organization and make sure it is compliant with specific regulations, such as the following (2/2):
  • Federal Risk and Authorization Management Program (FedRAMP)
    • The U.S. federal government uses this standard to authorize the use of cloud service offerings.
Governance, Risk and Compliance Concepts [1]
PCI DSS:
• To protect cardholders against misuse of their personal information and
to minimize payment card channel losses, the major payment card
brands (Visa, MasterCard, Discover, and American Express) formed the
Payment Card Industry Security Standards Council (PCI SSC) and
developed the Payment Card Industry Data Security Standard (PCI DSS).
• PCI DSS must be adopted by any organization that transmits, processes,
or stores payment card data or that directly or indirectly affects the
security of cardholder data.
• Any organization that leverages a third party to manage cardholder data has the full responsibility of ensuring that this third party is compliant with PCI DSS.
• The payment card brands can levy fines and penalties against organizations that do not comply with the requirements and/or can revoke their authorization to accept payment cards.
Governance, Risk and Compliance Concepts [1]
PCI DSS (Key Terms):
• Acquirer (acquiring bank / acquiring financial institution)
  • Entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
• ASV (approved scanning vendor)
  • An organization approved by the PCI SSC to conduct external vulnerability scanning services.
• Merchant
  • An entity that accepts payment cards bearing the logos of any of the members of the PCI SSC (American Express, Discover, MasterCard or Visa) as payment for goods and/or services.
• PAN (primary account number)
  • A payment card number that is up to 19 digits long.
Governance, Risk and Compliance Concepts [1]
PCI DSS (Key Terms):
• Payment brand
  • Brands such as Visa, MasterCard, Amex or Discover.
• PCI forensic investigator (PFI)
  • A person trained and certified to investigate and contain cybersecurity incidents and breaches involving cardholder data.
• Qualified security assessor
  • An individual trained and certified to carry out PCI DSS compliance assessments.
Governance, Risk and Compliance Concepts [1]
PCI DSS (Key Terms):
• Service provider
  • A business entity that is not a payment brand and that is directly involved in the processing, storage or transmission of cardholder data.
  • E.g. managed service providers that provide managed firewalls, intrusion detection and other services, as well as hosting providers and other entities.
  • Entities such as telecommunication companies that only provide communication links, without access to the application layer of the communication link, are excluded.
Governance, Risk and Compliance Concepts [1]
Regulatory and Compliance Consideration:
• Also be familiar with different privacy-related regulations, such as:
  • General Data Protection Regulation (GDPR) – regarded as the global standard
    • Strict rules around the processing of data and privacy.
    • Strengthens and unifies data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU.
    • Gives citizens control of their personal data.
Governance, Risk and Compliance Concepts [1]
Regulatory and Compliance Consideration:
• Also be familiar with different privacy-related regulations, such as:
  • Malaysia Personal Data Protection Act 2010
    • Regulates the collection, possession, processing and use of personal data, and ensures that there are adequate measures for the security, privacy and handling of personal information.
    • Violators of the act are liable for a fine of up to M$200,000 (US$61,000), a jail term of up to two years, or both.
Source: https://www.proquest.com/docview/357158697/fulltext/D2671CA7F9D24E97PQ/1
Governance, Risk and Compliance Concepts [2]
Regulatory and Compliance Consideration:
• Three types of data encountered during compliance-based penetration tests:
  • Personally identifiable information (PII) or personal information
    • E.g. national identifier, name, postal address, bank account numbers, e-mail addresses
  • Protected health information (PHI)
    • E.g. medical diagnoses, provider visit details or other attributes that define an individual's health or health care.
  • Cardholder data (CHD) → Payment Card Industry Data Security Standard (PCI DSS)
    • Account numbers, authentication data for financial transactions, customer data
Target Audience Types [2]
The target audience for a pen test report should be determined, as different sorts of pen test engagements will have different sets of stakeholders. Typically, the stakeholders consist of the following:
• Executive management (senior management)
  • Responsible for an organization's overall goals and success
  • Written authorization is needed before a pentest can be conducted
• Contracting or legal department
  • Review and enforce legal and contractual commitments for all parties involved in the engagement
• Security personnel and IT department
  • Communicate about organizational security policies and respond to incidental outages (account lockouts, disruption of services)
• Pentesters
  • Main role is to identify weaknesses of the company's infrastructure/systems and simulate attacks
Contracts and Documentation [2]
• Contracts are mutual agreements that are enforceable by law
and require an authorized representative from each party
(i.e., contract signing authority) to sign the contract.
• These agreements hold two or more parties liable to specific
obligations that shall or shall not be done.
• They may consider environmental differences and impose
certain terms and conditions, such as local and national
government restrictions and corporate (organizational)
policies.

Contracts and Documentation [2]
Legal Restrictions
• Penetration testing may be done in a different country where
there may be specific country limitations and local laws that
may restrict whether you can perform some tasks as a
penetration tester.
• Penetration testing laws vary from country to country. Some
penetration testers have been accused and even arrested for
allegedly violating the Computer Fraud and Abuse Act of
America Section 1030(a)(5)(B).
• Must always have a permission-to-test document in place before performing the testing.
• Any legal restrictions must be carefully discussed and included in the SOW.

Contracts and Documentation [2]
Legal Restrictions
• Export restrictions: prohibit the exporting of certain goods and
services to other countries, such as U.S. export laws
prohibiting the exporting of certain encryption technology.
• Local and national governmental restrictions: It is highly
probable that governmental restrictions control the use of
technology and tools used during the pen testing process.
This includes not only the technology and tools, but also the
information gathered by the testers and even the actual
process of exploiting computer systems, such as port
scanning. Penetration testers also have to go through extensive background checks to obtain security clearance.
• Corporate or organizational policies: may subject users and
service vendors of the environment to background checks.

Contracts and Documentation [2]
• CompTIA identifies five key contracts and documents:
  • Master Services Agreement (MSA)
  • Nondisclosure Agreement (NDA)
  • Statement of Work (SOW)
  • Rules of Engagement (RoE)
  • Permission to Test
Contracts and Documentation [2]
Contract type and description:
• Master services agreement (MSA): Overarching contract reached between two or more parties where each party agrees to most terms that govern all other future transactions and agreements, such as payment terms, product warranties, IP ownership, dispute resolution, allocation of risk and indemnification, CSR, business ethics, network and facility access.
• Non-disclosure agreement (NDA): A confidentiality agreement that protects a business's competitive advantage by protecting its proprietary information and intellectual property.
Contracts and Documentation [1] [2]
Contract type and description:
• Statement of work (SOW):
  • Formal document that outlines project-specific work to be executed by a service vendor for an organization.
  • A SOW can be a standalone document or can be part of an MSA.
  • Explains the problem to be solved, the work activities, the project deliverables, and the timeline for when the work is to be completed.
Contracts and Documentation – SOW [2]
SOW items and their descriptions:
• Purpose: Reason for the project
• Scope of work: Describes the work activities to be completed
• Location of work: Where the work will be performed
• Period of performance: The timeline for the project
• Deliverables schedule: Defines the project artifacts and due dates
• Applicable industry standards: Relevant criteria that must be followed
Contracts and Documentation – SOW [2]
SOW items and their descriptions (continued):
• Acceptance criteria: Conditions that must be satisfied
• Special requirements: Travel, workforce requirements (certifications, education)
• Payment schedule: Negotiated schedule of payment (possibly derived from the MSA)
Contracts and Documentation - Rules of Engagement [1] [2]
• A document that outlines how the pen testing is to be conducted and describes the expectations of the client and the rights and limitations of the test team.
• The Rules of Engagement (RoE) clarifies items from the SOW.
• Can be part of the SOW or treated as a separate document.
• The document requires sign-off from the service vendor, as well as the client, to show that the baseline expectations have been set and agreed upon, but it is not always subject to the same legal review as an MSA or an SOW.
• Cloud service provider approvals may also need to be added as an appendix to the RoE, if applicable.
• The RoE is established before starting a pentest.
Contracts and Documentation - Rules of Engagement [1]
RoE components and their descriptions:
• Scope
  • More elaboration about the scope of testing as stated in the SOW.
• Testing timeline
  • A clear enumeration of the tasks that are to be performed.
  • Indicates the individuals or teams responsible for performing pen test tasks.
  • Can be used as a progress indicator and can be adjusted to account for any unexpected events.
  • Presented in a Gantt chart format.
  • E.g. three weeks, from 6 March 2023 to 26 March 2023
• Location of the testing
  • The location of the test team in relation to the client organization.
  • Remote technology to access multiple locations.
  • Amount of travel required.
  • E.g. the company's headquarters in Kuala Lumpur, Malaysia
Contracts and Documentation - Rules of Engagement [1] [2]
RoE components and their descriptions (continued):
• Time window of the testing
  • When the actual test begins, are there constraints on the days and times that the testing can be performed?
  • E.g. 9:00 am to 5:00 pm EST
• Preferred method of communication and escalation path
  • E.g. final report and weekly status update meetings.
  • Any findings, or any issue that arises, must follow the agreed communication escalation path (who to contact and how).
• The security controls that could potentially detect or prevent testing
  • E.g. intrusion prevention systems (IPSs), firewalls, data loss prevention (DLP) systems
• IP addresses or networks from which testing will originate
  • E.g. 10.10.1.0/24, 192.168.66.66, 10.20.15.123
• Applicable industry standards
  • E.g. need to adhere to PCI DSS, HIPAA, GDPR, etc.
Contracts and Documentation - Rules of Engagement [1] [2]
RoE components and their descriptions (continued):
• Types of allowed or disallowed tests
  • What is being tested, and what is not?
  • Define the acceptable actions, such as social engineering and physical security tasks.
  • If invasive attacks, such as DoS attacks, brute force and automated fuzzing, are part of the testing, are there any restrictions on their use?
  • E.g. testing only web applications (abc.org). No social engineering attacks are allowed. No SQL injection attacks are allowed in the production environment. SQL injection is only allowed in the development and staging environments at:
    • appl-dev.abc.org
    • appl2-dev.abc.org
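A small scope guard, added here as an illustration and not taken from the PenTest+ sources this deck cites: it encodes the RoE components above (in-scope hosts, the per-environment SQL injection restriction, the testing timeline, the daily time window and the agreed source networks) as data and reports which rules a planned test action would break before it is run. The RoE values are constructed from the slide examples; the RulesOfEngagement dataclass, check_action(), evaluate_plans() and sample_plans() are hypothetical names, not a standard tool's API.

```python
# Added example, not from the PenTest+ sources cited by this deck: a scope
# guard that checks a planned test action against the Rules of Engagement.
# The RoE values are constructed from the slide examples; the dataclass and
# the functions below are hypothetical names, not a standard tool's API.
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

EST = timezone(timedelta(hours=-5), "EST")  # fixed offset, runs without tzdata


@dataclass
class RulesOfEngagement:
    in_scope_hosts: set        # hosts listed in the RoE / SOW scope
    environments: dict         # host -> "production" | "development" | ...
    disallowed_tests: dict     # environment -> test types not allowed there
    globally_disallowed: set   # test types not allowed in the whole engagement
    period_start: date         # testing timeline from the RoE
    period_end: date
    window_start: time         # daily time window, expressed in window_tz
    window_end: time
    window_tz: timezone
    source_networks: list      # networks testing may originate from


def check_action(roe, target, test_type, source_ip, when):
    """Return the RoE rules a planned action would break (empty list = allowed)."""
    problems = []
    if target not in roe.in_scope_hosts:
        problems.append(f"target {target} is not in scope")
    if test_type in roe.globally_disallowed:
        problems.append(f"{test_type} is not allowed in this engagement")
    env = roe.environments.get(target)
    if env and test_type in roe.disallowed_tests.get(env, set()):
        problems.append(f"{test_type} is not allowed in the {env} environment")
    src = ip_address(source_ip)
    if not any(src in ip_network(net) for net in roe.source_networks):
        problems.append(f"source {source_ip} is not an agreed testing origin")
    local = when.astimezone(roe.window_tz)  # compare in the RoE's own time zone
    if not (roe.period_start <= local.date() <= roe.period_end):
        problems.append(f"{local.date()} is outside the testing timeline")
    if not (roe.window_start <= local.time() <= roe.window_end):
        problems.append(f"{local:%H:%M %Z} is outside the daily test window")
    return problems


def evaluate_plans(roe, plans):
    """Check a list of (target, test_type, source_ip, when) tuples; one result per plan."""
    return [check_action(roe, *plan) for plan in plans]


# Constructed RoE mirroring the slide examples (abc.org targets, 6-26 March
# 2023 timeline, 9:00-17:00 EST window, 10.10.1.0/24 and two single hosts).
SAMPLE_ROE = RulesOfEngagement(
    in_scope_hosts={"abc.org", "appl-dev.abc.org", "appl2-dev.abc.org"},
    environments={"abc.org": "production", "appl-dev.abc.org": "development",
                  "appl2-dev.abc.org": "development"},
    disallowed_tests={"production": {"sql_injection"}},
    globally_disallowed={"social_engineering"},
    period_start=date(2023, 3, 6), period_end=date(2023, 3, 26),
    window_start=time(9, 0), window_end=time(17, 0), window_tz=EST,
    source_networks=["10.10.1.0/24", "192.168.66.66/32", "10.20.15.123/32"],
)


def sample_plans():
    """Constructed planned actions: the first is within the RoE, each of the rest breaks it."""
    return [
        ("appl-dev.abc.org", "sql_injection", "10.10.1.7", datetime(2023, 3, 8, 10, 30, tzinfo=EST)),
        ("abc.org", "sql_injection", "10.10.1.7", datetime(2023, 3, 8, 10, 30, tzinfo=EST)),
        ("abc.org", "social_engineering", "192.168.66.66", datetime(2023, 3, 8, 10, 30, tzinfo=EST)),
        ("mail.abc.org", "port_scan", "172.16.0.9", datetime(2023, 3, 28, 20, 0, tzinfo=EST)),
    ]


if __name__ == "__main__":
    for plan, verdict in zip(sample_plans(), evaluate_plans(SAMPLE_ROE, sample_plans())):
        print(f"{plan[1]} -> {plan[0]}: {'; '.join(verdict) or 'allowed'}")
```

Run as a pre-flight check over the day's planned actions; the fourth sample plan shows that one action can break several RoE rules at once (out of scope, wrong origin, outside the timeline and outside the window).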
Contracts and Documentation [2]
Contract type and description:
• Permission to test:
  • Documents that grant permission to test must be signed by someone with authority over the assets being tested.
  • The authority must be legally able to bless the terms of testing on behalf of the asset owners in all contracts and documentation.
  • Set clear expectations that pen testers are not held liable for system instability or crashes and that the tester will perform due diligence to avoid damage to systems as part of testing.
  • Pentesters also have to do their part to ensure all approvals are obtained from the right authority.
Scoping and Requirements [1]
• One of the most important elements of the pre-engagement
tasks with any penetration testing engagement.
• Carefully identify and document all systems, applications,
and networks that will be tested, but also determine any
specific requirements and qualifications needed to perform
the test.
• Must include what types of networks and assets will be
tested.
• Can include whether using unknown-environment testing or
known-environment testing
• The scope is clearly documented in the SOW.
Scoping and Requirements [1]
Scope Creep
• Scope creep is a project management term that refers to the uncontrolled growth of a project's scope.
• Scope creep can put a company out of business.
• You might encounter scope creep in the following situations:
  • When there is poor change management in the penetration testing engagement.
  • When there is ineffective identification of what technical and non-technical elements will be required for the penetration test.
  • When there is poor communication among stakeholders, including your client and your own team.
Scoping and Requirements [1]
Scope Creep
• If a client is satisfied with the work the pentester is doing, the client may request additional testing or technical work. To avoid scope creep, change management and clear communication are crucial. If both parties agree, a new SOW should be signed.
Communication Planning [2]
• Communication is an important part of ensuring a successful pentest.
• The communication plan should cover when a pentester should communicate, what a pentester should communicate, to whom the pentester should communicate, and how it should be communicated.
• It may include on-call numbers for testing that occurs outside of normal business hours, escalation phone numbers for emergencies, and direct contact information for client stakeholders and pentesters, to be shared with both parties.
Communication Planning [2]
Communication Paths
• A communication escalation path will need to be properly defined in the RoE to help remedy issues that may arise during testing.
• An escalation path defines a chain of command and helps resolve and manage conflict.
• In the event a critical service or system goes down during testing, the pentest team will already know whom in the chain of command to call to report what happened.
• Possible impacts if the communication escalation path is missing from the RoE, or does not indicate the right person to address issues during penetration testing:
  • More time taken to find the right person to seek advice, guidance or approval
  • Impact on business operations, which may lead to business loss
Communication Planning [2]
Communication Triggers
• Important indicators of when the pentester (or pentest team) should reach out to the customer:
  • Critical findings
    • Publicly exploitable vulnerability outside the firewall that anyone on the Internet can exploit
    • Malware, malicious binaries and services running on servers
    • Local accounts to access servers that were not created by pentesters or clients
  • Completing certain stages (testing activities or milestones) in the engagement
  • Embarking upon a potentially risky test (e.g. SQL injection against a production web application)
  • Possible indicators of prior compromise
  • Anything else that results in the need for goal adjustment
Support Resources [1]
The goal of a pen test plan is to clearly define the parameters of the pen test engagement.
Establishing what resources will be made available to the testing team and what requirements are expected from the testing team is integral in defining these parameters.
Support resources and their descriptions:
1. Application Programming Interface (API) documentation:
  • SOAP (Simple Object Access Protocol) project files: An API standard that relies on XML and related schemas. XML-based specifications are governed by XML Schema Definition (XSD) documents.
  • OpenAPI documentation (formerly Swagger documentation): A modern framework of API documentation and development for REST APIs that is now the basis of the OpenAPI specification (OAS).
  • WSDL (Web Services Description Language) documents: WSDL is an XML-based language that is used to document the functionality of a web service.
  • WADL (Web Application Description Language): WADL is an XML-based language for describing web applications.
Support Resources [1]
Support resources and their descriptions (continued):
2. SDK (Software Development Kit) for specific applications: Documentation for a collection of development tools that support the creation of applications for a certain platform.
3. Source code access: Access to the source code of applications to be tested, if allowed by the organization.
4. Examples of application requests: May be able to reveal context by using web application testing tools such as proxies like Burp Suite and the OWASP Zed Attack Proxy (ZAP).
5. System and network architectural diagrams: A visual representation of an application's system and network architecture can reveal points of weakness in the app's construction, while network maps can help identify those hosts that might be good potential access points.
Budget [1]
• Budget and return on investment (ROI) are discussed between the client and the tester in penetration testing.
• Client’s questions:
• How do I explain the overall cost of penetration testing to
my boss?
• Why do we need penetration testing if we have all the
security technical and nontechnical controls in place?
• How do I build in penetration testing as a success factor?
• Can I do it myself?
• How do I calculate the ROI for the penetration testing
engagement?
Budget [1]
• Tester’s questions:
• How do I account for all items of the penetration testing
engagement to avoid going over budget?
• How do I do pricing?
• How can I clearly show ROI to my client?
Disclaimers [1]
• It is advisable to add disclaimers to the pre-engagement documentation and final report to protect the parties involved in the engagement.
• Examples of disclaimers:
  • A point-in-time assessment clause might be included in the plan.
  • No software, hardware or technology is immune to security vulnerabilities, no matter how much security testing is conducted, as cybersecurity threats are always changing and new vulnerabilities are discovered daily.
  • The penetration testing report is intended to provide documentation; the client will determine the best way to remediate any vulnerabilities.
  • The penetration testing report cannot and does not protect against personal or business loss as a result of use of the applications or systems described therein.
  • No warranties, representations, or legal certifications are made concerning the applications or systems that were or will be tested.
Technical Constraints [1]
Examples of technical constraints faced during a pen test engagement:
• Areas and technologies that cannot be tested due to operational limitations:
  • A legacy server is considered too fragile to withstand denial-of-service or buffer overflow attacks.
  • Concern about disrupting a production database if SQL injection attacks are launched.
  • Attacking a website hosted by a third party might be too disruptive to the provider's other customers.
• Limitation of skill sets
• Limitation of known exploits
Professionalism and Integrity [1]
• Many scenarios in which an ethical hacker (penetration tester) should demonstrate professionalism and integrity (1/3):
  • Background checks of penetration testing teams
    • A client may require pen test teams to undergo careful background checks, depending on the environment and engagement.
  • Adherence to the specific scope of engagement
    • Pentesters must adhere to the scope of the “allow list” – a list of applications, systems, or networks that are in scope.
  • Identification of criminal activity and immediate reporting of breaches/criminal activities
Professionalism and Integrity [1]
• Many scenarios in which an ethical hacker (penetration tester) should demonstrate professionalism and integrity (2/3):
  • Limiting the use of tools to a particular engagement
    • Some tools may bring down the network or may not be permitted for legal reasons.
  • Limiting invasiveness based on scope
    • Some tools and attacks could be detrimental and extremely disruptive to the client's systems and mission.
  • Confidentiality of data/information
    • The data/information found during penetration testing must be kept confidential at all costs.
Professionalism and Integrity [1] [2]
• Many scenarios in which an ethical hacker (penetration tester) should demonstrate professionalism and integrity (3/3):
  • Risks to the professional
    • If a pen tester does not adhere to best practices, he or she may be subject to various fines and/or criminal charges.
    • Companies or individuals conducting professional penetration testing often have at least general business liability insurance.
    • Some companies still take action against the companies conducting professional penetration testing, as they may not understand the short lifecycle of the validity of a penetration test result.
Reference
[1] Omar Santos. 2022. CompTIA PenTest+ PT0-002. Pearson IT Certification.
[2] Ray Nutting. 2022. CompTIA PenTest+ Certification All-in-One Exam Guide (Exam PT0-002), 2nd Edition. McGraw-Hill Education.
