Read the book CompTIA PenTest+ Certification For Dummies - Glen E. Clarke - Page 58
Confidentiality of findings
A key point to discuss is the confidentiality of the updates given and the results of the penetration test. Determine with the customer which persons are authorized to receive updates on the progress of the penetration test, who to go to in case of emergency, and who should receive the penetration test results (the report). Be clear that you will be unable to communicate details of the penetration test to anyone not on this authorized list.
You should also set up a secure communication channel so that all communications in regard to the penetration test are encrypted. This includes the actual report file. Be sure that the report file is encrypted so that unauthorized persons cannot view it. You could use the Secure Shell protocol (SSH) for secure file transfers, or a tool like GNU Privacy Guard for Windows (Gpg4win) to encrypt files and email messages. You can download the latest version of Gpg4win from www.gpg4win.org. Figure 2-1 shows how you can encrypt a file with Gpg4win on a Windows system.
FIGURE 2-1: Encrypting a file in Windows Explorer with Gpg4win.
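The same encryption step done from a script rather than through Windows Explorer, as an added example that is not from the book: it calls the gpg.exe that Gpg4win installs and encrypts the report only to the agreed list of authorized recipients. The report path, the recipient addresses and the keyring check are assumptions for illustration.

```powershell
# Added example (not from the book): encrypt a pentest report with Gpg4win's gpg.exe
# so that only the authorized distribution list agreed with the customer can open it.
# Assumptions: Gpg4win is installed and gpg.exe is on PATH; each recipient's public
# key has already been imported, its fingerprint verified out-of-band, and marked
# trusted (gpg refuses to encrypt to an unverified key in --batch mode).

$ReportPath = 'C:\Engagements\Customer\PenTest-Report.pdf'   # placeholder path
$OutputPath = "$ReportPath.gpg"
# The authorized distribution list agreed during scoping (placeholder addresses).
$AuthorizedRecipients = @('ciso@customer.example', 'it-lead@customer.example')

if (-not (Get-Command gpg -ErrorAction SilentlyContinue)) {
    throw 'gpg.exe not found; install Gpg4win and make sure it is on PATH.'
}

# Stop if any authorized recipient has no public key in the keyring: a missing key
# would silently shrink the audience of the report instead of failing loudly.
foreach ($r in $AuthorizedRecipients) {
    & gpg --batch --list-keys --with-colons $r 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "No public key in keyring for authorized recipient $r" }
}

# One --recipient argument per person; gpg wraps the session key once for each.
$recipientArgs = $AuthorizedRecipients | ForEach-Object { @('--recipient', $_) }

& gpg --batch --yes --encrypt @recipientArgs --output $OutputPath $ReportPath
if ($LASTEXITCODE -ne 0) { throw 'Encryption failed; the report was not written.' }

# Sanity check on the ciphertext: there must be exactly one public-key encryption
# packet per authorized recipient, no more (nobody extra) and no fewer (nobody missing).
$packets = & gpg --batch --list-packets $OutputPath 2>$null
$encPackets = @($packets | Select-String -Pattern '^:pubkey enc packet:')
if ($encPackets.Count -ne $AuthorizedRecipients.Count) {
    throw "Expected $($AuthorizedRecipients.Count) recipient packets, found $($encPackets.Count)"
}

Write-Output "Encrypted report written to $OutputPath for: $($AuthorizedRecipients -join ', ')"
```

Send only the .gpg file over the agreed channel and keep the plaintext report off shared drives and mailboxes.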
Remember to encrypt the penetration testing report and all communication with the customer that pertains to the penetration testing report.