CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Page 62
Identifying the Rules of Engagement (RoE)
As part of the planning and scoping phase of the CompTIA penetration testing process, it is important to define the rules of engagement (RoE) for the penetration test. The “rules of engagement” refer to any restrictions on, and details of, how the customer wants the penetration test performed. Following are some points covered by the rules of engagement:
The timeline for the penetration test: Determine the start date and the end date of the penetration test, with a schedule for each task and phase to be performed.
When testing is to be performed (time of day): Define the hours of the day during which testing is permitted. This could be during work hours, outside work hours, or on weekends.
Types of allowed and disallowed tests: Ensure that the RoE specifies which types of tests are allowed during the penetration test and which are not. For example, many companies would not want a DoS attack to be performed during a penetration test, so a DoS attack should be added to the RoE as a disallowed test.
What to test (locations, targets, services, and applications): Identify what resources or targets will be tested. This includes the office locations, target systems, target services and applications, and the accounts to be targeted.
How the results should be reported: The details and results of the penetration test, such as the vulnerabilities associated with each system, are highly sensitive. Define which methods of communication are acceptable for delivering the pentest details and results. Communication should be encrypted, whether it is sent via email or on a disk.
Who should contact the pentest team: Define who is allowed to communicate with the pentest team during the penetration test.
How frequently updates should be communicated: Define who the pentest team is to go to with updates on the progress of the penetration test and how often updates should be communicated.
Authorization to perform the pentest: Verify that you have signed authorization to perform the penetration test.
Legal considerations with third parties: Verify whether any of the systems or services are hosted by a third party such as an ISP or cloud provider. If a third party is used to host services, verify that you have authorization from the third party to perform the pentest.
Security controls that could shun the pentest: Verify whether the pentest team can expect to be blocked or shunned by security controls such as firewalls, intrusion prevention systems, and blacklisting on the network. These controls can limit the pentest and increase the time needed to perform it.
Whether security controls should be tested: Discuss whether you should be testing the effectiveness of the security controls in place. For example, should you report on whether the company security team was able to detect and respond to information gathering, footprinting attempts, scanning and enumeration, and attacks on systems?