Read the book CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Page 77
Verifying Acceptance to Risk
Earlier in this chapter, I discuss the importance of including a disclaimer in the SOW, and I want to stress again that as the penetration tester, you need to make the risk of performing a penetration test clear to the customer (in discussion and in the contract). Make sure the customer accepts those risks before starting the penetration test, as risk acceptance is critical to protecting yourself from legal action.
Some key points to communicate with the customer in relation to the acceptance of risk of the penetration test are:
Tools are used to try to compromise the security of the company’s systems.
Although you have tested the tools and are using tools that have not crashed your test systems, the tools could have unpredictable results in different environments due to different software and configurations that you may not have had in your test environment.
Stress that although you will not try to crash systems, the risk is there that systems may crash.
Verify that the customer has recent backups of the systems being assessed.
It is also important to verify the customer’s tolerance to the impact the assessment will have on the company’s systems. Here are some questions you can ask to verify the customer’s acceptance of the impact of the assessment:
Is the customer aware of and okay with the fact that you are hacking into the company’s systems when performing the penetration test?
Does the customer accept that the system may fail if you run exploits against the system? If the customer is not willing to accept the crashing of a system, you may want to do a vulnerability assessment instead of a penetration test. The vulnerability assessment will review the configuration of the systems and run a vulnerability scan to determine how exposed the system is, but not actually try to hack the system.
If a system fails due to the penetration test, how long will it take to recover a failed system?
How long can the business survive without the asset or system in question? How much downtime is the customer willing to accept if it does occur?
Ensure the customer understands the risks of having a penetration test performed. It is possible that a pentest could crash a system or network and cause it to be offline for some time.