
Penetration Testing Rules of Engagement

Overview:

Security assessment needs vary from agency to agency. The XSECURITY Penetration Testing Team (XSECURITY) offers several services that can assist COMPANY X in securing their information technology assets. Each of these services requires some degree of support from COMPANY X (system information, access to agency personnel or facilities, system/network connections, etc.). Penetration testing tools and techniques can be invasive, however, so there needs to be a clear level of understanding of what an assessment entails, what support is required for assessments, and what potential effect each type of assessment may have.
Use of Tools

The penetration testing activities performed by the XSECURITY Penetration Testing Team include scanning network assets with specific penetration testing tools. These tools check system configurations, default settings, security settings/updates, network and workstation services, open ports, and other specific vulnerabilities that might be utilized by intruders or unauthorized staff to undermine or bypass the security of an agency's network. They do not access user files, data files, or other personal/confidential files, only network/workstation files associated with system configurations and security. The XSECURITY does perform "penetration testing", that is, testing how deep into your network an intruder can go, retrieve confidential information, or change system configurations. Our scans determine what vulnerabilities exist within the agency network with fully exploiting those vulnerabilities. The purpose of network penetration testing is to enable system administrators to better protect systems and ensure the quality of service.
Required Support from Company X

COMPANY X selects the penetration testing service, or combination of services, that best meets their needs. While there is some analytical and methodological overlap in some penetration testing services, there is significant difference between others. COMPANY X support will therefore vary depending on the combination of services selected. In all cases, however, we will need a signed document giving us authorization to perform the selected penetration testing.

Internal penetration testing: Since this is performed onsite, the client needs to provide network connections (IP address, subnet mask, default gateway, preferred DNS server) and accounts for the scanning machines. Specific network information, such as IP range, types of devices, and network services, is also required.

External penetration testing: The client must provide specific network information including IP ranges, device types and services.

Modem Sweep: The client must provide a list of phone/fax/modem numbers to test.

Password Assessment: Copies of the appropriate password files will be required in order to assess password strength.

Physical Assessment: The client must provide information regarding physical assets to protect, current agency security policies and procedures, and arrange access to the facility for the team.

Corporate Security Culture Assessment: The XSECURITY Penetration Testing Team will need the client's location and permission to enter the premises unannounced. This assessment is best done without prior knowledge by the client's staff.
Potential Impact or Effect

With regard to Internal and External penetration testing, all the tools used by the XSECURITY are obtained from trusted sources. These tools are designed to discover vulnerabilities and not to undermine the system they are assessing. The only disruption to a network might be a temporary denial of service through port scanning, but this is very unlikely. (In fact, we have never caused a denial of service on any machine without giving ample warning.)

A Password Assessment requires only a few minutes of the network administrator's time and does not involve the network itself. Furthermore, we only use a copy of the files to reduce the impact on system resources and lessen the possibility of harming the system. The assessment tools used are from trusted sources as well.

A Modem Sweep is generally performed at night or on the weekend when the staff is out of the office. To be most effective, however, the sweep should be done during normal office hours, since unauthorized modems will not be found when a host machine is turned off (at night or on weekends). The impact from a Modem Sweep is only a temporary inconvenience for staff members who answer their phone. Even so, the dialer program imitates fax tones to disguise the phone sweep.

A Physical Assessment will at worst be a minor disruption for a client's staff, similar to having non-employees visiting the office.

The Corporate Security Culture Assessment entails observing the security awareness of agency personnel. This necessitates having XSECURITY members enter the client's location in an inconspicuous way. Little disruption of normal work can be expected.

XSECURITY Consideration Checklist (answer YES or NO for each description)

1. Has the XSECURITY taken reasonable precautions to ensure that its own employees or the staff of any subcontractor will not take advantage of the opportunity afforded them by the testing assignment to later initiate an unsanctioned attack against the client?

2. Is the XSECURITY acceptable to the organization's insurance underwriter (if any)?

3. Does the XSECURITY agree to be bound by clearly defined (and documented) terms of engagement?

4. Does the XSECURITY provide any kind of compensation if they, as a result of their testing activities, significantly disrupt the normal operation of the system being tested?

5. Does the XSECURITY provide any kind of compensation (or guarantee) if they fail to detect a security hole that is later successfully exploited by an intruder?

6. Does the contract with the XSECURITY specify what types of tests will be conducted? Examples would be ping sweeps, port scans, simulated distributed denial-of-service attacks, file share scans, application source code reviews, submitting system commands via application input data, and so on.

7. Does the contract with the XSECURITY specify whether the XSECURITY will include recommendations on how to fix any detected vulnerability?

8. Does the XSECURITY also offer a consulting service for implementing any recommendations they might make?

9. Is the XSECURITY willing to divulge what testing tools (and versions) they will use to conduct their tests?

10. Does the contract specify what head-start information (if any) will be provided to the XSECURITY prior to commencement of the assessment? Examples include a complete list of network addresses used by the target site, specific version numbers of the system software installed on the target site, or a list of services running on the servers located closest to the perimeter firewall.

11. Does the contract with the XSECURITY specify the duration of the testing effort and under what circumstances testing may be terminated, suspended, or extended?

12. If the testing is to be done remotely, have additional tests been scheduled that will test the security of the Web site from an internal attacker?
