CompTIA Pentest+ Certification For Dummies. Glen E. Clarke

Чтение книги онлайн.

СКАЧАТЬ is illegal to hack into systems without proper authorization from the owner of the asset being compromised. As a penetration tester, you have to remember this. Before any pentest can start, you must first get written permission in the form of a signed contract from the customer in order to conduct the work. Once the contract is signed, you then schedule a planning and scoping meeting with the customer so that you can identify the goals for the penetration test, identify what should be tested, and understand how far the testing should go.

       The planning and scoping phase of the penetration testing process is also known as the pre-engagement phase. In this phase you want to be sure to get authorization that allows the organization’s systems to be tested and compromised.

      It is important to understand that often this authorization cannot come from an office manager, IT manager, or local network administrator, as they are not the owners of the assets being tested. It is critical you get authorization from the owners of the assets, such as the company owner, or from a member of upper-level management who has signing authority.

       If some of the company resources are being hosted by a third-party company, you must get authorization from that third party as well. For example, if the company’s website is hosted on its ISP’s web server, or the ISP hosts the domain name system (DNS) service for the company, it is important to get authorization from the ISP if you are going to perform penetration testing on those resources. If you do not get authorization to perform the penetration test on those systems, you must ensure they are not in the scope of the penetration test.

      In addition, virtualization technology in the cloud has become a huge resource for companies to leverage, as it allows a company to get high availability and access to resources from anywhere. During pre-engagement activities and discussions, verify if there are any resources that are in the cloud, because you will need to get authorization from the cloud provider to perform a pentest on the cloud resources.

       For the PenTest+ certification exam, remember that you must obtain a signature from a proper signing authority to perform the penetration test. Also remember to check if any resources are hosted by third parties such as an ISP or cloud provider because you will need third-party provider authorization to test those resources.

      Contracts and agreements

Before starting the penetration test and typically before you start scoping out the project, you need to take care of the legal concepts by ensuring the correct contracts are in place. You will receive a signed contract that is essentially hiring you for the pentest service. These contracts are designed to protect the contractor from liability if something goes wrong with the penetration test, and protect the customer from sensitive data leakage on the part of the contractor.

      The CompTIA PenTest+ certification exam refers to the following types of contracts and agreements:

       SLA: A service-level agreement (SLA) is a contract between a service provider and the customer as to the expected level of service that should be received. The level of service could be measured in bandwidth, uptime, or quality of service expected.

       Confidentiality: A confidentiality agreement is an agreement to keep details private between the two parties. The confidentiality agreement identifies information that should be kept private to the two parties involved and for how long the information is to be kept private. As it relates to penetration testing, the customer may have the pentester sign a confidentiality agreement that indicates the pentester is not to disclose information about the customer’s environment and the results of the penetration test to anyone. A confidentiality agreement is also known as a non-disclosure agreement (NDA).

       SOW: A statement of work (SOW) is a contract created by the penetration testing company that specifies the type of work its pentesters are providing, the timeline for performing the work, the cost of the work, the payment schedule, and any terms and conditions covering the work.

       MSA: A master service agreement (MSA) is a useful contract if you are performing repeat work for a company. The MSA acts as a standard boiler plate contract for the business relationship between the contractor and customer saving time when repeat work is needed from the contractor. With the MSA, you can define the terms of the work in the MSA and then refer to that from the SOW for each reoccurring engagement. Examples of terms in the MSA include payment terms, working conditions, remediation processes, and ownership of intellectual property.

       NDA: A non-disclosure agreement (NDA) is a common document outlining the importance of confidentiality in regard to the relationship of the two parties and the work performed. It identifies what information should be kept confidential and how confidential information should be handled. The NDA is created by the customer and given to the contractor to sign. The NDA is designed to protect the confidentiality of sensitive information that the contractor may come across while doing the penetration test.

       For the PenTest+ certification exam, be familiar with the different types of contracts and agreements, and know that they are usually signed before the scoping discussion.

      Disclaimers

      During the pre-engagement discussions and in the SOW, it is important to include two disclaimers that outline two important points about the penetration test.

      First, you should have a disclaimer that states that the penetration test is a point-in-time assessment — meaning you have tested against known vulnerabilities and exploits as of the current date. As time goes on and new software and systems are installed on the network, your assessment would not have tested those new items.

      Second, you should have a disclaimer that indicates that the comprehensiveness of the penetration test is based on the types of tests authorized by the customer and the known vulnerabilities at the time. For example, if the customer requests that no denial of service (DoS) attacks are performed (which is common), your penetration test would not have tested how the company stands up against a DoS attack. This disclaimer will help protect you if the customer is hit with a DoS attack after the penetration test is performed.

       Your agreement should also make it clear that a penetration test uses hacking tools that a hacker would use, and although you have tested these tools, it is possible that they could have unpredictable results due to the additional software installed on the systems or the configuration of the systems. Unpredictable results in this case is referring to the fact that it is possible that the target systems could crash and be unavailable. For example, I have heard cases where performing a vulnerability scan of the network caused the print servers to drop off the network. This is not something that happens all the time, but the point is that different products from different vendors respond differently to the scanning and attack tools. One way to help prevent disruption on the network is to perform the penetration test on virtual machines within a test environment that are copies of the production systems.

       Ensure you have a disclaimer in the agreement that specifies that the pentest is a point-in-time assessment and that the comprehensiveness is based on the scope of the assessment.

СКАЧАТЬ