CompTIA Pentest+ Certification For Dummies. Glen E. Clarke
Read the book CompTIA Pentest+ Certification For Dummies - Glen E. Clarke online, page 28

Title: CompTIA Pentest+ Certification For Dummies

Author: Glen E. Clarke

Publisher: John Wiley & Sons Limited

Genre: Educational literature

ISBN: 9781119867296

      is processing credit cards, the organization must be compliant with PCI DSS by following the objectives and requirements set by PCI DSS. (You can view the Requirements and Security Assessment Procedures document at https://www.pcisecuritystandards.org/document_library.)

      Validate scope of engagement

      Before moving out of the planning and scoping phase, it is important to validate the scope of the engagement with the customer. The following key tasks help validate the scope of the engagement:

       Question the client and review contracts: Before moving to the information gathering phase, be sure you review the scope of the assessment with the client and review the signed contracts.

       Time management: Review the timeline of the penetration test and the times of day during which you are allowed to perform testing. Customers may require that the pentest be performed during business hours so that someone is available to handle any incidents that may arise (such as a system crash). At each step of the way, verify your timeline to ensure the project is on track.

      Maintaining professionalism and integrity

      Maintaining professionalism and integrity is critical to the success of any company performing a penetration test, and to the pentesters themselves. For a penetration test to be successful, you should follow these guidelines to maintain professionalism and integrity:

       Perform background checks of the penetration testing team. Ensure you perform background checks and criminal records checks on all members of the penetration testing team.

       Adhere to the specific scope of engagement. Ensure the scope of the engagement is followed at all times. It is important to monitor adherence to the scope throughout the penetration test.

       Identify criminal activity. During a penetration test always keep a close eye out for any criminal activity against the target.

       Report breaches and/or criminal activity immediately. If you notice a prior security breach on a target or any criminal activity against a target, pause the penetration test and immediately report the evidence of a prior compromise or criminal activity to the client.

       Limit the use of tools to a particular engagement. Limit the tools used during a penetration test to those that are appropriate to the scope of the test. For example, if the RoE states that there should be no DoS attacks against systems, then ensure that none of the tools are DoS tools.

       Limit invasiveness based on scope. Remember to limit the type of testing to testing that matches the scope of the engagement.

       Maintain confidentiality of data and information. Always maintain confidentiality of the penetration test including data and information found and the results of the penetration test.

      For the exam: For the PenTest+ certification exam, remember that if you see evidence of a prior compromise or criminal activity, you should pause the penetration test and report the evidence to the client.

      Risks to the professional

      It is important to know that when you perform a penetration test, there are risks involved to the penetration tester:

       Fees/fines: If you do not follow the scope of the engagement or the RoE, you may find yourself in a legal battle and may end up paying fines and fees based on the damage done.

       Criminal charges: Hacking into systems without proper authorization is illegal. This includes penetration testing. If you do not get permission from an authorized individual, such as the owner of the asset, you could find that criminal charges are laid against you.

      For the exam: For the PenTest+ certification exam, you are expected to understand the risks involved with being a penetration tester. Be sure to know those for the exam!

      This chapter highlights a number of important points to remember when planning and scoping the penetration test. Following is a quick review of some of the key points from this chapter:

       Ensure you receive written authorization to perform the penetration test by a signing authority for the company.

       Know the different types of contracts you may encounter, such as a SOW, NDA, and MSA.

       Ensure you include a disclaimer in the contract with the customer that states the risk of performing a penetration test. It is possible that the tools used could crash a system or network and cause downtime with the company asset.

       Ensure you have a clear scope for the penetration test. Include the target IP addresses (both internal and external), a list of the wired and wireless networks and applications to test, and determine whether social engineering is to be performed and whether you are performing an assessment of physical security.

       Clearly define the communication path to follow when performing the assessment. Who is the pentest team allowed to communicate the details of the pentest with? Also, be clear that additional assets discovered during the assessment may increase the time and cost of the assessment if the newly discovered asset is to be evaluated as well.

       If the organization is performing the assessment for compliance reasons, read up on the requirements of the compliance-based assessment to ensure you follow all goals and requirements.

      1. What type of contract outlines the requirements of confidentiality between the two parties and the work being performed?

      (A) SOW

      (B) NDA

      (C) MSA

      (D) SLA

      2. Bob is performing a penetration test for Company XYZ. During the planning and scoping phase, the company identified two web servers as targets for the penetration test. While scanning the network, Bob identified a third web server. When discussing this new finding with the customer, the customer states that the third server runs critical web applications and needs to be assessed as well. What is this an example of?

      (A) Statement of work

      (B) Master service agreement

      (C) Disclaimer

      (D) Scope creep

      3. You are drafting the agreement for the penetration test and working on the disclaimer section. What two key points should be covered by the disclaimer? (Choose two.)

      (A)