Penetration testing involves the use of a variety of manual and automated techniques to simulate an attack on an organization’s information security arrangements.
One of the key points when managing testers is to understand what they cannot do. An individual penetration tester – however talented – is unlikely to be an expert in all the different flavors of networks, operating systems and application software, particularly those provided by vendors.
During a goal-oriented penetration test, the environment is evaluated using techniques similar to those used by attackers in the wild. With this in mind, the rules of engagement are absolutely critical and must be followed carefully.
During the post-exploitation phase of a penetration test there is a good chance that sensitive data will be disclosed, that systems subject to government regulation will be touched, or that hard-coded passwords will be found.
Be sure to make clients aware of this, and prepare documentation that specifically details what is and what is not acceptable.
In some cases you may be able to test development environments in tandem with the production environment; if so, check specifically for password reuse between development and production.
- Work to a clear, agreed timeline for the test.
- Act in a professional, ethical manner.
- Always use encryption, and sanitize your test machine between engagements.
- Adopt a structured, systematic and repeatable process.
- Ensure that test results are generated, reported, stored, communicated and destroyed in a manner that does not put the organization at risk.
- Provide constructive, expert remediation advice.
- Maintain up-to-date knowledge of the latest threats and countermeasures, and secure sufficient time for research.
- Identify the root cause of each finding.
- Understand the business implications of technical weaknesses and exploits.
- Provide comprehensive, ongoing threat analysis by performing your own research and evaluating a wide range of threat sources, such as SANS and the OWASP Top 10.
- Consider all stages of a potential cyber attack, which typically comprise reconnaissance, development of the attack, extraction of information and exploitation of the information.
- Do not rely on a standard set of tools alone; carry out specially tailored manual tests to help detect unknown vulnerabilities.
- Evaluate the whole target environment, not just a particular system.
- Carry out full penetration tests (subject to the scope statement) rather than just running a set of automated tests with standard tools.
- Provide clear, insightful reporting, presented for both technical specialists and business representatives.
- Protect client information in a professional manner.
- Sign company and individual codes of conduct.
- Deal with complaints diligently, with agreement that any conflicts can be handled by an independent professional body.
- Handle the management aspects of test set-up.
- Quantify findings and link them to possible impacts on the business.
- Hold relevant technical capability in the various areas in which tests may be required.
- Test tools and methodologies before using them in live tests.
- Ensure individuals involved in the test are subject to security background checks before being permitted to perform testing.
- For progress, report what has been completed since the previous meeting.
- For problems, communicate to the customer any issue that will affect the overall timing of the test.
- It is critical that testing does not begin until the engagement documentation (scope and rules of engagement) is signed by the customer.
- Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pen test tasks in the location where the work is to be performed.
- All applications with multi-level user roles should be tested with every level of privilege.
- Including social engineering assessments in the penetration testing scope is recommended by the Council, as it helps determine the effectiveness of the security awareness program, although social engineering is not mandatory.
- All modifications, including configuration changes, executed against a system must be documented. After the modification has served its purpose, all settings should be returned to their original state where possible. The list of changes should be given to the client after the engagement so they can verify that all changes were properly undone. Changes that could not be returned to their original state must be clearly differentiated from changes that were successfully reversed.
- A detailed list of actions taken against compromised systems must be kept. The list should include the action taken and the time period in which it occurred. Upon completion, this list should be included as an appendix to the final report.
- Passwords (including hashed or otherwise encrypted forms) will not be included in the final report, or must be masked enough to ensure recipients of the report cannot recreate or guess the password. This safeguards the confidentiality of the users the passwords belong to, and maintains the integrity of the systems they protect.
- Any method or device used to maintain access to compromised systems and that could affect the proper operation of the system or whose removal may cause downtime may not be implemented without the prior written consent of the client.
- Any method or device which is used to maintain access to compromised systems must employ some form of user authentication such as digital certificates or login prompts. A reverse connection to a known controlled system is also acceptable.
- All data gathered by the testers must be encrypted on the systems used by the testers.
- Any information included in the report that could contain sensitive data (screenshots, tables, figures) must be sanitized or masked using techniques that render the data permanently unrecoverable by recipients of the report.
- All data gathered will be destroyed once the client has accepted the final report. Method used and proof of destruction will be provided to the client.
- Third-party services for password cracking will not be used, nor will any other type of data be shared with third parties without the client's prior consent.
- No logs should be removed, cleared or modified unless specifically authorized to do so by the client in the engagement contract/statement of work. If authorized, the logs must be backed up prior to any changes.
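The record-keeping rules above (a timestamped list of actions for the report appendix, a change list that separates reverted from non-reverted modifications for the client hand-back, and redaction of passwords and hashes from report material) are easy to enforce with a small helper kept alongside the tester's notes. The following is an added example and not code from the original page; the class and function names, the redaction patterns and the sample lines are constructed for illustration:

```python
"""
Engagement record keeping: timestamped action log, change log with revert
status, and credential redaction for report text.
Added example, not from the original page; all names and samples are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _stamp(when: datetime | None) -> datetime:
    """Explicit timestamp if given (keeps records reproducible), else UTC now."""
    return when or datetime.now(timezone.utc)


@dataclass
class Change:
    host: str
    description: str
    made_at: datetime
    reverted_at: datetime | None = None
    note: str = ""  # why a change could not be reverted, if applicable


@dataclass
class EngagementLog:
    actions: list[tuple[datetime, str, str]] = field(default_factory=list)
    changes: list[Change] = field(default_factory=list)

    def record_action(self, host: str, action: str, when: datetime | None = None) -> None:
        """Every action against a compromised host, with the time it happened."""
        self.actions.append((_stamp(when), host, action))

    def record_change(self, host: str, description: str, when: datetime | None = None) -> Change:
        """A modification (config change, added account, dropped file) that must be undone."""
        change = Change(host, description, _stamp(when))
        self.changes.append(change)
        self.record_action(host, f"CHANGE: {description}", change.made_at)
        return change

    def revert(self, change: Change, when: datetime | None = None) -> None:
        change.reverted_at = _stamp(when)
        self.record_action(change.host, f"REVERTED: {change.description}", change.reverted_at)

    def change_report(self) -> dict[str, list[str]]:
        """Hand-back list: reverted changes and, clearly separated, those that were not."""
        report: dict[str, list[str]] = {"reverted": [], "not_reverted": []}
        for c in self.changes:
            if c.reverted_at:
                report["reverted"].append(f"{c.host}: {c.description} (reverted {c.reverted_at.isoformat()})")
            else:
                reason = c.note or "no reason recorded"
                report["not_reverted"].append(f"{c.host}: {c.description} - NOT REVERTED: {reason}")
        return report

    def action_appendix(self) -> list[str]:
        """Chronological action list for the report appendix."""
        return [f"{t.isoformat()} {host} {action}" for t, host, action in sorted(self.actions)]


REDACTED = "[REDACTED]"

# Crypt-style hashes are handled before the bare-hex rule so a hash is never partially eaten.
_SECRET_PATTERNS = [
    # key=value / key: value credentials in command output or config dumps (keeps the key)
    (re.compile(r"(?i)(password|passwd|pwd|secret)(\s*[:=]\s*)\S+"), lambda m: m.group(1) + m.group(2) + REDACTED),
    # modular crypt format: md5crypt $1$, sha256crypt $5$, sha512crypt $6$, bcrypt $2a/b/y$, yescrypt $y$
    (re.compile(r"\$(?:1|5|6|2[aby]|y)\$[^\s:]+"), lambda m: REDACTED),
    # bare 32-hex values: LM/NT hashes in secretsdump-style output, MD5 digests
    (re.compile(r"\b[0-9a-fA-F]{32}\b"), lambda m: REDACTED),
]


def sanitize_report_text(text: str) -> str:
    """Replace credentials with a fixed marker so the report never carries a password, even hashed.

    A fixed-width marker is used rather than partial masking ("Su*******!"): partial
    masking leaks length and structure, which is enough to guess weak passwords.
    """
    for pattern, repl in _SECRET_PATTERNS:
        text = pattern.sub(repl, text)
    return text


def demo() -> tuple[dict[str, list[str]], list[str], list[str]]:
    """Constructed sample engagement: two changes, one reverted, plus raw note lines to sanitize."""
    log = EngagementLog()
    t = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    added_user = log.record_change("web01", "created local admin 'pt_svc'", t)
    xp = log.record_change("db01", "enabled xp_cmdshell", t.replace(hour=10))
    xp.note = "client requested it stay enabled until remediation is verified"
    log.revert(added_user, t.replace(hour=11))
    raw_lines = [  # constructed samples of what ends up in tester notes
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "root:$6$saltsalt$Hq7./ZzYyXx.WwVvUuTtSsRr:19000:0:99999:7:::",
        "deploy.sh: DB_PASSWORD=Summer2024! (reused on prod-db01)",
    ]
    return log.change_report(), log.action_appendix(), [sanitize_report_text(l) for l in raw_lines]


if __name__ == "__main__":
    report, appendix, clean = demo()
    print(report, *appendix, *clean, sep="\n")
```

The sanitizer is deliberately greedy: it redacts every 32-hex token and every crypt-format hash, so an MD5 checksum of a binary in a screenshot caption will be blanked too. That is the right trade-off for a client-facing report, where a false redaction costs a sentence of explanation and a missed hash violates the rule above.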
The final outcome of a penetration test should be in the form of a well-documented report which highlights:
- Scope of the test
- Limitations to the test scope
- Details about each test and each vulnerability found
- Results of the segmentation validation
- Tools used
- Actions required to clean up environment
- Final outcome of the tests
- Re-validation status along with evidence