For the PenTest+ certification exam, remember that you must obtain a signature from a proper signing authority to perform the penetration test. Also remember to check if any resources are hosted by third parties such as an ISP or cloud provider because you will need third-party provider authorization to test those resources.
Contracts and agreements
Before starting the penetration test and typically before you start scoping out the project, you need to take care of the legal concepts by ensuring the correct contracts are in place. You will receive a signed contract that is essentially hiring you for the pentest service. These contracts are designed to protect the contractor from liability if something goes wrong with the penetration test, and protect the customer from sensitive data leakage on the part of the contractor.
The CompTIA PenTest+ certification exam refers to the following types of contracts and agreements:
SLA: A service-level agreement (SLA) is a contract between a service provider and the customer as to the expected level of service that should be received. The level of service could be measured in bandwidth, uptime, or quality of service expected.
Confidentiality: A confidentiality agreement is an agreement to keep details private between the two parties. The confidentiality agreement identifies information that should be kept private to the two parties involved and for how long the information is to be kept private. As it relates to penetration testing, the customer may have the pentester sign a confidentiality agreement that indicates the pentester is not to disclose information about the customer’s environment and the results of the penetration test to anyone. A confidentiality agreement is also known as a non-disclosure agreement (NDA).
SOW: A statement of work (SOW) is a contract created by the penetration testing company that specifies the type of work its pentesters are providing, the timeline for performing the work, the cost of the work, the payment schedule, and any terms and conditions covering the work.
MSA: A master service agreement (MSA) is a useful contract if you are performing repeat work for a company. The MSA acts as a standard boiler plate contract for the business relationship between the contractor and customer saving time when repeat work is needed from the contractor. With the MSA, you can define the terms of the work in the MSA and then refer to that from the SOW for each reoccurring engagement. Examples of terms in the MSA include payment terms, working conditions, remediation processes, and ownership of intellectual property.
NDA: A non-disclosure agreement (NDA) is a common document outlining the importance of confidentiality in regard to the relationship of the two parties and the work performed. It identifies what information should be kept confidential and how confidential information should be handled. The NDA is created by the customer and given to the contractor to sign. The NDA is designed to protect the confidentiality of sensitive information that the contractor may come across while doing the penetration test.
Disclaimers
During the pre-engagement discussions and in the SOW, it is important to include two disclaimers that outline two important points about the penetration test.
First, you should have a disclaimer that states that the penetration test is a point-in-time assessment — meaning you have tested against known vulnerabilities and exploits as of the current date. As time goes on and new software and systems are installed on the network, your assessment would not have tested those new items.
Second, you should have a disclaimer that indicates that the comprehensiveness of the penetration test is based on the types of tests authorized by the customer and the known vulnerabilities at the time. For example, if the customer requests that no denial of service (DoS) attacks are performed (which is common), your penetration test would not have tested how the company stands up against a DoS attack. This disclaimer will help protect you if the customer is hit with a DoS attack after the penetration test is performed.
Scoping the Project
During the pre-engagement activities, it is important to have an initial meeting with the customer that allows you to discuss the scope of the project and get an understanding of what the customer’s goals are for the penetration test.
When preparing for the initial meeting with the customer, you should plan out scoping questions that will help you understand the magnitude of the project. Some common questions to ask when determining the scope of the pentest are:
What is the goal of the penetration test? (Why is it being done?)
Is the penetration test going to test internal systems, external systems, or both?
What are the Internet Protocol (IP) ranges of the internal and external systems that are being tested?
What are the internal and external domain names of the systems to be tested?
Does the company own the systems using those IP addresses?
Are there any systems hosted by third-party companies such as an ISP or a cloud provider?
What applications and services will be tested?
What types of tests are to be performed? For example, are you testing physical security and/or social engineering, and are DoS attacks allowed?
If performing an unknown-environment (or black box) test, which is discussed in Chapter 1, the penetration tester is typically responsible for discovering target services, and some would say the target IP addresses. The important point here to remember is that you want the customer to give you the target IP addresses and domain names so that you can be sure you have proper authorization to perform testing on those systems. If it is up to the pentester to discover the IP addresses, especially external IP addresses, the tester runs the risk of performing the penetration test on an unauthorized IP address or system owned by someone else.
Target list/in-scope assets
As you scope out the penetration test, you need to determine what company assets are the in-scope assets for the penetration test. In-scope assets are targets during the penetration test. Following are examples of targets for a penetration test:
Wireless networks: Determine what wireless SSIDs are to be targeted in the penetration test.