Glen E. Clarke

CompTIA PenTest+ Certification For Dummies


Скачать книгу

rel="nofollow" href="#ulink_7b114975-47ae-589b-998e-a2ff3f291499">Planning and scoping.”

      7 C. A gray box test involves giving limited information to the tester so that the tester is more focused on specific targets during the pentest. Look over “Pentest strategies.”

      8 A. The third phase of the CompTIA penetration testing process is attacks and exploits. Study “Looking at CompTIA’s Penetration Testing Phases.”

      9 B. A script kiddie has limited technical knowledge of the details of the attack and simply runs the tools that are already created. Peek at “Threat actors and threat models.”

      10 D. The red team is the name of the penetration testing team that simulates the attacks, while the blue team tries to detect and defend against those attacks. Peek at “Types of assessments.”

      Planning and Scoping

      EXAM OBJECTIVES

       Understanding key legal concepts

       Scoping the project and identifying the rules of engagement

       Defining targets and ensuring acceptance to risk

       Scheduling and handling scope creep

      Good penetration testers know that before starting a penetration test, they must spend time with the customer scoping out the project and setting the rules of engagement. Planning and scoping is a critical phase of the pentest process, as too often penetration testers dive right into trying to compromise systems without giving any thought to the ramifications of their actions. Not planning the penetration test properly can result in crashing the customer’s systems or network (causing loss in production and revenue) and triggering intrusion detection systems. A lack of planning can also create legal problems due to a failure to obtain proper authorization to perform the penetration test.

      In this chapter, you learn the importance of planning for the penetration test by jumping into the first phase of the CompTIA penetration testing process: planning and scoping.

      The CompTIA PenTest+ certification exam is sure to have a few questions regarding the legal concepts surrounding a penetration test that come into play during the planning and scoping phase. The following sections outline the three most important concepts you should be aware of: obtaining written authorization, contract types, and the importance of disclaimers.

      Written authorization

      It is illegal to hack into systems without proper authorization from the owner of the asset being compromised. As a penetration tester, you have to remember this. Before any pentest can start, you must first get written permission in the form of a signed contract from the customer in order to conduct the work. Once the contract is signed, you then schedule a planning and scoping meeting with the customer so that you can identify the goals for the penetration test, identify what should be tested, and understand how far the testing should go.

      Remember The planning and scoping phase of the penetration testing process is also known as the pre-engagement phase. In this phase you want to be sure to get authorization that allows the organization’s systems to be tested and compromised.

      It is important to understand that often this authorization cannot come from an office manager, IT manager, or local network administrator, as they are not the owners of the assets being tested. It is critical you get authorization from the owners of the assets, such as the company owner, or from a member of upper-level management who has signing authority.

      Warning If some of the company resources are being hosted by a third-party company, you must get authorization from that third party as well. For example, if the company’s website is hosted on its ISP’s web server, or the ISP hosts the domain name system (DNS) service for the company, it is important to get authorization from the ISP if you are going to perform penetration testing on those resources. If you do not get authorization to perform the penetration test on those systems, you must ensure they are not in the scope of the penetration test.

      In addition, virtualization technology in the cloud has become a huge resource for companies to leverage, as it allows a company to get high availability and access to resources from anywhere. During pre-engagement activities and discussions, verify if there are any resources that are in the cloud, because you will need to get authorization from the cloud provider to perform a pentest on the cloud resources.

      Fortheexam For the PenTest+ certification exam, remember that you must obtain a signature from a proper signing authority to perform the penetration test. Also remember to check if any resources are hosted by third parties such as an ISP or cloud provider because you will need third-party provider authorization to test those resources.

      Contracts

      The CompTIA PenTest+ certification exam refers to three main types of contracts:

       SOW: A statement of work (SOW) is a contract created by the penetration testing company that specifies the type of work its pentesters are providing, the timeline for performing the work, the cost of the work, the payment schedule, and any terms and conditions covering the work.

       MSA: A master service agreement (MSA) is a useful contract if you are performing repeat work for a company. The MSA acts as a standard boiler plate contract for the business relationship between the contractor and customer saving time when repeat work is needed from the contractor. With the MSA, you can define the terms of the work in the MSA and then refer to that from the SOW for each reoccurring engagement. Examples of terms in the MSA include payment terms, working conditions, remediation processes, and ownership of intellectual property.

       NDA: A non-disclosure agreement (NDA) is a common document outlining the importance of confidentiality in regard to the relationship of the two parties and the work performed. It identifies what information should be kept confidential and how confidential information should be handled. The NDA is created by the customer and given to the contractor to sign. The NDA is designed to protect the confidentiality of sensitive information that the contractor may come across while doing the penetration test.

      Fortheexam For the PenTest+ certification exam, be familiar with the three different types of contracts, and know that they are usually signed before the scoping discussion.

      Disclaimers

      During the pre-engagement discussions and in the SOW, it is important to include