You may need to assess the limitations placed on resources such as systems, devices, and data. For example, there may be a strict requirement that certain types of systems not be accessible from the Internet.
Limited network access: You may need to verify that the network is segmented so that a specific type of system is confined to a particular network segment. For example, under PCI DSS, the credit card processing systems must be on a separate network segment from the regular company systems.
Limited storage access: You may need to verify that the company controls access to its data and that only specified persons have access to sensitive data. Again, looking at PCI DSS, the pentester would validate that access to card data is limited and protected.
It is important to stress that there are clearly defined objectives based on regulations. For example, if the organization is processing credit cards, the organization must be compliant with PCI DSS by following the objectives and requirements set by PCI DSS. (You can view the Requirements and Security Assessment Procedures document at https://www.pcisecuritystandards.org/document_library.)
Reviewing Key Concepts
This chapter highlights a number of important points to remember when planning and scoping the penetration test. Following is a quick review of some of the key points from this chapter:
Ensure you receive written authorization to perform the penetration test by a signing authority for the company.
Know the different types of contracts you may encounter, such as a SOW, NDA, and MSA.
Ensure you include a disclaimer in the contract with the customer that states the risk of performing a penetration test. It is possible that the tools used could crash a system or network and cause downtime for company assets.
Ensure you have a clear scope for the penetration test. Include the target IP addresses (both internal and external), a list of the wired and wireless networks and applications to test, and determine whether social engineering is to be performed and whether you are performing an assessment of physical security.
Clearly define the communication path to follow when performing the assessment. With whom is the pentest team allowed to share the details of the pentest? Also, be clear that additional assets discovered during the assessment may increase the time and cost of the assessment if the newly discovered assets are to be evaluated as well.
If the organization is performing the assessment for compliance reasons, read up on the requirements of the compliance-based assessment to ensure you follow all goals and requirements.
Prep Test
1. What type of contract outlines the requirements of confidentiality between the two parties and the work being performed?
(A) SOW
(B) NDA
(C) MSA
(D) SLA
2. Bob is performing a penetration test for Company XYZ. During the planning and scoping phase, the company identified two web servers as targets for the penetration test. While scanning the network, Bob identified a third web server. When discussing this new finding with the customer, the customer states that the third server runs critical web applications and needs to be assessed as well. What is this an example of?
(A) Statement of work
(B) Master service agreement
(C) Disclaimer
(D) Scope creep
3. You are drafting the agreement for the penetration test and working on the disclaimer section. What two key points should be covered by the disclaimer? (Choose two.)
(A) Compliance-based
(B) Point-in-time
(C) WSDL document
(D) Comprehensiveness
4. What type of contract is a description of the type of job being performed, the timeline, and the cost of the job?
(A) SOW
(B) NDA
(C) MSA
(D) SLA
5. You have been hired to do the pentest for Company XYZ. You acquired proper written authorization, performed the planning and scoping phase, and are ready to start discovery. You connect your laptop to the customer network and are unable to obtain an IP address from the company DHCP server. Which of the following could be the problem?
(A) MSA
(B) SSID
(C) SOW
(D) NAC
6. You are performing the penetration test for a company and have completed the planning and scoping phase. You wish to do the pentest on the wireless networks. What scoping element would you need?
(A) MSA
(B) NDA
(C) SSID
(D) NAC
7. What type of contract is used to define the terms of the repeat work performed?
(A) MSA
(B) NDA
(C) SOW
(D) NAC
8. You drafted the agreement to perform the penetration test, and you are now looking to have the agreement signed by the customer. Who should sign the agreement on behalf of the customer?
(A) Office manager
(B) IT manager
(C) Security manager
(D) Signing authority
9. You are working on the planning and scoping of the penetration test, and you are concerned that the consultants performing the pentest will be blocked by security controls on the network. What security feature would you look to leverage to allow the pentesters’ systems to communicate on the network?
(A) Blacklisting
(B) Whitelisting
(C) NAC
(D) Certificate pinning
10. You are performing a penetration test for a company that has requested the pentest because it is processing credit card payments from customers. What type of assessment is being performed?
(A) Goal-based assessment
(B) Security-based assessment
(C) Compliance-based assessment
(D) Credit card–based assessment
Answers
1 B. A non-disclosure agreement (NDA) is designed to outline the requirements of confidentiality between two parties and the work performed. See “Understanding Key Legal Concepts.”
2 D. Scope creep is when the scope of the project is modified as the project is being performed. Review “Scope creep.”
3 B, D. The disclaimer should cover the fact that the pentest is a point-in-time assessment and stress that the comprehensiveness of the assessment is based on the scope. Check