Pre-Engagement Activities

  • Basic tasks to prepare for a penetration test
  • Break down complexities of test preparation
  • Ensure alignment, legality, and success

Regulations & Standards

Regulations

  • Legal mandates for data protection and testing processes
  • GDPR
    • Applies in the EU and to EU citizens’ data
    • Requires explicit consent, DPIAs, DPO appointment
    • Fines up to 4% of global turnover or €20 M
  • Gramm-Leach-Bliley Act (GLBA)
    • US law protecting financial information
    • Mandates encryption, access controls, ongoing assessments
  • HIPAA
    • US healthcare data privacy and security
    • Requires physical, administrative, technical safeguards
    • Encryption, secure access controls, regular audits
    • Fines of $50 000 per violation (up to $1.5 M annually)

Standards

  • Voluntary but best-practice frameworks
  • PCI DSS
    • Secures payment card data: network security, access controls, logging
    • Fines of $100 000 per month until compliance
  • ISO/IEC 27000 Series
    • ISMS framework for information security management

Stakeholder Alignment

  • Ensure all parties (from technical teams to executives) share the same goals, budget, and timelines
  • Example: GLBA compliance for a financial client
  • Ongoing training, debriefings, and audits to maintain alignment

Summary

  • Regulations and standards guide test processes and ethics
  • Stakeholder alignment ties objectives to business and compliance needs
  • Testers must uncover vulnerabilities while upholding legal and ethical requirements

Types of Assessments

  • Network: topology review, firewall configuration, policy alignment
  • Wireless: encryption checks, rogue AP detection, attack simulation
  • Application: code and dependency review for vulnerabilities
  • Mobile: data leakage, session handling, storage security
  • Web: SQL injection, XSS, misconfigurations
  • Cloud: provider controls, resource configuration (e.g., S3 buckets)
  • API: authentication, authorization, data validation checks

Types of Agreements

  • NDA: confidentiality of test findings
  • MSA: overarching service terms (scope, payment, liability)
  • SoW: project details (objectives, deliverables, timelines)
  • ToS: usage rules for testing services and proprietary tools

Key Points

  • NDA protects sensitive information
  • MSA streamlines recurring engagements
  • SoW clarifies project expectations
  • ToS governs service usage and tool protection

  • Authorization Letter: defines scope, validity, data handling, reporting
  • Mandatory Reporting: secure disclosure, legal exceptions, counsel consultation
  • Risk Awareness: assess potential damage, implement safeguards (e.g., rate limiting)
  • Escalation Path: predefined contacts and procedures for incidents

Key Points

  • Authorization: clearly define permitted activities
  • Reporting: maintain confidentiality and legal compliance
  • Risk: minimize unintended impact
  • Escalation: know whom to contact for issues

Rules of Engagement

  • Exclusions: list off-limits systems (e.g., live transaction platforms)
  • Test Cases: predefined scenarios based on known threats
  • Testing Window: agreed timeframes to limit operational impact
  • Goal Reprioritization: adjust focus as new vulnerabilities emerge
  • Business Impact Analysis: assess consequences of exploited findings

Key Points

  • Exclusions prevent accidental disruption
  • Test cases ensure systematic coverage
  • Testing windows align with business needs
  • Reprioritization targets the highest-risk issues
  • Impact analysis links vulnerabilities to business risk

Target Selection

  • CIDR: defines IP ranges (e.g., 192.168.100.0/24)
  • Domains: target DNS and public-facing resources
  • IP Addresses: individual hosts for port/service scanning
  • URLs: specific endpoints for web-app testing

Key Points

  • CIDR ensures full network coverage
  • Domains reveal subdomain and DNS weaknesses
  • IPs are potential entry points
  • URLs focus on precise application vulnerabilities
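As an added example (not part of these notes), a small Python scope checker that ties together the Exclusions bullet from Rules of Engagement and the CIDR / IP bullets from Target Selection: the in-scope and excluded lists are constructed sample values, and an excluded address always wins over an in-scope range, so a host listed in both is never reported as testable.

```python
import ipaddress

# Constructed sample scope, in the form an authorization letter would list it:
# one CIDR block plus one standalone host, with two carve-outs (exclusions).
IN_SCOPE = ["192.168.100.0/24", "10.10.5.7"]
EXCLUDED = ["192.168.100.250/32", "192.168.100.128/26"]


def _parse(entries):
    """Turn CIDR strings and bare IPs into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def target_status(target, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Classify one host address as 'excluded', 'in-scope' or 'out-of-scope'.

    Exclusions are checked first so they take precedence over any in-scope range.
    Raises ValueError for input that is not an IP address (e.g. a hostname).
    """
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in _parse(excluded)):
        return "excluded"
    if any(addr in net for net in _parse(in_scope)):
        return "in-scope"
    return "out-of-scope"


def partition_targets(candidates, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Group a candidate list by status; only the 'in-scope' group may be scanned."""
    groups = {"in-scope": [], "excluded": [], "out-of-scope": []}
    for c in candidates:
        groups[target_status(c, in_scope, excluded)].append(c)
    return groups


def scoped_address_count(in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Number of distinct addresses the engagement may touch after exclusions.

    Useful for the testing-window estimate: iterates every address in each block
    (network and broadcast included) and drops the ones carved out by exclusions.
    """
    carve_outs = _parse(excluded)
    allowed = set()
    for net in _parse(in_scope):
        for addr in net:
            if not any(addr in ex for ex in carve_outs):
                allowed.add(addr)
    return len(allowed)


if __name__ == "__main__":
    sample = ["192.168.100.17", "192.168.100.250", "192.168.100.130", "10.10.5.7", "10.10.5.8"]
    print(partition_targets(sample))
    print("addresses in scope:", scoped_address_count())
```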

Shared Responsibility Model

  • Hosting Providers: secure data centers, network, hardware, virtualization
  • Customers: secure OS, applications, patching, configs, data encryption
  • Penetration Testers: audit controls, simulate attacks, report findings
  • Third-Party Providers: secure integration software and updates

Cloud Provider Services

  • AWS: Trusted Advisor, Inspector
  • Azure: Security Center, Advisor
  • GCP: Security Command Center, Cloud Armor

Example Scenario

  • E-commerce on Azure:
    • Azure secures infrastructure
    • Customer secures VMs, apps, databases
    • Tester evaluates web app and network
    • Payment gateway provider ensures PCI DSS compliance

Key Points

  • Providers handle infrastructure security
  • Customers manage their software and data security
  • Testers identify and validate vulnerabilities
  • Third parties must maintain ongoing product security