The first step in most penetration testing engagements is determining what should be tested, or the scope of the assessment. The scope of the assessment determines what penetration testers will do and how their time will be spent.
Determining the scope requires working with the person or organization for whom the penetration test will be performed. Testers need to understand all of the following: why the test is being performed; whether specific requirements such as compliance or business needs are driving the test; what systems, networks, or services should be tested and when; what information can and cannot be accessed during testing; what the rules of engagement for the test are; what techniques are permitted or forbidden; and to whom the final report will be presented.
ASSESSMENT TYPES
Goals-based or objectives-based assessments are conducted for specific reasons. Examples include validation of a new security design, testing an application or service infrastructure before it enters production, and assessing the security of an organization that has recently been acquired.
Compliance-based assessments are designed around the compliance objectives of a law, standard, or other guidance and may require engaging a specific provider or assessor that is certified to perform the assessment.
Red-team assessments are typically more targeted than normal penetration tests. Red teams attempt to act like an attacker, targeting sensitive data or systems with the goal of acquiring data and access. Unlike other types of penetration tests, red-team assessments are not intended to provide details of all of the security flaws a target has. This means that red-team assessments are unlikely to provide as complete a view of flaws in the environment, but they can be very useful as a security exercise to train incident responders or to help validate security designs and practices.
Alternatives to statements of work include statements of objectives (SOOs) and performance work statements (PWSs), both of which are used by the US government.
A master services agreement (MSA) defines the terms that the organizations will use for future work. This makes ongoing engagements and SOWs much easier to work through, because each SOW refers back to the overall MSA and the terms do not need to be renegotiated. MSAs are common when organizations anticipate working together over a period of time or when a support contract is created.
Nondisclosure agreements (NDAs) or confidentiality agreements (CAs) are legal documents that help to enforce a confidential relationship between two parties. NDAs protect one or more parties in the relationship and typically outline who the parties are, what information is considered confidential, how long the agreement lasts, when and how disclosure is acceptable, and how confidential information must be handled.
A noncompete agreement asks you to agree not to take a job with a competitor or to directly compete with your employer in a future job. Noncompetes are often time-limited, with a clause stating that you will not take a job in the same field for a set period. They are typically used to limit the chance of a competitor gaining an advantage by hiring you away from your employer, but they have also been used to limit the employment choices of staff members.
Understanding Compliance-Based Assessments
Laws and regulations like HIPAA, FERPA, SOX, GLBA, and PCI DSS all have compliance requirements that covered organizations have to meet. That means that compliance-based assessments can bring their own set of special requirements beyond what a typical penetration test or security assessment may involve.
Planning and scoping a penetration test is the first step for most penetration testing engagements. It is important to understand why the penetration test is being planned, and who the target audience of the final report will be. Along the way, you will define and document the rules of engagement, what type of assessment and what assessment strategy you will use, and what is in scope and out of scope.