engineering testing questions
Is social engineer testing part of the pentest?
Does the customer have email addresses for social engineering?
Does the customer have phone numbers for social engineering?
Testing questions for IT staff
Are there fragile systems that are easy to crash?
What is the mean time to repair from a system outage?
What are the business-critical servers and applications?
Are backups tested regularly?
Is there a disaster recovery procedure in place for devices and systems being tested?
When was the last backup performed?
Identifying the Rules of Engagement
As part of the planning and scoping phase of the CompTIA penetration testing process, it is important to define the rules of engagement for the penetration test. The “rules of engagement” refer to any restrictions and details in regard to how the customer wants the penetration test performed. Following are some points covered by the rules of engagement:
The timeline for the penetration test: Determine the start date and the end date of the penetration test based on a schedule for each task and phases being performed.
When testing is to be performed: Define the hours of the day testing is permitted. This could be during work hours, non-work hours, or on weekends.
What to test — locations, targets, services, and applications: Identify what resources or targets will be tested. This includes the office locations, target systems, target services and applications, and the accounts to be targeted.
How the results should be reported: The details and results of the penetration tests, such as the vulnerabilities associated with each system, are highly sensitive. Define what method of communication is acceptable to communicate the pentest details and results. Communication should be encrypted, whether it is sent via email or on a disk.
Who should contact the pentest team: Define who is allowed to communicate with the pentest team during the penetration test.
How frequently updates should be communicated: Define who the pentest team is to go to with updates on the progress of the penetration test and how often updates should be communicated.
Authorization to perform the pentest: Verify that you have signed authorization to perform the penetration test.
Legal considerations with third parties: Verify whether any of the systems or services are hosted by a third party such as an ISP or cloud provider. If a third party is used to host services, verify that you have authorization from the third party to perform the pentest.
Security controls that could shun the pentest: Verify whether the pentest team can expect to be blocked or shunned by security controls such as firewalls, intrusion prevention systems, and blacklisting on the network. These controls can limit the pentest and increase the time to perform the penetration test.
Whether security controls should be tested: Discuss whether you should be testing the effectiveness of the security controls in place. For example, should you report on whether the company security team was able to detect and respond to information gathering, footprinting attempts, scanning and enumeration, and attacks on systems?
Target audience and reason for the pentest
During the pre-engagement activities, it is important to determine the target audience for the penetration test and the reason the pentest is being performed. Many companies state that the primary goal of the penetration test is to verify that their systems are secure by seeing how they hold up to real-world attacks. Another goal may be to see how the security team (known as the blue team) defends against the attacks, and to verify the effectiveness of the security controls in place (such as intrusion detection systems and firewalls). As a secondary goal, the company may need to be compliant to regulations stating that the company must have a penetration test performed regularly.
It is important to know why the pentest is being performed, but also who it is being performed for. The pentest report will need to be written to satisfy the goals of the pentest and be written to include information for the intended audience. For example, upper-level management may just want an executive summary that states how the company held up to the pentest, while the network administrators and security team may want more details on the vulnerabilities that still exist within their systems.
Communication escalation path
In addition to determining the target audience for the penetration test and the reason the pentest is being performed, it is also important to determine who the penetration testing team is to communicate with during the pentest. This includes determining when updates are delivered to the contact person and also who to contact when there is an emergency (such as a system or network crashes due to the pentest).
Following are some common questions you can ask during the pre-engagement phase to determine communication paths:
How frequently should updates on the progress of the penetration test be communicated?
Who is the main point of contact in the company for communication updates?
Are the penetration testers allowed to talk to network administrators and the security team, or is this a silent pentest?
Who should be the point of contact in case of emergency?
As a pentester you also want to be sure you have collected proper contact information in case there is an emergency, such as a system goes down or an entire network segment goes down. Following is the key information you should collect about the customer in case of emergency:
Name of the company contact
Job title and responsibility of the contact
Does the contact have authorization to discuss details of the pentest activities?
Office phone number, mobile phone number, and home phone number of the contact
Resources
