the customer does business with those companies.
Verifying Acceptance to Risk
Earlier in this chapter, I discuss the importance of including a disclaimer in the SOW, and I want to stress again that as the penetration tester, you need to make the risk of performing a penetration test clear to the customer (in discussion and in the contract). Make sure the customer accepts those risks before starting the penetration test, as risk acceptance is critical to protecting yourself from legal action.
Some key points to communicate with the customer in relation to the acceptance of risk of the penetration test are:
Tools are used to try to compromise the security of the company’s systems.
Although you have tested the tools and are using tools that have not crashed your test systems, the tools could have unpredictable results in different environments due to different software and configurations that you may not have had in your test environment.
Stress that although you will not try to crash systems, the risk is there that systems may crash.
Verify that the customer has recent backups of the systems being assessed.
It is also important to verify the customer’s tolerance to the impact the assessment will have on the company’s systems. Here are some questions you can ask to verify the customer’s acceptance of the impact of the assessment:
Is the customer aware and okay with the fact that you are hacking into the company’s systems when performing the penetration test?
Does the customer accept that the system may fail if you run exploits against the system? If the customer is not willing to accept the crashing of a system, you may want to do a vulnerability assessment instead of a penetration test. The vulnerability assessment will review the configuration of the systems and run a vulnerability scan to determine how exposed the system is, but not actually try to hack the system.
If a system fails due to the penetration test, how long will it take to recover a failed system?
How long can the business survive without the asset or system in question? How much downtime is the customer willing to accept if it does occur?
Scheduling the Pentest and Managing Scope Creep
Scheduling and scope creep are two important points to remember for the CompTIA PenTest+ certification exam as well as when you conduct a penetration test in the real world.
Scheduling
When discussing the details of the pentest with the customer during the pre-engagement phase, be sure to determine when the penetration test is to occur. Generally, pentests are scheduled to occur during any of the following timeframes:
During work hours (for example, 8 a.m. to 5 p.m.)
After work hours (for example, 6 p.m. to 6 a.m.)
On weekends (for example, 8 a.m. to 12 a.m.)
When preparing the budget, be sure to have a schedule set up for how long it will take to perform the penetration test. Table 2-1 illustrates a sample schedule, but know that the schedule will vary depending on the size of the organization being assessed and the number of resources you have available to perform the penetration test.
TABLE 2-1 A Sample Pentest Schedule
| Activity | Activity Name | Duration(Days) |
|---|---|---|
| 1 | Initial preparation | 3 |
| 2 | Planning and scoping | 3 |
| 3 | Kick-off meeting | 1 |
| 4 | Initial assessment of environment | 3 |
| 5 | Information gathering | 5 |
| 6 | Vulnerability assessment | 5 |
| 7 | Exploitation of systems | 5 |
| 8 | Physical security assessment | 3 |
| 9 | Wireless security assessment | 3 |
| 10 | Post-exploitation | 3 |
| 11 | Clean-up | 3 |
| 12 | Report preparation | 5 |
| 13 | Report delivery and project closing | 1 |
Scope creep
An important discussion to have during the planning and scoping phase of the penetration test is how to handle scope creep. Scope creep occurs when the size of the project — in this case the penetration test — continues to change or grow as the project continues. As the consulting pentester, scope creep is a nightmare, as you have given a quote to the customer on the cost to perform the penetration test based on how long you estimate the pentest will take. The length of time is dependent on the number of targets defined for the project, and if that changes while the penetration test is occurring, the cost will go up! Increased costs typically do not sit well with the customer, so be very clear at the start that the cost is for the targets that have been defined within the scope of the project and that any newly discovered targets that arise while the penetration test is occurring will be an additional cost. Make sure the pentest team knows who to contact when a new target has been discovered during the pentest that was not
