Saturday, 19 August 2017

Pre-Engagement Interactions

Pre-engagement interactions are all the meetings and documentation that must occur prior to any penetration testing actions. The importance of properly documenting the penetration test cannot be emphasized enough.
 
Since we're talking about penetration testing and not hacking, we need to first have a conversation with our client (target) to find out what they want from the test.  Given that we're the good guys we should only be doing this type of testing after we have a customer requesting a test of their systems.

Like most things there are different levels of a penetration test.  It could be as simple as testing a specific set of IP addresses, a single physical location, or even just one web application.  Or the testing could be as complex as performing a full simulation of an attack, doing exactly what a real attacker would do.

The complexity will also be guided by how much information the client gives us.  If this is a smaller assessment they may give us all the information we need: usernames/passwords, IP addresses, etc.  This would be known as a "white box" test.  On the other end of the spectrum there is what's known as a "black box" test.  In this scenario little to no information is given, and we must gather all the information ourselves.  The client may also choose to limit the number of internal people who know about the test.  This gives the added advantage of testing their response mechanisms.

Regardless of the complexity of the test, you should require a written and signed document giving you permission to perform these tests.  Since some of our actions can border on illegal activities, it is extremely important to have written permission from your customer up front, before beginning any work.
 
Scoping
  • How do you know what is to be tested if there is no scope? This essential step documents what systems, applications, processes, etc. are to be included in the penetration test. This information is especially important in hosted environments, where the infrastructure may not be wholly owned by the client. Such infrastructure components should be noted and explicitly excluded from active penetration testing techniques.
Goals
  • What is the client trying to accomplish by having the penetration test? The test may be a compliance requirement, testing of implemented controls, or to justify additional spend in protection mechanisms.
Testing Terms and Definitions
  • Since many times the client will not be a penetration tester, think about who the report will ultimately go to: the CTO, the board, other internal IT teams. It is important that all involved have the exact same understanding of the terms and definitions used in the penetration test documentation.
Establishing Lines of Communication
  • Having a documented communication plan is essential and can be a test saver if there is an issue when testing after hours. It is possible that when testing, a system may crash and the penetration tester or team must have a client contact to communicate with during the test.
 
Rules of Engagement
  • The rules of engagement communicate an agreed approach to the penetration test. This includes items such as when and how the penetration test is to be performed, what systems are permitted to be tested, and how far the penetration tester can go with an exploited target. This will also include the approved times of day to perform testing. Some clients may enforce a certain method to the testing such as Stealth mode, or testing can only use certain types of exploits, perhaps not allowing denial of service attacks, etc.
 
Capabilities and Technologies Implemented
  • Depending on the type of penetration test, the client's incident response capabilities and monitoring capabilities may be discussed or documented prior to the test. If the security team or incident response team is itself being tested, this may or may not be included, since the challenge to the penetration tester may be to get past these “controls” and “capabilities”. The ultimate goal of this type of test should be to correct training and capability deficiencies, not to fire the security team. This could be argued…
 
Protect Yourself
  • It is good to have a “get out of jail free” card with you at all times during a penetration test. This is a document that gives the penetration tester permission to perform the penetration test. It must be signed by a senior officer of the client. Additional wording may be added to the test documentation that protects the penetration tester from liability if there are adverse effects due to the penetration testing.
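The scope, excluded third-party infrastructure, approved testing windows and forbidden techniques agreed above are worth encoding so every action can be checked against the signed rules of engagement before it is run. The following added example (not from the original post) does that with a constructed, hypothetical RoE record; the IP ranges, windows and technique names are placeholders.

```python
import ipaddress
from datetime import datetime

# Constructed rules-of-engagement record for a hypothetical client.
# Every value here is a placeholder standing in for what the scoping
# and RoE meetings actually produce.
ROE = {
    "in_scope": ["203.0.113.0/24", "10.10.0.0/16"],   # agreed external + internal ranges
    "excluded": ["203.0.113.200/29"],                    # hosted by a third party, not client-owned
    "windows": [                                         # weekday: 0=Mon .. 6=Sun
        {"days": [0, 1, 2, 3, 4], "start": 18, "end": 23},   # weekdays: after business hours only
        {"days": [5, 6], "start": 0, "end": 23},             # weekends: any time
    ],
    "forbidden_techniques": {"dos", "exhaustive_password"},  # e.g. no denial of service
    "signed_by": "PLACEHOLDER senior officer of the client",
}


def in_any(ip, cidrs):
    """True if ip falls inside any of the given CIDR blocks."""
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def in_window(roe, when):
    """True if the timestamp falls inside an approved testing window."""
    return any(
        when.weekday() in w["days"] and w["start"] <= when.hour <= w["end"]
        for w in roe["windows"]
    )


def check_action(roe, target, when, technique):
    """Return (allowed, reason) for a proposed action against one target.

    Checks are ordered so the most fundamental problem is reported first:
    scope, then explicit exclusions, then technique, then time window.
    """
    ip = ipaddress.ip_address(target)
    if not in_any(ip, roe["in_scope"]):
        return False, f"{target} is not in the agreed scope"
    if in_any(ip, roe["excluded"]):
        return False, f"{target} is explicitly excluded (third-party infrastructure)"
    if technique in roe["forbidden_techniques"]:
        return False, f"technique '{technique}' is forbidden by the rules of engagement"
    if not in_window(roe, when):
        return False, f"{when:%A %H:%M} is outside the approved testing window"
    return True, "within scope, approved window and permitted techniques"


if __name__ == "__main__":
    ok, why = check_action(ROE, "203.0.113.201", datetime(2017, 8, 19, 10, 0), "port_scan")
    print(ok, why)
```

A rejected action should be logged with its reason and raised with the client contact from the communication plan, not silently skipped.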

General Questions

Network Penetration Test

  1. Why is the customer having the penetration test performed against their environment?
  2. Is the penetration test required for a specific compliance requirement?
  3. When does the customer want the active portions (scanning, enumeration, exploitation, etc...) of the penetration test conducted?
    1. During business hours?
    2. After business hours?
    3. On the weekends?
  4. How many total IP addresses are being tested?
    1. How many internal IP addresses, if applicable?
    2. How many external IP addresses, if applicable?
  5. Are there any devices in place that may impact the results of a penetration test such as a firewall, intrusion detection/prevention system, web application firewall, or load balancer?
  6. In the case that a system is penetrated, how should the testing team proceed?
    1. Perform a local vulnerability assessment on the compromised machine?
    2. Attempt to gain the highest privileges (root on Unix machines, SYSTEM or Administrator on Windows machines) on the compromised machine?
    3. Perform no, minimal, dictionary, or exhaustive password attacks against local password hashes obtained (for example, /etc/shadow on Unix machines)?

Web Application Penetration Test

  1. How many web applications are being assessed?
  2. How many login systems are being assessed?
  3. How many static pages are being assessed? (approximate)
  4. How many dynamic pages are being assessed? (approximate)
  5. Will the source code be made readily available?
  6. Will there be any kind of documentation?
    1. If yes, what kind of documentation?
  7. Will static analysis be performed on this application?
  8. Does the client want fuzzing performed against this application?
  9. Does the client want role-based testing performed against this application?
  10. Does the client want credentialed scans of web applications performed?

Wireless Network Penetration Test

  1. How many wireless networks are in place?
  2. Is a guest wireless network used? If so:
    1. Does the guest network require authentication?
    2. What type of encryption is used on the wireless networks?
    3. What is the square footage of coverage?
    4. Will enumeration of rogue devices be necessary?
    5. Will the team be assessing wireless attacks against clients?
    6. Approximately how many clients will be using the wireless network?

Physical Penetration Test

  1. How many locations are being assessed?
  2. Is this physical location a shared facility? If so:
    1. How many floors are in scope?
    2. Which floors are in scope?
  3. Are there any security guards that will need to be bypassed? If so:
    1. Are the security guards employed through a 3rd party?
    2. Are they armed?
    3. Are they allowed to use force?
  4. How many entrances are there into the building?
  5. Is the use of lock picks or bump keys allowed? (also consider local laws)
  6. Is the purpose of this test to verify compliance with existing policies and procedures or for performing an audit?
  7. What is the square footage of the area in scope?
  8. Are all physical security measures documented?
  9. Are video cameras being used?
    1. Are the cameras client-owned? If so:
      1. Should the team attempt to gain access to where the video camera data is stored?
  10. Is there an armed alarm system being used? If so:
    1. Is the alarm a silent alarm?
    2. Is the alarm triggered by motion?
    3. Is the alarm triggered by opening of doors and windows?

Social Engineering

  1. Does the client have a list of email addresses they would like a Social Engineering attack to be performed against?
  2. Does the client have a list of phone numbers they would like a Social Engineering attack to be performed against?
  3. Is Social Engineering for the purpose of gaining unauthorized physical access approved? If so:
    1. How many people will be targeted?

It should be noted that as part of different levels of testing, the questions for Business Unit Managers, Systems Administrators, and Help Desk Personnel may not be required. However, in the case these questions are necessary, some sample questions can be found below.

Questions for Business Unit Managers

  1. Is the manager aware that a test is about to be performed?
  2. What is the main datum that would create the greatest risk to the organization if exposed, corrupted, or deleted?
  3. Are testing and validation procedures to verify that business applications are functioning properly in place?
  4. Will the testers have access to the Quality Assurance testing procedures from when the application was first developed?
  5. Are Disaster Recovery Procedures in place for the application data?

Questions for Systems Administrators

  1. Are there any systems which could be characterized as fragile? (systems with tendencies to crash, older operating systems, or which are unpatched)
  2. Are there systems on the network which the client does not own, that may require additional approval to test?
  3. Are Change Management procedures in place?
  4. What is the mean time to repair systems outages?
  5. Is any system monitoring software in place?
  6. What are the most critical servers and applications?
  7. Are backups tested on a regular basis?
  8. When was the last time the backups were restored?
