2 - Pen Testing Scope and Engagement Flashcards

1
Q

What are the Pre-Engagement activities?

A
  • Prepare Response Requirements
    • What the proposal must answer, taken from the client's RFP
  • Identify Scope, Approach and Methodology
    • List of goals, teams, types of tests, which tests, depth
  • Determine Project Deliverables
    • Reports to be delivered, schedule
  • Determine Project Schedule
  • Understand Staffing Requirements
    • Team staffing
  • Propose Detailed and Itemized Pricing
    • Estimate cost
  • Submit Proposal
  • Set Rules of Engagement (ROE)
    • Brainstorm with stakeholders, collect contact info for everyone involved, agree the engagement timeline
  • Handle Legal Issues in Engagement
    • Rules of Behavior, Get-Out-of-Jail-Free card, NDAs
  • Prepare for Test
    • Kickoff meeting, engagement letter and log, list of tools to be used, hardware/software requirements, request previous test results
  • Handle Scope Creep during the Pen Test
2
Q

What are the contents of an RFP?

A
  • Purpose: what are the goals of the test?
  • Technical and Contractual Contacts: who to contact for the technical and for the contractual parts of the test
  • Schedule of Events: timetable of events
3
Q

How should a proposal responding to an RFP be structured?

A
  • Executive Summary: high-level synopsis
  • Project Deliverables: types of reports you will provide
  • Itemized Pricing: how you will charge
  • Team Strength: bios and experience of team members
  • Approach and Methodology: detailed testing procedures
  • Project Management: method and approach for how the project will be managed
  • References: clients for whom similar work has been done
  • Company Briefing: about your company
4
Q

How do you scope a pen test?

A

Scoping defines clear objectives and limits, and is what prevents collateral damage from intrusive scans or exploits against systems the client never agreed to have tested.

  • Determine Goals and Objectives (test plan, limitations, schedule)
  • Hold a scoping meeting
    • Review the RFP
    • Work through questionnaires on network pen testing, social engineering, web applications and wireless networks
  • Identify the Type of Testing to be carried out
    • Black box/White box, announced/unannounced
    • Identify areas of infrastructure (network, application, social engineering, etc.)
    • Identify targets to be tested (IP addresses, network ranges, domains, devices)
    • Identify items to be tested (servers, workstations and desktops, network devices)
    • Identify targets that require dealing with third parties (CSP, ISP, MSSP): hosting and service providers usually need their own written authorization before their infrastructure may be tested
    • Identify targets located in other countries (review and verify the laws of that country before testing)
    • Understand the client's assessment requirements (testing times, time frame, checklists)
    • List the tests that will NOT be carried out (e.g. denial of service), so that exclusions are explicit rather than assumed
    • Decide on the desired depth of the test (this drives how much time, how many resources and how much cost the test will need)
  • Determine Project Deliverables:
    • How the final report will be delivered (PDF, HTML, hard copy?)
    • What types of reports will be delivered (network test, client-side, web application)
  • Determine Project Schedule:
    • Agree on start and end dates
  • Understand Staffing Requirements
    • Identify the group of experts required on the pen testing team
  • Propose Detailed and Itemized Pricing
    • Estimate the cost of the engagement (hourly or daily fees? cost is usually based on the number of person-days; the lead pen tester manages the budget and allocates it across the team)
  • Submit the Proposal
    • Prepare an executive summary
    • Create a draft after consulting the experts on the team
    • Check the draft against the response requirements stated in the RFP
    • Submit the proposal before the due date specified by the client
5
Q

What are Rules of Engagement (ROE)?

A
  • The formal, written permission to conduct the pen test
  • Provides "top level" guidance for how the test is to be conducted
  • Records the client's explicit authorization; that authorization is what makes otherwise prohibited activities (scanning, exploitation, social engineering) lawful and policy-compliant, and only within the limits the ROE states
  • Defines how testing should be performed (what, when, against which targets, and who to call when something goes wrong)
6
Q

What directives are the Rules of Engagement based on?

A
  • Establishing Communication Lines:
    • Who the key/emergency contacts are (risk manager, DBA, network admin), and how to reach them out of hours
    • Conduct a teleconference with the Target Point-of-Contact (TPOC) to set up the engagement documents, etc.
  • Timeline:
    • Defines the activities of the engagement
    • Metrics for time estimation (experience of the testers, overhead)
    • Draft a timeline covering start of project, project milestones and project completion
    • Work Breakdown Structure (WBS) or task list: breaks the work down into its component tasks; each task must be measurable and deliverable
    • Details of the test schedule are documented in a separate deliverable, generated with the help of a project scheduling tool
  • Time/Location:
    • Identify reporting time scales
    • Identify the office space/location where your team will work
  • Frequency:
    • Frequency of meetings
    • The pen tester keeps the client continuously informed about the project (weekly, daily, etc.)
  • Evidence Handling:
    • How captured data, credentials and screenshots are stored, protected and destroyed after the engagement
  • Time of Day to Conduct Testing:
    • Business hours
    • After business hours
    • Weekends
  • Identify Who can Help:
    • Identify the human resources required to carry out a successful test
    • Admins (network, application, database, security)
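The two scoping decisions above that most often go wrong under time pressure are the target list from card 4 (in-scope ranges and domains, exclusions, tests that will not be carried out) and the time-of-day directive in this card. A small gate that refuses any target outside the signed scope, or any test outside the agreed window, before a scanner is ever pointed at it, is cheap insurance against the collateral damage scoping is meant to prevent. The code below is an added example, not part of the flashcards or of any named methodology; the networks, domains, exclusions and windows in SAMPLE_SCOPE are constructed for illustration, and the function names are the editor's own.

```python
"""Scope gate for a pen test: refuse any target that the Rules of Engagement did not
put in scope, and any test attempted outside the agreed testing window.
Added example, not from the flashcards; every value in SAMPLE_SCOPE is constructed."""
import ipaddress
from collections import namedtuple
from datetime import datetime, time

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # index == datetime.weekday()

# Constructed sample of what a tester might transcribe from the signed RoE (not a real client).
SAMPLE_SCOPE = {
    "in_scope_networks": ["10.10.0.0/16", "192.0.2.0/24"],
    "excluded_networks": ["10.10.5.0/24"],      # segment the client ruled out of the test
    "excluded_hosts": ["10.10.1.15"],           # e.g. an appliance managed by a third party
    "in_scope_domains": ["example.com"],
    "excluded_domains": ["payments.example.com"],
    "windows": [                                # weeknights, plus weekend daytime
        {"days": ["Mon", "Tue", "Wed", "Thu", "Fri"], "start": "18:00", "end": "06:00"},
        {"days": ["Sat", "Sun"], "start": "08:00", "end": "20:00"},
    ],
}

Window = namedtuple("Window", "days start end")  # end < start: window runs past midnight
Scope = namedtuple("Scope", "allowed_nets excluded_nets allowed_domains excluded_domains windows")

def _dom(name):
    return name.lower().rstrip(".")

def parse_scope(raw):
    """Build a Scope from the plain dict kept next to the RoE; exclusions always win."""
    excluded = raw["excluded_networks"] + raw["excluded_hosts"]
    return Scope(
        [ipaddress.ip_network(s, strict=False) for s in raw["in_scope_networks"]],
        [ipaddress.ip_network(s, strict=False) for s in excluded],
        [_dom(d) for d in raw["in_scope_domains"]],
        [_dom(d) for d in raw["excluded_domains"]],
        [Window(frozenset(w["days"]), time.fromisoformat(w["start"]), time.fromisoformat(w["end"]))
         for w in raw["windows"]],
    )

def carve(net, exclusions):
    """Pieces of `net` left once every overlapping exclusion is removed (CIDR-aligned)."""
    pieces = [net]
    for ex in exclusions:
        kept = []
        for piece in pieces:
            if piece.version != ex.version or not piece.overlaps(ex):
                kept.append(piece)
            elif not ex.supernet_of(piece):             # ex sits strictly inside piece
                kept.extend(piece.address_exclude(ex))  # (a piece ex fully covers is dropped)
        pieces = kept
    return sorted(pieces)

def in_window(scope, when):
    """True if `when` falls inside any agreed testing window, including overnight wrap."""
    t, day, prev = when.time(), DAYS[when.weekday()], DAYS[(when.weekday() - 1) % 7]
    for w in scope.windows:
        if w.start <= w.end:                            # same-day window
            if day in w.days and w.start <= t < w.end:
                return True
        elif (day in w.days and t >= w.start) or (prev in w.days and t < w.end):
            return True                                 # e.g. Wed 18:00 -> Thu 06:00
    return False

def check_host(scope, target):
    host = _dom(target)
    if any(host == d or host.endswith("." + d) for d in scope.excluded_domains):
        return False, f"{host} is explicitly excluded"
    if any(host == d or host.endswith("." + d) for d in scope.allowed_domains):
        return True, f"{host} is in scope"
    return False, f"{host} is not under any in-scope domain"

def check_network(scope, net):
    if not any(net.version == a.version and net.subnet_of(a) for a in scope.allowed_nets):
        return False, f"{net} is not inside any in-scope range", []
    pieces = carve(net, scope.excluded_nets)
    if not pieces:
        return False, f"{net} lies entirely inside an exclusion", []
    note = " (trimmed around exclusions)" if pieces != [net] else ""
    return True, f"{net} is in scope{note}", pieces

def decide(scope, target, when):
    """Gate one target (IP, CIDR or hostname) at `when` (datetime or ISO-8601 string).
    Returns (allowed, reason, cidr_blocks_safe_to_scan); blocks are empty for hostnames."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not in_window(scope, when):
        return False, f"{when:%a %H:%M} is outside the agreed testing window", []
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:                                   # not an address: treat as hostname
        ok, why = check_host(scope, target)
        return ok, why, []
    return check_network(scope, net)

def covers(networks, ip):
    """True if `ip` falls inside any of `networks` (to confirm an exclusion was carved out)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)
```

Two design choices matter here. Default deny: a target that is not explicitly inside an in-scope range or domain is refused, so a typo in the target list fails safe. And exclusions are carved out rather than used to reject a whole range: `decide(scope, "10.10.1.0/24", "2024-01-10T22:00")` returns the eight CIDR blocks covering the /24 minus the excluded appliance, which is what should be fed to the scanner, instead of either hitting 10.10.1.15 or abandoning the range. Hostname matching is suffix-based on whole labels, so `api.payments.example.com` is excluded along with `payments.example.com`, while `example.com.evil.test` is not treated as in scope.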
7
Q

What are some legal considerations during a Pen Testing engagement?

A
  • Hire a lawyer who understands technology and related matters to assist with the legal documents
    • Have the lawyer vet anything before you sign it
  • The contract must be drafted by a lawyer
  • Define "Rules of Behavior"
    • An agreement that outlines the framework for external and internal pen testing
    • Testers will not be held responsible for unintentional interruptions or loss or damage to equipment
    • Get-Out-of-Jail-Free card: the signed authorization letter the tester carries, so that testing activity can be shown to be authorized if it is challenged
  • List the Permitted Items
    • Which items a tester needs explicit permission for before testing them
  • NDAs
    • Testers will not disclose any information divulged by the client
  • Define Liability Issues:
    • Penalties imposed by law
    • Breach of contract
    • Negligence claim: the company acted negligently and a breach resulted in damages
  • Define Limitations of the Contract:
    • It should be confidential
    • The provider may use a team of experts
  • Obtain liability insurance
  • Verify there are no conflicts of interest between teammates and the client company
  • List known waivers or exemptions
8
Q

What components should a Pen Testing contract have?

A
  • Non-Disclosure clause
  • Objectives
  • Fees and project schedule
  • Sensitive info
  • Confidential info
  • Indemnification clause and Dispute Resolution
  • Reporting and Responsibilities
  • Scope
  • Performance standards
  • Ownership and License
9
Q

How do you prepare for the test?

A
  • Review Engagement Letter
    • Set up folders to store data
    • Determine services provided
    • Create a system to maintain data
    • All docs must have name of client
  • Create Engagement Log
    • Records all important activities
  • Kickoff Meeting
    • Outline Goals and clarify expectations
    • Attended by sponsor, stakeholders, Tiger team conducting the assessment
  • Prepare Statement of Work (SOW)
    • Authorizes work to be performed
    • Defines objectives, actions, and interactions between tester and client
    • Defines deliverables and limitations
    • Provides ROE
  • Identify Security Tools Required
  • Identify the Hardware/Software configuration that is required
  • Prepare Test Plan
    • A well-developed project plan is said to be half the actual task completed
  • Assign Resources
  • Send Internal Control Questionnaires (ICQ) to Client
  • Request previous pen testing results
  • Create Data Use Agreement (if required)
    • Governs how the tester may access, use, store and dispose of client data encountered during the test
  • Conduct a Working Teleconference
  • Send final Engagement Control Docs for signature
  • Obtain Pen Testing Permission from stakeholders
  • Obtain special permission from law enforcement if necessary
  • Obtain Temp ID’s if necessary
  • Gather background/history of organization
  • Get familiar with client premise and environment
  • Identify Local Equipment Required
  • Conduct Mission Briefing
    • Give team members info and time to prepare for engagement
10
Q

What are the contents of a test plan?

A
  • Project definition
  • Project goal
  • Test objective
  • Scope
  • Schedule and Location
  • Resource and Budget Limitations
  • Legal and Regulatory Issues
  • Success Factors
  • Assumptions
  • Analysis and Reviews
11
Q

What is scope creep? How do you guard against it?

A
  • Occurs when a client asks you to include additional tests mid-engagement, beyond the scope of the initial engagement
  • Do not test anything outside the signed scope on an informal request: treat it as a change request, re-scope and re-price it, extend the schedule, and test it only once the client has agreed in writing to the extra time and money