Pre-Engagement Interactions

Pre-engagement interactions are all the meetings and documentation that must occur prior to any penetration testing actions. The importance of properly documenting the penetration test cannot be emphasized enough.

Scoping
  • How do you know what is to be tested if there is no scope? This essential step documents which systems, applications, processes, etc. are to be included in the penetration test. This information is especially important in hosted environments, where the infrastructure may not be wholly owned by the client. Such infrastructure components should be noted and explicitly excluded from active penetration testing techniques.
Goals
  • What is the client trying to accomplish by having the penetration test? The test may be a compliance requirement, testing of implemented controls, or to justify additional spend in protection mechanisms.
Testing Terms and Definitions
  • Since the client will often not be a penetration tester, think about who the report will ultimately go to: CTO, board, other internal IT teams. It is important that all involved have the exact same understanding of the terms and definitions used in the penetration test documentation.
Establishing Lines of Communication
  • Having a documented communication plan is essential and can save a test if an issue arises when testing after hours. A system may crash during testing, and the penetration tester or team must have a client contact to reach during the test.
Rules of Engagement
  • The rules of engagement communicate an agreed approach to the penetration test. This includes items such as when and how the penetration test is to be performed, which systems are permitted to be tested, and how far the penetration tester may go with an exploited target. It also includes the approved times of day for testing. Some clients may enforce a particular testing method, such as stealth mode, or allow only certain types of exploits, perhaps prohibiting denial of service attacks, etc.
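The scoping and rules-of-engagement items above all reduce to constraints a tester can check before every action. The following Python pre-flight check is an added example, not part of the original page: it encodes a constructed in-scope list, an exclusion list for provider-owned infrastructure, an approved testing window (including one that crosses midnight) and a set of forbidden test categories, and returns every reason an action would fall outside the agreement. All names, addresses and values are assumptions made for illustration.

```python
"""Scope and rules-of-engagement pre-flight check (added illustration).

Inputs are assumed to come from the signed engagement documents:
in-scope CIDRs, explicit exclusions (e.g. a hosting provider's shared
equipment the client does not own), the approved testing window and
test categories the client has ruled out.  All values are constructed.
"""
from dataclasses import dataclass, field
from datetime import time
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope: list                       # CIDR strings the client owns
    excluded: list                       # CIDR strings never to be touched
    window_start: time                   # approved testing window
    window_end: time
    forbidden_categories: set = field(default_factory=set)


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def target_in_scope(roe, target):
    """Exclusions always win over inclusions."""
    addr = ipaddress.ip_address(target)
    if any(addr in n for n in _nets(roe.excluded)):
        return False
    return any(addr in n for n in _nets(roe.in_scope))


def within_window(roe, now):
    """True if `now` is inside the window; handles windows crossing midnight."""
    if roe.window_start <= roe.window_end:
        return roe.window_start <= now <= roe.window_end
    return now >= roe.window_start or now <= roe.window_end


def preflight(roe, target, now, category):
    """Return the list of reasons the action is not permitted (empty = go)."""
    reasons = []
    if not target_in_scope(roe, target):
        reasons.append(f"{target} is outside the agreed scope")
    if not within_window(roe, now):
        reasons.append(f"{now:%H:%M} is outside the approved testing window")
    if category in roe.forbidden_categories:
        reasons.append(f"'{category}' tests are forbidden by the rules of engagement")
    return reasons


def preflight_at(roe, target, hhmm, category):
    """Convenience wrapper taking the clock time as an 'HH:MM' string."""
    hour, minute = (int(p) for p in hhmm.split(":"))
    return preflight(roe, target, time(hour, minute), category)


# Constructed sample agreement (documentation addresses, not real hosts).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    excluded=["203.0.113.250/32"],   # assumed provider-owned load balancer
    window_start=time(22, 0),
    window_end=time(6, 0),           # 22:00 to 06:00, crossing midnight
    forbidden_categories={"dos"},
)

if __name__ == "__main__":
    for target, at, cat in [("203.0.113.10", "23:30", "web"),
                            ("203.0.113.250", "23:30", "web"),
                            ("203.0.113.10", "12:00", "dos")]:
        problems = preflight_at(SAMPLE_ROE, target, at, cat)
        print(target, at, cat, "->", "OK" if not problems else "; ".join(problems))
```

The check returns all violated constraints rather than the first one, so the communication plan contact can be given the complete picture when a tester asks for a scope or window change.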
Capabilities and Technologies Implemented
  • Depending on the type of penetration test, the client's incident response and monitoring capabilities may be discussed or documented prior to the test. If the security team or incident response team is itself being tested, this may or may not be included, since the challenge to the penetration tester is to get past these “controls” and “capabilities”. The ultimate goal of this type of test should be to correct training and capability deficiencies, not to fire the security team. This could be argued…
Protect Yourself
  • It is good to have a “get out of jail free” card with you at all times during a penetration test. This is a document that gives the penetration tester permission to perform the penetration test, and it must be signed by a senior officer of the client. Additional wording may be added to the test documentation to protect the penetration tester from liability if there are adverse effects due to the penetration testing.