LPTv4 Module 13 Rules of Engagement
ECSA/LPT
Module XIII
Rules of Engagement
Module Objective
This module will introduce you to the following:
• Rules of Engagement (ROE) between an organization and penetration testers
• Scope of ROE
• Steps for framing ROE
• Clauses in ROE
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
• Rules of Engagement (ROE)
• Scope of ROE
• Steps for Framing ROE
• Clauses in ROE
Rules of Engagement (ROE)
Rules of engagement (ROE) are the formal permission to conduct a pen test, agreed before testing starts. The ROE helps testers overcome legal, federal, and policy-related restrictions on using different penetration testing tools and techniques.
Scope of ROE
The ROE should also clearly explain the limits associated with the security test. It includes:
• Specific IP addresses/ranges to be tested.
• Any restricted hosts (i.e., hosts, systems, subnets not to be tested).
• A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.).
• Times when testing is to be conducted (e.g., during business hours, after business hours, etc.).
• Identification of a finite period for testing.
Scope of ROE (cont'd)
ROE includes:
• IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks.
• Points of contact for the penetration testing team, the targeted systems, and the networks.
• Measures to prevent law enforcement being called with false alarms (created by the testing).
• Handling of information collected by the penetration testing team.
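The scope elements listed in the two Scope of ROE slides above (agreed IP ranges, restricted hosts, permitted techniques, the finite testing window, and giving administrators a record so they can tell the test from a real attack) can be encoded so that the testing tooling enforces them with a deny-by-default check. The following Python is an added example, not part of the EC-Council module; every address, technique name and date in it is constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class RoeScope:
    in_scope: tuple                # IP ranges (CIDR) agreed in the ROE
    restricted_hosts: frozenset    # hosts named as not to be tested
    allowed_techniques: frozenset  # testing techniques the ROE permits
    window_start: datetime         # agreed finite testing period
    window_end: datetime

    def check(self, target: str, technique: str, when: datetime):
        """Deny-by-default check of one planned action; returns (allowed, reason)."""
        ip = ipaddress.ip_address(target)
        if str(ip) in self.restricted_hosts:
            return False, "restricted host"
        if not any(ip in ipaddress.ip_network(net) for net in self.in_scope):
            return False, "outside agreed ranges"
        if technique not in self.allowed_techniques:
            return False, "technique not authorized"
        if not self.window_start <= when <= self.window_end:
            return False, "outside testing window"
        return True, "in scope"

SAMPLE_ROE = RoeScope(  # constructed: documentation address ranges, hypothetical dates
    in_scope=("192.0.2.0/24", "198.51.100.0/25"),
    restricted_hosts=frozenset({"192.0.2.10"}),  # e.g. a production host excluded by the ROE
    allowed_techniques=frozenset({"port-scan", "vuln-scan", "password-cracking"}),
    window_start=datetime(2024, 6, 1, 18, 0),    # after business hours only
    window_end=datetime(2024, 6, 2, 6, 0),
)

WHEN = datetime(2024, 6, 1, 20, 0)
SAMPLE_ACTIONS = [  # constructed: one action in scope, then one breach of each clause
    ("192.0.2.20", "port-scan", WHEN),
    ("192.0.2.10", "port-scan", WHEN),
    ("203.0.113.5", "vuln-scan", WHEN),
    ("192.0.2.20", "dos", WHEN),
    ("192.0.2.20", "port-scan", datetime(2024, 6, 1, 12, 0)),
]

def audit_lines(roe: RoeScope, actions) -> list:
    """Gate each planned action; the lines let administrators tell the test from a real attack."""
    out = []
    for target, technique, when in actions:
        allowed, reason = roe.check(target, technique, when)
        out.append(f"{when.isoformat()} {'ALLOW' if allowed else 'DENY'} {technique} {target} ({reason})")
    return out
```

Each audit line carries the source of the decision and the reason, so the point of contact on the target side can match it against their own alerts during the agreed window.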
Steps for Framing ROE
• Estimate the cost, time, and effort that the organization can invest
• Decide on the desired depth of penetration testing
• Have pre-contract discussions with different pen-testers
• Conduct brainstorming sessions with the top management and technical teams
Clauses in ROE
List of allowed and prohibited activities:
• The organization may allow some activities, like port scanning for offline cracking, and prohibit others, like password cracking, SQL injection, and DoS attacks
Definitions of test scope, limitations, and other activities for protecting the test team
Authorization of penetration testers for systems and
Clauses in ROE (cont'd)
Details about the level and reach of the pen-test
Definition of different types of allowed testing techniques
Information on activities, such as:
• Port and service identification
• Vulnerability scanning
• Security configuration review
• Password cracking
Clauses in ROE (cont'd)
Details on how organizational data is treated throughout and after the test
Details on how data should be transmitted during and after the test
Techniques for data exclusion from systems upon termination of the test
Summary
• Rules of engagement (ROE) are the formal permission to conduct the pen-test, agreed before testing starts.
• The scope should also clearly explain the limits associated with the security test.
• It prevents activities, such as installing and using executable files, that pose a greater risk to the system.