ECSA/LPT EC-Council Module XIII: Rules of Engagement

LPTv4 Module 13 Rules of Engagement_NoRestriction


Module Objective

This module will introduce you to the following:

• Rules of Engagement (ROE) between an organization and penetration testers
• Scope of ROE
• Steps for framing ROE
• Clauses in ROE

EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Module Flow

• Rules of Engagement (ROE)
• Scope of ROE
• Steps for Framing ROE
• Clauses in ROE


Rules of Engagement (ROE)

Rules of engagement (ROE) is the formal permission to conduct the pen test, obtained before testing starts.

ROE helps testers to overcome legal, federal, and policy-related restrictions on the use of different penetration testing tools and techniques.


Scope of ROE

The ROE should also clearly explain the limits associated with the security test.

ROE includes:

• Specific IP addresses/ranges to be tested.
• Any restricted hosts (i.e., hosts, systems, subnets not to be tested).
• A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.).
• Times when testing is to be conducted (e.g., during business hours, after business hours, etc.).
• Identification of a finite period for testing.


Scope of ROE (cont’d)

ROE includes:

• IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks.

• Points of contact for the penetration testing team, the targeted systems, and the networks.

• Measures to prevent law enforcement from being called with false alarms (created by the testing).

• Handling of information collected by the penetration testing team.
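The scope items on these two slides (authorized ranges, restricted hosts, declared tester source addresses, testing hours, finite period) can be encoded as data and enforced as a gate before any test traffic is sent. The following Python is an added example, not EC-Council material; the addresses (RFC 5737 documentation ranges) and dates in it are constructed, and the after-hours window that spans midnight is handled explicitly.

```python
# Added example (not from the EC-Council module): an ROE scope encoded as data,
# with a gate every proposed target must pass before any test traffic is sent.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """Machine-checkable subset of an ROE: scope, exclusions, sources, schedule."""
    in_scope: list[str]        # CIDRs/hosts explicitly authorized for testing
    excluded: list[str]        # restricted hosts/subnets that must never be touched
    tester_sources: list[str]  # addresses the team tests from (for admin allow-lists)
    window_start: time         # daily testing window (may span midnight)
    window_end: time
    period_start: datetime     # the finite engagement period
    period_end: datetime

    def _in_window(self, now: time) -> bool:
        if self.window_start <= self.window_end:
            return self.window_start <= now < self.window_end
        return now >= self.window_start or now < self.window_end  # e.g. 18:00-06:00

    def check(self, target: str, source: str, when_iso: str) -> tuple[bool, str]:
        """Return (allowed, reason). Exclusions always win over in-scope ranges."""
        t, s, when = ip_address(target), ip_address(source), datetime.fromisoformat(when_iso)
        if not (self.period_start <= when < self.period_end):
            return False, "outside the agreed engagement period"
        if not self._in_window(when.time()):
            return False, "outside the daily testing window"
        if not any(s in ip_network(n) for n in self.tester_sources):
            return False, f"source {source} is not a declared tester address"
        if any(t in ip_network(n) for n in self.excluded):
            return False, f"target {target} is on the restricted-host list"
        if not any(t in ip_network(n) for n in self.in_scope):
            return False, f"target {target} is not in an authorized range"
        return True, "authorized"


# Constructed sample ROE using RFC 5737 documentation addresses and made-up dates.
EXAMPLE_ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24"],
    excluded=["192.0.2.10", "192.0.2.128/25"],   # e.g. production DB, partner subnet
    tester_sources=["203.0.113.5"],
    window_start=time(18, 0), window_end=time(6, 0),  # after business hours only
    period_start=datetime(2024, 3, 1), period_end=datetime(2024, 3, 15),
)

if __name__ == "__main__":
    for target in ["192.0.2.20", "192.0.2.10", "192.0.2.200", "198.51.100.7"]:
        print(target, EXAMPLE_ROE.check(target, "203.0.113.5", "2024-03-05T22:00"))
```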


Steps for Framing ROE

• Estimate cost, time, and effort that the organization can invest
• Decide on the desired depth for penetration testing
• Have pre-contract discussions with different pen-testers
• Conduct brainstorming sessions with the top management and technical teams

Clauses in ROE

List of allowed and prohibited activities:

• Organization may allow some activities like port scanning for offline cracking and prohibit others like password cracking, SQL injection, and DoS attacks.

Definitions of test scope, limitations, and other activities for protecting the test team

Authorization of penetration testers for systems and network testing

Clauses in ROE (cont’d)

Details about the level and reach of the pen-test

Definition of different types of allowed testing techniques

Information on activities, such as:

• Port and service identification
• Vulnerability scanning
• Security configuration review
• Password cracking

Clauses in ROE (cont’d)

Details on how organizational data is treated throughout and after the test

Details on how data should be transmitted during and after the test

Techniques for data exclusion from systems upon termination of the test

Clear guidance on incident handling

Summary

Rules of engagement (ROE) is the formal permission to conduct the pen-test, obtained before testing starts.

The scope should also clearly explain the limits associated with the security test.

It prevents activities, such as installing and using executable files, that pose a greater risk to the system.
