LPTv4 Module 13 Rules of Engagement_NoRestriction
Module Objective
This module will introduce you to the following:
• Rules of Engagement (ROE) between an organization and penetration testers
• Scope of ROE
• Steps for framing ROE
• Clauses in ROE
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Rules of Engagement (ROE)
Scope of ROE
Steps for Framing ROE
Clauses in ROE
Rules of Engagement (ROE)
Rules of engagement (ROE) is the formal, written permission to conduct the penetration test, agreed with the organization before testing starts.
Because it records the system owner's authorization, the ROE lets testers use penetration testing tools and techniques that would otherwise be blocked by legal, regulatory, and organizational policy restrictions. The ROE is what distinguishes an authorized test from an unauthorized attack, so it must be in writing and must cover every system and technique used.
Scope of ROE
The ROE should also clearly explain the limits associated with the security test.
ROE includes:
• Specific IP addresses/ranges to be tested.
• Any restricted hosts (i.e., hosts, systems, subnets not to be tested).
• A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.).
• Times when testing is to be conducted (e.g., during business hours, after business hours, etc.).
• Identification of a finite period for testing.
Scope of ROE (cont’d)
ROE includes:
• IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks.
• Points of contact for the penetration testing team, the targeted systems, and the networks.
• Measures to prevent law enforcement being called with false alarms (created by the testing).
• Handling of information collected by the penetration testing team.
Steps for Framing ROE
Estimate the cost, time, and effort that the organization can invest
Decide on the desired depth of penetration testing
Have pre-contract discussions with different pen-testers
Conduct brainstorming sessions with the top management and technical teams
Clauses in ROE
List of allowed and prohibited activities:
• The organization may allow some activities, such as port scanning, and prohibit others, such as password cracking, SQL injection, and DoS attacks
Definitions of test scope, limitations, and other activities for protecting the test team
Authorization of penetration testers for systems and network testing
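The scope items listed earlier (authorized IP ranges, restricted hosts, the tester source addresses, the agreed testing window) and the allowed/prohibited activity clause above are only useful if the test team actually checks every action against them before launching it. The following is an added example, not part of the EC-Council module: a small Python pre-flight check that rejects a proposed action unless the source host is one the client whitelisted, the target is inside an authorized range and not on the restricted-host list, the technique is on the allowed list, and the clock time falls inside the testing window (including windows that cross midnight). The ROE values, the addresses (RFC 5737 documentation ranges), and the technique names are constructed for the example and are not from the module.

```python
"""Pre-flight ROE check: refuse a test action unless every ROE constraint holds.

Added example; the ROE values, addresses (RFC 5737 documentation ranges) and
technique names below are constructed for illustration, not taken from the module.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope: tuple        # authorized target ranges (CIDR strings)
    excluded: tuple        # restricted hosts/subnets that must never be touched
    source_hosts: tuple    # tester machines the client has whitelisted
    window_start: time     # start of the agreed testing window (local time)
    window_end: time       # end of the window; may be earlier than start (overnight)
    allowed: frozenset     # techniques the ROE permits
    prohibited: frozenset  # techniques the ROE explicitly forbids


def _in_any(host: str, networks) -> bool:
    """True if host falls inside any of the given CIDR strings."""
    addr = ip_address(host)
    return any(addr in ip_network(net, strict=False) for net in networks)


def in_window(roe: RulesOfEngagement, when: datetime) -> bool:
    """Check the clock time against the ROE window, handling windows that cross midnight."""
    t = when.time()
    if roe.window_start <= roe.window_end:
        return roe.window_start <= t < roe.window_end
    return t >= roe.window_start or t < roe.window_end  # e.g. 22:00 -> 06:00


def check_action(roe: RulesOfEngagement, source: str, target: str,
                 technique: str, when: datetime) -> list:
    """Return every ROE violation for a proposed action; an empty list means proceed."""
    violations = []
    if not _in_any(source, roe.source_hosts):
        violations.append(f"source {source} is not a whitelisted tester host")
    # The restricted-host list wins over the in-scope ranges, so check it first.
    if _in_any(target, roe.excluded):
        violations.append(f"target {target} is on the restricted-host list")
    elif not _in_any(target, roe.in_scope):
        violations.append(f"target {target} is outside the authorized ranges")
    if technique in roe.prohibited:
        violations.append(f"technique '{technique}' is prohibited by the ROE")
    elif technique not in roe.allowed:
        violations.append(f"technique '{technique}' is not on the allowed list")
    if not in_window(roe, when):
        violations.append(f"{when:%H:%M} is outside the agreed testing window")
    return violations


# Constructed sample ROE for the demo (hypothetical values).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=("192.0.2.0/24", "198.51.100.0/25"),
    excluded=("192.0.2.10/32", "198.51.100.64/26"),   # e.g. a production DB and a payments subnet
    source_hosts=("203.0.113.5/32", "203.0.113.6/32"),
    window_start=time(22, 0),
    window_end=time(6, 0),
    allowed=frozenset({"port-scan", "service-identification", "vulnerability-scan"}),
    prohibited=frozenset({"dos", "password-cracking", "sql-injection"}),
)


def violations_at(hour: int, minute: int, target: str, technique: str,
                  source: str = "203.0.113.5") -> list:
    """Demo helper: evaluate an action against SAMPLE_ROE on a fixed constructed date."""
    return check_action(SAMPLE_ROE, source, target, technique,
                        datetime(2024, 1, 1, hour, minute))


if __name__ == "__main__":
    cases = [
        (23, 30, "192.0.2.20", "port-scan"),          # clean: in scope, allowed, in window
        (23, 30, "192.0.2.10", "port-scan"),          # restricted host
        (23, 30, "198.51.100.200", "port-scan"),      # outside the /25
        (23, 30, "192.0.2.20", "dos"),                # prohibited technique
        (12, 0, "192.0.2.20", "vulnerability-scan"),  # outside the window
    ]
    for h, m, tgt, tech in cases:
        print(f"{h:02d}:{m:02d} {tech:>22} -> {tgt:<16}", violations_at(h, m, tgt, tech) or "OK")
```

The check deliberately returns every violation rather than stopping at the first, so the tester sees all the reasons an action would breach the ROE. Restricted hosts are evaluated before the in-scope ranges because an excluded subnet normally sits inside a larger authorized range; checking the ranges first would wrongly approve it. A team would load the real ROE values from the signed document and call a check like this from the scan wrappers, and keep the list of proposed actions and decisions as part of the engagement record.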
Clauses in ROE (cont’d)
Details about the level and reach of the pen-test
Definition of the different types of allowed testing techniques
Information on activities, such as:
• Port and service identification
• Vulnerability scanning
• Security configuration review
• Password cracking
Clauses in ROE (cont’d)
Details on how organizational data is treated throughout and after the test
Details on how data should be transmitted during and after the test
Techniques for removing test data and tooling from systems upon termination of the test
Clear guidance on incident handling
Summary
Rules of engagement is the formal permission to conduct the pen-test, obtained before starting.
The scope should also clearly explain the limits associated with the security test.
It prevents activities, such as installing and running executable files, that pose a greater risk to the system.