
ECSA/LPT
EC-Council

Module XIII
Rules of Engagement

Module Objective
This module will introduce you to the following:
Rules of Engagement (ROE) between an organization and penetration testers
Scope of ROE
Steps for framing ROE
Clauses in ROE

EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Module Flow

Rules of Engagement (ROE)

Scope of ROE

Steps for Framing ROE

Clauses in ROE


Rules of Engagement (ROE)

Rules of engagement (ROE) are the formal, written permission to conduct a penetration test, agreed and signed before any testing starts.
The ROE is what turns otherwise prohibited activity (port scanning, exploitation, password cracking) into authorized activity: it records the legal, regulatory, and policy exceptions the organization grants so that testers can use penetration-testing tools and techniques without exposing themselves or the organization to liability. Without a signed ROE, the same actions are indistinguishable from an attack.


Scope of ROE
The ROE should also clearly explain the limits associated with the security test.
ROE includes:
Specific IP addresses/ranges to be tested.
Any restricted hosts (i.e., hosts, systems, subnets not to be tested).
A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.).
Times when testing is to be conducted (e.g., during business hours, after business hours, etc.).
Identification of a finite period for testing.


Scope of ROE (contd)


ROE includes:
IP addresses of the machines from which penetration testing will be conducted, so that administrators can distinguish legitimate penetration-testing traffic from actual malicious attacks.
Points of contact for the penetration testing team, the targeted systems, and the networks.
Measures to prevent law enforcement from being called in response to false alarms raised by the testing.
Handling of information collected by the penetration testing team.
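The scope items above (target ranges, restricted hosts, allowed techniques, testing hours, a finite period, and the testers' own source addresses) are only useful if they are checked before each tool is launched. The following is an added example, not code from the EC-Council module: it encodes a sample ROE as data and refuses any action that falls outside it. All addresses, dates and technique names are constructed for illustration; the field and function names are this example's own.

```python
"""Pre-flight scope check against a penetration-test ROE (added example).

The ROE below is constructed for illustration; it is not from any real
engagement. Documentation address ranges (RFC 5737) are used throughout.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list           # networks the client has authorized for testing
    restricted: list         # hosts/subnets that must never be touched
    tester_sources: list     # networks the test traffic is allowed to come from
    allowed_techniques: set  # technique names the ROE permits
    window_start: time       # daily testing window (target's local time)
    window_end: time         # may be earlier than window_start (overnight window)
    period_start: datetime   # finite engagement period
    period_end: datetime


def in_window(roe, when):
    """True if the clock time of `when` falls inside the daily window.
    A window such as 18:00-06:00 wraps past midnight and is handled."""
    t = when.time()
    if roe.window_start <= roe.window_end:
        return roe.window_start <= t <= roe.window_end
    return t >= roe.window_start or t <= roe.window_end


def check_action(roe, target, source, technique, when):
    """Decide whether one action is covered by the ROE.

    `when` is a datetime or an ISO-8601 string. Returns (allowed, reason).
    Checks are ordered so the reason names the most serious problem: the
    time limits, then restricted hosts (which override in-scope ranges),
    then scope, the tester's source address, and finally the technique.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    t, s = ip_address(target), ip_address(source)
    if not roe.period_start <= when <= roe.period_end:
        return False, "outside the agreed test period"
    if not in_window(roe, when):
        return False, "outside the agreed testing hours"
    if any(t in net for net in roe.restricted):
        return False, f"{target} is a restricted host"
    if not any(t in net for net in roe.in_scope):
        return False, f"{target} is not in scope"
    if not any(s in net for net in roe.tester_sources):
        return False, f"source {source} is not a registered tester address"
    if technique not in roe.allowed_techniques:
        return False, f"technique '{technique}' is not permitted"
    return True, "permitted"


def permitted_targets(roe, candidates, source, technique, when):
    """Filter a candidate list (e.g. the output of a discovery sweep) down
    to the hosts that may actually be tested. Refusals are returned with
    their reason so the tester can record why each host was skipped."""
    allowed, refused = [], {}
    for host in candidates:
        ok, reason = check_action(roe, host, source, technique, when)
        if ok:
            allowed.append(host)
        else:
            refused[host] = reason
    return allowed, refused


def sample_roe():
    """A constructed ROE for illustration only."""
    return RulesOfEngagement(
        in_scope=[ip_network("10.20.0.0/24"), ip_network("192.0.2.0/24")],
        restricted=[ip_network("10.20.0.50"),       # e.g. a production domain controller
                    ip_network("192.0.2.128/25")],  # e.g. a payment-processing subnet
        tester_sources=[ip_network("203.0.113.0/28")],
        allowed_techniques={"port-scan", "vuln-scan", "offline-password-cracking"},
        window_start=time(18, 0), window_end=time(6, 0),  # after business hours only
        period_start=datetime(2024, 6, 3, 0, 0),
        period_end=datetime(2024, 6, 14, 23, 59),
    )


if __name__ == "__main__":
    roe = sample_roe()
    now = "2024-06-05T22:00"
    for host in ["10.20.0.15", "10.20.0.50", "192.0.2.130", "172.16.0.1"]:
        print(host, check_action(roe, host, "203.0.113.7", "port-scan", now))
```

Restricted hosts are checked before the in-scope ranges on purpose: a "do not touch" entry must win even when it sits inside an authorized range, and a wrapping overnight window is tested explicitly because "after business hours" is the common case and is easy to get wrong with a naive start-to-end comparison.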


Steps for Framing ROE

Estimate the cost, time, and effort the organization can invest

Decide on the desired depth of the penetration test

Hold pre-contract discussions with different pen-testers

Conduct brainstorming sessions with top management and the technical teams

Clauses in ROE
List of allowed and prohibited activities: the organization may allow some activities, such as port scanning or offline password cracking, and prohibit others, such as online password cracking, SQL injection and DoS attacks

Definitions of the test scope, its limitations, and other provisions for protecting the test team

Authorization of the penetration testers for systems and network testing

Clauses in ROE (contd)

Details about the level and reach of the pen-test

Definition of the different types of allowed testing techniques

Information on activities, such as:

Port and service identification

Vulnerability scanning

Security configuration review

Password cracking


Clauses in ROE (contd)

Details on how organizational data is treated throughout and after the test

Details on how data should be transmitted during and after the test

Procedures for removing test data and tooling from the organization's systems upon termination of the test

Clear guidance on incident handling



Summary

Rules of engagement are the formal permission to conduct the pen-test, agreed before testing starts.
The scope should clearly explain the limits associated with the security test.
It rules out activities, such as installing and running executable files on the target, that pose a greater risk to the system.
