Penetration Test - Planning and Scoping (2)
TARGET AUDIENCE AND ROE
- Know your target audience
- Who is sponsoring the pen test?
- What is the purpose of the test?
- Rules of engagement - governs the pen tester's activities
- Schedule - start, stop, temporal restrictions
- Team composition, location, access
- Test scope
- Technical/physical/personnel
- Target limits (inclusion, invasiveness, etc.)
Communication - How, When, Why
COMMUNICATION ESCALATION PATH
- Risks of pen testing
- Crashing devices, services, whole servers
- Corrupting data
- Degrading performance
- Terms of Service (TOS)/regulation/legislation violation
- Communication escalation path
- Who to contact if things go wrong
- Communication expectations (content, trigger, frequency)
QUICK REVIEW
- Know who is sponsoring the pen test and why
- Know what kinds of tests you can execute and what is off-limits
- Understand pen test risks
- Plan to communicate and know who to call and when