Glen E. Clarke - CompTIA Pentest+ Certification For Dummies

Advance your existing career, or build a new one, with the PenTest+ certification
CompTIA PenTest+ Certification For Dummies, 2nd Edition

Verifying Acceptance to Risk

Earlier in this chapter, I discuss the importance of including a disclaimer in the SOW, and I want to stress again that as the penetration tester, you need to make the risk of performing a penetration test clear to the customer (in discussion and in the contract). Make sure the customer accepts those risks before starting the penetration test, as risk acceptance is critical to protecting yourself from legal action.

Some key points to communicate with the customer in relation to the acceptance of risk of the penetration test are:

Tools are used to try to compromise the security of the company’s systems.

Although you have tested the tools and they have not crashed your test systems, they could behave unpredictably in the customer's environment because of software and configurations that were not present in your test environment.

Stress that although you will not try to crash systems, the risk is there that systems may crash.

Verify that the customer has recent backups of the systems being assessed.

It is also important to verify the customer’s tolerance to the impact the assessment will have on the company’s systems. Here are some questions you can ask to verify the customer’s acceptance of the impact of the assessment:

Is the customer aware and okay with the fact that you are hacking into the company’s systems when performing the penetration test?

Does the customer accept that the system may fail if you run exploits against the system? If the customer is not willing to accept the crashing of a system, you may want to do a vulnerability assessment instead of a penetration test. The vulnerability assessment will review the configuration of the systems and run a vulnerability scan to determine how exposed the system is, but not actually try to hack the system.

If a system fails due to the penetration test, how long will it take to recover a failed system?

How long can the business survive without the asset or system in question? How much downtime is the customer willing to accept if it does occur?

Ensure the customer understands the risks of having a penetration test performed. It is possible that a pentest could crash a system or network and cause it to be offline for some time.

Scheduling the Pentest and Managing Scope Creep

Scheduling and scope creep are two important points to remember for the CompTIA PenTest+ certification exam as well as when you conduct a penetration test in the real world.

Scheduling

When discussing the details of the pentest with the customer during the pre-engagement phase, be sure to determine when the penetration test is to occur. Generally, pentests are scheduled to occur during any of the following timeframes:

During work hours (for example, 8 a.m. to 5 p.m.)

After work hours (for example, 6 p.m. to 6 a.m.)

On weekends (for example, 8 a.m. to 12 a.m.)

Be sure your emergency contacts are readily available during the penetration testing hours so that you can contact the appropriate person should any issues arise during the penetration test.

When preparing the budget, be sure to have a schedule set up for how long it will take to perform the penetration test. Table 2-1 illustrates a sample schedule, but know that the schedule will vary depending on the size of the organization being assessed and the number of resources you have available to perform the penetration test.

TABLE 2-1 A Sample Pentest Schedule

Activity   Activity Name                          Duration (Days)
1          Initial preparation                    3
2          Planning and scoping                   3
3          Kick-off meeting                       1
4          Initial assessment of environment      3
5          Information gathering                  5
6          Vulnerability assessment               5
7          Exploitation of systems                5
8          Physical security assessment           3
9          Wireless security assessment           3
10         Post-exploitation                      3
11         Clean-up                               3
12         Report preparation                     5
13         Report delivery and project closing    1

Scope creep

An important discussion to have during the planning and scoping phase of the penetration test is how to handle scope creep. Scope creep occurs when the size of the project — in this case the penetration test — continues to change or grow as the project continues. For the consulting pentester, scope creep is a nightmare: you have quoted the customer a cost for the penetration test based on how long you estimate the pentest will take. That length of time depends on the number of targets defined for the project, and if that number changes while the penetration test is occurring, the cost will go up! Increased costs typically do not sit well with the customer, so be very clear at the start that the cost is for the targets that have been defined within the scope of the project and that any newly discovered targets that arise while the penetration test is occurring will be an additional cost. Make sure the pentest team knows who to contact when a target that was not specified in the scope of the project is discovered during the pentest, so that you can determine how to continue.

If you discover additional company assets that are out of scope while performing the penetration test, be sure to bring it to the attention of the customer. If the customer wants the newly discovered asset added to the target list, let the customer know that doing so will increase the time and cost to complete the project.
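The two sections above (agreed testing windows, and flagging targets that fall outside the agreed scope) are the kind of engagement rules a pentest team typically encodes in its tooling so that nobody on the team touches a host outside the window or the target list by accident. The following is an added example written for this page, not code from the book or from CompTIA; the `Window` and `Engagement` classes, the `authorize` method, the sample scope (`10.20.0.0/24` and `portal.example.test`) and the escalation contact are all constructed for illustration. It handles the edge case the book's own timeframes raise: an after-hours window of 6 p.m. to 6 a.m. crosses midnight, and the early-morning tail belongs to the previous day's window.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import ipaddress

WEEKDAYS = frozenset({0, 1, 2, 3, 4})  # Monday..Friday (datetime.weekday numbering)
WEEKEND = frozenset({5, 6})            # Saturday, Sunday


@dataclass(frozen=True)
class Window:
    """An agreed testing window.

    `days` are the weekdays on which the window *starts*. If `end` is not later
    than `start`, the window runs past midnight into the following day
    (for example 6 p.m. to 6 a.m., or 8 a.m. to 12 a.m. meaning midnight).
    """
    days: frozenset
    start: time
    end: time

    def contains(self, ts: datetime) -> bool:
        t = ts.time()
        if self.start < self.end:  # same-day window, e.g. 8 a.m. to 5 p.m.
            return ts.weekday() in self.days and self.start <= t < self.end
        # Crosses midnight: either the evening part on a start day ...
        if ts.weekday() in self.days and t >= self.start:
            return True
        # ... or the early-morning tail that belongs to the previous day's window.
        previous_day = (ts - timedelta(days=1)).weekday()
        return previous_day in self.days and t < self.end


@dataclass
class Engagement:
    """Agreed scope, agreed windows and who to call when scope creep appears."""
    windows: list                # list of Window
    scope: list                  # ip_network objects and/or lowercase hostnames
    escalation_contact: str      # the customer contact named in the SOW

    def in_window(self, ts: datetime) -> bool:
        return any(w.contains(ts) for w in self.windows)

    def in_scope(self, target: str) -> bool:
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Not an IP literal: treat it as a hostname and compare case-insensitively.
            names = {s for s in self.scope if isinstance(s, str)}
            return target.lower() in names
        nets = [n for n in self.scope if not isinstance(n, str)]
        return any(addr in n for n in nets)

    def authorize(self, target: str, ts: datetime) -> tuple:
        """Return (verdict, note). Only 'authorized' means the action may proceed."""
        if not self.in_scope(target):
            return ("out_of_scope",
                    f"{target} is not in the agreed scope; stop and notify "
                    f"{self.escalation_contact} before continuing (possible scope creep)")
        if not self.in_window(ts):
            return ("out_of_window",
                    f"{ts:%a %H:%M} is outside the agreed testing windows; wait for the next window")
        return ("authorized", "")


# Constructed sample engagement (not from the book): after-hours testing on
# weekdays plus weekends from 8 a.m. until midnight, against one /24 and one host.
SAMPLE = Engagement(
    windows=[
        Window(WEEKDAYS, time(18, 0), time(6, 0)),   # Mon-Fri, 6 p.m. to 6 a.m.
        Window(WEEKEND, time(8, 0), time(0, 0)),     # Sat/Sun, 8 a.m. to 12 a.m.
    ],
    scope=[ipaddress.ip_network("10.20.0.0/24"), "portal.example.test"],
    escalation_contact="<customer IT contact from the SOW>",  # placeholder
)


if __name__ == "__main__":
    # Jan 9 2024 is a Tuesday; Jan 13 2024 is a Saturday.
    for target, ts in [
        ("10.20.0.17", datetime(2024, 1, 9, 20, 0)),    # Tue 8 p.m.  -> authorized
        ("10.20.0.17", datetime(2024, 1, 10, 3, 0)),    # Wed 3 a.m.  -> tail of Tue window
        ("10.20.0.17", datetime(2024, 1, 10, 10, 0)),   # Wed 10 a.m. -> out of window
        ("10.20.0.17", datetime(2024, 1, 15, 1, 0)),    # Mon 1 a.m.  -> weekend ended at midnight
        ("10.30.0.5", datetime(2024, 1, 13, 9, 0)),     # Sat 9 a.m.  -> out of scope
    ]:
        print(target, ts, SAMPLE.authorize(target, ts))
```

The check is deliberately conservative: an out-of-scope target is reported before the time window is even considered, because the book's advice is to stop and raise a newly discovered asset with the customer rather than fold it into the current run.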

Conducting Compliance-based Assessments

If the organization for which you are performing a penetration test is conducting a pentest to be in compliance with industry regulations, you may need to meet strict requirements when performing the assessment. It is important as a penetration tester to become familiar with the requirements of a compliance-based assessment. Know that the requirements are different in every industry, as they depend on the laws or regulations that govern each industry. Following are examples of industry-specific laws or regulations an organization must follow based on the industry the organization operates in:

Health Insurance Portability and Accountability Act (HIPAA), which controls the handling of health records.

Family Educational Rights and Privacy Act (FERPA), which allows parents access to educational records of their child.

Payment Card Industry Data Security Standard (PCI DSS), which secures debit and credit card information.

General Data Protection Regulation (GDPR), which is a regulation that covers the collection and protection of personal data in the European Union (EU). GDPR is also a regulation that includes laws surrounding the transfer of personal data to areas outside of Europe.

Considerations with compliance-based assessments