Glen E. Clarke - CompTIA Pentest+ Certification For Dummies
CompTIA PenTest+ Certification For Dummies, 2nd Edition
Following are some limitations and caveats to keep in mind with regard to compliance-based assessments:
Rules to complete the assessment: Each regulation or standard has strict rules on how the penetration test is to be performed and what to look for in the assessment. For example, the PCI DSS includes strict requirements on the use of firewalls to restrict communication with equipment that holds cardholder data, and encryption requirements for transferring credit card data across public networks.
Password policies: To be compliant, an organization may have to follow strict requirements on passwords and password policies. For example, you may need to assess the company’s password policy and ensure that the company employees use strong passwords, change passwords frequently, and cannot use a password they used previously.
Data isolation: Due to laws or regulations you may need to ensure that certain types of data are separated from other types of data. For example, with PCI DSS, a company must ensure that credit and debit card data is isolated from the rest of the company data. As another example, in a bring-your-own-device (BYOD) environment, you may need to ensure that mobile devices partition personal data from business data so that business data can be remotely wiped if needed.
Key management: You may need to assess the use and storage of encryption keys as well as assess the company’s backup policies or the archival of encryption keys to allow recovery of sensitive data.
Limitations: You may need to assess for limitations placed on resources such as systems, devices, and data. For example, there may be strict rules that certain types of systems must not be accessible from the Internet.
Limited network access: You may need to ensure that the network is segmented so that a specific type of system is controlled and can only be reached from a particular network segment. For example, with PCI DSS, the credit card processing system must be on a separate network segment from regular company systems.
Limited storage access: You may need to assess that the company is controlling access to data and that only specified personnel have access to sensitive data. Again, looking at PCI DSS, the pentester would validate that access to card data is limited and protected.
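The segmentation and data-isolation items above are typically validated by reviewing the firewall policy between the cardholder data environment (CDE) and the rest of the company. The following is an added example, not code from the book, of a small audit script that flags allow rules letting non-permitted segments reach the CDE. The segment names, the addressing (10.10.0.0/24 for the CDE, 10.20.0.0/16 for corporate, 10.30.0.0/24 for management), and the rule tuples are all constructed sample data, and the idea that only the management segment may reach the CDE is an assumed policy.

```python
"""Added example (not from the book): audit a firewall policy for rules that
allow non-permitted network segments to reach the cardholder data environment.
All segments, addresses and rules below are constructed sample data."""
import ipaddress

# Constructed sample segments; the addressing is assumed, not from a real network.
SEGMENTS = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),        # card processing systems
    "corporate": ipaddress.ip_network("10.20.0.0/16"),  # regular company systems
    "mgmt": ipaddress.ip_network("10.30.0.0/24"),       # jump hosts allowed into the CDE
}

# Assumed policy: only the management segment may initiate traffic into the CDE.
ALLOWED_SOURCES_INTO_CDE = {"mgmt"}

# Constructed sample firewall policy as (source CIDR, destination CIDR, dst port, action).
RULES = [
    ("10.30.0.0/24", "10.10.0.0/24", 22, "allow"),
    ("10.20.0.0/16", "10.10.0.0/24", 443, "allow"),   # breaks the CDE segmentation
    ("0.0.0.0/0", "10.10.0.0/24", "any", "deny"),
]


def find_segmentation_violations(rules, segments, allowed_sources):
    """Return every allow rule whose destination touches the CDE and whose
    source overlaps a segment that is not permitted to reach the CDE.

    Each violation records the offending segment and the rule, so the finding
    can be quoted directly in the assessment report."""
    cde = segments["cde"]
    violations = []
    for src, dst, port, action in rules:
        if action != "allow":
            continue  # deny rules cannot open a path into the CDE
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(cde):
            continue  # rule does not reach the CDE at all
        for name, net in segments.items():
            if name == "cde" or name in allowed_sources:
                continue  # intra-CDE traffic and permitted sources are fine
            if src_net.overlaps(net):
                violations.append({
                    "source_segment": name,
                    "rule": (src, dst, port, action),
                })
    return violations


if __name__ == "__main__":
    for finding in find_segmentation_violations(RULES, SEGMENTS, ALLOWED_SOURCES_INTO_CDE):
        print(f"segmentation violation from '{finding['source_segment']}': {finding['rule']}")
```

The check treats each allow rule on its own and does not model rule ordering, so a broad allow that a real firewall would shadow with an earlier deny is still reported; for a compliance review that is the conservative behaviour, since such rules tend to become live when the policy is later reordered. Source overlap is used rather than exact match so that a wide rule such as 0.0.0.0/0 is caught as well.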
Restrictions with compliance-based assessments
When performing a penetration test for compliance reasons, you want to be aware of how a regulation can alter how the penetration test is performed due to the restrictions the regulation imposes. Following are some examples of restrictions that could exist with compliance-based assessments:
Location restrictions: You may find that depending on the type of compliance-based assessment, there may be strict rules on visitors to a particular location.
Country limitations: Depending on the types of regulations, there could be strict rules on access to information and handling of information based on laws in a particular country.
Tool restrictions: You may find that to be compliant you are limited in the tools that can be used during an assessment. For example, there could be strict rules on the types of testing, such as not being allowed to perform a DoS attack.
Local laws: You should review the local laws where the penetration test is being performed to ensure you are not breaking any laws.
Local government requirements: The local government may have strict requirements on the organization being tested depending on the industry. For example, the healthcare industry has strict requirements surrounding the privacy of patient data.
It is important to stress that there are clearly defined objectives based on regulations. For example, if the organization is processing credit cards, the organization must be compliant with PCI DSS by following the objectives and requirements set by PCI DSS. (You can view the Requirements and Security Assessment Procedures document at https://www.pcisecuritystandards.org/document_library.)
Validate scope of engagement
Before moving out of the planning and scoping phase it is important to validate the scope of the engagement with the customer. Following are key tasks to perform that help validate the scope of the engagement:
Question the client and review contracts: Before moving to the information gathering phase, be sure you review the scope of the assessment with the client and review the signed contracts.
Time management: Review the timeline of the penetration test and be sure to review the times of day during which you are allowed to perform testing. Customers may require the pentest be performed during the day so that someone is available to handle any incidents that may arise (such as a system crash). At each step of the way, verify your timeline to ensure the project is on track.
Maintaining professionalism and integrity
Maintaining professionalism and integrity is critical to the success of any company performing a penetration test, and to the pentesters themselves. For a penetration test to be successful, you should follow these guidelines to maintain professionalism and integrity:
Perform background checks of the penetration testing team. Ensure you perform background checks and criminal records checks on all members of the penetration testing team.
Adhere to the specific scope of engagement. Ensure the scope of the engagement is followed at all times. It is important to monitor adherence to the scope throughout the penetration test.
Identify criminal activity. During a penetration test always keep a close eye out for any criminal activity against the target.
Report breaches and/or criminal activity immediately. If you notice a prior security breach on a target or any criminal activity against a target, pause the penetration test and immediately report the evidence of a prior compromise or criminal activity to the client.
Limit the use of tools to a particular engagement. Ensure you limit the tools used during a penetration test to those appropriate to the scope of the test. For example, if the RoE states that there should be no DoS attacks against systems, then ensure none of the tools are DoS tools.
Limit invasiveness based on scope. Remember to limit the type of testing to testing that matches the scope of the engagement.
Maintain confidentiality of data and information. Always maintain confidentiality of the penetration test including data and information found and the results of the penetration test.
For the PenTest+ certification exam, remember that if you see evidence of a prior compromise or criminal activity, you should pause the penetration test and report the evidence to the client.
Risks to the professional
It is important to know that when you perform a penetration test, there are risks involved to the penetration tester:
Fees/fines: If you do not follow the scope of the engagement or the RoE, you may find yourself in a legal battle and may end up paying fines and fees based on the damage done.
Criminal charges: Hacking into systems without proper authorization is illegal. This includes penetration testing. If you do not get permission from an authorized individual, such as the owner of the asset, you could find that criminal charges are laid against you.
For the PenTest+ certification exam, you are expected to understand the risks involved with being a penetration tester. Be sure to know those for the exam!