Your message has been sent.
This article has been saved to your account.
Go to my account
This article has been emailed to your Kindle.
Send this article
This article by Shakeel Ali and Tedi Heriyanto, authors of BackTrack 4: Assuring Security by Penetration Testing, covers a scope process to provide necessary guidelines on formalizing the test requirements. A scope process will introduce and describe each factor that builds a practical roadmap towards test execution. This process integrates several key elements, such as gathering client requirements, preparing a test plan, profiling test boundaries, defining business objectives, and project management and scheduling. You will learn to acquire and manage the information about the target's test environment.
|Read more about this book|
(For more resources on this subject, see here.)
Target Scoping is defined as an empirical process for gathering target assessment requirements and characterizing each of its parameters to generate a test plan, limitations, business objectives, and time schedule. This process plays an important role in defining clear objectives towards any kind of security assessment. By determining these key objectives one can easily draw a practical roadmap of what will be tested, how it should be tested, what resources will be allocated, what limitations will be applied, what business objectives will be achieved, and how the test project will be planned and scheduled. Thus, we have combined all of these elements and presented them in a formalized scope process to achieve the required goal. Following are the key concepts which will be discussed in this article:
- Gathering client requirements deals with accumulating information about the target environment through verbal or written communication.
- Preparing test plan depends on different sets of variables. These may include shaping the actual requirements into structured testing process, legal agreements, cost analysis, and resource allocation.
- Profiling test boundaries determines the limitations associated with the penetration testing assignment. These can be a limitation of technology, knowledge, or a formal restriction on the client's IT environment.
- Defining business objectives is a process of aligning business view with technical objectives of the penetration testing program.
- Project management and scheduling directs every other step of the penetration testing process with a proper timeline for test execution. This can be achieved by using a number of advanced project management tools.
It is highly recommended to follow the scope process in order to ensure test consistency and greater probability of success. Additionally, this process can also be adjusted according to the given situation and test factors. Without using any such process, there will be a greater chance of failure, as the requirements gathered will have no proper definitions and procedures to follow. This can lead the whole penetration testing project into danger and may result in unexpected business interruption. Paying special attention at this stage to the penetration testing process would make an excellent contribution towards the rest of the test phases and clear the perspectives of both technical and management areas. The key is to acquire as much information beforehand as possible from the client to formulate a strategic path that reflects multiple aspects of penetration testing. These may include negotiable legal terms, contractual agreement, resource allocation, test limitations, core competencies, infrastructure information, timescales, and rules of engagement. As a part of best practices, the scope process addresses each of the attributes necessary to kickstart our penetration testing project in a professional manner.
As we can see in the preceding screenshot, each step constitutes unique information that is aligned in a logical order to pursue the test execution successfully. Remember, the more information that is gathered and managed properly, the easier it will be for both the client and the penetration testing consultant to further understand the process of testing. This also governs any legal matters to be resolved at an early stage. Hence, we will explain each of these steps in more detail in the following section.
Gathering client requirements
This step provides a generic guideline that can be drawn in the form of a questionnaire to devise all information about target infrastructure from a client. A client can be any subject who is legally and commercially bounded to the target organization. Such that, it is critical for the success of the penetration testing project to identify all internal and external stakeholders at an early stage of a project and analyze their levels of interest, expectations, importance, and influence. A strategy can then be developed for approaching each stakeholder with their requirements and involvement in the penetration testing project to maximize positive influences and mitigate potential negative impacts. It is solely the duty of the penetration tester to verify the identity of the contracting party before taking any further steps.
The basic purpose of gathering client requirements is to open a true and authentic channel by which the pentester can obtain any information that may be necessary for the testing process. Once the test requirements have been identified, they should be validated by a client in order to remove any misleading information. This will ensure that the developed test plan is consistent and complete.
We have listed some of the commonly asked questions that can be used in a conventional customer requirements form and the deliverables assessment form. It is important to note that this list can be extended or shortened according to the goal of a client and that the client must retain enough knowledge about the target environment.
Customer requirements form
- Collecting company's information such as company name, address, website, contact person details, e-mail address, and telephone number.
- What are your key objectives behind the penetration testing project?
- Determining the penetration test type (with or without specific criteria):
- Black-box testing or external testing
- White-box testing or internal testing
- Informed testing
- Uninformed testing
- Social engineering included
- Social engineering excluded
- Investigate employees background information
- Adopt employee's fake identity
- Denial of Service included
- Denial of Service excluded
- Penetrate business partner systems
- How many servers, workstations, and network devices need to be tested?
- What operating system technologies are supported by your infrastructure?
- Which network devices need to be tested? Firewalls, routers, switches, modems, load balancers, IDS, IPS, or any other appliance?
- Is there any disaster recovery plan in place? If yes, who is managing it?
- Are there any security administrators currently managing your network?
- Is there any specific requirement to comply with industry standards? If yes, please list them.
- Who will be the point of contact for this project?
- What is the timeline allocated for this project? In weeks or days.
- What is your budget for this project?
- List any other requirements as necessary.
Deliverables assessment form
- What types of reports are expected?
- Executive reports
- Technical assessment reports
- Developer reports
- In which format do you want the report to be delivered? PDF, HTML, or DOC.
- How should the report be submitted? E-mail or printed.
- Who is responsible for receiving these reports?
By using such a concise and comprehensive inquiry form, you can easily extract the customer requirements and fulfill the test plan accordingly.
Preparing the test plan
As the requirements have been gathered and verified by a client, it is now time to draw a formal test plan that should reflect all of these requirements, in addition to other necessary information on legal and commercial grounds of the testing process. The key variables involved in preparing a test plan are a structured testing process, resource allocation, cost analysis, non-disclosure agreement, penetration testing contract, and rules of engagement. Each of these areas will be addressed with their short descriptions below:
- Structured testing process: After analyzing the details provided by our customer, it may be important to re-structure the BackTrack testing methodology. For instance, if the social engineering service was excluded then we would have to remove it from our formal testing process. This practice is sometimes known as Test Process Validation. It is a repetitive task that has to be visited whenever there is a change in client requirements. If there are any unnecessary steps involved during the test execution then it may result in a violation of the organization's policies and incur serious penalties. Additionally, based on the test type there would be a number of changes to the test process. Such that, white-box testing does not require information gathering and target discovery phase because the auditor is already aware of the internal infrastructure.
- Resource allocation: Determining the expertise knowledge required to achieve completeness of a test is one of the substantial areas. Thus, assigning a skilled penetration tester for a certain task may result in better security assessment. For instance, an application penetration testing requires a dedicated application security tester. This activity plays a significant role in the success of penetration testing assignment.
- Cost analysis: The cost for penetration testing depends on several factors. This may involve the number of days allocated to fulfill the scope of a project, additional service requirements such as social engineering and physical security assessment, and the expertise knowledge required to assess the specific technology. From the industry viewpoint, this should combine a qualitative and quantitative value.
- Non-disclosure Agreement (NDA): Before starting the test process it is necessary to sign the agreement which may reflect the interests of both parties "client" and "penetration tester". Using such a mutual non-disclosure agreement should clear the terms and conditions under which the test should be aligned. It is important for the penetration tester to comply with these terms throughout the test process. Violating any single term of agreement can result in serious penalties or permanent exemption from the job.
- Penetration testing contract: There is always a need for a legal contract which will reflect all the technical matters between the "client" and "penetration tester". This is where the penetration testing contract comes in. The basic information inside such contracts focus on what testing services are being offered, what their main objectives are, how they will be conducted, payment declaration, and maintaining the confidentiality of a whole project.
- Rules of engagement: The process of penetration testing can be invasive and requires clear understanding of what the assessment demands, what support will be provided by the client, and what type of potential impact or effect each assessment technique may have. Moreover, the tools used in the penetration testing processes should clearly state their purpose so that the tester can use them accordingly. The rules of engagement define all of these statements in a more detailed fashion to address the necessity of technical criteria that should be followed during the test execution.
By preparing each of these subparts of the test plan, you can ensure the consistent view of a penetration testing process. This will provide a penetration tester with more specific assessment details that has been processed from the client requirements. It is always recommended to prepare a test plan checklist which can be used to verify the assessment criteria and its underlying terms with the contracting party. One of such exemplary types of checklist is discussed in the following section.
eBook Price: $29.99
Book Price: $49.99
|Read more about this book|
(For more resources on this subject, see here.)
Test plan checklist
Following are some of the key statements that should be answered correctly before taking any further step into the scope process.
- Is the test scope defined clearly?
- Have all the testing entities been identified?
- Have all the non-testing entities been separately listed?
- Is there any specific testing process that will be followed?
- Is the testing process documented correctly?
- Will the deliverables be produced upon completion of a test process?
- Has the entire target environment been researched and documented before?
- Have all the roles and responsibilities been assigned for the testing activities?
- Is there any third-party contractor to accomplish technology-specific assessment?
- Have any steps been taken to bring the project to a graceful closure?
- Has the disaster recovery plan been identified?
- Has the cost of the test project been finalized?
- Have the people who will approve the test plan been identified?
- Have the people who will accept the test results been identified?
Profiling test boundaries
Understanding the limitations and boundaries of the test environment comes hand in hand from the client requirements which can be justified as intentional or non-intentional interests. These can be in the form of technology, knowledge, or any other formal restrictions imposed by the client on the infrastructure. Each of these limitations may cause serious interruption to the testing process and can be resolved by using alternative methods. However, it is important to note that certain restrictions cannot be modified, as they are administered by the client to control the process of penetration testing. We will discuss each of these generic types of limitations with their relevant examples below.
- Technology limitations: This kind of limitation occurs when the scope of a project is properly defined but the presence of a new technology in the network infrastructure does not let the auditor test it. This only happens when the auditor does not hold any pentesting tool which can assist in the assessment of this new technology. For instance, a company XYZ has introduced a robust GZ network firewall device that sits at the perimeter and works to protect the entire internal network. However, its implementation of proprietary methods inside the firewall does not let any firewall assessment tool work. Thus, there is always a need for an up-to-date solution which can handle the assessment of such a new technology.
- Knowledge limitations: When the scope of a project is properly defined except the resource allocation process, in which the assumption has been made that the current auditor holds enough knowledge about assessing the security of a whole IT environment. It misleads the whole testing process and can bring unexpected assessment results. This clearly happens because the knowledge of an auditor was narrow and he/she was not capable of testing certain technologies. For example, a dedicated database penetration tester would not be able to assess the physical security of a network infrastructure. Hence, it is good to divide the roles and responsibilities according to the skills and knowledge of the auditors to achieve the required goal.
- Other infrastructure restrictions: Certain test restrictions can be applied by the client to control the assessment process. This can be done by limiting the view of an IT infrastructure to only specific network devices and technologies that need assessment. Generally, this kind of restriction is introduced during the requirements gathering phase. For instance, test all the devices behind network segment "A" except the first router. Restrictions like these that are imposed by the client do not ensure the security of a router in the first place, which can lead to a compromise in the whole network, even if all the other network devices are hardened and security assured. Thus, proper thinking is always required before putting any such restrictions on penetration testing.
Profiling all of these limitations and restrictions is important, which can be observed while gathering the client requirements. It is the duty of a good auditor to dissect each requirement and hold the discussion with the client to pull or change any ambiguous restrictions which may cause interruption to the testing process or may result in a security breach in the near future. These limitations can also be overcome by introducing the highly skilled auditors and advanced set of tools and techniques for the assessment. Although by nature, certain technology limitations cannot be eliminated and may require extra time to develop their testing solution.
Defining business objectives
Based on the assessment requirements and the endorsement of services, it is vital to define the business objectives. This will ensure that the testing output should benefit a business from multiple aspects. Each of these business objectives is focused and structured according to the assessment requirement and can provide a clear view of the industry achievement. We have formatted some general business objectives that can be used to align with any penetration testing assignment. However, they can also be re-designed according to the change in requirements. This process is important and may require an auditor to observe and understand the business motives while maintaining the minimum level of standard before, during, and after the test is completed. Business objectives are the main source to bring the management and technical team together in order to support a strong proposition and idea of securing information systems. Based on different kinds of security assessments to be carried out, the following list of common objectives has been derived:
- Provide industry wide visibility and acceptance by maintaining regular security checks.
- Achieve the necessary standards and compliance by assuring the business integrity.
- Secures the information systems holding confidential data about the customers, employees, and other business entities.
- List the active threats and vulnerabilities found in the network infrastructure and help to create security policies and procedures that should thwart against known and unknown risks.
- Provide a smooth and robust business structure which would benefit its partners and clients.
- Retain the minimum cost for maintaining the security of an IT infrastructure. The security assessment measures the confidentiality, integrity, and availability of the business systems.
- Provide greater return on investment by eliminating any potential risks that might cost more, if exploited by a malicious adversary.
- Detail the remediation procedures that can be followed by a technical team at the concerning organization to close any open doors, and thus, reduce the operational burden.
- Follow the industry best practices and best-of-breed tools and techniques to evaluate the security of the information systems according to the underlying technology.
- Recommend any possible security solutions that should be used to protect the business assets.
Project management and scheduling
Managing the penetration testing project requires a thorough understanding of all the individual parts of the scope process. Once these scope objectives have been cleared, the project manager can coordinate with the penetration testing process to develop a formal outline that defines the project plan and schedule. Usually this task can be carried out by the penetration tester himself, but the cooperation of a client can bring positive attention to that part of the schedule. This is important because the test execution requires careful allotment of the timescale that should not exceed the declared deadline. Once the proper resources have been identified and allocated to carry certain tasks during the assessment period, it becomes necessary to draw a timeline depicting all those resources with their key parts in the penetration testing process.
The task is defined as a piece of work undertaken by the penetration tester. The resource can be a person involved in the security assessment or an ordinary source such as, lab equipment, which can be helpful in penetration testing. In order to manage these projects efficiently and cost effectively, there are a number project management tools available that can be used to achieve our mission. We have listed some important project management tools below. Selecting the best one depends on the environment and requirements of the testing criteria.
Using any of these powerful tools, the work of the penetration tester can easily be tracked and managed in accordance with their defined tasks and time period. Additionally, these tools provide the most advanced features, such as generating an alert for the project manager if the task is finished or the deadline has been crossed. There are many other positive facts which encourage the use of project management tools during the penetration testing assignment. These include efficiency in delivering services on time, improved test productivity and customer satisfaction, increased quality and quantity of work, and flexibility to control the work progress.
This article explains one of the first steps of the BackTrack testing process. The main objective of this article is to provide a necessary guideline on formalizing the test requirements. For this purpose, a scope process has been introduced to highlight and describe each factor that builds a practical roadmap towards test execution. The scope process is made of five independent elements. These are gathering client requirements, preparing test plan, profiling test boundaries, defining business objectives, and project management and scheduling. The aim of a scope process is to acquire and manage as much information as possible about the target environment which can be useful throughout the penetration testing process. As discussed in the article, we have summarized each part of the scope processes below.
- Gathering client requirements provide a practical guideline on what information should be gathered from a client or customer in order to conduct the penetration testing successfully. Covering the data on types of penetration testing, infrastructure information, organization profile, budget outlook, time allocation, and the type of deliverables are some of the most important areas that should be cleared at this stage.
- Preparing a test plan combines structured testing process, resource allocation, cost analysis, non-disclosure agreement, penetration testing contract, and rules of engagement. All these branches constitute a step-by-step process to prepare a formal test plan which should reflect the actual client requirements, legal and commercial prospects, resource and cost data, and the rules of engagement. Additionally, we have also provided an exemplary type of checklist which can be used to ensure the integrity of a test plan.
- Profiling test boundaries provides a guideline on what type of limitations and restrictions may occur while justifying the client requirements. These can be in the form of technology limitation, knowledge limitation, or other infrastructure restrictions posed by the client to control the process of penetration testing. These test boundaries can clearly be identified from the client requirements. There are certain procedures which can be followed to overcome these limitations.
- Defining business objectives focus on key benefits that a client may get from the penetration testing service. This section provides a set of general objectives that is structured according to the assessment criteria and the industry achievement.
- Project management and scheduling is a vital part of a scope process. Once all the requirements have been gathered and aligned according to the test plan, it's time to allocate proper resources and timescale for each identified task. By using some advanced project management tools, one can easily keep track of all these tasks assigned to specific resources under the defined timeline. This can help increase the test productivity and efficiency.
- Tips and Tricks on BackTrack 4 [Article]
- FAQs on BackTrack 4 [Article]
- BackTrack 4: Security with Penetration Testing Methodology [Article]
- Security and Disaster Recovery in PrestaShop 1.3 [Article]
- Blocking Common Attacks using ModSecurity 2.5 [Article]
- Telecommunications and Network Security Concepts for CISSP Exam [Article]
- Preventing SQL Injection Attacks on your Joomla Websites [Article]
eBook Price: $29.99
Book Price: $49.99
About the Author :
Shakeel Ali is a main founder and CTO of Cipher Storm Ltd, UK. His expertise in the security industry markedly exceeds the standard number of security assessments, compliance, governance, and forensic projects that he carries in day-to-day operations. As a senior security evangelist and having spent endless nights without taking a nap, he provides constant security support to various businesses and government institutions globally. He is an active independent researcher who writes various articles, whitepapers, and manages a blog at Ethical-Hacker.net. He regularly participates in BugCon Security Conferences, Mexico, to highlight the best-of-breed cyber security threats and their solutions from practically driven countermeasures.
Tedi Heriyanto currently works as a Senior Technical Consultant in an Indonesian information technology company. He has worked with several well-known institutions in Indonesia and overseas, in designing secure network architecture, deploying and managing enterprise-wide security systems, developing information security policies and procedures, doing information security audit and assessment, and giving information security awareness training. In his spare times, he manages to research, write various articles, participate in Indonesian Security Community activities, and maintain a blog site. He has shared his knowledge in information security by writing several information security and computer programming books.