Rules of Engagement
School: University of Maryland, University College
Course: 321
Subject: Information Systems
Date: Feb 20, 2024
Uploaded by mdshay
Penetration Test Proposal Deliverable 1: Rules of Engagement
Course Number and Section: CMIT 321 6387
Date: 26 May 2020
Rules of Engagement
Overview
Centralia Security Lab (CSL) has been hired by Haverbrook Investment Group L.L.L.P. (HIG) to perform a penetration test (pentest) on their networks. These tests will determine the vulnerability of CSL’s networks and specifically identify potential vectors of malicious access (Information Supplement: Penetration Testing Guidance, 2017). These tests are meant to mimic real-life scenarios and, by identifying vulnerabilities, keep them from happening. Any identified security issues will be documented and issued to CSL stakeholders to assist in changes and updates to current security controls.
Scope
The CSL grey box pentest will cover HIG’s corporate network, including computers operating in the IP range of 10.4.12.20-31, the printer on 10.X.X, and all attached servers and networking systems. HIG can limit the scope of the pentest at any time, including barring access to specific IP ranges or IT systems. Testing will be conducted during regular business hours (9:00 AM to 5:00 PM) Monday through Friday. The testing will begin at an agreed-upon time with HIG’s stakeholders, leaving a five-day window open prior to the initiation of the pentest. At this point, stakeholders will be given an initial pentest brief, containing a general overview of the pentest. At the conclusion of each day, the testers will compile results to be sent to stakeholders the following morning. The pentest will last five days; after its conclusion, CSL will prepare an after-action report that will detail findings and recommendations.
Prior to the initiation of testing, HIG and CSL will ratify an agreement that will give permission to CSL to conduct the pentest. This agreement will also guarantee that HIG’s IT systems and data will not be compromised tangibly, legally, or ethically. HIG will encrypt any data regarding HIG’s networks and destroy any HIG data that has been accessed as a result of the pentest. CSL testers will also be bound by a non-disclosure agreement.
During the five-day testing window, reporting of criminal activity related to HIG’s networks will be routed through one of the company stakeholders to ensure that testing activity is not mistaken for criminal activity (EC-Council, n.d.).
Checklist
CSL will attempt the following actions:
- Discovery and enumeration of network
- Data Exfiltration
- Acquire user/administrator credentials and passwords
- Escalate permissions
- Install or alter software
- Gain access to secure files
- Social Engineering
CSL will use a number of tools to perform the pentest, such as Kali Linux, Nmap, and Wireshark.
Ethical Considerations
CSL’s pentest team will only engage the specified IP range during the specified times. The CSL team will not operate outside of these parameters or engage HIG networks in any way other than what has been previously specified.
The CSL team will also sign a non-disclosure agreement, protecting both sensitive information that may be observed by the team during the penetration test and information about any discovered network vulnerabilities.
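A scope gate for the constraints stated in the Scope and Ethical Considerations sections, as an added example that is not part of the original proposal. The `barred` parameter, the 17:00-exclusive cutoff and the client-local clock are assumptions; the printer is omitted because its address is elided on the page.

```python
from datetime import datetime, time
from ipaddress import IPv4Address, ip_network, summarize_address_range

# From the Scope section. The printer address is elided on the page
# ("10.X.X"), so it is not encoded here.
SCOPE_FIRST, SCOPE_LAST = IPv4Address("10.4.12.20"), IPv4Address("10.4.12.31")
# Assumption: times are client-local and 17:00 itself is already out of window.
WINDOW_START, WINDOW_END = time(9, 0), time(17, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday


def scope_cidrs():
    """The dash range as CIDR blocks, for tools that only accept CIDR."""
    return [str(n) for n in summarize_address_range(SCOPE_FIRST, SCOPE_LAST)]


def in_window(now: datetime) -> bool:
    return now.weekday() in WORKDAYS and WINDOW_START <= now.time() < WINDOW_END


def check_target(target: str, now: datetime, barred=()) -> str:
    """Return "ok" or the reason the target must not be touched.

    barred: CIDR strings the client has withdrawn from scope (hypothetical
    parameter modelling "HIG can limit the scope of the pentest at any time").
    """
    if not in_window(now):
        return "outside testing window"
    try:
        addr = IPv4Address(target)
    except ValueError:
        # Hostnames are refused: they could resolve to an out-of-scope address.
        return "not a literal IPv4 address"
    if not SCOPE_FIRST <= addr <= SCOPE_LAST:
        return "outside agreed IP range"
    if any(addr in ip_network(b) for b in barred):
        return "barred by client"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: Tuesday 26 May 2020, 10:00, one range barred mid-test.
    now = datetime(2020, 5, 26, 10, 0)
    for t in ["10.4.12.20", "10.4.12.25", "10.4.12.32", "fileserver"]:
        print(t, "->", check_target(t, now, barred=["10.4.12.24/30"]))
```

Logging each refusal with its reason gives the daily report a record that out-of-scope requests were blocked rather than attempted.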
References
EC-Council. Certified Ethical Hacker (CEH) Version 10 eBook (Volumes 1 through 4). [eVantage]. Retrieved from https://evantage.gilmoreglobal.com/#/books/9781635671919/
Information Supplement: Penetration Testing Guidance. (2017, September). Retrieved from https://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf