FedRAMP PENETRATION TEST GUIDANCE · PENETRATION TEST GUIDANCE Version 2.0 ... NETWORK INFORMATION GATHERING/DISCOVERY ... Security Assessment Plan Template for more information …

FedRAMP PENETRATION TEST

GUIDANCE

Version 2.0

November 24, 2017

|i

DOCUMENT REVISION HISTORY

DATE VERSION PAGE(S) DESCRIPTION AUTHOR

06/30/2015 1.0 All FirstRelease FedRAMPPMO

07/06/2015 1.0.1 All Minorcorrectionsandedits FedRAMPPMO

06/06/2017 1.0.1 Cover UpdatedFedRAMPlogo FedRAMPPMO

11/24/2017 2.0 All Updatedtothenewtemplate FedRAMPPMO

ABOUT THIS DOCUMENT

ThepurposeofthisdocumentistoprovideguidelinesfororganizationsregardingplanningandconductingPenetrationTestingandanalyzingandreportingonthefindings.

APenetrationTestisaproactiveandauthorizedexercisetobreakthroughthesecurityofanITsystem.ThemainobjectiveofaPenetrationTestistoidentifyexploitablesecurityweaknessesinaninformationsystem.Thesevulnerabilitiesmayincludeserviceandapplicationflaws,improperconfigurations,andriskyend-userbehavior.APenetrationTestalsomayevaluateanorganization’ssecuritypolicycompliance,itsemployees’securityawareness,andtheorganization'sabilitytoidentifyandrespondtosecurityincidents.

WHO SHOULD USE THIS DOCUMENT

Thefollowingindividualsshouldreadthisdocument:

§ CloudServiceProviders(CSP)shouldusethisdocumentwhenpreparingtoperformaPenetrationTestontheircloudsystem

§ ThirdPartyAssessorOrganizations(3PAO)shouldusethisdocumentwhenplanning,executing,andreportingonPenetrationTestingactivities

§ AuthorizingOfficials(AO)shouldusethisdocumentwhendevelopingandevaluatingPenetrationTestplans.

|ii

HOW THIS DOCUMENT IS ORGANIZED

Thisdocumentisdividedintothefollowingprimarysectionsandappendices:

Table 1 : Document Sect ion Table

SECTION CONTENTS

Section1 DocumentScope

Section2 DefinitionsandAssumptions

Section3 AttackVectors

Section4 ScopingThePenetrationTest

Section5 PenetrationTestMethodologyandRequirements

Section6 Reporting

Section7 TestScheduleRequirements

Section8 3PAOStaffingRequirements

AppendixA Tableofacronymsusedinthisdocument

AppendixB References

AppendixC RulesofEngagement/TestPlan

HOW TO CONTACT US

QuestionsaboutFedRAMPorthisdocumentshouldbedirectedtoinfo@fedramp.gov.

FormoreinformationaboutFedRAMP,visitthewebsiteathttp://www.fedramp.gov.

|iii

TABLE OF CONTENTS

DOCUMENTREVISIONHISTORY..........................................................................................................I

1. SCOPE........................................................................................................................................1

2. DEFINITIONS&THREATS............................................................................................................22.1. DEFINITIONS................................................................................................................................22.2. THREATMODELS..........................................................................................................................32.3. THREATMODELING......................................................................................................................4

3. ATTACKVECTORS.......................................................................................................................53.1. EXTERNALTOCORPORATE–EXTERNALUNTRUSTEDTOINTERNALUNTRUSTED..........................63.2. EXTERNALTOTARGETSYSTEM–EXTERNALUNTRUSTEDTOEXTERNALTRUSTED........................73.3. TARGETSYSTEMTOCSPMANAGEMENTSYSTEM–EXTERNALTRUSTEDTOINTERNALTRUSTED.83.4. TENANTTOTENANT–EXTERNALTRUSTEDTOEXTERNALTRUSTED.............................................93.5. CORPORATETOCSPMANAGEMENTSYSTEM–INTERNALUNTRUSTEDTOINTERNALTRUSTED..103.6. MOBILEAPPLICATION–EXTERNALUNTRUSTEDTOEXTERNALTRUSTED....................................11

4. SCOPINGTHEPENETRATIONTEST............................................................................................11

5. PENETRATIONTESTMETHODOLOGYANDREQUIREMENTS......................................................125.1. INFORMATIONGATHERING&DISCOVERY..................................................................................135.2. WEBAPPLICATION/APITESTINGINFORMATIONGATHERING/DISCOVERY..................................145.3. MOBILEAPPLICATIONINFORMATIONGATHERING/DISCOVERY.................................................145.4. NETWORKINFORMATIONGATHERING/DISCOVERY....................................................................155.5. SOCIALENGINEERINGINFORMATIONGATHERING/DISCOVERY..................................................165.6. SIMULATEDINTERNALATTACKINFORMATIONGATHERING/DISCOVERY....................................165.7. EXPLOITATION...........................................................................................................................165.7.1. WEBAPPLICATION/APIEXPLOITATION..................................................................................175.7.2. MOBILEAPPLICATIONEXPLOITATION....................................................................................175.7.3. NETWORKEXPLOITATION......................................................................................................175.7.4. SOCIALENGINEERINGEXPLOITATION....................................................................................185.7.5. SIMULATEDINTERNALATTACKEXPLOITATION......................................................................185.8. POST-EXPLOITATION..................................................................................................................195.8.1. WEBAPPLICATION/APIPOST-EXPLOITATION.........................................................................205.8.2. MOBILEAPPLICATIONPOST-EXPLOITATION..........................................................................205.8.3. NETWORKPOST-EXPLOITATION.............................................................................................205.8.4. SOCIALENGINEERINGPOST-EXPLOITATION..........................................................................215.8.5. SIMULATEDINTERNALATTACKPOST-EXPLOITATION............................................................21

6. REPORTING..............................................................................................................................21

|iv

6.1. SCOPEOFTARGETSYSTEM...............................................................................................................216.2. ATTACKVECTORSADDRESSEDDURINGTHEPENETRATIONTEST....................................................216.3. TIMELINEFORASSESSMENTACTIVITY..............................................................................................216.4. ACTUALTESTSPERFORMEDANDRESULTS.......................................................................................226.5. FINDINGSANDEVIDENCE..................................................................................................................226.6. ACCESSPATHS...................................................................................................................................22

7. TESTINGSCHEDULEREQUIREMENTS.........................................................................................22

8. THIRDPARTYASSESSMENTORGANIZATION(3PAO)STAFFINGREQUIREMENTS.......................22

APPENDIXA: FEDRAMPACRONYMS...........................................................................................24

APPENDIXB: REFERENCES..........................................................................................................25

APPENDIXC: ROE/TESTPLANTEMPLATE........................................................................................26RULESOFENGAGEMENT/TEST PLAN.........................................................................................................26SYSTEMSCOPE...............................................................................................................................................27ASSUMPTIONSAND LIMITATIONS................................................................................................................27TESTINGSCHEDULE........................................................................................................................................27TESTINGMETHODOLOGY...............................................................................................................................27RELEVANTPERSONNEL...................................................................................................................................27INCIDENTRESPONSE PROCEDURES..............................................................................................................28EVIDENCEHANDLING PROCEDURES.............................................................................................................28

LIST OF FIGURES

Figure1.SampleTargetSystem.........................................................................................................................................6Figure2.ExternaltoCorporateAttackVector...................................................................................................................7Figure3.ExternaltoTargetSystemAttackVector............................................................................................................8Figure4.TargetSystemtoCSPManagementSystem.......................................................................................................9Figure5.TenanttoTenantAttackVector........................................................................................................................10Figure6.CorporatetoCSPManagementSystemAttackVector.....................................................................................11

|v

LIST OF TABLES Table1–DocumentSectionTable....................................................................................................................................iiTable2–CloudServiceClassification................................................................................................................................1Table3–TypesofAttacks.................................................................................................................................................5Table4–AttackVectorSummary......................................................................................................................................5Table5–DiscoveryActivities...........................................................................................................................................14Table6–MobileApplicationInformationGathering/Discovery.....................................................................................15Table7–NetworkInformationGathering/Discovery......................................................................................................15Table8–SocialEngineeringInformationGathering/Discovery......................................................................................16Table9–SimulatedInternalAttackGathering/Discovery...............................................................................................16Table10–WebApplication/APIExploitation..................................................................................................................17Table11–MobileApplicationExploitation.....................................................................................................................17Table12–NetworkExploitation......................................................................................................................................18Table13–SocialEngineerExploitation...........................................................................................................................18Table14–SimulatedInternalAttackExploitation...........................................................................................................19Table15–Post-Exploitation............................................................................................................................................19Table16–WebApplication/APIPost-Exploitation..........................................................................................................20Table17–NetworkPost-Exploitation.............................................................................................................................20Table18–3PAOStaffingRequirements..........................................................................................................................23

|1

1. SCOPE

TheFederalRiskandAuthorizationManagementProgram(FedRAMP)requiresthatPenetrationTestingbeconductedincompliancewiththefollowingguidance:

§ NISTSP800-115TechnicalGuidetoInformationSecurityTestingandAssessment,September2008

§ NISTSP800-145TheNISTDefinitionofCloudComputing,September2011

§ NISTSP800-53SecurityandPrivacyControlsforFederalInformationSystemsandOrganizations,Revision4,April2013,withupdatesasofJanuary2015

§ NISTSP800-53AAssessingSecurityandPrivacyControlsinFederalInformationSystemsandOrganizations:BuildingEffectiveAssessmentPlans,Revision4,December2014

FedRAMPalsorequiresthatCSPproductsandsolutions(cloudservice)undergoingaFedRAMPassessmentandPenetrationTestmustbeclassifiedasaSaaS,PaaS,orIaaS.Insomescenarios,itmaybeappropriatetoapplymultipledesignationstoacloudservice.Table2belowshowsthedefinitionsofthesethreeservicetypes.

Table 2 – Cloud Serv ice Class i f icat ion

CLOUD SERVICE MODEL NIST DESCRIPTION

SoftwareasaService(SaaS)

Thecapabilityprovidedtotheconsumeristousetheprovider’sapplicationsrunningonacloudinfrastructure.Theapplicationsareaccessiblefromvariousclientdevicesthrougheitherathin-clientinterface,suchasawebbrowser(e.g.,web-basedemail),oraprograminterface.Theconsumerdoesnotmanageorcontroltheunderlyingcloudinfrastructureincludingnetwork,servers,operatingsystems,storage,orevenindividualapplicationcapabilities,withthepossibleexceptionoflimiteduser-specificapplicationconfigurationsettings.

PlatformasaService(PaaS)

Thecapabilityprovidedtotheconsumeristodeployontothecloudinfrastructureconsumer-createdoracquiredapplicationscreatedusingprogramminglanguages,libraries,services,andtoolssupportedbytheprovider.Theconsumerdoesnotmanageorcontroltheunderlyingcloudinfrastructureincludingnetwork,servers,operatingsystems,orstorage,buthascontroloverthedeployedapplicationsandpossiblyconfigurationsettingsfortheapplication-hostingenvironment.

InfrastructureasaService(IaaS)

Thecapabilityprovidedtotheconsumeristoprovisionprocessing,storage,networks,andotherfundamentalcomputingresourceswheretheconsumerisabletodeployandrunarbitrarysoftware,whichcanincludeoperatingsystemsandapplications.Theconsumerdoesnotmanageorcontroltheunderlyingcloudinfrastructure,buthascontroloveroperatingsystems,storage,anddeployedapplications;andpossiblylimitedcontrolofselectnetworkingcomponents(e.g.,hostfirewalls).

|2

Allcomponents,associatedservices,andaccesspaths(internal/external)withinthedefinedtestboundaryoftheCSPsystemmustbescopedandassessed.TheRulesofEngagement(ROE)mustidentifyanddefinetheappropriatetestingmethod(s)andtechniquesassociatedwithexploitationoftherelevantdevicesand/orservices.

PenetrationTestingmayrequire:

§ NegotiationandagreementwiththirdpartiessuchasInternetServiceProviders(ISP),ManagedSecurityServiceProviders(MSSP),facilityleaseholders,hostingservices,and/orotherorganizationsinvolvedin,oraffectedby,thetest.Insuchscenarios,theCSPisresponsibleforcoordinationandobtainingapprovalsfromthirdpartiespriortothecommencementoftesting.

§ Tolimitimpactonbusinessoperations,thecompleteorpartialtestingmaybeconductedinanon-productionenvironmentaslongasitisidenticaltotheproductionenvironmentandhasbeenvalidatedbythe3PAO.Forinstance,ifaCSPhastwoidenticallocations,aPenetrationTestononelocationmaysuffice.Inthiscase,theenvironmentsmustbeexactlythesame,notalmost,nearly,orvirtually.

§ Whenthecloudsystemhasmultipletenants,theCSPmustbuildatemporarytenantenvironmentifanothertenantenvironmentsuitablefortestingdoesnotexist.

ThePenetrationTestplanmustincludeactualtestingofalltheattackvectorsdescribedinSection3beloworexplainwhyaparticularvectorwasnotapplicable.TheIndependentAssessors(IA)mayincludeadditionalattackvectorstheybelieveareappropriate.SeeAppendixC:ROE/TestPlanTemplateformoreinformationregardingtestplans.

2. DEFINITIONS & THREATS

ToestablishabaselineandcontextforFedRAMPPenetrationTesting,thefollowingtermsareusedtodescribeproposedcloudservices.

2.1. DEFINITIONS

Thefollowingisalistofdefinitionsforthisdocument.

§ Corporate–InternalCSPnetworkaccessoutsidetheauthorizationboundary.

§ InsiderThreat–AthreatthatisposedbyanemployeeorathirdpartyactingonbehalfoftheCSP.

§ ManagementSystem–Abackendapplicationorinfrastructuresetupthatfacilitatesadministrativeaccesstothecloudservice.TheManagementSystemisaccessibleonlybyCSPpersonnel.

|3

§ Roles–Accesslevelsandprivilegesofauser.

§ System–Thecloudservicethatisofferedtogovernmentcustomers.

§ Target–TheapplicationorcloudservicethatwillbeevaluatedduringthePenetrationTest.

§ Tenant–Acustomerinstanceofthecloudservice.

2.2. THREAT MODELS

ForFedRAMPthreatmodelswithmultipletenants,theCSPmustbuildatemporarytenantenvironmentifanothertenantenvironmentsuitablefortestingdoesnotexist.

ThePenetrationTestplanmustinclude:

§ Adescriptionoftheapproach,constraints,andmethodologiesforeachplannedattack

§ AdetailedTestSchedulethatspecifiestheStartandEndDate/TimesandcontentofeachtestperiodandtheoverallPenetrationTestbeginningandenddates

§ TechnicalPointsofContact(POC)withabackupforeachsubsystemand/orapplicationthatmaybeincludedinthePenetrationTest

ThePenetrationTestRulesofEngagement(ROE)describesthetargetsystems,scope,constraints,andpropernotificationsanddisclosuresofthePenetrationTest.TheIAdevelopstheROEbasedontheparametersprovidedbytheCSP.TheROEmustbedevelopedinaccordancewithNationalInstituteofStandardsandTechnology(NIST)SpecialPublication(SP)800-115,AppendixB,andbeapprovedbytheauthorizingofficialsoftheCSPpriortotesting.SeeSection6,RulesofEngagement,oftheFedRAMPSecurityAssessmentPlanTemplateformoreinformationontheROE.TheIAmustincludeacopyoftheROEintheFedRAMPSecurityAssessmentPlansubmittedtoFedRAMP.

TheROEshouldalsoinclude:

§ LocalComputerIncidentResponseTeamorcapabilityandtheirrequirementsforexercisingthePenetrationTest

§ PhysicalPenetrationConstraints

§ AcceptableSocialEngineeringPretext(s)

§ AsummaryandreferencetoanyThirdPartyagreements,includingPointsofContact(POC)forThirdPartiesthatmaybeaffectedbythePenetrationTest

|4

2.3. THREAT MODELING

TheIAmustensurethePenetrationTestisappropriateforthesizeandcomplexityofthecloudsystemandtakesintoaccountthemostcriticalsecurityrisks.TheIAmustperformthePenetrationTestinaccordancewithindustrybestpracticesandstandards.TypicalgoalsforPenetrationTestinginclude:

§ Gainingaccesstosensitiveinformation

§ Circumventingaccesscontrolsandprivilegeescalation

§ Exploitingvulnerabilitiestogainaccesstosystemsorinformation

§ Confirmingthatremediateditemsarenolongerarisk

TheIAshouldtestallorasufficientsampleofaccesspointsandlocations(forphysicalPenetrationTesting).WhentheIAtestsasample,theIAmustdescribehowandwhythesamplewasselected,andwhyitissufficient.

TheIAshouldattempttoexploitvulnerabilitiesandweaknessesthroughoutthecloudsystemenvironment,includingphysicalPenetrationTesting.Ataminimum,theIAshouldverifysecuritydoorsarelocked,securityalarmswork,andsecurityguardsarepresentandalertasrequiredbytheCSPorganization’ssecuritypoliciesandprocedures.ThesesituationsmustbeidentifiedduringscopingsessionsandaccountedforaccordinglyintheRulesofEngagement/TestPlan(ROE/TP).

Thetypesofattacksmustberepeatableandpresentaconsistentrepresentationofthreats,threatcapabilities,andorganization-specificthreatqualifications.Inaddition,thetypesofattacksmustaddressthegoalsofthePenetrationTestandincludebothinternalandexternalattacks.

§ Internal–EmployeesoruserswhoareemployedbytheCSP,includingbothprivilegedandnon-privilegedusers,inthecontextofthetargetsystem.

§ External–Usersandnon-usersofthesystemwhoarenotemployedbytheCSP.Thisincludesgovernmentusersoftheapplication,aswellasthirdpartieswhodonothaveaccessrightstothetargetsystem.

§ Trusted–Userswithapprovedaccessrightstothetargetsystem.TrustedusersincludebothinternalCSPemployeeswithmanagementaccesstothesystem,aswellasexternaluserswithcredentialedaccesstothetenantenvironment.

§ Untrusted–Non-usersofthetargetsystem.UntrustedusersincludebothinternalCSPemployeeswholackcredentialedaccesstothetargetsystem,aswellasanyindividualattemptingtoaccessthetargetsystemfromtheInternet.

SeeTable3belowfortherelationshipsbetweenTrusted/UntrustedandInternal/Externalattacks.

|5

Table 3 – Types of Attacks

INTERNAL EXTERNAL

Trusted CSPemployeeresponsibleforsetup,maintenance,oradministrativeaccesstotheCSPtargetsystem.

Anyuserofthetargetsystem,regardlessofassignedrolesoraccessrights.

Untrusted AnemployeeoftheCSPwithoutdirectaccesstothetargetsystem.

Anyindividual,withoutauthorizedcredentials,attemptingtoaccessthetargetsystemfromtheInternet.

3. ATTACK VECTORS

Attackvectorscanbedefinedaspotentialavenuesofcompromisewhichmayleadtoadegradationofsystemintegrity,confidentiality,oravailability.FedRAMPhasidentifiedanddevelopedseveralriskscenariosforthe3PAOorganizationtoreviewandaddressduringPenetrationTesting.Table4belowliststheidentifiedattackvectors,whicharedetailedinthesectionsbelow.

Table 4 – Attack Vector Summary

TITLE DESCRIPTION

ExternaltoCorporate–ExternalUntrustedtoInternalUntrusted

Aninternet-basedattackattemptingtogainusefulinformationaboutoraccessthetargetcloudsystemthroughanexternalcorporatenetworkownedandoperatedbytheCSP.

ExternaltoTargetSystem–ExternalUntrustedtoExternalTrusted

Aninternet-basedattackasanun-credentialedthirdpartyattemptingtogainunauthorizedaccesstothetargetsystem.

TargetSystemtoCSPManagementSystem–ExternalTrustedtoInternalTrusted

AnexternalattackasacredentialedsystemuserattemptingtoaccesstheCSPmanagementsystemorinfrastructure.

TenanttoTenant–ExternalTrustedtoExternalTrusted

Anexternalattackasacredentialedsystemuser,originatingfromatenantenvironmentinstance,attemptingtoaccessorcompromiseasecondarytenantinstancewithinthetargetsystem.

CorporatetoCSPManagementSystem–InternalUntrustedtoInternalTrusted

AninternalattackattemptingtoaccessthetargetmanagementsystemfromasystemwithanidentifiedorsimulatedsecurityweaknessontheCSPcorporatenetworkthatmimicsamaliciousdevice.

MobileApplication–ExternalUntrustedtoExternalTrusted

AnattackthatemulatesamobileapplicationuserattemptingtoaccesstheCSPtargetsystemortheCSP’stargetsystem’smobileapplication.

|6

Figure1belowillustratesasampletargetcloudsystemtogivecontexttotheattackvectorsillustratedinFigures2through6below.Eachattackvectorhasbeenpairedwithitsrelevantthreatmodelasageneralguidefordesigningtestcases.Notethatphysicalattackvectorsarenotincludedintheattackvectordescriptionsbelowandaspecificcloudservicemaydifferfromtherepresentedsystem.The3PAOmustdemonstratehowthePenetrationTestwilladdresstheseattackvectors.

Figure 1 . Sample Target System

3.1. EXTERNAL TO CORPORATE – EXTERNAL UNTRUSTED TO INTERNAL UNTRUSTED

Figure2illustratesaninternet-basedattackattemptingtogainusefulinformationaboutoraccesstothetargetcloudsystemthroughanexternalcorporatenetworkownedandoperatedbytheCSP.Only

|7

employeeswhoaredirectlyresponsibleforthetargetsystemwillneedtobeincludedinthisattackvector.SeeSection5.5SocialEngineering,forinformationaboutthisattackvector.

Figure 2 . External to Corporate Attack Vector

3.2. EXTERNAL TO TARGET SYSTEM – EXTERNAL UNTRUSTED TO EXTERNAL TRUSTED

Figure3belowillustratesaninternet-basedattackasanun-credentialedthirdpartyattemptingtogainunauthorizedaccesstothetargetsystem.

|8

Figure 3 . External to Target System Attack Vector

3.3. TARGET SYSTEM TO CSP MANAGEMENT SYSTEM – EXTERNAL TRUSTED TO INTERNAL TRUSTED

Figure4belowillustratesanexternalattackasacredentialedsystemuserattemptingtoaccesstheCSPmanagementsystemorinfrastructure.

|9

Figure 4 . Target System to CSP Management System

3.4. TENANT TO TENANT – EXTERNAL TRUSTED TO EXTERNAL TRUSTED

Figure5belowillustratesanexternalattackasacredentialedsystemuser,originatingfromatenantenvironmentinstance,attemptingtoaccessorcompromiseasecondarytenantinstancewithinthetargetsystem.

|10

Figure 5 . Tenant to Tenant Attack Vector

3.5. CORPORATE TO CSP MANAGEMENT SYSTEM – INTERNAL UNTRUSTED TO INTERNAL TRUSTED

Figure6belowillustratesaninternalattackattemptingtoaccessthetargetmanagementsystemfromasystemwithanidentifiedorsimulatedsecurityweaknessontheCSPcorporatenetworkthatmimicsamaliciousdevice(asiftheorganizationhasbeeninfiltrated)orremotelycompromisedhostonthecorporatenetwork.

|11

Figure 6 . Corporate to CSP Management System Attack Vector

3.6. MOBILE APPLICATION – EXTERNAL UNTRUSTED TO EXTERNAL TRUSTED

ThisattackvectorconsistsofemulatingamobileapplicationuserattemptingtoaccesstheCSPtargetsystemortheCSP’stargetsystem’smobileapplication.ThisattackvectoristestedonarepresentativemobiledeviceanddoesnotdirectlyimpacttheCSPtargetsystemorinfrastructure.Informationderivedfromthisactivitycanbeusedtoinformtestingofotherattackvectors.

4. SCOPING THE PENETRATION TEST

TheauthorizationboundariesoftheproposedcloudservicewillbeinitiallydeterminedbasedontheSystemSecurityPlan(SSP)andattachmentsprovidedtotheFedRAMPPMO.Section9oftheSSPshouldclearlydefineauthorizationboundariesofthecloudsysteminadiagramandwords.Duringthe

|12

PenetrationTestscopingdiscussions,individualsystemcomponentswillbereviewedanddeemedas“in-scope”or“out-of-scope”forthePenetrationTest.Theaggregateoftheagreeduponandauthorizedin-scopecomponentswillcomprisethesystemboundaryforthePenetrationTest.

Whenscopingthesystemboundariesfortheassessment,itisimportanttoconsiderthelegalramificationsofperformingPenetrationTestingactivitiesonthird-partyenvironments.Alltestingactivitiesmustbelimitedtothein-scopetestboundaryforthesystemtoensureadherencetoallagreementsandlimitationoflegalliability.PenetrationTestingshouldnotbeperformedonassetsforwhichpermissionhasnotbeenexplicitlydocumented.Obtainingpermissionforanythird-partyassetsthatarerequiredtobein-scopeistheresponsibilityoftheCSP.

ServicemodelsintendingtouseFedRAMP-compliantserviceslowerinthe“cloudstack”canleveragetheFedRAMPcomplianceandsecurityfeaturesofthoseservices.Asaresult,attackvectorsalreadyaddressedbyotherFedRAMP-compliantserviceslowerinthe“cloudstack”arenotrequiredtobere-evaluated.Forexample:IfaPaaSandSaaSleverageanotherlayerthatisFedRAMPcompliant,thenPenetrationTestingofthelowerlayerisnotrequired.However,theCSPmustdeterminetheauthorizationsystemboundariesandprovidejustificationforanycontrolstheyintendtoclaimasinheritedfromthesupportingservice.IfthePaaSand/orSaaSareincludingFedRAMP-compliantsecurityfeaturesforthelowerlayers,thenPenetrationTestingofthelowerlayersisrequiredandtheCSPneedstoobtainalltheauthorizationsrequiredforthe3PAOtoperformPenetrationTestingforthelowerlayers.

5. PENETRATION TEST METHODOLOGY AND REQUIREMENTS

ThePenetrationTestmethodologyandrequirementsareconstructedtofollowindustrybestpractices.Figure7belowillustratesthekeyelementsofaCSPPenetrationTestFedRAMPidentifiedbasedonthetechnologyusedwithinthecloudservice.ThedepthoftestingandtechnologiestobetestedisdependentonthePenetrationTestsystemboundaryandsystemscope.Thisguidancewillcoverthefollowing:

§ WebApplication/ApplicationProgramInterface(API)Testing

§ MobileApplicationTesting

§ NetworkTesting

§ SocialEngineeringTesting

§ SimulatedInternalAttackVectors

Themethodologyhasbeenorganizedaccordingtocommonassessmentstepsfollowedbyindustry-practicedframeworks.TherequiredlevelofeffortregardingtheappropriatePenetrationTestingmethodologywillbedeterminedbythe3PAObasedonthetechnologiesinthein-scopetestboundary,regardlessofhowtheCSPhasself-identifiedthecloudservice(SaaS,PaaS,orIaaS).Forexample:If

|13

operatingsystem/host-levelaccessisofferedbyaCSPinacloudserviceinwhichtheCSPself-identifiesasaSaaSorPaaScloudservice,networkPenetrationTestingrequirementswillstillapply.

Figure 7 . E lements of a Penetrat ion Test

5.1. INFORMATION GATHERING & DISCOVERY

Informationgatheringanddiscoveryactivitiesoccurpriortoexploitationandareintendedtoaccuratelyandcomprehensivelymaptheattacksurfaceofthetargetsystem.Severalrequirementsareoutlinedbelow.

|14

5.2. WEB APPLICATION/API TESTING INFORMATION GATHERING/DISCOVERY

ForAPItesting,sampleworkflowsandtestcasesshouldbeprovidedbytheCSPtoserveasabasicinterfaceforcommonusecasesoftheapplication’sfunctionality.ThefollowingactivitiesinTable5belowmustbecompleted.

Table 5 – Discovery Act iv i t ies

ACTVITY DESCRIPTION

Performinternetsearchestoidentifyanypubliclyavailableinformationonthetargetwebapplication

Identifyanypubliclyavailabledocumentationthatcanbeleveragedtogaininsightintopotentialattackvectorsofthetargetwebapplication.Determineifanypubliclyavailablevulnerabilityhasbeendisclosed,whichcouldpotentiallybeleveragedtoattackthetargetwebapplication.

Identifythetargetapplicationarchitecture

Identifyalllayersoftheapplicationincludingapplicationservers,databases,middleware,andothertechnologiestodeterminecommunicationflowandpatternswithintheapplication.

Identifyaccountrolesandauthorizationbounds

Identifytherolesassociatedwiththecloudserviceanddetermineaccesslimitations.

Mapallcontentandfunctionality

Createasitemapdetailingalllevelsoffunctionalitywithinthewebapplication.Pleasenote:differentaccountrolesmayhavedifferentaccesslevelstofunctionalitywithinthetargetwebapplication.

Identifyalluser-controlledinputentrypoints

Mapallareasoftheapplicationthattakeinputfromtheuseroftheapplication.

Performwebapplicationserverconfigurationchecks

Performwebvulnerabilityscanningactivitytodetermineifcommonwebserverconfigurationflawsarepresentthatcouldleadtoanaccesspath.

5.3. MOBILE APPLICATION INFORMATION GATHERING/DISCOVERY

Conductinformationgatheringanddiscoveryactivitiesagainstamobileapplication.Pleasenotethatallplatforms(iOS,Android,BlackBerry,etc.)forwhichthemobileapplicationisofferedshouldbetestedindependently.ThefollowingactivitiesinTable6belowmustbecompleted.

|15

Table 6 – Mobi le Appl icat ion Information Gather ing/Discovery

5.4. NETWORK INFORMATION GATHERING/DISCOVERY

Conductinformationgatheringanddiscoveryactivitiesagainstexternallyavailablenetworkrangesandendpoints.ThefollowingactivitiesinTable7belowmustbecompleted.

Table 7 – Network Information Gather ing/Discovery

ACTVITY DESCRIPTION

Performinternetsearchestoidentifyanypubliclyavailableinformationonthetargetwebapplication

Identifyanypubliclyavailabledocumentationthatcanbeleveragedtogaininsightintopotentialattackvectorsofthetargetmobileapplication.Determineifanypubliclyavailablevulnerabilityhasbeendisclosed,whichcouldpotentiallybeleveragedtoattackthetargetmobileapplication.

Mapallcontentandfunctionality

Navigatethroughtheapplicationtodeterminefunctionalityandworkflow.

Identifyallpermissionsetsrequestedbytheapplication

Inventorythepermissionsthatthemobileapplicationrequestsfromthephone.Determineifthereareanydifferencesacrossmobileplatforms.

ACTVITY DESCRIPTION

PerformOpenSourceIntelligence(OSINT)GatheringActivities

ConductananalysisofthepublicprofileofthetargetsystemincludinginformationdisseminatedaboutpublicInternetProtocol(IP)ranges,technologiesimplementedwithinthetargetnetworkororganization,anddetailsaroundpreviouspublicattacksagainstthetargetsystem.

EnumerateandInventoryLiveNetworkEndpoints

Conductascantoidentifyactivenetworkendpointsonthenetworkenvironment.

EnumerateandInventoryNetworkServiceAvailability

Conductaninventoryofnetworkservicestoidentifypotentialattackvectors.

FingerprintOperatingSystemsandNetwork

Determineservicetypesandversionsnumbers.

PerformVulnerabilityIdentification Conductnetworkscanningactivitytoidentifypubliclyavailablevulnerabilities.

|16

5.5. SOCIAL ENGINEERING INFORMATION GATHERING/DISCOVERY

ConductexternalinformationgatheringanddiscoveryactivitiesagainstCSPemployeesandsystemadministratorsforthesystemtobetested.ThefollowingactivitiesinTable8belowmustbecompleted.

Table 8 – Socia l Engineer ing Information Gather ing/Discovery

5.6. SIMULATED INTERNAL ATTACK INFORMATION GATHERING/DISCOVERY

ConductinternalinformationgatheringanddiscoveryactivitiesagainstCSPemployeesandsystemadministratorsforthesystemtobetested.Arepresentativecorporateworkstation/environmentwithgeneraluseraccesscommensuratewithatypicalCSPcorporateusermustbegiventothe3PAOtoconductthisanalysis.ThefollowingactivitiesinTable9belowmustbecompleted.

Table 9 – S imulated Internal Attack Gather ing/Discovery

5.7. EXPLOITATION

Duringexploitation,the3PAOPenetrationTestingteamwillattempttoleverageattackvectorsidentifiedduringinformationgatheringanddiscoverytogaininitialaccessintothetargetsystem,basedontheattackvectorbeingtested.Severalattackvectorsareoutlinedbelow.

ACTVITY DESCRIPTION

PerforminternetsearchestoidentifyCSPpersonnelofinterestresponsiblefortargetsystemmanagement.

InventorypubliclyavailableinformationthatdetailsCSPpersonnelrolesandresponsibilitiesforthetargetsystem.Note:TheCSPmustapproveafinallistofsystemadministratorstotargetforaspearphishingexercise.

ACTVITY DESCRIPTION

PerformascopingexercisewiththeCSPtodeterminepotentialattackvectors.

IdentifyvalidattackchainsassuminganinternalCSPuserwascompromisedbyasocialengineeringattack.

PerformVulnerabilityIdentification

Conductcredentialednetworkscanningactivitytoidentifypubliclyavailablevulnerabilitiesandprivilegeescalationvectors.

|17

5.7.1. WEB APPLICATION/API EXPLOITATION

Conductwebapplicationexploitationactivitiesagainsttargetwebapplications/APIs.ThefollowingactivitiesinTable10belowmustbecompleted.

Table 10 – Web Appl icat ion/API Exploitat ion

5.7.2. MOBILE APPLICATION EXPLOITATION

Conductlocalmobileexploitationactivitiesagainstapplicationcontentinstalledontoend-usermobiledevices.Pleasenotethatallavailableplatformsshouldbetestediftheapplicationisdevelopedformultiplemobiledeviceoperatingsystems.Alsonotethatinteractionbetweenthemobileapplicationandthecloudserviceisnotaddressedunderthissection,asitiscoveredin

Section5.8.1:WebApplication/APIExploitation.ThefollowingactivitiesinTable11belowmustbecompleted.

Table 11 – Mobi le Appl icat ion Exploitat ion

5.7.3. NETWORK EXPLOITATION

Conductnetwork-levelexploitationactivitiestoanalyzetheriskofidentifiedvulnerabilitiesbydemonstratingattacksagainsthoststodeterminethesensitivityoftheinformationthatcanbe

ACTVITY DESCRIPTION

AuthenticationandSessionManagement

Assesstheapplicationtodeterminehowthetargetapplicationcreatesandmaintainsasessionstate.Analyzeaccountcreationandmanagementprocess.

Authorization Identifyissuesrelatedtoroleprivilegeenforcementacrosscommoncustomerrolesinthecloudservice.Attempttobypassauthorizationrestrictions.

ApplicationLogic Attempttocircumventcontrolstopreventbypassonintendedlogicpatternsandapplicationflows.

InputValidation Performinjectionattacksagainstalldatainputstodetermineifinformationorfilescanbeinsertedorextractedfromthetargetapplication.Attempttoalterthebackend.

ACTVITY DESCRIPTION


DataStorage Identifyandinventorydatabeingstoredonthedevice.Determineifencryptionisbeingutilizedoutsideofplatformlevelcontrols.

InformationDisclosure Identifywhatinformationisbeingdisclosedinlogfilesandlocalcachestores.

|18

retrieved.Specificrequirementsarenotgiveninthissection,asthenatureoftheexploitationwillbehighlydifferentiatedbytheidentifiedserviceorendpointvulnerabilities;instead,generalguidelinesforperformingexploitationattacksareprovided.ThefollowingactivitiesinTable12belowmustbecompleted.

Table 12 – Network Exploitat ion

5.7.4. SOCIAL ENGINEERING EXPLOITATION

AsocialengineeringexercisewilltargetCSPemployeesresponsibleforadministeringtheCSPmanagementsystem.Whilethisexercisewilldifferbasedontheagreementsandscopeofthetestplan,theassumptionisthatthesystemadministratorsareoperatingoutsideofthetargetsystemtestboundaryanditssecuritycontrols(relyingonCSPcorporatesecuritycontrols).Theintentofthistestistoassessthelikelihoodofanexternaluntrustedthreatachievingcompromiseofaninternaltrusteduserresponsibleforsystemadministrationormanagement.ThefollowingactivitiesinTable13mustbecompleted.

Table 13 – Socia l Engineer ing Exploitat ion

5.7.5. SIMULATED INTERNAL ATTACK EXPLOITATION

AttempttoidentifyandpotentiallyexploitattackvectorsthatcouldallowaccesstosystemswithinthetestsystemboundaryfromwithintheCSPcorporatenetworkenvironment.Thisattackvectorsimulatesabreachofacorporateassetwiththeintentofpivotingaccesstothetargetsystemandwillbesimulatedthroughanalysisofarepresentativecorporateimage/workstation.

ACTVITY DESCRIPTION

AttackScenariosPresentidentifiedattackscenariostotheCSPforapprovalofexecution.NotethatiftheCSPdoesnotapproveapotentialexploitationpath,thismustbedocumentedinthePenetrationTestreport.

ExploitationPerformexploitationactivitywiththeintentofgainingaccesstothetargetsystemsandelevatingprivileges,ifpossible.Ifunsuccessful,attempttoadapttheexploitationapproachtoworkagainstthetargetenvironment.

RecordResultsIfexploitationattackscenariosweresuccessful,documenttheresults.Ifexploitationattackscenarioswereunsuccessful,documentwhytheexploitfailedandwhatprotections(ifany)preventedtheexploitfromexecuting.

ACTVITY DESCRIPTION


|19

Anassumptionismadethatifescalationandpivotingvectorsareidentified,thetargetsystemwouldeventuallybecompromised.Althoughthecorporateassetisoutsidethesystemboundary,theresultsofthesimulatedinternalattackwillbedocumentedinthePenetrationTestreportforremediationbytheCSP.UtilizingthismethodologysimulatesaninternalattackwithoutconductingPenetrationTestingactivitiesofthecorporateCSPnetworkenvironment.ThefollowingactivitiesinTable14belowmustbecompleted.

Table 14 – S imulated Internal Attack Exploitat ion

5.8. POST-EXPLOITATION

Duringpost-exploitation,the3PAOPenetrationTestingteamwillattempttoexercisevulnerabilitiesdiscoveredduringexploitation.The3APOPenetrationTestingteamwillconductpost-exploitationactivitieswiththeintentofdemonstratingtheimpactofexploitationbylaterallymovingtoadditionalendpointswiththeintenttocompromisesensitiveCSPdata,information,orcontrolofthetargetsysteminfrastructure.Post-exploitationactivitieswillbedeterminedbythelevelofaccessgainedbyexploitationandthetechnologiesutilizedbythesystem.Theyshouldbroadlycovertheactivitieslistedbelow.ThefollowingactivitiesinTable15mustbecompleted.

Table 15 – Post-Exploitat ion

ACTVITY DESCRIPTION

EscalatetoAdministrativePrivileges

AttempttogainadministrativeprivilegesontheCSPstandardworkstationimage.IftheCSPprovisionsusersaslocalsystemadministratorsbydefault,testingshouldstillbeconductedtodeterminethelikelihoodofasuccessfulpivottoadditionalworkstationsorserversintheCSPenvironment.

RecordingResultsIfexploitationattackscenariosweresuccessful,documenttheresults.Ifexploitationattackscenarioswereunsuccessful,documentwhytheexploitfailedandwhatprotections(ifany)preventedtheexploitfromexecuting.

ACTVITY DESCRIPTION

EscalatetoAdministrativePrivileges

AttempttogainadministrativeprivilegesontheCSPstandardworkstationimage.IftheCSPprovisionsusersaslocalsystemadministratorsbydefault,testingshouldstillbeconductedtodeterminethelikelihoodofasuccessfulpivottoadditionalworkstationsorserversintheCSPenvironment.

RecordingResultsIfexploitationattackscenariosweresuccessful,documenttheresults.Ifexploitationattackscenarioswereunsuccessful,documentwhytheexploitfailedandwhatprotections(ifany)preventedtheexploitfromexecuting.

|20

5.8.1. WEB APPLICATION/API POST-EXPLOITATION

Conductwebapplicationpost-exploitationactivitiesagainsttargetwebapplications/APIs.ThefollowingactivitiesinTable16mustbecompleted.

Table 16 – Web Appl icat ion/API Post-Exploitat ion

5.8.2. MOBILE APPLICATION POST-EXPLOITATION

ThisattackvectorisnotapplicablesincethePenetrationTestwillbeassessingonlythelocalapplicationonthetestplatform.ThedeviceonwhichthemobileapplicationresidesisconsideredoutofscopeforthePenetrationTest.

5.8.3. NETWORK POST-EXPLOITATION

Conductnetworkpost-exploitationactivitiesagainstthetargetinfrastructuretoattempttoaccessmanagementnetworks,applications,andothercustomerinstances.ThefollowingactivitiesinTable17belowmustbecompleted.

Table 17 – Network Post-Exploitat ion

ACTVITY DESCRIPTION

UnauthorizedManagementAccess

Useaccesstoapplicationtoattempttogaincontrolofunderlyinginfrastructureormanagementsystems.

UnauthorizedDataAccess

Attempttodemonstratethepotentialtoaccessadditionaldatafromsourcesoutsidethecloudservice’sintendedscope.

ACTVITY DESCRIPTION

GainSituationalAwareness

Determinewhatlevelofaccesswasgainedfollowingasuccessfulexploitationattempt.

PrivilegeEscalation Ifapplicable,attempttoescalateprivilegestoallowforadditionalaccessontheexploitedendpointorotherendpointswithinthenetworkenvironment.

LateralMovement Performfurtherdiscoveryandenumerationtoidentifyhostsonthenetworkthatmayrespondonlytothecompromisedsystem.Leveragecompromisedsystemsandcredentialstopivottoadditionalhostswiththeintentofgainingunauthorizedaccesstomanagementsystemsorothercustomersystems.

IdentificationandExfiltrationofSensitiveSystemsorData

Identifysensitiveorcriticalinformationthatmaybeaccessedorcompromisedthroughasuccessfulattack(criteriaforsensitivedatatobedeterminedduringthescopingphase).Attempttoexfiltratesensitiveinformationundetected.

|21

5.8.4. SOCIAL ENGINEERING POST-EXPLOITATION

Conductnetworkpost-exploitationactivitiesagainstthetargetinfrastructuretoattempttoaccessmanagementnetworks,applications,andothercustomerinstances.ThefollowingactivitiesinTable16belowmustbecompleted.

5.8.5. SIMULATED INTERNAL ATTACK POST-EXPLOITATION

Thisattackvectorisnotapplicable.TheCSPwillassumecorporatebreach;eventuallyleadingtomanagementaccessintotheCSPtargetsystemgiventhe3PAOisabletoidentifyprivilegeescalationandpivotingavenuesandattackchains.

6. REPORTING

PenetrationTestassessmentactivitiesandresultsmustbeorganizedandcompiledintoacomprehensivePenetrationTestreporttobeincludedintheSecurityAssessmentReport(SAR).Thereportisrequiredtoaddressthefollowingsections.

6.1. SCOPE OF TARGET SYSTEM

OutlinethetargetsystemthatwasassessedandifanydeviationsweremadefromtheROE/TPdocument.

6.2. ATTACK VECTORS ADDRESSED DURING THE PENETRATION TEST

Describedtheattackvector(s)testedandthethreatmodel(s)followedforexecutingthePenetrationTest.

6.3. TIMELINE FOR ASSESSMENT ACTIVITY

DocumentwhenPenetrationTestingactivitywasperformed.

|22

6.4. ACTUAL TESTS PERFORMED AND RESULTS

DocumenttheactualtestsperformedtoaddressthePenetrationTestrequirementsoutlinedinthisdocument,anddocumenttheresultsofeachtest.

6.5. FINDINGS AND EVIDENCE

Findingsshouldincludeadescriptionoftheissue,theimpactonthetargetsystem,arecommendationtotheCSP,ariskrating,andrelevantevidencetoprovidecontextforeachfinding.

6.6. ACCESS PATHS

Accesspathsarethechainofattackvectors,exploitations,andpost-exploitationsthatleadtoadegradationofsystemintegrity,confidentiality,oravailability.The3PAOmustdescribetheaccesspathandthePenetrationTestimpactifmultiplevulnerabilitiescouldbecoupledtoformasophisticatedattackagainsttheCSP.

ThePenetrationTestreportshouldincludeappropriateconfidentialityandsensitivitymarkingsincompliancewiththeCSPorganizationalpolicy.The3PAOshouldprovidethereporttotheCSPviaasecuremeansincompliancewiththeCSPorganization’spolicies.Anyinformationincludedinthereportthatcouldcontainsensitivedata(screenshots,tables,figures)mustbesanitizedormaskedusingtechniquesthatrenderthesensitivedatapermanentlyunrecoverablebyrecipientsofthereport.The3PAOmustnotincludepasswords(includingthoseinencryptedform)inthefinalreport,ormustmaskthemtoensurerecipientsofthereportcannotrecreateorguessthepassword.

7. TESTING SCHEDULE REQUIREMENTS

Foreachinitialsecurityauthorization,aPenetrationTestmustbecompletedbya3PAOasapartoftheassessmentprocessdescribedintheSecurityAssessmentPlan(SAP).Thereafter,FedRAMPrequiresacompletePenetrationTestatleastevery12months,unlessotherwiseapprovedbytheauthorizingbodywithdocumentedrationale.

8. THIRD PARTY ASSESSMENT ORGANIZATION (3PAO) STAFFING REQUIREMENTS

AllPenetrationTestactivitiesmustbeperformedbya3PAOthathasdemonstratedPenetrationTestingproficiencyandmaintainsadefinedPenetrationTestmethodology.ThePenetrationTestteam

|23

leadoneachPenetrationTestmustbeapprovedbytheAssessmentOrganizationandeitherhaveanindustry-recognizedcredentialforPenetrationTestingorequivalenteducationandexperience.Industry-recognizedcredentialsareidentifiedinTable18below.

Table 18 – 3PAO Staff ing Requirements

ACTVITY DESCRIPTION

GlobalInformationAssuranceCertification(GIAC)

GWAPT-GIACWebApplicationPenetrationTesterGPEN-GIACNetworkPenetrationTesterGXPN-GIACExploitResearcherandAdvancedPenetrationTester

OffensiveSecurity OSCP-OffensiveSecurityCertifiedProfessionalOSCE-OffensiveSecurityCertifiedExpert

InternationalCouncilofElectronicCommerceConsultants(EC-Council)

CEH-CertifiedEthicalHackerLPT-LicensedPenetrationTester

|24

APPENDIX A: FedRAMP ACRONYMS ThemasterlistofFedRAMPacronymandglossarydefinitionsforallFedRAMPtemplatesisavailableontheFedRAMPwebsiteDocumentspageunderProgramOverviewDocuments.

(https://www.fedramp.gov/resources/documents-2016/)

Pleasesendsuggestionsaboutcorrections,additions,[email protected].

|25

APPENDIX B: REFERENCES

ThepublicationsreferencedinthisdocumentareavailableatthefollowingURLs:

§ https://www.fedramp.gov/resources/documents-2016/§ https://www.fedramp.gov/files/2015/03/Guide-to-Understanding-FedRAMP-v2.0-4.docx§ http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf§ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf§ http://dx.doi.org/10.6028/NIST.SP.800-53Ar4§ http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf§ https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf§ https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_

Testing§ http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html§ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project§ https://azure.microsoft.com/blog/2014/11/11/red-teaming-using-cutting-edge-threat-

simulation-to-harden-the-microsoft-enterprise-cloud/

|26

APPENDIX C: ROE/TEST PLAN TEMPLATE

RULES OF ENGAGEMENT/TEST PLAN

ThePenetrationTestRulesofEngagement(ROE)andTestPlan(TP)documentsdescribethetargetsystems,scope,constraints,andpropernotificationsanddisclosuresofthePenetrationTest.The3PAOisrequiredtodeveloptheROEandTPbasedontheparametersandsysteminformationprovidedbytheCSP.

TheROEandTestPlandocumentmustbedevelopedinaccordancewithNISTSP800-115,AppendixB,andbeapprovedbytheAuthorizingOfficialoftheCSPpriortotesting.The3PAOmustincludeacopyoftheROEintheFedRAMPSecurityAssessmentPlansubmittedtoFedRAMP.

PenetrationTestplanningmustincludeoraccountforthefollowingconsiderations:

§ Penetration

- Networkpenetration- Wirelessnetworkpenetration- Physicalpenetration- Socialengineeringpenetration

§ AffectedIPrangesanddomains § Acceptablesocialengineeringpretexts § Targetedorganization’scapabilitiesandtechnologies § Investigativetools § Specifictestingperiods(startandenddate/times) § CSPreportingrequirements(format,content,media,encryption)

ThePenetrationTestPlanmustdescribe:

§ Targetlocations § Categoriesofinformationsuchasopensourceintelligence,humanintelligence § Typeofinformationsuchasphysical,relationship,logical,electronic,metadata § Gatheringtechniquessuchasactive,passive,on-andoff-location § Pervasiveness § Constraintsthatdonotexploitbusinessrelationships(customer,supplier,jointventure,or

teamingpartners)

The3PAOmustjustifyomittinganyattackvectorsdescribedinSection3aboveintheROE/TestPlanandthePenetrationTestReport.

|27

SYSTEM SCOPE

Provideadescriptionoftheboundariesandscopeofthecloudservicesystem,alongwithanyidentifiedsupportingservicesorsystems.SystemscopeshouldaccountforallIPaddresses,UniformResourceIdentifiers(URLs),devices,components,software,andhardware.

ASSUMPTIONS AND LIMITATIONS

Provideadescriptionoftheassumptions,dependencies,andlimitationsidentifiedthatmayhaveanimpactonPenetrationTestingactivitiesorresults.Includereferencestolocalandfederallegalconstraintsthatmayberelevanttotestingorresults.Assumptionsalsoincludeanyassumedagreement,oraccesstothirdpartysoftware,systems,orfacilities.

TESTING SCHEDULE

Provideaschedulethatdescribestestingphases,initiation/completiondates,andallowsfortrackingofPenetrationTestdeliverables.

TESTING METHODOLOGY

ThemethodologysectionwilladdressrelevantPenetrationTestingactivitiesasdescribedinSection5above.

RELEVANT PERSONNEL

ProvidealistofkeypersonnelinvolvedinthemanagementandexecutionofthePenetrationTest.Thelistshouldinclude,ataminimum:

§ SystemOwner(CSP) § TrustedAgent(CSP) § PenetrationTestTeamLead(3PAO) § PenetrationTestTeamMember(s)(3PAO) § EscalationPointsofContact(CSPand3PAO)

|28

INCIDENT RESPONSE PROCEDURES

ProvideadescriptionofthechainofcommunicationsandprocedurestobefollowedshouldaneventrequiringincidentresponseinterventionbeinitiatedduringPenetrationTesting.

EVIDENCE HANDLING PROCEDURES

ProvideadescriptionofproceduresfortransmissionandstorageofPenetrationTestevidencecollectedduringthecourseoftheassessment.