Upload
dinhtu
View
222
Download
1
Embed Size (px)
Citation preview
|i
DOCUMENT REVISION HISTORY
DATE VERSION PAGE(S) DESCRIPTION AUTHOR
06/30/2015 1.0 All FirstRelease FedRAMPPMO
07/06/2015 1.0.1 All Minorcorrectionsandedits FedRAMPPMO
06/06/2017 1.0.1 Cover UpdatedFedRAMPlogo FedRAMPPMO
11/24/2017 2.0 All Updatedtothenewtemplate FedRAMPPMO
ABOUT THIS DOCUMENT
ThepurposeofthisdocumentistoprovideguidelinesfororganizationsregardingplanningandconductingPenetrationTestingandanalyzingandreportingonthefindings.
APenetrationTestisaproactiveandauthorizedexercisetobreakthroughthesecurityofanITsystem.ThemainobjectiveofaPenetrationTestistoidentifyexploitablesecurityweaknessesinaninformationsystem.Thesevulnerabilitiesmayincludeserviceandapplicationflaws,improperconfigurations,andriskyend-userbehavior.APenetrationTestalsomayevaluateanorganization’ssecuritypolicycompliance,itsemployees’securityawareness,andtheorganization'sabilitytoidentifyandrespondtosecurityincidents.
WHO SHOULD USE THIS DOCUMENT
Thefollowingindividualsshouldreadthisdocument:
§ CloudServiceProviders(CSP)shouldusethisdocumentwhenpreparingtoperformaPenetrationTestontheircloudsystem
§ ThirdPartyAssessorOrganizations(3PAO)shouldusethisdocumentwhenplanning,executing,andreportingonPenetrationTestingactivities
§ AuthorizingOfficials(AO)shouldusethisdocumentwhendevelopingandevaluatingPenetrationTestplans.
|ii
HOW THIS DOCUMENT IS ORGANIZED
Thisdocumentisdividedintothefollowingprimarysectionsandappendices:
Table 1 : Document Sect ion Table
SECTION CONTENTS
Section1 DocumentScope
Section2 DefinitionsandAssumptions
Section3 AttackVectors
Section4 ScopingThePenetrationTest
Section5 PenetrationTestMethodologyandRequirements
Section6 Reporting
Section7 TestScheduleRequirements
Section8 3PAOStaffingRequirements
AppendixA Tableofacronymsusedinthisdocument
AppendixB References
AppendixC RulesofEngagement/TestPlan
HOW TO CONTACT US
QuestionsaboutFedRAMPorthisdocumentshouldbedirectedtoinfo@fedramp.gov.
FormoreinformationaboutFedRAMP,visitthewebsiteathttp://www.fedramp.gov.
|iii
TABLE OF CONTENTS
DOCUMENTREVISIONHISTORY..........................................................................................................I
1. SCOPE........................................................................................................................................1
2. DEFINITIONS&THREATS............................................................................................................22.1. DEFINITIONS................................................................................................................................22.2. THREATMODELS..........................................................................................................................32.3. THREATMODELING......................................................................................................................4
3. ATTACKVECTORS.......................................................................................................................53.1. EXTERNALTOCORPORATE–EXTERNALUNTRUSTEDTOINTERNALUNTRUSTED..........................63.2. EXTERNALTOTARGETSYSTEM–EXTERNALUNTRUSTEDTOEXTERNALTRUSTED........................73.3. TARGETSYSTEMTOCSPMANAGEMENTSYSTEM–EXTERNALTRUSTEDTOINTERNALTRUSTED.83.4. TENANTTOTENANT–EXTERNALTRUSTEDTOEXTERNALTRUSTED.............................................93.5. CORPORATETOCSPMANAGEMENTSYSTEM–INTERNALUNTRUSTEDTOINTERNALTRUSTED..103.6. MOBILEAPPLICATION–EXTERNALUNTRUSTEDTOEXTERNALTRUSTED....................................11
4. SCOPINGTHEPENETRATIONTEST............................................................................................11
5. PENETRATIONTESTMETHODOLOGYANDREQUIREMENTS......................................................125.1. INFORMATIONGATHERING&DISCOVERY..................................................................................135.2. WEBAPPLICATION/APITESTINGINFORMATIONGATHERING/DISCOVERY..................................145.3. MOBILEAPPLICATIONINFORMATIONGATHERING/DISCOVERY.................................................145.4. NETWORKINFORMATIONGATHERING/DISCOVERY....................................................................155.5. SOCIALENGINEERINGINFORMATIONGATHERING/DISCOVERY..................................................165.6. SIMULATEDINTERNALATTACKINFORMATIONGATHERING/DISCOVERY....................................165.7. EXPLOITATION...........................................................................................................................165.7.1. WEBAPPLICATION/APIEXPLOITATION..................................................................................175.7.2. MOBILEAPPLICATIONEXPLOITATION....................................................................................175.7.3. NETWORKEXPLOITATION......................................................................................................175.7.4. SOCIALENGINEERINGEXPLOITATION....................................................................................185.7.5. SIMULATEDINTERNALATTACKEXPLOITATION......................................................................185.8. POST-EXPLOITATION..................................................................................................................195.8.1. WEBAPPLICATION/APIPOST-EXPLOITATION.........................................................................205.8.2. MOBILEAPPLICATIONPOST-EXPLOITATION..........................................................................205.8.3. NETWORKPOST-EXPLOITATION.............................................................................................205.8.4. SOCIALENGINEERINGPOST-EXPLOITATION..........................................................................215.8.5. SIMULATEDINTERNALATTACKPOST-EXPLOITATION............................................................21
6. REPORTING..............................................................................................................................21
|iv
6.1. SCOPEOFTARGETSYSTEM...............................................................................................................216.2. ATTACKVECTORSADDRESSEDDURINGTHEPENETRATIONTEST....................................................216.3. TIMELINEFORASSESSMENTACTIVITY..............................................................................................216.4. ACTUALTESTSPERFORMEDANDRESULTS.......................................................................................226.5. FINDINGSANDEVIDENCE..................................................................................................................226.6. ACCESSPATHS...................................................................................................................................22
7. TESTINGSCHEDULEREQUIREMENTS.........................................................................................22
8. THIRDPARTYASSESSMENTORGANIZATION(3PAO)STAFFINGREQUIREMENTS.......................22
APPENDIXA: FEDRAMPACRONYMS...........................................................................................24
APPENDIXB: REFERENCES..........................................................................................................25
APPENDIXC: ROE/TESTPLANTEMPLATE........................................................................................26RULESOFENGAGEMENT/TEST PLAN.........................................................................................................26SYSTEMSCOPE...............................................................................................................................................27ASSUMPTIONSAND LIMITATIONS................................................................................................................27TESTINGSCHEDULE........................................................................................................................................27TESTINGMETHODOLOGY...............................................................................................................................27RELEVANTPERSONNEL...................................................................................................................................27INCIDENTRESPONSE PROCEDURES..............................................................................................................28EVIDENCEHANDLING PROCEDURES.............................................................................................................28
LIST OF FIGURES
Figure1.SampleTargetSystem.........................................................................................................................................6Figure2.ExternaltoCorporateAttackVector...................................................................................................................7Figure3.ExternaltoTargetSystemAttackVector............................................................................................................8Figure4.TargetSystemtoCSPManagementSystem.......................................................................................................9Figure5.TenanttoTenantAttackVector........................................................................................................................10Figure6.CorporatetoCSPManagementSystemAttackVector.....................................................................................11
|v
LIST OF TABLES Table1–DocumentSectionTable....................................................................................................................................iiTable2–CloudServiceClassification................................................................................................................................1Table3–TypesofAttacks.................................................................................................................................................5Table4–AttackVectorSummary......................................................................................................................................5Table5–DiscoveryActivities...........................................................................................................................................14Table6–MobileApplicationInformationGathering/Discovery.....................................................................................15Table7–NetworkInformationGathering/Discovery......................................................................................................15Table8–SocialEngineeringInformationGathering/Discovery......................................................................................16Table9–SimulatedInternalAttackGathering/Discovery...............................................................................................16Table10–WebApplication/APIExploitation..................................................................................................................17Table11–MobileApplicationExploitation.....................................................................................................................17Table12–NetworkExploitation......................................................................................................................................18Table13–SocialEngineerExploitation...........................................................................................................................18Table14–SimulatedInternalAttackExploitation...........................................................................................................19Table15–Post-Exploitation............................................................................................................................................19Table16–WebApplication/APIPost-Exploitation..........................................................................................................20Table17–NetworkPost-Exploitation.............................................................................................................................20Table18–3PAOStaffingRequirements..........................................................................................................................23
|1
1. SCOPE
TheFederalRiskandAuthorizationManagementProgram(FedRAMP)requiresthatPenetrationTestingbeconductedincompliancewiththefollowingguidance:
§ NISTSP800-115TechnicalGuidetoInformationSecurityTestingandAssessment,September2008
§ NISTSP800-145TheNISTDefinitionofCloudComputing,September2011
§ NISTSP800-53SecurityandPrivacyControlsforFederalInformationSystemsandOrganizations,Revision4,April2013,withupdatesasofJanuary2015
§ NISTSP800-53AAssessingSecurityandPrivacyControlsinFederalInformationSystemsandOrganizations:BuildingEffectiveAssessmentPlans,Revision4,December2014
FedRAMPalsorequiresthatCSPproductsandsolutions(cloudservice)undergoingaFedRAMPassessmentandPenetrationTestmustbeclassifiedasaSaaS,PaaS,orIaaS.Insomescenarios,itmaybeappropriatetoapplymultipledesignationstoacloudservice.Table2belowshowsthedefinitionsofthesethreeservicetypes.
Table 2 – Cloud Serv ice Class i f icat ion
CLOUD SERVICE MODEL NIST DESCRIPTION
SoftwareasaService(SaaS)
Thecapabilityprovidedtotheconsumeristousetheprovider’sapplicationsrunningonacloudinfrastructure.Theapplicationsareaccessiblefromvariousclientdevicesthrougheitherathin-clientinterface,suchasawebbrowser(e.g.,web-basedemail),oraprograminterface.Theconsumerdoesnotmanageorcontroltheunderlyingcloudinfrastructureincludingnetwork,servers,operatingsystems,storage,orevenindividualapplicationcapabilities,withthepossibleexceptionoflimiteduser-specificapplicationconfigurationsettings.
PlatformasaService(PaaS)
Thecapabilityprovidedtotheconsumeristodeployontothecloudinfrastructureconsumer-createdoracquiredapplicationscreatedusingprogramminglanguages,libraries,services,andtoolssupportedbytheprovider.Theconsumerdoesnotmanageorcontroltheunderlyingcloudinfrastructureincludingnetwork,servers,operatingsystems,orstorage,buthascontroloverthedeployedapplicationsandpossiblyconfigurationsettingsfortheapplication-hostingenvironment.
InfrastructureasaService(IaaS)
Thecapabilityprovidedtotheconsumeristoprovisionprocessing,storage,networks,andotherfundamentalcomputingresourceswheretheconsumerisabletodeployandrunarbitrarysoftware,whichcanincludeoperatingsystemsandapplications.Theconsumerdoesnotmanageorcontroltheunderlyingcloudinfrastructure,buthascontroloveroperatingsystems,storage,anddeployedapplications;andpossiblylimitedcontrolofselectnetworkingcomponents(e.g.,hostfirewalls).
|2
Allcomponents,associatedservices,andaccesspaths(internal/external)withinthedefinedtestboundaryoftheCSPsystemmustbescopedandassessed.TheRulesofEngagement(ROE)mustidentifyanddefinetheappropriatetestingmethod(s)andtechniquesassociatedwithexploitationoftherelevantdevicesand/orservices.
PenetrationTestingmayrequire:
§ NegotiationandagreementwiththirdpartiessuchasInternetServiceProviders(ISP),ManagedSecurityServiceProviders(MSSP),facilityleaseholders,hostingservices,and/orotherorganizationsinvolvedin,oraffectedby,thetest.Insuchscenarios,theCSPisresponsibleforcoordinationandobtainingapprovalsfromthirdpartiespriortothecommencementoftesting.
§ Tolimitimpactonbusinessoperations,thecompleteorpartialtestingmaybeconductedinanon-productionenvironmentaslongasitisidenticaltotheproductionenvironmentandhasbeenvalidatedbythe3PAO.Forinstance,ifaCSPhastwoidenticallocations,aPenetrationTestononelocationmaysuffice.Inthiscase,theenvironmentsmustbeexactlythesame,notalmost,nearly,orvirtually.
§ Whenthecloudsystemhasmultipletenants,theCSPmustbuildatemporarytenantenvironmentifanothertenantenvironmentsuitablefortestingdoesnotexist.
ThePenetrationTestplanmustincludeactualtestingofalltheattackvectorsdescribedinSection3beloworexplainwhyaparticularvectorwasnotapplicable.TheIndependentAssessors(IA)mayincludeadditionalattackvectorstheybelieveareappropriate.SeeAppendixC:ROE/TestPlanTemplateformoreinformationregardingtestplans.
2. DEFINITIONS & THREATS
ToestablishabaselineandcontextforFedRAMPPenetrationTesting,thefollowingtermsareusedtodescribeproposedcloudservices.
2.1. DEFINITIONS
Thefollowingisalistofdefinitionsforthisdocument.
§ Corporate–InternalCSPnetworkaccessoutsidetheauthorizationboundary.
§ InsiderThreat–AthreatthatisposedbyanemployeeorathirdpartyactingonbehalfoftheCSP.
§ ManagementSystem–Abackendapplicationorinfrastructuresetupthatfacilitatesadministrativeaccesstothecloudservice.TheManagementSystemisaccessibleonlybyCSPpersonnel.
|3
§ Roles–Accesslevelsandprivilegesofauser.
§ System–Thecloudservicethatisofferedtogovernmentcustomers.
§ Target–TheapplicationorcloudservicethatwillbeevaluatedduringthePenetrationTest.
§ Tenant–Acustomerinstanceofthecloudservice.
2.2. THREAT MODELS
ForFedRAMPthreatmodelswithmultipletenants,theCSPmustbuildatemporarytenantenvironmentifanothertenantenvironmentsuitablefortestingdoesnotexist.
ThePenetrationTestplanmustinclude:
§ Adescriptionoftheapproach,constraints,andmethodologiesforeachplannedattack
§ AdetailedTestSchedulethatspecifiestheStartandEndDate/TimesandcontentofeachtestperiodandtheoverallPenetrationTestbeginningandenddates
§ TechnicalPointsofContact(POC)withabackupforeachsubsystemand/orapplicationthatmaybeincludedinthePenetrationTest
ThePenetrationTestRulesofEngagement(ROE)describesthetargetsystems,scope,constraints,andpropernotificationsanddisclosuresofthePenetrationTest.TheIAdevelopstheROEbasedontheparametersprovidedbytheCSP.TheROEmustbedevelopedinaccordancewithNationalInstituteofStandardsandTechnology(NIST)SpecialPublication(SP)800-115,AppendixB,andbeapprovedbytheauthorizingofficialsoftheCSPpriortotesting.SeeSection6,RulesofEngagement,oftheFedRAMPSecurityAssessmentPlanTemplateformoreinformationontheROE.TheIAmustincludeacopyoftheROEintheFedRAMPSecurityAssessmentPlansubmittedtoFedRAMP.
TheROEshouldalsoinclude:
§ LocalComputerIncidentResponseTeamorcapabilityandtheirrequirementsforexercisingthePenetrationTest
§ PhysicalPenetrationConstraints
§ AcceptableSocialEngineeringPretext(s)
§ AsummaryandreferencetoanyThirdPartyagreements,includingPointsofContact(POC)forThirdPartiesthatmaybeaffectedbythePenetrationTest
|4
2.3. THREAT MODELING
TheIAmustensurethePenetrationTestisappropriateforthesizeandcomplexityofthecloudsystemandtakesintoaccountthemostcriticalsecurityrisks.TheIAmustperformthePenetrationTestinaccordancewithindustrybestpracticesandstandards.TypicalgoalsforPenetrationTestinginclude:
§ Gainingaccesstosensitiveinformation
§ Circumventingaccesscontrolsandprivilegeescalation
§ Exploitingvulnerabilitiestogainaccesstosystemsorinformation
§ Confirmingthatremediateditemsarenolongerarisk
TheIAshouldtestallorasufficientsampleofaccesspointsandlocations(forphysicalPenetrationTesting).WhentheIAtestsasample,theIAmustdescribehowandwhythesamplewasselected,andwhyitissufficient.
TheIAshouldattempttoexploitvulnerabilitiesandweaknessesthroughoutthecloudsystemenvironment,includingphysicalPenetrationTesting.Ataminimum,theIAshouldverifysecuritydoorsarelocked,securityalarmswork,andsecurityguardsarepresentandalertasrequiredbytheCSPorganization’ssecuritypoliciesandprocedures.ThesesituationsmustbeidentifiedduringscopingsessionsandaccountedforaccordinglyintheRulesofEngagement/TestPlan(ROE/TP).
Thetypesofattacksmustberepeatableandpresentaconsistentrepresentationofthreats,threatcapabilities,andorganization-specificthreatqualifications.Inaddition,thetypesofattacksmustaddressthegoalsofthePenetrationTestandincludebothinternalandexternalattacks.
§ Internal–EmployeesoruserswhoareemployedbytheCSP,includingbothprivilegedandnon-privilegedusers,inthecontextofthetargetsystem.
§ External–Usersandnon-usersofthesystemwhoarenotemployedbytheCSP.Thisincludesgovernmentusersoftheapplication,aswellasthirdpartieswhodonothaveaccessrightstothetargetsystem.
§ Trusted–Userswithapprovedaccessrightstothetargetsystem.TrustedusersincludebothinternalCSPemployeeswithmanagementaccesstothesystem,aswellasexternaluserswithcredentialedaccesstothetenantenvironment.
§ Untrusted–Non-usersofthetargetsystem.UntrustedusersincludebothinternalCSPemployeeswholackcredentialedaccesstothetargetsystem,aswellasanyindividualattemptingtoaccessthetargetsystemfromtheInternet.
SeeTable3belowfortherelationshipsbetweenTrusted/UntrustedandInternal/Externalattacks.
|5
Table 3 – Types of Attacks
INTERNAL EXTERNAL
Trusted CSPemployeeresponsibleforsetup,maintenance,oradministrativeaccesstotheCSPtargetsystem.
Anyuserofthetargetsystem,regardlessofassignedrolesoraccessrights.
Untrusted AnemployeeoftheCSPwithoutdirectaccesstothetargetsystem.
Anyindividual,withoutauthorizedcredentials,attemptingtoaccessthetargetsystemfromtheInternet.
3. ATTACK VECTORS
Attackvectorscanbedefinedaspotentialavenuesofcompromisewhichmayleadtoadegradationofsystemintegrity,confidentiality,oravailability.FedRAMPhasidentifiedanddevelopedseveralriskscenariosforthe3PAOorganizationtoreviewandaddressduringPenetrationTesting.Table4belowliststheidentifiedattackvectors,whicharedetailedinthesectionsbelow.
Table 4 – Attack Vector Summary
TITLE DESCRIPTION
ExternaltoCorporate–ExternalUntrustedtoInternalUntrusted
Aninternet-basedattackattemptingtogainusefulinformationaboutoraccessthetargetcloudsystemthroughanexternalcorporatenetworkownedandoperatedbytheCSP.
ExternaltoTargetSystem–ExternalUntrustedtoExternalTrusted
Aninternet-basedattackasanun-credentialedthirdpartyattemptingtogainunauthorizedaccesstothetargetsystem.
TargetSystemtoCSPManagementSystem–ExternalTrustedtoInternalTrusted
AnexternalattackasacredentialedsystemuserattemptingtoaccesstheCSPmanagementsystemorinfrastructure.
TenanttoTenant–ExternalTrustedtoExternalTrusted
Anexternalattackasacredentialedsystemuser,originatingfromatenantenvironmentinstance,attemptingtoaccessorcompromiseasecondarytenantinstancewithinthetargetsystem.
CorporatetoCSPManagementSystem–InternalUntrustedtoInternalTrusted
AninternalattackattemptingtoaccessthetargetmanagementsystemfromasystemwithanidentifiedorsimulatedsecurityweaknessontheCSPcorporatenetworkthatmimicsamaliciousdevice.
MobileApplication–ExternalUntrustedtoExternalTrusted
AnattackthatemulatesamobileapplicationuserattemptingtoaccesstheCSPtargetsystemortheCSP’stargetsystem’smobileapplication.
|6
Figure1belowillustratesasampletargetcloudsystemtogivecontexttotheattackvectorsillustratedinFigures2through6below.Eachattackvectorhasbeenpairedwithitsrelevantthreatmodelasageneralguidefordesigningtestcases.Notethatphysicalattackvectorsarenotincludedintheattackvectordescriptionsbelowandaspecificcloudservicemaydifferfromtherepresentedsystem.The3PAOmustdemonstratehowthePenetrationTestwilladdresstheseattackvectors.
Figure 1 . Sample Target System
3.1. EXTERNAL TO CORPORATE – EXTERNAL UNTRUSTED TO INTERNAL UNTRUSTED
Figure2illustratesaninternet-basedattackattemptingtogainusefulinformationaboutoraccesstothetargetcloudsystemthroughanexternalcorporatenetworkownedandoperatedbytheCSP.Only
|7
employeeswhoaredirectlyresponsibleforthetargetsystemwillneedtobeincludedinthisattackvector.SeeSection5.5SocialEngineering,forinformationaboutthisattackvector.
Figure 2 . External to Corporate Attack Vector
3.2. EXTERNAL TO TARGET SYSTEM – EXTERNAL UNTRUSTED TO EXTERNAL TRUSTED
Figure3belowillustratesaninternet-basedattackasanun-credentialedthirdpartyattemptingtogainunauthorizedaccesstothetargetsystem.
|8
Figure 3 . External to Target System Attack Vector
3.3. TARGET SYSTEM TO CSP MANAGEMENT SYSTEM – EXTERNAL TRUSTED TO INTERNAL TRUSTED
Figure4belowillustratesanexternalattackasacredentialedsystemuserattemptingtoaccesstheCSPmanagementsystemorinfrastructure.
|9
Figure 4 . Target System to CSP Management System
3.4. TENANT TO TENANT – EXTERNAL TRUSTED TO EXTERNAL TRUSTED
Figure5belowillustratesanexternalattackasacredentialedsystemuser,originatingfromatenantenvironmentinstance,attemptingtoaccessorcompromiseasecondarytenantinstancewithinthetargetsystem.
|10
Figure 5 . Tenant to Tenant Attack Vector
3.5. CORPORATE TO CSP MANAGEMENT SYSTEM – INTERNAL UNTRUSTED TO INTERNAL TRUSTED
Figure6belowillustratesaninternalattackattemptingtoaccessthetargetmanagementsystemfromasystemwithanidentifiedorsimulatedsecurityweaknessontheCSPcorporatenetworkthatmimicsamaliciousdevice(asiftheorganizationhasbeeninfiltrated)orremotelycompromisedhostonthecorporatenetwork.
|11
Figure 6 . Corporate to CSP Management System Attack Vector
3.6. MOBILE APPLICATION – EXTERNAL UNTRUSTED TO EXTERNAL TRUSTED
ThisattackvectorconsistsofemulatingamobileapplicationuserattemptingtoaccesstheCSPtargetsystemortheCSP’stargetsystem’smobileapplication.ThisattackvectoristestedonarepresentativemobiledeviceanddoesnotdirectlyimpacttheCSPtargetsystemorinfrastructure.Informationderivedfromthisactivitycanbeusedtoinformtestingofotherattackvectors.
4. SCOPING THE PENETRATION TEST
TheauthorizationboundariesoftheproposedcloudservicewillbeinitiallydeterminedbasedontheSystemSecurityPlan(SSP)andattachmentsprovidedtotheFedRAMPPMO.Section9oftheSSPshouldclearlydefineauthorizationboundariesofthecloudsysteminadiagramandwords.Duringthe
|12
PenetrationTestscopingdiscussions,individualsystemcomponentswillbereviewedanddeemedas“in-scope”or“out-of-scope”forthePenetrationTest.Theaggregateoftheagreeduponandauthorizedin-scopecomponentswillcomprisethesystemboundaryforthePenetrationTest.
Whenscopingthesystemboundariesfortheassessment,itisimportanttoconsiderthelegalramificationsofperformingPenetrationTestingactivitiesonthird-partyenvironments.Alltestingactivitiesmustbelimitedtothein-scopetestboundaryforthesystemtoensureadherencetoallagreementsandlimitationoflegalliability.PenetrationTestingshouldnotbeperformedonassetsforwhichpermissionhasnotbeenexplicitlydocumented.Obtainingpermissionforanythird-partyassetsthatarerequiredtobein-scopeistheresponsibilityoftheCSP.
ServicemodelsintendingtouseFedRAMP-compliantserviceslowerinthe“cloudstack”canleveragetheFedRAMPcomplianceandsecurityfeaturesofthoseservices.Asaresult,attackvectorsalreadyaddressedbyotherFedRAMP-compliantserviceslowerinthe“cloudstack”arenotrequiredtobere-evaluated.Forexample:IfaPaaSandSaaSleverageanotherlayerthatisFedRAMPcompliant,thenPenetrationTestingofthelowerlayerisnotrequired.However,theCSPmustdeterminetheauthorizationsystemboundariesandprovidejustificationforanycontrolstheyintendtoclaimasinheritedfromthesupportingservice.IfthePaaSand/orSaaSareincludingFedRAMP-compliantsecurityfeaturesforthelowerlayers,thenPenetrationTestingofthelowerlayersisrequiredandtheCSPneedstoobtainalltheauthorizationsrequiredforthe3PAOtoperformPenetrationTestingforthelowerlayers.
5. PENETRATION TEST METHODOLOGY AND REQUIREMENTS
ThePenetrationTestmethodologyandrequirementsareconstructedtofollowindustrybestpractices.Figure7belowillustratesthekeyelementsofaCSPPenetrationTestFedRAMPidentifiedbasedonthetechnologyusedwithinthecloudservice.ThedepthoftestingandtechnologiestobetestedisdependentonthePenetrationTestsystemboundaryandsystemscope.Thisguidancewillcoverthefollowing:
§ WebApplication/ApplicationProgramInterface(API)Testing
§ MobileApplicationTesting
§ NetworkTesting
§ SocialEngineeringTesting
§ SimulatedInternalAttackVectors
Themethodologyhasbeenorganizedaccordingtocommonassessmentstepsfollowedbyindustry-practicedframeworks.TherequiredlevelofeffortregardingtheappropriatePenetrationTestingmethodologywillbedeterminedbythe3PAObasedonthetechnologiesinthein-scopetestboundary,regardlessofhowtheCSPhasself-identifiedthecloudservice(SaaS,PaaS,orIaaS).Forexample:If
|13
operatingsystem/host-levelaccessisofferedbyaCSPinacloudserviceinwhichtheCSPself-identifiesasaSaaSorPaaScloudservice,networkPenetrationTestingrequirementswillstillapply.
Figure 7 . E lements of a Penetrat ion Test
5.1. INFORMATION GATHERING & DISCOVERY
Informationgatheringanddiscoveryactivitiesoccurpriortoexploitationandareintendedtoaccuratelyandcomprehensivelymaptheattacksurfaceofthetargetsystem.Severalrequirementsareoutlinedbelow.
|14
5.2. WEB APPLICATION/API TESTING INFORMATION GATHERING/DISCOVERY
ForAPItesting,sampleworkflowsandtestcasesshouldbeprovidedbytheCSPtoserveasabasicinterfaceforcommonusecasesoftheapplication’sfunctionality.ThefollowingactivitiesinTable5belowmustbecompleted.
Table 5 – Discovery Act iv i t ies
ACTVITY DESCRIPTION
Performinternetsearchestoidentifyanypubliclyavailableinformationonthetargetwebapplication
Identifyanypubliclyavailabledocumentationthatcanbeleveragedtogaininsightintopotentialattackvectorsofthetargetwebapplication.Determineifanypubliclyavailablevulnerabilityhasbeendisclosed,whichcouldpotentiallybeleveragedtoattackthetargetwebapplication.
Identifythetargetapplicationarchitecture
Identifyalllayersoftheapplicationincludingapplicationservers,databases,middleware,andothertechnologiestodeterminecommunicationflowandpatternswithintheapplication.
Identifyaccountrolesandauthorizationbounds
Identifytherolesassociatedwiththecloudserviceanddetermineaccesslimitations.
Mapallcontentandfunctionality
Createasitemapdetailingalllevelsoffunctionalitywithinthewebapplication.Pleasenote:differentaccountrolesmayhavedifferentaccesslevelstofunctionalitywithinthetargetwebapplication.
Identifyalluser-controlledinputentrypoints
Mapallareasoftheapplicationthattakeinputfromtheuseroftheapplication.
Performwebapplicationserverconfigurationchecks
Performwebvulnerabilityscanningactivitytodetermineifcommonwebserverconfigurationflawsarepresentthatcouldleadtoanaccesspath.
5.3. MOBILE APPLICATION INFORMATION GATHERING/DISCOVERY
Conductinformationgatheringanddiscoveryactivitiesagainstamobileapplication.Pleasenotethatallplatforms(iOS,Android,BlackBerry,etc.)forwhichthemobileapplicationisofferedshouldbetestedindependently.ThefollowingactivitiesinTable6belowmustbecompleted.
|15
Table 6 – Mobi le Appl icat ion Information Gather ing/Discovery
5.4. NETWORK INFORMATION GATHERING/DISCOVERY
Conductinformationgatheringanddiscoveryactivitiesagainstexternallyavailablenetworkrangesandendpoints.ThefollowingactivitiesinTable7belowmustbecompleted.
Table 7 – Network Information Gather ing/Discovery
ACTVITY DESCRIPTION
Performinternetsearchestoidentifyanypubliclyavailableinformationonthetargetwebapplication
Identifyanypubliclyavailabledocumentationthatcanbeleveragedtogaininsightintopotentialattackvectorsofthetargetmobileapplication.Determineifanypubliclyavailablevulnerabilityhasbeendisclosed,whichcouldpotentiallybeleveragedtoattackthetargetmobileapplication.
Mapallcontentandfunctionality
Navigatethroughtheapplicationtodeterminefunctionalityandworkflow.
Identifyallpermissionsetsrequestedbytheapplication
Inventorythepermissionsthatthemobileapplicationrequestsfromthephone.Determineifthereareanydifferencesacrossmobileplatforms.
ACTVITY DESCRIPTION
PerformOpenSourceIntelligence(OSINT)GatheringActivities
ConductananalysisofthepublicprofileofthetargetsystemincludinginformationdisseminatedaboutpublicInternetProtocol(IP)ranges,technologiesimplementedwithinthetargetnetworkororganization,anddetailsaroundpreviouspublicattacksagainstthetargetsystem.
EnumerateandInventoryLiveNetworkEndpoints
Conductascantoidentifyactivenetworkendpointsonthenetworkenvironment.
EnumerateandInventoryNetworkServiceAvailability
Conductaninventoryofnetworkservicestoidentifypotentialattackvectors.
FingerprintOperatingSystemsandNetwork
Determineservicetypesandversionsnumbers.
PerformVulnerabilityIdentification Conductnetworkscanningactivitytoidentifypubliclyavailablevulnerabilities.
|16
5.5. SOCIAL ENGINEERING INFORMATION GATHERING/DISCOVERY
ConductexternalinformationgatheringanddiscoveryactivitiesagainstCSPemployeesandsystemadministratorsforthesystemtobetested.ThefollowingactivitiesinTable8belowmustbecompleted.
Table 8 – Socia l Engineer ing Information Gather ing/Discovery
5.6. SIMULATED INTERNAL ATTACK INFORMATION GATHERING/DISCOVERY
ConductinternalinformationgatheringanddiscoveryactivitiesagainstCSPemployeesandsystemadministratorsforthesystemtobetested.Arepresentativecorporateworkstation/environmentwithgeneraluseraccesscommensuratewithatypicalCSPcorporateusermustbegiventothe3PAOtoconductthisanalysis.ThefollowingactivitiesinTable9belowmustbecompleted.
Table 9 – S imulated Internal Attack Gather ing/Discovery
5.7. EXPLOITATION
Duringexploitation,the3PAOPenetrationTestingteamwillattempttoleverageattackvectorsidentifiedduringinformationgatheringanddiscoverytogaininitialaccessintothetargetsystem,basedontheattackvectorbeingtested.Severalattackvectorsareoutlinedbelow.
ACTVITY DESCRIPTION
PerforminternetsearchestoidentifyCSPpersonnelofinterestresponsiblefortargetsystemmanagement.
InventorypubliclyavailableinformationthatdetailsCSPpersonnelrolesandresponsibilitiesforthetargetsystem.Note:TheCSPmustapproveafinallistofsystemadministratorstotargetforaspearphishingexercise.
ACTVITY DESCRIPTION
PerformascopingexercisewiththeCSPtodeterminepotentialattackvectors.
IdentifyvalidattackchainsassuminganinternalCSPuserwascompromisedbyasocialengineeringattack.
PerformVulnerabilityIdentification
Conductcredentialednetworkscanningactivitytoidentifypubliclyavailablevulnerabilitiesandprivilegeescalationvectors.
|17
5.7.1. WEB APPLICATION/API EXPLOITATION
Conductwebapplicationexploitationactivitiesagainsttargetwebapplications/APIs.ThefollowingactivitiesinTable10belowmustbecompleted.
Table 10 – Web Appl icat ion/API Exploitat ion
5.7.2. MOBILE APPLICATION EXPLOITATION
Conductlocalmobileexploitationactivitiesagainstapplicationcontentinstalledontoend-usermobiledevices.Pleasenotethatallavailableplatformsshouldbetestediftheapplicationisdevelopedformultiplemobiledeviceoperatingsystems.Alsonotethatinteractionbetweenthemobileapplicationandthecloudserviceisnotaddressedunderthissection,asitiscoveredin
Section5.8.1:WebApplication/APIExploitation.ThefollowingactivitiesinTable11belowmustbecompleted.
Table 11 – Mobi le Appl icat ion Exploitat ion
5.7.3. NETWORK EXPLOITATION
Conductnetwork-levelexploitationactivitiestoanalyzetheriskofidentifiedvulnerabilitiesbydemonstratingattacksagainsthoststodeterminethesensitivityoftheinformationthatcanbe
ACTVITY DESCRIPTION
AuthenticationandSessionManagement
Assesstheapplicationtodeterminehowthetargetapplicationcreatesandmaintainsasessionstate.Analyzeaccountcreationandmanagementprocess.
Authorization Identifyissuesrelatedtoroleprivilegeenforcementacrosscommoncustomerrolesinthecloudservice.Attempttobypassauthorizationrestrictions.
ApplicationLogic Attempttocircumventcontrolstopreventbypassonintendedlogicpatternsandapplicationflows.
InputValidation Performinjectionattacksagainstalldatainputstodetermineifinformationorfilescanbeinsertedorextractedfromthetargetapplication.Attempttoalterthebackend.
ACTVITY DESCRIPTION
Authorization Identifyissuesrelatedtoroleprivilegeenforcementacrosscommoncustomerrolesinthecloudservice.Attempttobypassauthorizationrestrictions.
DataStorage Identifyandinventorydatabeingstoredonthedevice.Determineifencryptionisbeingutilizedoutsideofplatformlevelcontrols.
InformationDisclosure Identifywhatinformationisbeingdisclosedinlogfilesandlocalcachestores.
|18
retrieved.Specificrequirementsarenotgiveninthissection,asthenatureoftheexploitationwillbehighlydifferentiatedbytheidentifiedserviceorendpointvulnerabilities;instead,generalguidelinesforperformingexploitationattacksareprovided.ThefollowingactivitiesinTable12belowmustbecompleted.
Table 12 – Network Exploitat ion
5.7.4. SOCIAL ENGINEERING EXPLOITATION
AsocialengineeringexercisewilltargetCSPemployeesresponsibleforadministeringtheCSPmanagementsystem.Whilethisexercisewilldifferbasedontheagreementsandscopeofthetestplan,theassumptionisthatthesystemadministratorsareoperatingoutsideofthetargetsystemtestboundaryanditssecuritycontrols(relyingonCSPcorporatesecuritycontrols).Theintentofthistestistoassessthelikelihoodofanexternaluntrustedthreatachievingcompromiseofaninternaltrusteduserresponsibleforsystemadministrationormanagement.ThefollowingactivitiesinTable13mustbecompleted.
Table 13 – Socia l Engineer ing Exploitat ion
5.7.5. SIMULATED INTERNAL ATTACK EXPLOITATION
AttempttoidentifyandpotentiallyexploitattackvectorsthatcouldallowaccesstosystemswithinthetestsystemboundaryfromwithintheCSPcorporatenetworkenvironment.Thisattackvectorsimulatesabreachofacorporateassetwiththeintentofpivotingaccesstothetargetsystemandwillbesimulatedthroughanalysisofarepresentativecorporateimage/workstation.
ACTVITY DESCRIPTION
AttackScenariosPresentidentifiedattackscenariostotheCSPforapprovalofexecution.NotethatiftheCSPdoesnotapproveapotentialexploitationpath,thismustbedocumentedinthePenetrationTestreport.
ExploitationPerformexploitationactivitywiththeintentofgainingaccesstothetargetsystemsandelevatingprivileges,ifpossible.Ifunsuccessful,attempttoadapttheexploitationapproachtoworkagainstthetargetenvironment.
RecordResultsIfexploitationattackscenariosweresuccessful,documenttheresults.Ifexploitationattackscenarioswereunsuccessful,documentwhytheexploitfailedandwhatprotections(ifany)preventedtheexploitfromexecuting.
ACTVITY DESCRIPTION
Authorization Identifyissuesrelatedtoroleprivilegeenforcementacrosscommoncustomerrolesinthecloudservice.Attempttobypassauthorizationrestrictions.
|19
Anassumptionismadethatifescalationandpivotingvectorsareidentified,thetargetsystemwouldeventuallybecompromised.Althoughthecorporateassetisoutsidethesystemboundary,theresultsofthesimulatedinternalattackwillbedocumentedinthePenetrationTestreportforremediationbytheCSP.UtilizingthismethodologysimulatesaninternalattackwithoutconductingPenetrationTestingactivitiesofthecorporateCSPnetworkenvironment.ThefollowingactivitiesinTable14belowmustbecompleted.
Table 14 – S imulated Internal Attack Exploitat ion
5.8. POST-EXPLOITATION
Duringpost-exploitation,the3PAOPenetrationTestingteamwillattempttoexercisevulnerabilitiesdiscoveredduringexploitation.The3APOPenetrationTestingteamwillconductpost-exploitationactivitieswiththeintentofdemonstratingtheimpactofexploitationbylaterallymovingtoadditionalendpointswiththeintenttocompromisesensitiveCSPdata,information,orcontrolofthetargetsysteminfrastructure.Post-exploitationactivitieswillbedeterminedbythelevelofaccessgainedbyexploitationandthetechnologiesutilizedbythesystem.Theyshouldbroadlycovertheactivitieslistedbelow.ThefollowingactivitiesinTable15mustbecompleted.
Table 15 – Post-Exploitat ion
ACTVITY DESCRIPTION
EscalatetoAdministrativePrivileges
AttempttogainadministrativeprivilegesontheCSPstandardworkstationimage.IftheCSPprovisionsusersaslocalsystemadministratorsbydefault,testingshouldstillbeconductedtodeterminethelikelihoodofasuccessfulpivottoadditionalworkstationsorserversintheCSPenvironment.
RecordingResultsIfexploitationattackscenariosweresuccessful,documenttheresults.Ifexploitationattackscenarioswereunsuccessful,documentwhytheexploitfailedandwhatprotections(ifany)preventedtheexploitfromexecuting.
ACTVITY DESCRIPTION
EscalatetoAdministrativePrivileges
AttempttogainadministrativeprivilegesontheCSPstandardworkstationimage.IftheCSPprovisionsusersaslocalsystemadministratorsbydefault,testingshouldstillbeconductedtodeterminethelikelihoodofasuccessfulpivottoadditionalworkstationsorserversintheCSPenvironment.
RecordingResultsIfexploitationattackscenariosweresuccessful,documenttheresults.Ifexploitationattackscenarioswereunsuccessful,documentwhytheexploitfailedandwhatprotections(ifany)preventedtheexploitfromexecuting.
|20
5.8.1. WEB APPLICATION/API POST-EXPLOITATION
Conductwebapplicationpost-exploitationactivitiesagainsttargetwebapplications/APIs.ThefollowingactivitiesinTable16mustbecompleted.
Table 16 – Web Appl icat ion/API Post-Exploitat ion
5.8.2. MOBILE APPLICATION POST-EXPLOITATION
ThisattackvectorisnotapplicablesincethePenetrationTestwillbeassessingonlythelocalapplicationonthetestplatform.ThedeviceonwhichthemobileapplicationresidesisconsideredoutofscopeforthePenetrationTest.
5.8.3. NETWORK POST-EXPLOITATION
Conductnetworkpost-exploitationactivitiesagainstthetargetinfrastructuretoattempttoaccessmanagementnetworks,applications,andothercustomerinstances.ThefollowingactivitiesinTable17belowmustbecompleted.
Table 17 – Network Post-Exploitat ion
ACTVITY DESCRIPTION
UnauthorizedManagementAccess
Useaccesstoapplicationtoattempttogaincontrolofunderlyinginfrastructureormanagementsystems.
UnauthorizedDataAccess
Attempttodemonstratethepotentialtoaccessadditionaldatafromsourcesoutsidethecloudservice’sintendedscope.
ACTVITY DESCRIPTION
GainSituationalAwareness
Determinewhatlevelofaccesswasgainedfollowingasuccessfulexploitationattempt.
PrivilegeEscalation Ifapplicable,attempttoescalateprivilegestoallowforadditionalaccessontheexploitedendpointorotherendpointswithinthenetworkenvironment.
LateralMovement Performfurtherdiscoveryandenumerationtoidentifyhostsonthenetworkthatmayrespondonlytothecompromisedsystem.Leveragecompromisedsystemsandcredentialstopivottoadditionalhostswiththeintentofgainingunauthorizedaccesstomanagementsystemsorothercustomersystems.
IdentificationandExfiltrationofSensitiveSystemsorData
Identifysensitiveorcriticalinformationthatmaybeaccessedorcompromisedthroughasuccessfulattack(criteriaforsensitivedatatobedeterminedduringthescopingphase).Attempttoexfiltratesensitiveinformationundetected.
|21
5.8.4. SOCIAL ENGINEERING POST-EXPLOITATION
Conductnetworkpost-exploitationactivitiesagainstthetargetinfrastructuretoattempttoaccessmanagementnetworks,applications,andothercustomerinstances.ThefollowingactivitiesinTable16belowmustbecompleted.
5.8.5. SIMULATED INTERNAL ATTACK POST-EXPLOITATION
Thisattackvectorisnotapplicable.TheCSPwillassumecorporatebreach;eventuallyleadingtomanagementaccessintotheCSPtargetsystemgiventhe3PAOisabletoidentifyprivilegeescalationandpivotingavenuesandattackchains.
6. REPORTING
PenetrationTestassessmentactivitiesandresultsmustbeorganizedandcompiledintoacomprehensivePenetrationTestreporttobeincludedintheSecurityAssessmentReport(SAR).Thereportisrequiredtoaddressthefollowingsections.
6.1. SCOPE OF TARGET SYSTEM
OutlinethetargetsystemthatwasassessedandifanydeviationsweremadefromtheROE/TPdocument.
6.2. ATTACK VECTORS ADDRESSED DURING THE PENETRATION TEST
Describedtheattackvector(s)testedandthethreatmodel(s)followedforexecutingthePenetrationTest.
6.3. TIMELINE FOR ASSESSMENT ACTIVITY
DocumentwhenPenetrationTestingactivitywasperformed.
|22
6.4. ACTUAL TESTS PERFORMED AND RESULTS
DocumenttheactualtestsperformedtoaddressthePenetrationTestrequirementsoutlinedinthisdocument,anddocumenttheresultsofeachtest.
6.5. FINDINGS AND EVIDENCE
Findingsshouldincludeadescriptionoftheissue,theimpactonthetargetsystem,arecommendationtotheCSP,ariskrating,andrelevantevidencetoprovidecontextforeachfinding.
6.6. ACCESS PATHS
Accesspathsarethechainofattackvectors,exploitations,andpost-exploitationsthatleadtoadegradationofsystemintegrity,confidentiality,oravailability.The3PAOmustdescribetheaccesspathandthePenetrationTestimpactifmultiplevulnerabilitiescouldbecoupledtoformasophisticatedattackagainsttheCSP.
ThePenetrationTestreportshouldincludeappropriateconfidentialityandsensitivitymarkingsincompliancewiththeCSPorganizationalpolicy.The3PAOshouldprovidethereporttotheCSPviaasecuremeansincompliancewiththeCSPorganization’spolicies.Anyinformationincludedinthereportthatcouldcontainsensitivedata(screenshots,tables,figures)mustbesanitizedormaskedusingtechniquesthatrenderthesensitivedatapermanentlyunrecoverablebyrecipientsofthereport.The3PAOmustnotincludepasswords(includingthoseinencryptedform)inthefinalreport,ormustmaskthemtoensurerecipientsofthereportcannotrecreateorguessthepassword.
7. TESTING SCHEDULE REQUIREMENTS
Foreachinitialsecurityauthorization,aPenetrationTestmustbecompletedbya3PAOasapartoftheassessmentprocessdescribedintheSecurityAssessmentPlan(SAP).Thereafter,FedRAMPrequiresacompletePenetrationTestatleastevery12months,unlessotherwiseapprovedbytheauthorizingbodywithdocumentedrationale.
8. THIRD PARTY ASSESSMENT ORGANIZATION (3PAO) STAFFING REQUIREMENTS
AllPenetrationTestactivitiesmustbeperformedbya3PAOthathasdemonstratedPenetrationTestingproficiencyandmaintainsadefinedPenetrationTestmethodology.ThePenetrationTestteam
|23
leadoneachPenetrationTestmustbeapprovedbytheAssessmentOrganizationandeitherhaveanindustry-recognizedcredentialforPenetrationTestingorequivalenteducationandexperience.Industry-recognizedcredentialsareidentifiedinTable18below.
Table 18 – 3PAO Staff ing Requirements
ACTVITY DESCRIPTION
GlobalInformationAssuranceCertification(GIAC)
GWAPT-GIACWebApplicationPenetrationTesterGPEN-GIACNetworkPenetrationTesterGXPN-GIACExploitResearcherandAdvancedPenetrationTester
OffensiveSecurity OSCP-OffensiveSecurityCertifiedProfessionalOSCE-OffensiveSecurityCertifiedExpert
InternationalCouncilofElectronicCommerceConsultants(EC-Council)
CEH-CertifiedEthicalHackerLPT-LicensedPenetrationTester
|24
APPENDIX A: FedRAMP ACRONYMS ThemasterlistofFedRAMPacronymandglossarydefinitionsforallFedRAMPtemplatesisavailableontheFedRAMPwebsiteDocumentspageunderProgramOverviewDocuments.
(https://www.fedramp.gov/resources/documents-2016/)
Pleasesendsuggestionsaboutcorrections,additions,[email protected].
|25
APPENDIX B: REFERENCES
ThepublicationsreferencedinthisdocumentareavailableatthefollowingURLs:
§ https://www.fedramp.gov/resources/documents-2016/§ https://www.fedramp.gov/files/2015/03/Guide-to-Understanding-FedRAMP-v2.0-4.docx§ http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf§ http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf§ http://dx.doi.org/10.6028/NIST.SP.800-53Ar4§ http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf§ https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf§ https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Mobile_Security_
Testing§ http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html§ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project§ https://azure.microsoft.com/blog/2014/11/11/red-teaming-using-cutting-edge-threat-
simulation-to-harden-the-microsoft-enterprise-cloud/
|26
APPENDIX C: ROE/TEST PLAN TEMPLATE
RULES OF ENGAGEMENT/TEST PLAN
ThePenetrationTestRulesofEngagement(ROE)andTestPlan(TP)documentsdescribethetargetsystems,scope,constraints,andpropernotificationsanddisclosuresofthePenetrationTest.The3PAOisrequiredtodeveloptheROEandTPbasedontheparametersandsysteminformationprovidedbytheCSP.
TheROEandTestPlandocumentmustbedevelopedinaccordancewithNISTSP800-115,AppendixB,andbeapprovedbytheAuthorizingOfficialoftheCSPpriortotesting.The3PAOmustincludeacopyoftheROEintheFedRAMPSecurityAssessmentPlansubmittedtoFedRAMP.
PenetrationTestplanningmustincludeoraccountforthefollowingconsiderations:
§ Penetration
- Networkpenetration- Wirelessnetworkpenetration- Physicalpenetration- Socialengineeringpenetration
§ AffectedIPrangesanddomains § Acceptablesocialengineeringpretexts § Targetedorganization’scapabilitiesandtechnologies § Investigativetools § Specifictestingperiods(startandenddate/times) § CSPreportingrequirements(format,content,media,encryption)
ThePenetrationTestPlanmustdescribe:
§ Targetlocations § Categoriesofinformationsuchasopensourceintelligence,humanintelligence § Typeofinformationsuchasphysical,relationship,logical,electronic,metadata § Gatheringtechniquessuchasactive,passive,on-andoff-location § Pervasiveness § Constraintsthatdonotexploitbusinessrelationships(customer,supplier,jointventure,or
teamingpartners)
The3PAOmustjustifyomittinganyattackvectorsdescribedinSection3aboveintheROE/TestPlanandthePenetrationTestReport.
|27
SYSTEM SCOPE
Provideadescriptionoftheboundariesandscopeofthecloudservicesystem,alongwithanyidentifiedsupportingservicesorsystems.SystemscopeshouldaccountforallIPaddresses,UniformResourceIdentifiers(URLs),devices,components,software,andhardware.
ASSUMPTIONS AND LIMITATIONS
Provideadescriptionoftheassumptions,dependencies,andlimitationsidentifiedthatmayhaveanimpactonPenetrationTestingactivitiesorresults.Includereferencestolocalandfederallegalconstraintsthatmayberelevanttotestingorresults.Assumptionsalsoincludeanyassumedagreement,oraccesstothirdpartysoftware,systems,orfacilities.
TESTING SCHEDULE
Provideaschedulethatdescribestestingphases,initiation/completiondates,andallowsfortrackingofPenetrationTestdeliverables.
TESTING METHODOLOGY
ThemethodologysectionwilladdressrelevantPenetrationTestingactivitiesasdescribedinSection5above.
RELEVANT PERSONNEL
ProvidealistofkeypersonnelinvolvedinthemanagementandexecutionofthePenetrationTest.Thelistshouldinclude,ataminimum:
§ SystemOwner(CSP) § TrustedAgent(CSP) § PenetrationTestTeamLead(3PAO) § PenetrationTestTeamMember(s)(3PAO) § EscalationPointsofContact(CSPand3PAO)
|28
INCIDENT RESPONSE PROCEDURES
ProvideadescriptionofthechainofcommunicationsandprocedurestobefollowedshouldaneventrequiringincidentresponseinterventionbeinitiatedduringPenetrationTesting.
EVIDENCE HANDLING PROCEDURES
ProvideadescriptionofproceduresfortransmissionandstorageofPenetrationTestevidencecollectedduringthecourseoftheassessment.