LPTv4 Module 13 Rules of Engagement


7/24/2019 LPTv4 Module 13 Rules of Engagement

ECSA/LPT

Module XIII: Rules of Engagement


    Module Objective

This module will introduce you to the following:

Rules of Engagement (ROE) between an organization and penetration testers

Scope of ROE

Steps for framing ROE

Clauses in ROE

EC-Council. Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


    Module Flow

Rules of Engagement (ROE)

Scope of ROE

Steps for Framing ROE

Clauses in ROE


    Rules of Engagement (ROE)

Rules of engagement is the formal permission to conduct the pen test before starting.

ROE helps testers to overcome legal, federal, and policy-related restrictions on using different penetration testing tools and techniques.


    Scope of ROE

The ROE should also clearly explain the limits associated with the security test.

ROE includes:

Specific IP addresses/ranges to be tested.

Any restricted hosts (i.e., hosts, systems, subnets not to be tested).

A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.).

Times when testing is to be conducted (e.g., during business hours, after business hours, etc.).

    Identification of a finite period for testing.
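As an added example (not part of the EC-Council module), the scope items above turned into a machine-checkable ROE: the authorised ranges, restricted host, acceptable techniques, after-hours window and finite period are hypothetical values, and each planned test action is validated against them before it is run, so an out-of-scope host, technique or time is caught in advance rather than explained afterwards.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed ROE scope (hypothetical values, documentation-range addresses)
# mirroring the slide's items: authorised ranges, restricted hosts, acceptable
# techniques, permitted hours (after business hours) and a finite period.
ROE = {
    "in_scope": [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")],
    "restricted_hosts": {ip_address("192.0.2.10")},   # never to be tested
    "allowed_techniques": {"port_scan", "vuln_scan", "password_cracking"},
    "window_start": time(18, 0),   # 18:00-06:00, wraps past midnight
    "window_end": time(6, 0),
    "period": (datetime(2019, 7, 22), datetime(2019, 7, 26)),
}

def in_time_window(when, start, end):
    """True if the clock time of `when` is in [start, end); handles a window
    that wraps past midnight, as an after-hours window normally does."""
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def check_action(roe, target, technique, when):
    """Return (allowed, reason) for one planned test action. Rules are checked
    in a fixed order, so the reason names the first rule the action breaks."""
    addr = ip_address(target)
    if not any(addr in net for net in roe["in_scope"]):
        return False, f"{target} is not in an authorised IP range"
    if addr in roe["restricted_hosts"]:
        return False, f"{target} is a restricted host"
    if technique not in roe["allowed_techniques"]:
        return False, f"technique '{technique}' is not authorised"
    first, last = roe["period"]
    if not first <= when <= last:
        return False, "outside the agreed testing period"
    if not in_time_window(when, roe["window_start"], roe["window_end"]):
        return False, "outside the agreed testing hours"
    return True, "in scope"

if __name__ == "__main__":
    plan = [
        ("192.0.2.20", "port_scan", datetime(2019, 7, 23, 22, 0)),   # in scope
        ("192.0.2.10", "port_scan", datetime(2019, 7, 23, 22, 0)),   # restricted
        ("192.0.2.20", "dos", datetime(2019, 7, 23, 22, 0)),         # technique
        ("192.0.2.20", "vuln_scan", datetime(2019, 7, 23, 14, 0)),   # hours
    ]
    for target, technique, when in plan:
        print(target, technique, when, check_action(ROE, target, technique, when))
```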


    Scope of ROE (contd)

    ROE includes:

IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks.

Points of contact for the penetration testing team, the targeted systems, and the networks.

Measures to prevent law enforcement being called with false alarms (created by the testing).

Handling of information collected by the penetration testing team.


    Steps for Framing ROE

Estimate the cost, time, and effort that the organization can invest

    Decide on desired depth for penetration testing

    Have pre-contract discussions with different pen-testers

Conduct brainstorming sessions with the top management and technical teams


    Clauses in ROE

List of allowed and prohibited activities:

The organization may allow some activities, like port scanning for offline cracking, and prohibit others, like password cracking, SQL injection, and DoS attacks

Definitions of test scope, limitations, and other activities for protecting the test team

    Authorization of penetration testers for systems and


    Clauses in ROE (contd)

Details about the level and reach of the pen-test

Definition of the different types of allowed testing techniques

    Information on activities, such as:

    Port and service identification

    Vulnerability scanning

Security configuration review

Password cracking


    Clauses in ROE (contd)

Details on how organizational data is treated throughout and after the test

Details on how data should be transmitted during and after the test

Techniques for data exclusion from systems upon termination of the test


    Summary

Rules of engagement is the formal permission to conduct the pen-test before starting.

The scope should also clearly explain the limits associated with the security test.

It prevents activities, such as installing and using executable files, that pose a greater risk to the system.
