2.3 - Target Selection
Key terms
- Scope of work – Defines exactly what the project will consist of: which systems, networks, applications and sites are to be tested, and which are excluded. It is also known as a statement of work (SOW).
- Rules of engagement – Defines how the penetration test will be carried out: the techniques the ethical hacker is permitted to use, how far testing may go on each system, the time windows in which testing is allowed, and who to contact if something goes wrong.
Choosing a Target
There are 3 main questions to consider when choosing a target:
- Which type of test should we use?
- Who are we testing?
- What are we testing?
These details should be recorded in the SOW document (scope of work) and the ROE document (rules of engagement), and both should be signed by the client before any testing starts. Written authorisation is what separates a penetration test from unauthorised access: these two documents are the ethical hacker's legal protection against prosecution, but only for activity that stays within what they describe.
Which Type of Test?
Internal test – relates to systems that logically reside behind the firewall, i.e. the attacker is assumed to already have a foothold on the internal network. These can be both onsite and offsite systems. Because the tester is usually given network access and some knowledge of the environment, an internal test is normally run as a white box (or grey box) test.
External test – relates to public facing systems such as a web server or mail server, attacked from the internet. These tests are usually grey or black box tests, since the tester starts with little or no inside knowledge. Note that internal/external describes where the tester attacks from, while white/grey/black box describes how much information the tester is given; the two are separate choices and both should be written into the SOW.
What are we testing?
Penetration tests are run on onsite systems or 3rd party systems. For example, a website may not be hosted onsite, but the organisation is still responsible for the data held on that site. The hosting provider has not given permission for the test, so the website may have to be left out of the scope, or the provider's written permission must be obtained first. This is why identifying the scope of work is important before you begin a test, and why all testing must stay within it.

Physical security, although often overlooked, may also be tested and included in the test scope. If a physical security test is included, there must be a set limit on how far that testing may go (which buildings, floors and rooms, and whether lock picking, tailgating or badge cloning are permitted), as there may still be areas that testers are not allowed to enter or analyse.

Wireless networks may also be included in the scope of the test. Organisations increasingly run multiple wireless networks, which causes problems when the business wants to keep certain networks off limits from the ethical hackers; each SSID that is in or out of scope should be named explicitly.

Off limits applications must also be considered when setting up a penetration test. Some applications are classed as 'mission-critical', meaning they should not be tested, or only tested in a non-intrusive way or during an agreed maintenance window, to avoid downtime. These applications include things such as financial processing systems, medical databases and other sensitive applications, and they should be listed by name in the SOW rather than left to the tester's judgement.
Who are we testing?
In most security breaches the weakest link is a human, which is why it is important to assess whether social engineering techniques are effective as part of a penetration test. Social engineering can include in-person attacks, such as dressing as a professional worker (a contractor, courier or IT technician) and trying to gain access to a building under false pretences. It can also include electronic attacks such as email phishing, phone-based pretexting or online pretext attacks. Whether social engineering is permitted at all, and which staff or departments may be targeted, must be agreed in the rules of engagement.
Additional Scoping Considerations
A risk assessment must be conducted before a test is carried out. Its purpose is to identify the areas of the business most worth protecting, such as high-value data, network systems, web applications, online information and physical security, so that the penetration test plan concentrates effort where a real attacker would. Risk management then decides, for each risk found in the assessment, whether to mitigate, transfer, avoid or accept it. Before a penetration test, the organisation must also set a tolerance level: how much disruption it is willing to accept from the test. This determines what the ethical hackers are allowed to test, how aggressively, and what is out of scope.
Test Scheduling
When scheduling a penetration test, the organisation must agree the time frame given to complete the test, when the test may be executed (inside vs outside business hours, weekends and holidays) and who is aware of the test's occurrence. The fewer people who know when the test is occurring, the more realistic the test will be, particularly for judging the response of the security operations team. Even so, the ROE should name a small number of emergency contacts on both sides who do know, so that the test can be paused if it disrupts production systems.
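The sections on scope ("What are we testing?") and on test scheduling both come down to the same practical check a tester should make before every scan or attack: is this host inside the agreed scope, is it not on the excluded list, and is the current time inside the agreed testing window? The following is an added example (not code from the original page) of such a check in Python. The scope itself is constructed for the example: the networks, the excluded third-party address and mission-critical subnet, and the 22:00 to 06:00 weekday window are all made up, and a real engagement would load them from the signed SOW/ROE rather than hard-code them.

```python
import ipaddress
from datetime import datetime, time

# Constructed example scope for a fictional engagement. Every address here is
# from documentation ranges (RFC 1918 / RFC 5737) and is an assumption, not
# anything taken from the page.
SCOPE = {
    "in_scope": ["10.10.0.0/16", "203.0.113.0/24"],
    # An explicit exclusion always wins over an in-scope range: e.g. a subnet
    # holding the mission-critical database, and a website hosted by a third
    # party whose permission was not obtained.
    "out_of_scope": ["10.10.5.0/24", "203.0.113.7"],
    # ROE test window: out of business hours, wrapping past midnight.
    "test_window": (time(22, 0), time(6, 0)),
    # Weekday numbering as in datetime.weekday(): Monday = 0 ... Sunday = 6.
    "allowed_days": {0, 1, 2, 3, 4},
}


def _networks(entries):
    # strict=False lets a single host like 203.0.113.7 be treated as a /32.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def host_in_scope(target, scope=SCOPE):
    """Return (allowed, reason). Exclusions are checked before inclusions."""
    addr = ipaddress.ip_address(target)
    for net in _networks(scope["out_of_scope"]):
        if addr in net:
            return False, f"{target} is explicitly excluded by {net}"
    for net in _networks(scope["in_scope"]):
        if addr in net:
            return True, f"{target} is within {net}"
    return False, f"{target} is not listed in the scope of work"


def time_in_window(when, scope=SCOPE):
    """True when the datetime `when` falls inside the ROE testing window.

    A window that wraps midnight (22:00-06:00) is attributed to the day it
    started on, so Friday 22:00 to Saturday 06:00 is a Friday session and
    Monday 02:00 belongs to Sunday, which is not an allowed day.
    """
    start, end = scope["test_window"]
    t = when.time()
    if start <= end:
        in_window = start <= t < end
        day = when.weekday()
    else:
        in_window = t >= start or t < end
        day = when.weekday() if t >= start else (when.weekday() - 1) % 7
    return in_window and day in scope["allowed_days"]


def authorise(target, when_iso, scope=SCOPE):
    """Combined pre-flight check: host in scope AND time inside the window.

    `when_iso` is an ISO 8601 timestamp string, e.g. "2024-03-05T23:30:00".
    """
    ok_host, reason = host_in_scope(target, scope)
    if not ok_host:
        return False, reason
    when = datetime.fromisoformat(when_iso)
    if not time_in_window(when, scope):
        return False, f"{when_iso} is outside the agreed testing window"
    return True, reason


if __name__ == "__main__":
    # Tuesday night, inside the window, against each kind of target.
    for tgt in ["10.10.1.20", "10.10.5.3", "203.0.113.7", "198.51.100.9"]:
        print(tgt, authorise(tgt, "2024-03-05T23:30:00"))
    # Same in-scope host on a Tuesday afternoon: refused on time alone.
    print("10.10.1.20", authorise("10.10.1.20", "2024-03-05T14:00:00"))
```

Wrapping the scanner or exploit launcher in a check like this, and logging every refusal, gives the tester evidence after the engagement that nothing was touched outside the signed documents; the exclusion-first ordering matters because the excluded addresses usually sit inside an otherwise in-scope range.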
Security Exceptions
A security exception is a deviation from the organisation's standard security procedures made for the duration of the test. For example, it should be determined beforehand whether the tester's source addresses will be placed on an allow list (so that the IDS/IPS, WAF or firewall does not block the test) or on a block list (so that the defences are tested as they stand). Likewise, the tester may or may not be issued a network or client certificate for access control before the test; this depends on the organisation's own security policies. Whichever is chosen, the tester must be told which exceptions have been put in place, otherwise the results cannot be interpreted: a finding that only appears because a control was switched off is not a real finding, and a control that silently blocked the tester will hide real weaknesses. Agreeing the exceptions up front is essential to ensure a fair and realistic test.
Scope Creep
Scope creep is when the client requests small deviations from the original scope of the test ("while you're in there, could you also look at..."). These requests can cause the project to fall off track and cost more time and resources, and any testing of a system not named in the signed SOW is unauthorised no matter how small the request. When a change is requested, both parties must agree to a change order, fill out the necessary documentation and have it approved by both sides. Only after this is completed may the ethical hacker carry out the additional tasks added to the scope of work.