Post on 22-Feb-2018
7/24/2019 LPTv4 Module 13 Rules of Engagement
ECSA/LPT
Module XIII: Rules of Engagement
Module Objective
This module will introduce you to the following:
Rules of Engagement (ROE) between an organization and penetration testers
Scope of ROE
Steps for framing ROE
Clauses in ROE
EC-CouncilCopyright byEC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Rules of Engagement (ROE)
Scope of ROE
Steps for Framing ROE
Clauses in ROE
Rules of Engagement (ROE)
Rules of engagement (ROE) is the formal permission to conduct the pen test, obtained before starting.
ROE helps testers to overcome legal, federal, and policy-related restrictions on using different penetration testing tools and techniques.
Scope of ROE
The ROE should also clearly explain the limits associated with the security test. It includes:
Specific IP addresses/ranges to be tested.
Any restricted hosts (i.e., hosts, systems, subnets not to be tested).
A list of acceptable testing techniques (e.g., social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.).
Times when testing is to be conducted (e.g., after business hours, etc.).
Identification of a finite period for testing.
Scope of ROE (contd)
ROE includes:
The IP addresses from which the penetration testing will be conducted, so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks.
Points of contact for the penetration testing team, the targeted systems, and the networks.
Measures to prevent law enforcement being called with false alarms (created by the testing).
Handling of information collected by the penetration testing team.
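The scope elements listed in the two slides above (authorized ranges, restricted hosts, permitted techniques, testing hours, a finite period, and the tester source addresses administrators use to tell test traffic from real attacks) can be written down in a machine-checkable form and consulted before any tool is run. The following is an added example, not material from the module: the `Scope` class, the `check` function and every address, date and technique name in it are constructed placeholders.

```python
# Added example: encode the scope elements an ROE names and check proposed actions
# against them. All values below are constructed placeholders, not a real engagement.
from dataclasses import dataclass
from datetime import date, datetime, time
import ipaddress

@dataclass
class Scope:
    in_scope: list           # address ranges the ROE authorizes for testing
    restricted: list         # hosts/subnets the ROE says must not be tested
    techniques: set          # testing techniques the ROE permits
    window: tuple            # (start, end) time of day; may wrap past midnight
    period: tuple            # (first, last) date of the finite testing period
    tester_sources: list     # addresses the team tests from; admins compare
                             # traffic sources against this list

    def __post_init__(self):
        self.in_scope = [ipaddress.ip_network(n) for n in self.in_scope]
        self.restricted = [ipaddress.ip_network(n) for n in self.restricted]
        self.tester_sources = {ipaddress.ip_address(a) for a in self.tester_sources}

def in_window(t: time, window: tuple) -> bool:
    start, end = window
    # An after-hours window such as 18:00-06:00 wraps past midnight.
    return start <= t < end if start < end else (t >= start or t < end)

def check(scope: Scope, target: str, technique: str, when: datetime) -> list:
    """Return the ROE violations for one proposed action (empty list = permitted)."""
    ip = ipaddress.ip_address(target)
    problems = []
    if not any(ip in n for n in scope.in_scope):
        problems.append("target not in an authorized range")
    if any(ip in n for n in scope.restricted):  # exclusions override inclusions
        problems.append("target is a restricted host")
    if technique not in scope.techniques:
        problems.append(f"technique {technique!r} not permitted")
    if not scope.period[0] <= when.date() <= scope.period[1]:
        problems.append("outside the agreed testing period")
    elif not in_window(when.time(), scope.window):
        problems.append("outside the agreed testing hours")
    return problems

ROE = Scope(                                  # constructed sample ROE
    in_scope=["192.0.2.0/24", "198.51.100.0/25"],
    restricted=["192.0.2.10/32"],              # e.g. the production database host
    techniques={"port_scan", "vuln_scan", "config_review"},
    window=(time(18, 0), time(6, 0)),          # after business hours only
    period=(date(2018, 3, 5), date(2018, 3, 9)),
    tester_sources=["203.0.113.7"],
)
```

Running `check` from a scan wrapper and refusing to proceed on a non-empty result turns the ROE from a document into an enforced control; the restricted-host rule deliberately wins even when the host sits inside an authorized range.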
Steps for Framing ROE
Estimate the cost, time and effort that the organization can invest
Decide on desired depth for penetration testing
Have pre-contract discussions with different pen-testers
Conduct brainstorming sessions with the top management and technical teams
Clauses in ROE
List of allowed and prohibited activities:
An organization may allow some activities, like port scanning for offline cracking, and prohibit others, like password cracking, SQL injection and DoS attacks
Definitions of test scope, limitations, and other activities for protecting the test team
Authorization of penetration testers for systems and
Clauses in ROE (contd)
Details about the level and reach of the pen-test
Definition of the different types of allowed testing techniques
Information on activities, such as:
Port and service identification
Vulnerability scanning
Security configuration review
Password cracking
Clauses in ROE (contd)
Details on how organizational data is treated throughout and after the test
Details on how data should be transmitted during and after the test
Techniques for data exclusion from systems upon termination of the test
Summary
Rules of engagement is the formal permission to conduct the pen-test, obtained before starting.
The scope should also clearly explain the limits associated with the security test.
It prevents activities such as installing and using executable files that pose a greater risk to the system.