Before doing any corporate network pen testing, it's important to take some fundamental actions, not only to protect the company but also to protect yourself. Probably one of the best guides to help you prepare for such testing is Appendix B, Rules of Engagement, a template in NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment (.pdf). The Rules of Engagement (ROE) template will help you organize and prepare the penetration testing methodology, while also reassuring the IT department that you know what you are doing and are concerned about possibly causing outages.
For example, the ROE includes the following key elements, which you'll need to complete with the help of IT and corporate management:
- Assumptions and Limitations
- Document Structure
- Test Schedule
- Test Site
- Test Equipment
- Communications Strategy
- General Communication
- Incident Handling & Response
- Target System / Network
- Testing Execution
- Non-Technical Test Components (e.g., Interviews, social engineering)
- Technical Test Components (e.g., network scanning, discovery, penetration testing)
- Data Handling
- Signature Page
  - At a minimum, the test team leader and the company's senior management (CSO, CISO, CIO, etc.) should sign the ROE, stating that they understand the test's scope, boundaries and risks.
As an addendum, consider these extra things to add to the ROE to help the IT staff know you are on their side:
- Detail the activities that will be allowed and those that are not allowed. (E.g., don't allow a pen test of a system that, if tipped over by the testing, would cause a catastrophic failure of a key asset. Likewise, don't allow a pen test during any major event that cannot be interrupted.)
- Identify those systems that are not authorized for testing (i.e., an "exclude list").
- Have a detailed incident handling and response procedure in case an incident occurs on the network while testing is in progress.
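The three addenda above (allowed activities and blackout periods, an exclude list, and a defined target scope) can be turned into a mechanical pre-flight check that the test team runs before touching any host. The following is an added example, not part of the original article or of NIST SP 800-115; the network ranges, excluded hosts and the test window it uses are constructed placeholders, and the `RulesOfEngagement` structure is this example's own representation of a few ROE fields, not a format defined by the NIST template.

```python
"""Pre-flight scope check built from Rules of Engagement fields.

Added example, not code from the original article or from NIST SP 800-115.
Every network, host and time value below is a constructed placeholder.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    """A few ROE fields: target scope, exclude list, test schedule."""
    authorized: list            # "Target System / Network": CIDR strings
    excluded: list = field(default_factory=list)   # exclude list: CIDR strings
    window_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri
    window_start: time = time(9, 0)   # "Test Schedule": daily window start
    window_end: time = time(17, 0)    # daily window end (exclusive)
    blackout: list = field(default_factory=list)   # (start, end) datetimes

    def __post_init__(self):
        # Parse once so a typo in the ROE fails loudly at load time,
        # not halfway through an engagement.
        self._authorized = [ipaddress.ip_network(n, strict=False) for n in self.authorized]
        self._excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]


def check_target(roe: RulesOfEngagement, target: str, when: datetime) -> tuple:
    """Return (allowed, reason) for testing `target` at time `when`.

    The exclude list is consulted before the authorized list, so an excluded
    host that sits inside an authorized range is still rejected.
    """
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in roe._excluded):
        return False, f"{target} is on the exclude list"
    if not any(addr in net for net in roe._authorized):
        return False, f"{target} is outside the authorized scope"
    for start, end in roe.blackout:
        if start <= when < end:
            return False, f"{when:%Y-%m-%d %H:%M} falls inside a blackout period"
    if when.weekday() not in roe.window_days:
        return False, f"{when:%Y-%m-%d} is not a scheduled test day"
    if not (roe.window_start <= when.time() < roe.window_end):
        return False, f"{when:%H:%M} is outside the daily test window"
    return True, f"{target} is in scope and inside the test window"


def filter_targets(roe: RulesOfEngagement, targets: list, when: datetime) -> tuple:
    """Split a candidate list into (allowed, rejected) where rejected
    carries the reason, so the rejections can be logged for the ROE file."""
    allowed, rejected = [], []
    for t in targets:
        ok, reason = check_target(roe, t, when)
        (allowed if ok else rejected).append(t if ok else (t, reason))
    return allowed, rejected


# Constructed sample ROE: one /16 in scope, one host and one subnet excluded,
# and a one-day blackout for a (hypothetical) major event.
SAMPLE_ROE = RulesOfEngagement(
    authorized=["10.20.0.0/16"],
    excluded=["10.20.5.10/32", "10.20.7.0/24"],
    blackout=[(datetime(2010, 5, 14, 0, 0), datetime(2010, 5, 15, 0, 0))],
)

if __name__ == "__main__":
    candidates = ["10.20.1.4", "10.20.5.10", "10.20.7.33", "10.30.0.1"]
    ok, bad = filter_targets(SAMPLE_ROE, candidates, datetime(2010, 5, 11, 10, 0))
    print("allowed:", ok)
    for target, reason in bad:
        print("rejected:", target, "-", reason)
```

Running the check at the start of every testing session (and feeding the rejected list into the engagement log) gives the IT staff a concrete record that the exclude list and schedule in the signed ROE were actually enforced, not just agreed to.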
By completing this ROE and working closely with the IT staff, you can demonstrate the trustworthiness of your intentions and your capabilities, and obtain appropriate management buy-in, before attempting any risky testing.
This was first published in May 2010