
Penetration test methodology: Creating a network pen testing agreement

Network pen testing can be very useful when it comes to detecting vulnerabilities, but it's important to work with the IT department to prevent network downtime. In this expert response, learn how to draw up pen testing rules of engagement for greater security and IT uptime.

I'm an IT auditor who wants to perform an intrusion penetration test of our company's ports. I'm getting resistance from the IT group because they are concerned it will cause system outages. Based on my research, however, there appears to be minimal risk of this. What would you recommend I do to convince them?

Prior to doing any corporate network pen testing, it's important to take some fundamental actions not only to protect the company, but also to protect yourself. Probably one of the best guides to help you prepare for such testing is Appendix B, Rules of Engagement, a template in NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment. The Rules of Engagement (ROE) template will help you organize and prepare the penetration testing methodology, while also giving the IT department a better sense that you know what you are doing and are just as concerned as they are about causing outages.

For example, the ROE includes the following key elements that you'll need to complete with the help of IT and corporate management:

  1. Introduction
    1. Purpose
    2. Scope
    3. Assumptions and Limitations
    4. Risks
    5. Document Structure
  2. Logistics
    1. Personnel
    2. Test Schedule
    3. Test Site
    4. Test Equipment
  3. Communications Strategy
    1. General Communication
    2. Incident Handling & Response
  4. Target System / Network
  5. Testing Execution
    1. Non-Technical Test Components (e.g., Interviews, social engineering)
    2. Technical Test Components (e.g., network scanning, discovery, penetration testing)
    3. Data Handling
  6. Reporting
  7. Signature Page
    1. At a minimum, the test team leader and the company's senior management (CSO, CISO, CIO, etc.) should sign the ROE, stating that they understand the test's scope, boundaries and risks.

As an addendum, consider these extra things to add to the ROE to help the IT staff know you are on their side:

  1. Detail activities that will be allowed and those that are not allowed. (E.g., don't allow a pen test of a system that, if tipped over by the testing, would result in a catastrophic failure of a key asset. Likewise, don't allow a pen test during any major events that cannot be interrupted.)
  2. Identify those systems that are not authorized for testing (i.e., an "exclude list").
  3. Have a detailed incident handling and response procedure in case an incident occurs on the network while testing is in progress.
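The exclude list, the agreed test schedule and the blackout periods in the ROE are only useful if the tester actually checks every target and start time against them before running anything. The script below is an added example, not code from the article or from NIST SP 800-115; it turns a hypothetical ROE excerpt (the network ranges, excluded hosts, test windows and blackout dates are constructed for illustration) into a pre-flight check that refuses any target outside the authorized segment, any target that even partially overlaps an excluded system, and any start time outside an agreed window or inside a blackout.

```python
"""Pre-flight scope and schedule check for a network pen test, driven by ROE values.

Added example. All ROE values below are constructed for illustration and are
not taken from the original article or from NIST SP 800-115.
"""
import ipaddress
from datetime import datetime, time

# Constructed ROE excerpt (hypothetical values).
ROE = {
    # Segments authorized in the ROE "Target System / Network" section.
    "in_scope": ["10.20.0.0/16"],
    # Systems explicitly not authorized for testing (the "exclude list").
    "exclude_list": ["10.20.5.10", "10.20.9.0/24"],
    # Agreed test schedule: (weekday 0=Mon..6=Sun, start, end), local time.
    "test_windows": [
        (1, time(20, 0), time(23, 0)),  # Tuesday evening maintenance window
        (3, time(20, 0), time(23, 0)),  # Thursday evening maintenance window
    ],
    # Major events that must not be interrupted: (start, end).
    "blackouts": [(datetime(2025, 6, 30, 0, 0), datetime(2025, 7, 1, 0, 0))],
}


def _networks(entries):
    """Parse host or CIDR strings into ip_network objects (hosts become /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_target(target, roe=ROE):
    """Return (allowed, reason) for a single host or CIDR target."""
    net = ipaddress.ip_network(target, strict=False)
    # The target must lie entirely inside an authorized segment ...
    if not any(net.subnet_of(auth) for auth in _networks(roe["in_scope"])):
        return False, f"{target} is outside the authorized target network"
    # ... and must not touch any excluded system, even partially.
    for ex in _networks(roe["exclude_list"]):
        if net.overlaps(ex):
            return False, f"{target} overlaps excluded system/range {ex}"
    return True, f"{target} is in scope"


def check_time(when, roe=ROE):
    """Return (allowed, reason) for a proposed test start time."""
    # Blackouts take precedence over any test window.
    for start, end in roe["blackouts"]:
        if start <= when < end:
            return False, f"{when} falls in a blackout period ({start} to {end})"
    for weekday, start, end in roe["test_windows"]:
        if when.weekday() == weekday and start <= when.time() < end:
            return True, f"{when} is inside an agreed test window"
    return False, f"{when} is outside every agreed test window"


def preflight(targets, when, roe=ROE):
    """Evaluate a whole target list; testing is a no-go unless every check passes."""
    ok_time, time_reason = check_time(when, roe)
    results = {t: check_target(t, roe) for t in targets}
    allowed = ok_time and all(ok for ok, _ in results.values())
    return {"allowed": allowed, "time": time_reason, "targets": results}


if __name__ == "__main__":
    # 2025-06-24 is a Tuesday, so 20:30 is inside the constructed window.
    report = preflight(["10.20.1.0/24", "10.20.5.10", "192.168.1.1"],
                       datetime(2025, 6, 24, 20, 30))
    print("GO" if report["allowed"] else "NO-GO", "-", report["time"])
    for t, (ok, reason) in report["targets"].items():
        print(("  ok  " if ok else "  STOP"), reason)
```

Running it with the mixed list above gives a NO-GO: the /24 passes, the excluded host and the address outside the authorized segment are each flagged with a reason, and the whole run is refused rather than partially started. A check like this belongs in the tester's own workflow, but sharing the ROE-derived input file with the IT group gives them something concrete to review alongside the signed document.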

By completing this ROE and working closely with the IT staff, you can prove the trustworthiness of your intentions and your capabilities, as well as get appropriate management buy-in, before trying any risky testing.

This was last published in May 2010
