I'm an IT auditor who wants to perform an intrusion penetration test of our company's ports. I'm getting resistance from the IT group because they are concerned it will cause system outages. Based on my research, however, there appears to be minimal risk of this. What would you recommend I do to convince them?
Prior to doing any corporate network pen testing, it's important to take some fundamental actions, not only to protect the company but also to protect yourself. Probably one of the best guides to help you prepare for such testing is Appendix B, the Rules of Engagement template, in NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment. The Rules of Engagement (ROE) template will help you organize and document the penetration testing methodology, while also showing the IT department that you know what you are doing and are as concerned as they are about causing outages.
For example, the ROE includes the following key elements that you'll need to complete with the help of IT and corporate management:
- Assumptions and Limitations
- Document Structure
- Test Schedule
- Test Site
- Test Equipment
- Communications Strategy
- General Communication
- Incident Handling & Response
- Target System / Network
- Testing Execution
- Non-Technical Test Components (e.g., Interviews, social engineering)
- Technical Test Components (e.g., network scanning, discovery, penetration testing)
- Data Handling
- Signature Page. At a minimum, the test team leader and the company's senior management (CSO, CISO, CIO, etc.) should sign the ROE stating that they understand the test's scope, boundaries and risks.
As an addendum, consider these extra things to add to the ROE to help the IT staff know you are on their side:
- Detail the activities that will be allowed and those that are not allowed. (E.g., don't allow a pen test of a system that, if tipped over by the testing, would result in a catastrophic failure of a key asset. Likewise, don't allow a pen test during any major event that cannot be interrupted.)
- Identify those systems that are not authorized for testing (i.e., an "exclude list").
- Have a detailed incident handling and response procedure in case an incident occurs on the network while testing is in progress.
By completing this ROE and working closely with the IT staff, you can prove the trustworthiness of your intentions and your capabilities, as well as get appropriate management buy-in, before trying any risky testing.
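The exclude list and test schedule above are only as good as the tooling that honors them, so a pre-flight check that refuses to scan anything outside the signed scope is worth building into the scan procedure. The script below is an added example, not code from the original Q&A or from NIST SP 800-115. It assumes a hypothetical ROE attachment format (one CIDR per line for in-scope networks and for the exclude list), a constructed set of candidate targets, and a hypothetical Saturday 01:00-05:00 test window; it filters the targets, checks the window, and emits a conservative nmap command (SYN scan, polite timing, a rate cap, a low retry count and the same exclude file passed to nmap) rather than running the scan itself.

```python
"""Pre-flight scope check for a port scan under a signed Rules of Engagement.

Added example, not from the original Q&A or NIST SP 800-115. Assumes a
hypothetical scope format (CIDRs for in-scope and excluded ranges) and a
hypothetical test window. Targets are scanned only if they are inside an
in-scope network, outside every excluded range, and the time is in the window.
"""
import ipaddress
import shlex
from datetime import datetime

# Constructed sample data standing in for the ROE scope attachments.
IN_SCOPE = ["10.20.0.0/24", "10.20.5.0/24"]
EXCLUDE = ["10.20.0.1/32", "10.20.5.0/26"]   # e.g. core router, control-system segment
# Constructed candidate targets an auditor might hand to the tool.
CANDIDATES = ["10.20.0.1", "10.20.0.50", "10.20.5.10", "10.20.5.200", "192.168.1.1"]
# Hypothetical agreed window: Saturday (weekday 5), 01:00 to 05:00 local time.
WINDOW = {"weekday": 5, "start_hour": 1, "end_hour": 5}


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def filter_targets(candidates, in_scope, exclude):
    """Return (allowed, rejected); rejected maps host -> reason it was dropped."""
    scope_nets, excl_nets = _nets(in_scope), _nets(exclude)
    allowed, rejected = [], {}
    for host in candidates:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            rejected[host] = "not an IP address"
            continue
        if not any(ip in n for n in scope_nets):
            rejected[host] = "outside authorized scope"
        elif any(ip in n for n in excl_nets):
            rejected[host] = "on exclude list"
        else:
            allowed.append(host)
    return allowed, rejected


def in_window(now, window):
    """True if 'now' (datetime or ISO string) falls inside the agreed test window."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (now.weekday() == window["weekday"]
            and window["start_hour"] <= now.hour < window["end_hour"])


def build_nmap_command(allowed, exclude_file="roe_exclude.txt", out_prefix="roe_scan"):
    """Build a conservative nmap command line; the exclude file is passed to nmap
    as a second line of defense even though targets were already filtered."""
    if not allowed:
        raise ValueError("no authorized targets; refusing to build a scan command")
    cmd = ["nmap", "-sS", "-n", "-T2", "--max-rate", "50", "--max-retries", "1",
           "-p", "1-1024", "--excludefile", exclude_file, "-oA", out_prefix] + allowed
    return shlex.join(cmd)


if __name__ == "__main__":
    allowed, rejected = filter_targets(CANDIDATES, IN_SCOPE, EXCLUDE)
    for host, why in rejected.items():
        print(f"SKIP {host}: {why}")
    now = datetime.now()
    if not in_window(now, WINDOW):
        print(f"Outside agreed test window ({now:%a %H:%M}); not scanning.")
    else:
        print(build_nmap_command(allowed))
```

Keeping the exclude list in a file that both this check and nmap's `--excludefile` read means one document, the same one attached to the signed ROE, governs what the tool can touch; the rate cap and low retry count are the settings to discuss with IT when they raise the outage concern, since they bound how hard any single host is hit.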
Related Q&A from Ernie Hayden: enterprise information security legal issues for CISOs; certification versus an advanced degree for an infosec career; employee termination for insecure conduct.