Pre-engagement

During the pre-engagement phase, key personnel are selected. These individuals are key to providing information, coordinating resources, and helping testers understand the scope, breadth, and rules of engagement in the assessment.

This phase also covers legal requirements, which typically include a non-disclosure agreement (NDA) and a consulting services agreement (CSA). The following is a typical process overview of what is required prior to the actual penetration testing:

An NDA is a legal agreement that specifies that a penetration tester will not share or retain any sensitive or proprietary information encountered during the assessment. Companies usually sign these agreements with the cybersecurity firm, which will, in turn, sign them with the employees working on the project. In some cases, companies sign these agreements directly with the penetration testers from the firm carrying out the project.

The scope of a penetration test defines the systems that the testers can and cannot hack or test. To ensure that the penetration tester remains within legal boundaries, he or she must obtain written permission from the client or company that is requesting the services. Additionally, the penetration tester must provide an NDA. The agreement between the ethical hacker and the client also identifies sensitive systems, permitted testing times, and which systems require special testing windows. It is incredibly important for penetration testers to pay close attention to the scope of a penetration test and to where they are testing, so that they always stay within the agreed testing constraints.

The following are some sample pre-engagement questions to help you define the scope of your penetration test:

  • What is the size/class of your external network? (Network penetration testing.)
  • What is the size/class of your internal network? (Network penetration testing.)
  • What is the purpose and goal of the penetration test? (Applicable to any form of penetration testing.)
  • How many pages does the web application have? (Web application penetration testing.)
  • How many user inputs or forms does the web application have?

This is not an exhaustive list of pre-engagement questions, and every engagement should be given thorough thought to ensure that you ask all the important questions so that you don't underscope or underprice the engagement.

Now that we've understood the legal limitation stages in penetration testing, let's move on to learn about the information-gathering phase and its importance.
