Statement of Work (SOW)

Before you offer Penetration Testing services, you may need to write a Statement of Work (SOW) that outlines the work you are going to perform. This is typically the first step you would want to complete with your stakeholders before starting a project.

When writing a SOW, we recommend you follow a format that will ultimately mirror your reporting structure. The basic sections of a Statement of Work document include the following:

  • Executive report: A high-level summary of the work you are doing, what you hope to accomplish, and your target audience.
  • Activity report: A report of all executed exploits (available in three levels of detail).
  • Host report: Detailed host information, including the number of compromised computers, the average number of vulnerabilities exploited on each computer, and the CVE names of the vulnerabilities found on each computer.
  • Vulnerability report: A detailed report of successfully exploited, versus potential, vulnerabilities on each computer.
  • Client-side Penetration Test report: A full audit trail of each client-side Penetration Test, including the email template sent, the exploit launched, the test result (success or failure), and details about compromised systems.
  • User report: A client-side testing report of which links were clicked, when they were clicked, and by whom.

An example of a SOW executive summary is as follows:

The SERVICE PROVIDER is pleased to present the CUSTOMER with our methodology for conducting a security assessment. The principal objective of CUSTOMER in initiating this engagement is to adequately evaluate the current level of risk and exposure within the organization, with a focused view to developing and/or implementing solutions that will help reduce critical threats and ultimately mitigate relevant risk.

In response to the needs of CUSTOMER, SERVICE PROVIDER has outlined an effective security assessment strategy that has proven very successful in elevating the security posture of many similar organizations. Our approach begins with understanding the business requirements associated with the assessment, followed by detailed topology mapping and baselining of the existing infrastructure identified to be in scope. Upon completion of the infrastructure discovery, we begin a systematic vulnerability assessment of critical systems and network devices to identify threat vectors, including those that are behavioral in nature. A careful exploitation method is then reviewed and executed to establish the relevance of the vulnerabilities that have been detected. Techniques such as Penetration Testing and social engineering may be employed during this phase. Lastly, we hold weekly status briefings throughout the life cycle of the engagement to review the activities of the week and communicate key goals and objectives for the upcoming weeks. This gives CUSTOMER an opportunity to inform our engineers of any system upgrades in progress that require special consideration. SERVICE PROVIDER provides credible project management expertise to ensure operational excellence and a superior customer experience in all our engagements, and this one is no exception.

SERVICE PROVIDER recognizes a consistent business need to continually assess and improve the security posture of an organization, and we believe that this engagement will help reduce operational expenses through minimized risk and downtime, while also providing data protection and brand reputation benefits to CUSTOMER.

Furthermore, the insight gained from such an exercise is crucial in planning for future services that will enable business performance and profitability. These benefits are consistent and well aligned with the CUSTOMER's objectives, listed as follows:

  • Gain a better understanding of potential CUSTOMER network vulnerabilities and security risks
  • Determine critical security architecture weaknesses within the CUSTOMER infrastructure
  • Evaluate the security associated with the CUSTOMER website and external-facing applications

External Penetration Testing

Special consideration should be given to Penetration Testing from external sources. An external Penetration Testing SOW identifies your targets and the steps you are willing to take during the attack. The SOW also defines when you will stop testing and which circumstances are beyond scope. In other words, the SOW gives you a stopping point.

The next example shows an external Penetration Testing summary. It includes a quick overview of the testing process, followed by an outline with step-by-step descriptions of the work that will be performed. The example also outlines the responsibilities of the client, who is the application owner.

External web test SOW example:

The central objective of our external and web Penetration Testing effort is to exploit the inherent security weaknesses of the network perimeter, web domain, and web application delivery. Adjacent application delivery elements, including backend databases and middleware, are also included in this domain and are evaluated as well. The common vulnerabilities and exploits that we focus on during this phase are those related to buffer overflows, SQL injection, and cross-site scripting. Our engineers may also engage in manual navigation of the web domain to extract other pieces of sensitive and critical data. Furthermore, as requested by the CUSTOMER, devices in the DMZ will also be included in this Penetration Testing exercise in an attempt to logically break down the defenses surrounding the web application domain.

Detailed testing procedures:

SERVICE PROVIDER will complete the following testing procedures for the web application domain:

  • Identify the servers to be tested, based on the customer's website, and crawl the website to harvest addresses published on it.
  • Leverage major search engines to locate addresses for a given domain.
  • Find addresses in PGP key server and WHOIS databases.
  • Launch multiple, simultaneous attacks to speed up the Penetration Testing process.
  • Interact with compromised machines via discreet agents that are installed only in system memory.
  • Run local exploits to attack machines internally, rather than from across the network.
  • Analyze custom, customized, and out-of-the-box web applications for security weaknesses.
  • Validate security exposures using dynamically generated exploits, emulating an attacker trying various attack paths and methods.
  • Demonstrate the consequences of an attack by interacting with web server file systems and databases through command shells and database consoles.
  • Perform Penetration Tests without corrupting web applications or running code on targeted servers.
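
The first three procedures above (crawl the site for published addresses, then widen to search engines and WHOIS/PGP data) are where the SOW's scope boundary first matters in practice: the crawler must follow only links into in-scope domains, and anything else is recorded for the report but never touched. The following Python script is an added example written for this page, not code from the original text or from any vendor's tool. It runs offline over a constructed three-page sample site for the hypothetical in-scope domain example.com, harvests e-mail addresses from page text and mailto: links, and stops at the scope edge. The fetch function, the sample pages and the scope list are all assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Common shape of an e-mail address in page text or a mailto: link.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class LinkAndTextParser(HTMLParser):
    """Collects href values and visible text from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text_parts.append(data)


def in_scope(url, scope_domains):
    """True if the URL's host is one of the SOW's domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in scope_domains)


def harvest(start_url, fetch, scope_domains, max_pages=50):
    """Crawl from start_url following only in-scope links.

    fetch(url) returns the page body as a string, or None if unavailable.
    Returns (emails, in_scope_hosts, out_of_scope_hosts), each sorted.
    Out-of-scope hosts are recorded for the report but never fetched.
    """
    queue = [start_url]
    seen = set()
    emails, hosts, out_of_scope = set(), set(), set()
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        parser = LinkAndTextParser()
        parser.feed(body)
        parser.close()
        for addr in EMAIL_RE.findall(" ".join(parser.text_parts)):
            emails.add(addr.lower())
        for link in parser.links:
            if link.startswith("mailto:"):
                addr = link[len("mailto:"):].split("?")[0]
                if EMAIL_RE.fullmatch(addr):
                    emails.add(addr.lower())
                continue
            absolute = urljoin(url, link)
            parts = urlparse(absolute)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                continue
            host = parts.hostname.lower()
            if in_scope(absolute, scope_domains):
                hosts.add(host)
                if absolute not in seen:
                    queue.append(absolute)
            else:
                out_of_scope.add(host)  # the SOW's stopping point: note it, do not follow
    return sorted(emails), sorted(hosts), sorted(out_of_scope)


# Constructed sample site for the hypothetical in-scope domain example.com.
SAMPLE_SITE = {
    "https://www.example.com/": (
        '<html><body><a href="/contact">Contact</a> '
        '<a href="https://portal.example.com/login">Customer portal</a> '
        '<a href="https://partner-hosting.example.net/status">Hosting partner</a>'
        "</body></html>"
    ),
    "https://www.example.com/contact": (
        '<html><body>Press: <a href="mailto:press@example.com?subject=Enquiry">press office</a> '
        'Security: security@example.com <a href="https://www.example.com/">Home</a></body></html>'
    ),
    "https://portal.example.com/login": (
        "<html><body>Portal login. Support: helpdesk@example.com</body></html>"
    ),
}


def fetch_sample(url):
    """Offline stand-in for an HTTP GET against the constructed site."""
    return SAMPLE_SITE.get(url)


def run_sample():
    return harvest("https://www.example.com/", fetch_sample, ["example.com"])


if __name__ == "__main__":
    found_emails, found_hosts, skipped = run_sample()
    print("addresses:", found_emails)
    print("in-scope hosts:", found_hosts)
    print("out of scope (not touched):", skipped)
```

Against the sample site the crawler reaches the contact page and the customer portal, collects three addresses, and lists the hosting partner's domain as out of scope without ever requesting it. The subdomain check in in_scope compares on a dot boundary, so a look-alike such as example.com.attacker.net or notexample.com is not mistaken for an in-scope host.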

Customer responsibilities are as follows:

  • Identify the web domains for which the web assessment will be performed.
  • Communicate service maintenance and/or impacts during the Penetration Tests.
  • Ensure web accessibility to the domains and perimeter devices in scope if they are not publicly available.

Additional SOW material

There are other areas to consider when writing a statement of work. Some of the common content recommended for inclusion is as follows:

  • Legal and testing release: Usually this is preapproved verbiage from lawyers that prevents the application owners from holding the service provider liable for any damages caused by the Penetration Test.
  • Methodology and approach: This is how you plan to conduct the Penetration Test (rules of engagement), how the customer receives updates, the timelines, and how the customer can provide input. The original text illustrates this with a diagram of an example SOW methodology:
    [Diagram: example SOW methodology]
  • Price: How long the work will take to complete and how much it will cost. This can be broken down into project phases and should note where the expected hours could exceed the projected pricing.
  • Expectations and responsibilities: What the service provider and the customer are each responsible for during the project lifecycle. There should be notes where a step required of either the service provider or the customer is a prerequisite for a later stage of the project.
  • Credentials and tools: Customers typically verify the credentials held by the staff conducting audits as well as the tools that might be used to complete tasks. Providing this information in a SOW adds a degree of credibility and professionalism. Listing the potential toolset upfront also reduces the likelihood of a negative reaction from the customer when a tool causes a negative impact.

The following example shows a table that highlights a sample Penetration Tester's expertise along with the tools that will be used:

Certifications and Credentials:

  • ISC2 Certified Information Systems Security Professional (CISSP)
  • EC-Council Certified Ethical Hacker (CEH)
  • ISACA Certified Information Systems Auditor (CISA)
  • RSA Authentication Manager v8.0
  • RSA DLP Suite Certified Systems Engineer (CSE)
  • RSA SecurID Choice/Product
  • Cisco Certified Internetwork Expert (CCIE: Routing and Switching, Security, Voice, Storage, Service Provider)
  • SAINT Certified Engineer
  • Qualys Certified Engineer
  • Cisco Advanced Wireless Design Specialist
  • PMI Project Management Professional (PMP)
  • Cisco Advanced Security Field Specialist
  • Cisco Advanced Wireless Field Specialist
  • Cisco Master Security Specialized Partner

Testing Tools:

  • Kali Linux
  • BackTrack 5 R3
  • AirSnort
  • Aircrack-ng
  • Airsnarf
  • AirMagnet
  • Core Impact
  • SAINT
  • Rapid7
  • Qualys
  • Metasploit
  • Palisade
  • eEye Retina
  • Threat Guard

Note

It is important to address concerns you believe may arise upfront. Our colleague and friend Willie Rademaker has a famous saying, "Always throw the fish on the table". In other words, avoid having surprises when a project is being scoped. If you believe there might be a point of contention, address it head on. Surprises are for birthdays…not business.
