Before you offer penetration testing services, you may need to write a Statement of Work (SOW) that outlines the work you are going to perform. This is typically the first step you would want to complete with your stakeholders before starting a project.
When writing a SOW, we recommend you follow a format that will ultimately mirror your reporting structure. The basic format of a Statement of Work document includes the following:
An example of a SOW executive summary is as follows:
The SERVICE PROVIDER is pleased to present the CUSTOMER with our methodology for conducting a security assessment. The principal objective of CUSTOMER for initiating this engagement is to evaluate the current level of risk and exposure adequately within the organization with a focused view to develop and/or implement solutions that will help reduce critical threats and ultimately mitigate relevant risk.
In response to the needs of CUSTOMER, SERVICE PROVIDER has outlined an effective security assessment strategy that has proven to be very successful in elevating the security posture in many similar organizations. Our approach begins with understanding the business requirements associated with the assessment, followed by a detailed topology mapping and base-lining of the existing infrastructure identified to be in scope. Upon completion of the discovery of the infrastructure, we begin a systematic vulnerability assessment of critical systems and network devices to identify threat vectors that may be behavioral in nature. A careful exploitation method is then reviewed and executed to identify the relevance of vulnerabilities that have been detected. Techniques such as Penetration Testing and social engineering may be employed during this phase. Lastly, we undergo weekly status briefings throughout the life cycle of the engagement to review activities for the week and communicate key goals and objectives for the upcoming weeks. This provides CUSTOMER an opportunity to inform our engineers of any system upgrades in progress that require special consideration. SERVICE PROVIDER provides credible project management expertise to ensure operational excellence and a superior customer experience in all our engagements and this is no exception.
SERVICE PROVIDER recognizes a consistent business need to assess and improve the security posture of an organization continually, and we believe that this engagement will help in reducing operational expenses from minimized risks and downtime while also providing data protection and brand reputation benefits to CUSTOMER.
Furthermore, the insight gained from such an exercise is crucial in planning for future services that will enable business performance and profitability. These benefits are consistent and well aligned with the CUSTOMER's objectives listed as follows:
Special consideration should be given to Penetration Testing from external sources. An external Penetration Testing SOW identifies your target and the possible steps you are willing to take during your attack. The SOW also defines when you will stop testing and what circumstances are beyond scope. In other words, the SOW gives you a stopping point.
The next example shows an external Penetration Testing summary. It includes a quick overview of the testing process, followed by an outline with step-by-step instructions of the work that will be performed. This example also outlines the client and application owner's responsibility.
External web test SOW example:
The central objective of our external and web Penetration Testing effort is to exploit the inherent security weaknesses of the network perimeter, web domain, and web application delivery. Adjacent application delivery elements, including backend databases and middleware, are also included in this domain and are evaluated as well. Common vulnerabilities and exploits that we focus on during this phase are the ones related to buffer overflows, SQL injections, and cross-site scripting. Our engineers may also engage in a manual navigation of the web domain to extract other pieces of sensitive and critical data. Furthermore, as requested by the CUSTOMER, devices in the DMZ will also be included in this Penetration Testing exercise in an attempt to logically break down the defenses surrounding the web application domain.
Detailed testing procedures:
SERVICE PROVIDER will complete the following testing procedures for the web application domain:
PGP and WHOIS databases.
Customer responsibilities are as follows:
There are other areas to consider when writing a scope of work. Some of the common content recommended for inclusion is as follows:
The following example shows a table that highlights a sample Penetration Tester's expertise along with the tools that will be used:
Expertise | Testing Tools
---|---
ISC2 Certified Information Security Professional (CISSP) | Kali Linux
International Council of E-Commerce Consultants (CEH) | Backtrack 5 RC3
Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA) | AirSnort
RSA Authentication Manager v8.0 | AirCrack
RSA DLP Suite Certified Systems Engineer (CSE) | Airsnarf
RSA SecurID Choice/Product | Airmagnet
Cisco Certified Internetwork Expert (CCIE-RS, Security, Voice, Storage, SP) | Core Impact
SAINT Certified Engineers | Saint
Qualys Certified Engineers | Rapid 7
Cisco Advanced Wireless Design Specialist | Qualys
PMI's Project Management Professional (PMP) | Metasploit
Cisco Advanced Security Field Specialist | Palisade
Cisco Advanced Wireless Field Specialist | eEye Retina
Cisco Master Security Specialized Partner | Threat Guard
It is important to address concerns you believe may arise upfront. Our colleague and friend Willie Rademaker has a famous saying, "Always throw the fish on the table". In other words, avoid having surprises when a project is being scoped. If you believe there might be a point of contention, address it head on. Surprises are for birthdays…not business.