Governance, risk, and compliance (GRC)
describes the processes, tools, and strategies that organizations use to address compliance with industry regulations, enterprise risk management, and internal governance.
Penetration tests are often used for what?
examine risk and comply with legal and regulatory requirements for testing
Pentests evaluate what?
an organization’s security regarding their processing and handling of protected data.
GRC model
a standard that unifies various sub-disciplines of governance, risk, audit, compliance, ethics/culture, and IT.
Laws may affect what when it comes to penetration testing?
what tools are allowed, what types of cryptography can be exported, what activities are permitted during a pentest
Scoping should consider what?
the laws that apply to the target and what corporate policies affect testing
Confidentiality
the concept of limiting access to data based on need to know, preventing the unauthorized disclosure of data
Privacy
a legal concept that addresses what rights an individual has to control how their personal information is used, collected, and disclosed
Standards and regulations define what
privacy rights, the rules for how to handle data, and what is considered protected data
Personally identifiable information (PII)
aka personal information, is data that allows one individual to be identified from other individuals
often considered a single piece of data, like SSN, or a combination of data, like name and address
considered sensitive information
Protected health information (PHI)
is data that is created/used in a health care context, like medical diagnoses, provider visit details, etc.
Other examples: email addresses, bank account numbers, last name + first initial, biome
Cardholder data (CHD)
often specific to the Payment Card Industry Data Security Standard (PCI-DSS)
Examples include account numbers, authentication data for transactions using payment cards
Test considerations
testing parameters, access vectors, and environmental boundaries
Protected environment
where clients can store, collect, or process protected data, segregated from other networks
Testing protected data
the findings may show that access to the protected data exists, rather than displaying the protected data that was accessed, in order to demonstrate that it is insecurely handled
General Data Protection Regulation 2016/679 (GDPR)
a law passed within the European Union (EU) that imposes data privacy and security obligations on organizations that target or collect data related to people in the EU.
Personal data defined by GDPR
data that can be used to distinguish one individual from other individuals, either directly or with the use of additional information
Penetration test for GDPR purposes
generally evaluates the security of data transfer and data storage and the security of the systems that perform transfer, processing, and storage of protected data.
Payment Card Industry Security Standards Council (PCI-SSC)
a series of rules that businesses that process payments using payment cards should follow in order to better secure card data and transactions.
PCI-DSS
the resulting standard of PCI-SSC; defines the due diligence practices for securing cardholder data and protecting the card data environment (CDE), and provides guidance for penetration tests and for organizations that require penetration tests in the document “Information Supplement: Penetration Testing Guidance”
defines protections for cardholder data and sensitive authentication data
Cardholder data examples: cardholder name, service code, expiration date
Authentication Data (may be unreadable): PINs, CVV2, full track data
CDE
card data environment
Noncompliance with PCI-DSS
noncompliant merchants may be subject to fines or may lose their ability to accept payments using payment cards from the main brands (not enforced by government)
PCI-DSS assessments require what?
testing from inside and outside of the regulated environment, as it gives perspective and offers consistency
Point-in-time assessment
captures the state of the environment at the time of testing
Time-based limitations
can limit testing to certain hours, like after business hours, which may affect the kinds of tests you can do
can limit testing to a certain duration of time (days, weeks, etc.), which may affect how thorough you are able to be and the number or type of findings
Asset scope limitations
sometimes, certain systems must be moved out of scope. These systems could be irrelevant to the client’s goals for the pentest, fragile or special systems that would respond unpredictably to normal pentest activity, or even mission-critical systems whose interruption or malfunction could lead to a major loss (revenue, natural disaster, human life)
may affect the test results
Tool limitations
sometimes, local laws will forbid the use of certain kinds of tools or tests, clients may require that testers use an approved list of client tools, or the pentester may choose to limit tools used in the interest of time or budget for the work
may impact testing, test results, cost of the test, and resource planning
Allowed and Disallowed tests
destructive activities are automatically put out of scope, as few companies intend to have their assets destroyed or their business disrupted
some organizations may specifically ask for stress testing against their assets or to see whether it’s possible to affect the integrity of transactions within a controlled environment
hosting and cloud providers who also need to authorize testing may not allow layer 2 attacks due to the security risk to co-located customers sharing the same network infrastructure
Contract
a mutual agreement that is enforceable by law and requires an authorized representative, such as someone with contract signing authority, from each party to sign the contract
Master services agreement (MSA)
a type of overarching contract reached between 2 or more parties where each party agrees to most terms that will govern all other future transactions and agreements
Will cover conditions like payment terms, product warranties, intellectual property ownership, dispute resolution, allocation of risk, indemnification, corporate social responsibility, business ethics, network and facility access, etc.
MSA is used when?
in fields that tend to be open ended and support an organization’s functional areas, like manufacturing, sales, accounting, finance, etc.
Payment terms
negotiated schedule of payment
Product warranties
assurance that a product meets certain conditions
Intellectual property ownership
copyrights, patents, and trademarks
Allocation of risk
provision that defines levels of responsibility between each party
Indemnification
parties agree to be financially responsible in certain circumstances
Nondisclosure agreement (NDA)
a confidentiality agreement that protects a business’s competitive advantage by protecting its proprietary information and intellectual property
Statement of work (SOW)
a formal document that is routinely employed in the field of project management, which outlines project-specific work to be executed by a service vendor for an organization. It explains the problem to be solved, the work activities, the project deliverables, and the timeline for when the work is to be completed.
can also be a provision found in the MSA
Will address purpose, scope of work, location of work, period of performance, deliverables schedule, applicable industry standards, acceptance criteria, special requirements (travel, workforce), and payment schedule
Deliverables schedule
defines the project artifacts and due dates
Applicable industry standards
relevant criteria that must be followed
Acceptance criteria
conditions that must be satisfied
Rules of engagement (RoE)
a document that puts into writing the guidelines and constraints regarding the execution of a pentest, stating what is and is not authorized for testing; it is established before the pentest starts
can be part of the SOW or treated as a separate deliverable
requires sign-off from the service vendor and the client, to show that the baseline expectations have been set and agreed upon. Cloud service provider approvals may also need to be added as an appendix to the RoE.
Does not require the same legal review as an MSA or an SOW.
Permission to test
documents that grant permission for testing activities to occur and set the clear expectation that penetration testers are not held liable for system instability or crashes and that the tester will perform due diligence to avoid damage to systems as part of testing.
someone with legal authority over the assets being tested must sign this document and the pentester must verify that the person requesting the testing has the authority to
Scope
the boundaries for what you are permitted to test
Scoping process
addresses several components of testing like testing requirements, target selection, timelines and scheduling, and testing strategies
Standards
cover details like how much information you are given about the environment, your vectors of attack, the types of systems you will target, and what methods of attack you will employ within testing limits
MITRE ATT&CK
a knowledge base of attacker actions created from a survey of publicly reported attacker activities. These actions are cataloged as tactics, techniques, and sub-techniques
organized into matrices of attack components with each matrix being designed to address attacker activities in different operating platforms
ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge
Tactics
an attacker’s high-level objective for using a certain method of attack like Initial Access, Privilege Escalation, etc.
Techniques
the ways adversaries achieve their tactics like Phishing, Credential Dumping, etc.
Sub-techniques
provide more detail on specific implementations
Threat actor emulation plan
a detailed, structured simulation of a known adversary’s behavior, designed to test an organization’s defenses using real-world attack techniques
Enterprise matrix
addresses attacks for Windows, Linux, macOS, network-specific attacks, and cloud and container technologies
ICS
industrial control system
Attack actions
are described as techniques and sub-techniques
TTPs
tactics, techniques, and procedures
APT
advanced persistent threat
OWASP project
a nonprofit organization and open-source community effort that produces tools, technologies, methodologies and documentation related to the field of web application security.
SDLC
software development lifecycle
OWASP Top Ten
provides community awareness of the most serious web application security risks for a broad array of organizations
2017 List:
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
API
application programming interface
National Institute of Standards and Technology (NIST)
a nonregulatory U.S. government agency