Having clear Rules of Engagement is critical to ensure you are getting the most value from your Penetration Test and avoid problems during or after the project. Regardless of whether your test is network, application or cloud pentesting, here are six “must have” Rules of Engagement you should include in your contract or SOW. Make sure your vendor adds these to their SOW and you will save headaches later.
Pentest teams are busy and often jumping from one project to the next. Communication problems happen, and often the actual person doing your pentest was not part of the scoping discussions. It may even be outsourced to someone not employed by the vendor! Because of this, it’s very important to define clearly the purpose and scope of the pentest so that you can control their activities and your budget. The more definition you provide, the better the pentest will be.
Pentesters can be creative…the good ones generally are. But, creativity has its limits when it goes beyond adding value to the project. Dropping silly scripts or videos on multiple systems with the same vulnerability goes beyond what’s required. But we've heard these stories. While most professionals use common business sense, you should include a clause that any exploit needs to add value to the project. This also prevents the pentester from consuming budget on leveraging an easy but time-consuming exploit.
Pentesters often need to test vulnerabilities with a higher level of force. This can be risky to your organization. You should never need to recover from a back up due to a pentest, though we have heard of this happening. This should be clearly stated in a “do no harm” clause on the SOW. In addition, pentesters need to “prove” their success. It’s part of the process. Be sure to state that any files or evidence they leave should never include malware and should always be removed when they are finished. A clause in the SOW that states this puts the onus on them to make sure they clean up when they are done.
You don’t want your pentest to impact customer activities. The SOW needs to state this and define rules of engagement on how to handle a vulnerability that could impact your customers. You need to be clear in the SOW what customer activities are and what you expect the pentest team to do when they might impact those processes. At a minimum, they should stop and inform you so you can coordinate adequate testing. The key is they stop and inform you. You can then take the time to understand what they are seeing and decide if the knowledge of the vulnerability is enough, or if you want them to test it after-hours, or some other alternative.
Inexperienced or misinformed pentesters can launch a pentest attack that results in a DOS that disrupts your business. This can happen as a result of not knowing the scope of the engagement, but also by accident should a pentester be trying something new. It goes without saying that you don’t want this, but be sure it is in your SOW so you can hold the pentest vendor accountable should it happen. Again, it might be adequate to simply know the vulnerability is there without testing it fully.
This is like saying, "do all of the above," but it's important to include this anyway. It’s not at all uncommon for pentesters to see something interesting that falls out of scope. It can be irresistible to take a closer look. There’s potential risk of testing out of scope systems, but it’s also a waste of time and budget. Every project is inherently limited, and you want your pentesters to focus all their time on the scope you want tested…not on things that look interesting to them. Be sure to put this language in the SOW to put extra emphasis on your need and that you will hold them accountable.
If these seem a bit obvious, they really are. But, if you have problems during or after your pentest, you will be very glad you included them.
If you want to learn more about our excellent penetration testing service, email us today. We can send information or schedule a discovery meeting. We can align to your unique needs and provide you guidance on getting the best Penetration Test possible.
Email us at: Sales@securitypursuit.com
