Scope your efforts

When contracted to perform a network security evaluation or penetration test, one of the most important stages is the pre-evaluation phase. During this phase, you develop contacts and gather information about the company. It's important to determine the scope of your efforts with your customer and sign an engagement agreement. In your contract, you square away all legal issues concerning a security evaluation.

The scope defines the customer's mission, industry regulations in effect, and most importantly their expecatations. Some companies may want you to run vulnerability scanners, review security policies, or do actual red team activities. It's important to communicate up front what is expected. The scope also identifies customer constraints and concerns. Politics or other concerns may prevent you from performing a thorough evaluation, and/or limit you only to a certain set of systems. I've encountered situations where the site being evaluated was well secured, however a remote site was neglected and thus opend up a vulnerability.

To avoid impact to the customer during peak operation times, you need to reach an agreement on when the technical scanning and testing will be conducted. Often this is during non-working hours, i.e., 8PM to 6AM. Let the customer know what you plan on using to do to evaluate their security. This can include commercial and open source tools, custom scripts, etc. In addition, some customers may have had negative experiences with certain evaluation tools and will not want them run on their network. Document these concerns and include them in your report.

One last thing: never assume anything! You wouldn't want to arrive at a customer site only to discover it's an IPX network and you only brought tools that work on TCP/IP.

Posted by Marcin on Tuesday, January 30, 2007 in Security.