Contents of a Contract – PTES
Once the initial meeting has been held, a contract is drawn up that sets out the objectives and parameters of the penetration test.
Let me give you a rough idea of some of the items that may be included:
System to Be Evaluated or Target of Evaluation: The client and penetration tester will work together to determine which systems require evaluation during the penetration test.
This evaluation can be limited to those of higher value to the organization or those that need to be tested for compliance reasons.
Perceived Risks: In any penetration test, unplanned events can and will happen. Despite your best-laid plans and preparation, the unexpected will occur; by informing the client of the likelihood ahead of time, you reduce the surprise of downtime and give them a chance to prepare for and lessen any impact.
Timeframe: Set a realistic timeframe during which the tests are to be conducted. Ensure that enough time is allocated to perform the test, check and verify the results, and catch any problems.
Set specific times of the day and week to perform the test because results and response to an attack will vary depending on time of day and which day it is performed.
System Knowledge: You don’t need extensive knowledge of the systems you are testing, but you should have some level of understanding of how they work and what they are used for.
Actions to Be Performed When a Serious Problem Is Discovered: Don’t stop after you find one security hole. Keep going to see what else can be discovered; if you haven’t found any vulnerabilities, you haven’t looked hard enough.
Document every finding using the five Ws (who, what, when, where, and why). A pen test team that is operating 24 hours a day will need to keep a running log in order to meet customer requirements as well as any regulations that apply.
If you uncover something big, you do need to share that information with the key players as soon as possible so the hole can be plugged before it’s exploited.
Deliverables: These include vulnerability scanner reports and a higher-level report outlining the important vulnerabilities to address, along with countermeasures to implement.