Question

In: Computer Science

Principles of Cybersecurity

Penetration testing is a very rewarding career in Cybersecurity. Companies contract penetration testers to find vulnerabilities and generate reports which can be used by the company's IT personnel to address vulnerabilities found during the pen test. The penetration tester has a huge responsibility because he/she has access to the network, network devices, servers, security devices such as firewalls, workstations, and the actual data. It is important that the penetration tester puts in writing what is going to happen during the penetration test. Administrators from the company need to give written consent before the penetration tester begins his/her work.

Using Microsoft Word, write a half-page report explaining the different laws and regulations that penetration testers need to consider when conducting a penetration test.

Solutions

Expert Solution

The laws and regulations of penetration testing include the Rules of Engagement (RoE) document, which deals with the manner in which the penetration test is to be conducted. The following directives should be clearly spelled out in the RoE before you start the penetration test.

As per the above, penetration testing includes the following main items:

  1. Type & Scope of Testing
  2. Client contact details
  3. Notifications to Client IT team
  4. Handling of Sensitive Data
  5. Status meeting and Reports

Type & Scope of Testing:

This deals with the type of testing to be carried out; it can be Black Box, White Box or intermediate Gray Box testing. These depend upon how the engagement is performed and the quantity of information shared with the testing team.

Client Contact details:

Normally an agreement is made that, even when we take all of the necessary precautions while conducting tests, at times they can go wrong because testing involves making computers face some issues. So, having the right contact information on the client side will help to a great extent. Also, the penetration test is often seen turning into a Denial-of-Service (DoS) attack. The technical team from the client should be available 24/7 in case a system goes down.

Notifications to Client IT team:

The main thing is to specify the scope of work. This includes the number of networks, as well as the range of IP addresses within each network, etc. The testing team should discuss with the client whether it is an announced or unannounced test. It is important for the customer to decide which areas are to be tested as well as which are not to be tested. Clients who decide to go with penetration testing have to be especially accurate about the environment area to be tested.

Handling of Sensitive Data:

The testing team, during their test case execution, may also be provided with and find sensitive information about the company, the system or its users. Sensitive data handling needs special attention in the Rules of Engagement, and proper storage and communication measures should be taken. It should be ensured that only authorized personnel are able to view personal user data.

Status Meeting and Reports:

Regular and periodic meetings should take place between the client and the testing team. This will help them know their work progress and status, and any updates can be provided as well. This will help both of them avoid deviation from the expected output.

The areas of penetration testing include the below-mentioned work items:

  1. Network Penetration Testing
  2. Application Penetration Testing
  3. The response or workflow of the system
