Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 3 (Ground Rules and Rules of Engagement)

Published byDominick Parrish Modified over 6 years ago

Similar presentations

Presentation on theme: "Module 3 (Ground Rules and Rules of Engagement)"— Presentation transcript:

1 Module 3 (Ground Rules and Rules of Engagement)
At the end of this module, you should have a good idea of how to lay out the ground rules for a penetration test and what issues must be addressed by your rules of engagement. Module 3

2 Verifying IP Address Ranges
It is absolutely critical that when carrying out a penetration test, you test the correct machines. Companies may try to give you a single domain name and ask you to hack in just like the bad guys do. (Kevin Johnson: “Does that mean I get to sell all the information I find, just like the bad guys do?”) Third Parties abound. You need their permission as well: Cloud services ISP Web Hosting Managed Security Services Providers (MSSPs) Know what countries these machines are in and know their laws. Module 3

3 Social Engineering Pretexts
Companies may be sensitive about what ways of fooling their employees are appropriate. Explain current popular phishing exploits. Some pretexts may use sensitive content (e.g. sexual performance enhancement, pornographic services, etc.) that companies do not want to impose on their employees. Make sure that any pretexts to be used in phishing are approved. In particular, get specific approval of every phishing message to be sent. Module 3

4 Communication and Contact Information Identify how and how often information will be conveyed concerning the state of the penetration test. Provide contact information about everyone involved in the penetration test including emergency contact information. Name Title Emergency contact information (24/7) Secure bulk data transfer method (sftp or encrypted ) Agree to an incident reporting process Share encryption keys. (Not an option.) Module 3

5 Rules of Engagement Timeline for the test. Locations (if on-site)
Method of disclosure of sensitive information. Data may be protected by HIPAA. Avoid copying personal health information (PHI) and other personally identifiable information (PII). Evidence handling (use encryption) Regular status meetings Time of day to test Dealing with shunning Permission to test (including scope and possible negative outcomes of testing such as system instability, crashes, etc.) Legal considerations (wiretapping laws, etc.) Module 3

6 Testing the Customers Detection Capabilities
Ability to detect and respond to information gathering Ability to detect and respond to foot printing Ability to detect and respond to scanning and vulnerability analysis Ability to detect and respond to infiltration (attacks) Ability to detect and respond to data aggregation Ability to detect and respond to data ex-filtration Module 3

Download ppt "Module 3 (Ground Rules and Rules of Engagement)"

Similar presentations

Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.

Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.

Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Introduction Social Implications & EthicsSocial Implications & Ethics Since the introduction of the Internet, many policies have been introduced as a way.

Introduction Social Implications & EthicsSocial Implications & Ethics Since the introduction of the Internet, many policies have been introduced as a way.
Module #2: What Sensitive Data is and how to handle it Module 2 is approximately 3min and 30 sec.

Module #2: What Sensitive Data is and how to handle it Module 2 is approximately 3min and 30 sec.
Prepared By, Mahadir Ahmad. StopBadware makes the Web safer through the prevention, mitigation, and remediation of badware websites. partners include.

Prepared By, Mahadir Ahmad. StopBadware makes the Web safer through the prevention, mitigation, and remediation of badware websites. partners include.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.
The Significance and Evolution of End User Privacy Julie Earp College of Management North Carolina State University WISE 2010 Sponsored by TRUST June 21-24,

The Significance and Evolution of End User Privacy Julie Earp College of Management North Carolina State University WISE 2010 Sponsored by TRUST June 21-24,
Georgia Department of Human Services Division of Aging Services (DAS): Data Breach Presenter:Harold Johnson Acting General Counsel Presentation to: Board.

Georgia Department of Human Services Division of Aging Services (DAS): Data Breach Presenter:Harold Johnson Acting General Counsel Presentation to: Board.
Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer.

Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.

HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
Supervision SICOR Securities, Inc.. Why? NASD 3110 requires the firm to “…establish and maintain a system to supervise the activities of each registered.

Supervision SICOR Securities, Inc.. Why? NASD 3110 requires the firm to “…establish and maintain a system to supervise the activities of each registered.
Prevent Data Breaches and PII from Walking Out the Door Jim Farrell, Senior Vice President Products Archive Systems 9/18/2015.

Prevent Data Breaches and PII from Walking Out the Door Jim Farrell, Senior Vice President Products Archive Systems 9/18/2015.
Academic Year 2014 Spring Academic Year 2014 Spring.

Academic Year 2014 Spring Academic Year 2014 Spring.
Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)

Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)
Computer Security By Duncan Hall.

Computer Security By Duncan Hall.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
KS4 Lesson 2 :The media and sexualisation. Aim To explore the influence of the media, pornography and sexualisation of the high street on young people.

KS4 Lesson 2 :The media and sexualisation. Aim To explore the influence of the media, pornography and sexualisation of the high street on young people.
Hacking Techniques & Intrusion Detection

Hacking Techniques & Intrusion Detection
© 2012 by Robert W. Lucas Chapter 3: Verbal Communication Skills.

© 2012 by Robert W. Lucas Chapter 3: Verbal Communication Skills.

Similar presentations

Ads by Google