Module 02: Penetration Testing Scoping and Engagement Methodology - Setup P1

Setup - Creating and Reviewing Administrative Control Documents - Part 1

Scenario

This exercise focuses on the creation and review of the administrative control documents required for the engagement, coordination of logistical issues for the on-site portion of the engagement and providing the engagement team with an initial briefing to facilitate scheduling and maximize individual planning and preparation time.

The exercise consists of following tasks:

1. Preparing engagement control documentation
2. Coordinating and scheduling various activities with the client
3. Preparing internal control questionnaires and initial requests for information in the form of a “Provided By Client” or PBC list
4. Initial preparatory tasks for documents used later in the engagement such as Entrance, Exit Conference documents and the Preliminary Exit and Draft reports
5. Logistical tasks such as ensuring that the engagement team has transportation to and from the client city (airline or other long-distance transportation methods), transportation while they are in the client city (rental vehicles) and lodging accommodations
6. Preparing and disseminating information about the upcoming engagement to team members so that they can begin their individual planning and preparation for the engagement

Note: This exercise is a continuation of the first exercise of this module and should be performed in the same order.

Lab Duration: 5 Minutes

1. Obtain the target point-of-contact (TPOC) email address from the Engagement Letter.
2. 
   Compose an email to the TPOC introducing yourself and requesting a 30-minute teleconference at the TPOC's convenience.
   

   Note 1:
   The purpose of the teleconference is to obtain initial information, non-disclosure agreement provider, secure email capabilities and explain the pre-execution process.
   Note 2:
   Set a reminder in your calendar program to follow-up the email with a telephone call (if the client has not responded) 2 business days in the future. Follow-up as necessary.

3. 
   Just prior to the time of the scheduled teleconference, navigate to YY-MM-DD-FNBF**\00_Administration\00C_Client_Info** folder and rename ICWvx.x.pdf file to YY-MM-DD**-FNBF****_ICW.pdf**.
4. 
   Open the YY-MM-DD**-FNBF****_ICW.pdf** file and complete all information known about the client. Any remaining information will be obtained during the conference call.
5. 
   At the scheduled time, call the TPOC.
   Introduce yourself and reiterate that the purpose of the teleconference is to obtain the initial information needed to set up the engagement documentation, determine who will provide non-disclosure and data use agreements (if required), determine how sensitive information will be transmitted between your Partnership and the TORG and to explain the engagement process.
   Tell the TPOC that you want to start by gathering some information.
6. 
   Review YY-MM-DD**-FNBF****_ICW.pdf**, completing any information that is missing.
7. 
   
   1. Determine if your EGS Partnership or the client will provide the Non-Disclosure Agreement (NDA):
      
      1. Tell the TPOC that your EGS Partnership has an NDA form that you give to clients to help assure them that their data will not be disclosed.
      2. Ask if the use of that form will be acceptable or if they would like to use their own.
   2. If the client prefers to use their own NDA:
      
      1. Ask them to email a copy to you, along with completion instructions (if necessary).
      2. When received, replace YY-MM-DD**-FNBF****\00_Administration\00D_NDA\NDA.pdf** with the copy provided by the client.
8. 
   Determine if the engagement requires a Data Use Agreement (DUA):
   
   1. This document is normally required if the client is subject to HIPAA regulations. Clients subject to HIPAA will normally have their own DUA.
   2. If a DUA is not required, no further action is necessary. Proceed to step 7.
   3. If a DUA is required:
      
      1. Ask them to email a copy to you, along with the completion instructions (if necessary).
      2. When received, replace YY-MM-DD**-FNBF\00_Administration\00E_DUA\DUA.pdf** with the copy provided by the client.
9. 
   
   1. Determine which delivery method the client will accept for NDA and DUA:
      
      1. Digitally signed copies
      2. Digital images of signed copies (scans)
      3. Original copies delivered via registered carrier.
   2. Determine if there are any operating systems in use at client facilities other than Microsoft^® Windows. This information is used to determine which Internal Control Questionnaires (ICQ) are sent to the client.
   3. Determine what “office suite” package the client uses: MS Office (and version), Open Office, or another office suite. This information is used to determine the format in which editable documents are sent to the client.
10. 
    
    1. If the Information Systems Security Assessment (ISSA) will be completed “off-site”, determine a mutually acceptable date for the return of ICQ and PBC items, if the client is prepared to do so at the time of the call. If not, tell the client POC that this information can be decided during the working teleconference.
    2. Determine if the POC has the ability to send and receive encrypted email and encrypted attachments:
       
       1. If yes, arrange to exchange public keys.
       2. If not, determine if there is someone else in the organization who has secure email capabilities that the POC would be comfortable using as a recipient for secured email. If yes, arrange to exchange public keys with that individual.
       3. If neither of these is currently possible, explain that secure transmission and receipt of sensitive data is a requirement and is implemented for the client's protection. Encourage the client to either purchase and install a secure email solution such as PGP, the open source GPG, or obtain a free or commercial Hushmail or similar type of secure email account for use during the engagement.
       4. If the client refuses to initiate secure email capability, inform the client that all data transmitted from them to EGS must be sent via a registered carrier on encrypted CD, with the password provided separately. EGS will provide sensitive data to them through a “send only” email system such as Network Solutions Secure Messaging or something similar.
11. 
    
    1. Tell the client that you will explain the pre-execution administrative process, so that they are aware of what is going to happen.
    2. Explain to the POC that you will send them:
       
       1. A working draft of the Rules of Engagement,
       2. A working draft of the Test Plan,
       3. Working drafts of the External and Internal Testing Authorizations,
       4. An example of an LOIA, with instructions on how to prepare it for each engagement team member,
       5. Internal Control Questionnaires that they can disperse as needed to personnel most qualified to answer them,
       6. An initial list of information required to support the answers on the ICQ, called a PBC list,
       7. A completed NDA for each member assigned to the engagement, and
       8. A data use agreement, (if one is required and the client does not have their own).
12. 
    
    1. Tell the client POC that all documentation will be sent through secure email, unless the client has opted for original hard copies of NDA and DUA. Those will be delivered via registered carrier.
    2. Tell the client the date you expect to deliver the electronic documentation.
    3. Tell the client the date you expect to send any hard copy documentation (Must be before the date of the “working teleconference” in step 23 below).
    4. Tell the client that you will email the tracking number and expected delivery date as soon as you receive it and will follow-up via telephone or email the first business day after the expected arrival date.
    5. Tell the client they will need approximately 2 business days to review the documentation, and prepare for the working teleconference.
13. 
    
    1. Establish a tentative date for a working teleconference of up to 2 hours to jointly complete the Rules of Engagement, Test Plan, External and Internal Testing Authorization forms, DUA (if one was provided by EGS), and to answer any questions they may have on the remaining documentation.
    2. Tell the client that once the documents are completed, you will send them the final copies via secure email.
    3. Tell the client they must:
       
       1. Return a signed copy of the RoE before any work can begin,
       2. Return a signed copy of the External Testing Authorization before any external logical testing can begin,
       3. Return original copies of the LOIA before any social engineering work can begin, and
       4. Return the draft DUA (if it was provided by EGS), so that they can be signed and returned to the client before any external work begins.
    4. If the ISSA will be conducted off-site, the client will also need to return the completed questionnaires and supporting PBC requests by the agreed upon suspense date.
    5. The client may retain the remaining documentation at their facility. You will require a signed, original copy of the Internal Testing Authorization upon arrival for the on-site work.
14. 
    
    1. Answer any remaining initial questions that the POC may have.
    2. Recap the milestones established during the call:
       
       1. EGS delivery of draft documents (both electronic and hard copies),
       2. Tentative date and time for the “working teleconference”,
       3. Tentative date for EGS delivery of the final documents,
       4. Client suspense to return signed documents, and
       5. Client suspense for return of other documents (ICQ, PBC, etc. (if applicable))
    3. Thank the client and end the call.
15. 
    Complete any remaining work on the ICW and save with the original file name.
16. 
    ETL notifies engagement team members by email that an NDA needs to be executed and provides:
    
    1. Information on the location of engagement data folders, and
    2. Complete instructions (digital signature, digital image or hard copy required).

    Note 1: Each team member assigned to work on an engagement must sign a separate Non-Disclosure Agreement.
    Note 2: We will not conduct this task for this exercise. This task is given here for your reference in a real time pen testing assignment.

17. 
    
    1. All engagement team members navigate to YY-MM-DD-FNBF**\00_Administration\00D_NDA\** and open the NDA.pdf file.
    2. All engagement team members complete the NDA as required and process per ETL email instructions:
       
       1. If the client will accept digitally signed statements, each team member:
       2. Signs their statement
       3. Saves the file as <Surname>-NDA.pdf in the YY-MM-DD**-FNBF****\00_Administration\00D_NDA\** folder, and
       4. Notifies the ETL via email that the NDA has been completed.
       5. If the client will accept digital images of signed copies, each team member:
       6. Prints the file,
       7. Signs in the appropriate area,
       8. Scans the file to a TIFF image,
       9. Saves the TIFF file as <Surname>-NDA.tif in the YY-MM-DD**-FNBF****\00_Administration\00D_NDA\** folder, and
       10. Notifies the ETL via email that the NDA has been completed.
       11. Team members then destroy the hard copy of the NDA and electronically shred all individual temporary copies.
       12. If the client will only accept original copies of the NDA, each team member:
       13. Prints the file,
       14. Signs in the appropriate area,
       15. Scans the file to a TIFF image,
       16. Saves the TIFF file as <Surname>-NDA.tif in the YY-MM-DD**-FNBF****\00_Administration\00D_NDA\** folder, and
       17. Delivers the original copy to the ETL.
18. 
    
    1. After all the engagement team members have signed the NDA, the ETL (or designated person) moves the contents of the YY-MM-DD**-FNBF****\00_Administration\00D_NDA\** folder to an archive, naming the archive file as YY-MM-DD**-FNBF****_NDA.zip**.
    2. The ETL or designated person then uses an MD5 calculator to create an MD5 checksum for the archive file.
    3. The ETL or designated person creates a text file and copies the checksum to that file.
    4. The ETL or designated person saves the text file in the same location as the archive as YY-DD-MM**-FNBF****_NDA_hash.txt**.

    Note:
    The Non-Disclosure Agreements will become part of the documentation sent to the client as part of the “**Advance Packe**t” discussed later.

After completing this exercise you will be able to create and review the administrative control documents required for the engagement