New Training: Understanding the Need for Scope Planning
In this 7-video skill, CBT Nuggets trainer Shawn Powers covers the importance of planning for a pentest engagement. Watch this new CompTIA training.
This training includes:
- 7 videos
- 35 minutes of training
You’ll learn these topics in this skill:
- Introduction to the Importance of Planning
- Identifying Target Audience
- Specifying the Rules of Engagement
- Defining Resources, Requirements, and Budgets
- Explaining Timelines and Disclaimers
- Defining Technical Constraints
- Requesting Support Resources
How Can Pentesting Land You in Hot Water?
At its root, pen-testing is a process designed to break into business or government networks. Though pen-testing is not a malicious act, penetration testers can still get into trouble with the law if they are not careful. Therefore, any pentester needs to define timelines and disclaimers with their clients, in writing, before executing any attacks against an IT infrastructure.
Setting timelines with clients is important. A timeline tells clients when tests will be performed so they expect abnormal behavior on their network during that window. IT security staff need to be made aware of the pen-testers' activity so they don't attempt to thwart it or, worse, contact the authorities.
Likewise, pen-testing always carries the risk of causing harm to IT environments. Pentesters need to make these disclaimers known so that they can limit their own liability and so that the business has an incident response plan in place if something does go wrong.
Penetration testers need to explain both timelines and disclaimers to stakeholders before performing any tasks. Security professionals need uninhibited access to a network to properly perform tests, while understanding that these tests can sometimes cause harm. Both the security researchers and the stakeholders need to be prepared for these events.