Hi Ryan,
Do you have a Pen-Test Agreement form drawn up yet?  I will attach it to
this email, and hopefully it will be helpful to you.


> -----Original Message-----
> From: Ryan [mailto:[EMAIL PROTECTED]] 
> Sent: Sunday, February 02, 2003 9:03 AM
> To: [EMAIL PROTECTED]
> Subject: Proposal?
> 
> 
> Hi,
> 
> I am going about doing my first pen-test, and I'm at the 
> point of writing my proposal with specific details, like the 
> machine's IP address and host name, the time of day I will be 
> working, and what I'd like to do.  I will be performing a 
> pen-test on one specific server.  I was wondering if anyone 
> could give me a guideline (format) of how to do this.  I was 
> told by them that they are looking for a 1-2 page writeup. Thanks.
> 
> Ryan
> 
> 
> --------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security 
> Intelligence Alert (SIA) Service. For more information on 
> SecurityFocus' SIA service which automatically alerts you to 
> the latest security vulnerabilities please see: 
> https://alerts.securityfocus.com/

COMPUTER SECURITY PERFORMANCE TEST EXAMPLE
INDEPENDENT OVERSIGHT
CYBER SECURITY PERFORMANCE TEST AGREEMENT
External Network Security - Unannounced Penetration Test
FACILITY: TBD
DATE: TBD
OBJECTIVE: To provide an assessment of the site's external security profile of 
networked computer systems and intrusion detection capabilities.
SCENARIO: Testing will consist of four phases, during which various tools and 
techniques will be used to gain information and identify vulnerabilities 
associated with the site's computer systems and subsequent attempts to penetrate 
the network. These phases, discussed in detail below, are: network mapping; 
vulnerability identification; exploitation; and reporting.
Network Mapping
Independent Oversight will obtain much of the required information regarding the 
site's network profile, such as IP address ranges, telephone number ranges, and 
other general network topology through public information sources, such as 
Internet registration services, web pages, and telephone directories. More 
detailed information about the site's network architecture will be obtained 
through the use of domain name server (DNS) queries, ping sweeps, port scans, 
and connection route tracing. Informal inquiries, not linked to Independent 
Oversight, may also be attempted to gather information from users and 
administrators that could assist in gaining access to network resources. Once 
this general network information is compiled and analyzed, Independent Oversight 
will begin identification of individual system vulnerabilities.
Vulnerability Identification
During this phase, Independent Oversight will attempt to associate operating 
systems and applications with identified computers on the network. Depending 
upon network architecture, this may be accomplished using automated tools, such 
as nmap and queso, or using manual techniques, such as telnet, ftp, or sendmail 
login banners. Using this information, Independent Oversight will create a list 
of probable vulnerabilities associated with each potential target system. Also, 
at this point, automated scripts will be developed or compiled to attempt 
exploitation of vulnerabilities.
Exploitation
During this phase, system and user information will be used to attack the 
authentication processes of the target systems. Example attack scenarios in this 
phase include, but are not limited to: buffer overflows, application or system 
configuration problems, modems, routing issues, DNS attacks, address spoofing, 
share access and exploitation of inherent system trust relationships. Potential 
vulnerabilities will be systematically tested in the order of penetration and 
detection probability as determined by the members of the Independent Oversight 
penetration testing team. The strength of captured password files will be tested 
using password-cracking tools. Individual user account passwords may also be 
tested using dictionary-based, automated login scripts. In the event that an 
account is compromised, Independent Oversight will attempt to elevate privileges 
to that of super user, root, or administrator level.
Since the goal of Independent Oversight testing is to determine the extent of 
vulnerabilities, and not simply penetrate a single site system, information 
discovered on one system may be used to gain access to additional systems that 
may be "trusted" by the compromised system. Additionally, host-level 
vulnerabilities may be exploited to elevate privileges within the compromised 
system to install "sniffers" or other utilities. Independent Oversight will 
insert a small text file at the highest level directory of each compromised 
system. In those cases where Independent Oversight is unable to gain sufficient 
privilege to write to the system, a file will be copied from the system. In 
either case, additional files may be copied during testing if further review is 
required to determine sensitivity of information contained on the system. 
Independent Oversight will maintain detailed records of all attempts to exploit 
vulnerabilities and activities conducted during the attack phase.
Reporting
Independent Oversight will provide an on-site briefing of results. These results 
will also be documented in a management level report provided to the site, 
Operations Office, and responsible Headquarters Program Offices that will cover 
the unannounced penetration testing. Specific details on vulnerabilities will 
also be provided to site technical personnel.
SPECIAL CONSIDERATIONS:
  Independent Oversight will coordinate testing activities with a "trusted 
  agent" in each organization listed on the performance test agreement as 
  appropriate. Each organization should identify an individual to be designated 
  as a trusted agent. More than one trusted agent may be identified at the site, 
  however, the number should be kept to an absolute minimum. All personnel who 
  are informed of the testing will maintain strict confidentiality to ensure the 
  validity of test results.
  The Operations Office will coordinate with trusted agents at the site to 
  identify critical systems that should be excluded from testing activities 
  (e.g., safety systems, major applications undergoing upgrades or other special 
  evolutions). Specific network addresses and reasons for exclusion should be 
  provided as an attachment to the signed performance test. 
  The Operations Office will identify any systems or network nodes that are 
  connected to the site network, but are not under the direct control and 
  responsibility of the site or the cognizant Operations Office. These systems 
  will be excluded from testing unless Independent Oversight obtains permission 
  from the system owner. 
  Independent Oversight will provide the DOE Computer Incident Advisory 
  Capability (CIAC) with information regarding the systems used for scanning and 
  testing activities to ensure that testing activities are not confused with 
  real attacks.
  While Independent Oversight will not attempt to exploit "denial of service" 
  vulnerabilities (unless specifically requested by competent authority) and 
  every attempt will be made to prevent damage to any information system and the 
  data it holds, some penetration attempt scenarios have the possibility of 
  causing service interruption. In the unlikely event that such an event occurs, 
  Independent Oversight will work with the trusted agents at the site to 
  determine the nature of the problem and restore the system to its desired 
  state of operation. 
  All information obtained by Independent Oversight will be protected (to the 
  extent possible) from unauthorized access.
  In the event that any site personnel (excluding trusted agents) identify 
  Independent Oversight testing activities, site computer security personnel 
  should document the detection of activity and take initial actions that would 
  be taken in the case of a real intrusion, including informing CIAC. If 
  notified by the site of incidents that correspond with OA penetration testing, 
  CIAC and the site's trusted agents will inform the appropriate site computer 
  security personnel that the activity identified is part of an authorized DOE 
  test. OA will also be informed of the detection. In these cases, logs or other 
  evidence of intrusion detection activities should be provided to Independent 
  Oversight for analysis. Independent Oversight testing will then be allowed to 
  continue as an announced external network security assessment without 
  blocking, filtering, or restricting access.
  It is the site's responsibility to restore network computer systems to a 
  secure configuration after Independent Oversight testing. Independent 
  Oversight will coordinate with and provide assistance (as requested) to system 
  administrators during this period of "cleaning up" network computer systems. 
  Clean-up may consist of removing added programs and files, identifying systems 
  whose password files were compromised, and restoring systems to a secure 
  configuration so that no systems are left in a compromised condition.
  As evidenced by their signature on this performance test agreement, Operations 
  Office and site contractor representatives certify that the Department's 
  Banner and Warning Policy has been implemented at the site and network 
  computer users have, as a result, granted constructive consent to this type of 
  activity.
 
 
APPROVALS:
 
______________________________________________________________ 
Director, Office of Cyber Security and Special Reviews
 
______________________________________________________________ 
Office of Chief Information Officer Representative
 
______________________________________________________________ 
Lead Program Secretarial Office Representative
 
______________________________________________________________
Operations Office Representative
 
______________________________________________________________
Site Contractor Representative
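As an added example (not part of the original message or of the attached agreement), the deconfliction steps the agreement describes turned into a check a site's trusted agent or incident handler could run over firewall logs: scan-like sources are matched against the tester's declared scanning hosts (the list given to CIAC), anything else is handled as a real intrusion until confirmed, and a declared tester reaching an address on the excluded-systems attachment is flagged for the trusted agent. The log format, addresses and threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Hypothetical deconfliction data a trusted agent holds under this agreement:
# the tester's declared scanning hosts (as given to CIAC) and the critical
# systems excluded from testing. All addresses are constructed placeholders.
DECLARED_TEST_SOURCES = [ipaddress.ip_network("203.0.113.0/28")]
EXCLUDED_SYSTEMS = {ipaddress.ip_address("192.0.2.50")}
SCAN_THRESHOLD = 3  # distinct destination ports from one source = scan-like
# Constructed firewall log lines in a made-up syslog-like format.
SAMPLE_LOG = """\
Feb 02 09:03:01 fw DENY src=203.0.113.5:40001 dst=192.0.2.10:21
Feb 02 09:03:01 fw DENY src=203.0.113.5:40002 dst=192.0.2.10:23
Feb 02 09:03:02 fw DENY src=203.0.113.5:40003 dst=192.0.2.10:25
Feb 02 09:03:05 fw ALLOW src=203.0.113.5:40004 dst=192.0.2.50:22
Feb 02 09:04:10 fw DENY src=198.51.100.77:5555 dst=192.0.2.10:21
Feb 02 09:04:10 fw DENY src=198.51.100.77:5556 dst=192.0.2.10:80
Feb 02 09:04:11 fw DENY src=198.51.100.77:5557 dst=192.0.2.10:443
Feb 02 09:05:00 fw ALLOW src=192.0.2.200:51000 dst=192.0.2.10:443
"""
LINE_RE = re.compile(r"src=(\S+):\d+ dst=(\S+):(\d+)")

def parse_events(text):
    """Yield (src_ip, dst_ip, dst_port) for each parsable log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]), int(m[3])

def triage(text):
    """Map each scan-like source, and any source that touched an excluded
    system, to a verdict for the trusted agent and incident handlers."""
    ports_by_src = defaultdict(set)
    touched_excluded = set()
    for src, dst, port in parse_events(text):
        ports_by_src[src].add(port)
        if dst in EXCLUDED_SYSTEMS:
            touched_excluded.add(src)
    verdicts = {}
    for src, ports in ports_by_src.items():
        if len(ports) < SCAN_THRESHOLD and src not in touched_excluded:
            continue  # ordinary traffic, nothing to deconflict
        if not any(src in net for net in DECLARED_TEST_SOURCES):
            verdicts[str(src)] = "treat-as-intrusion"  # unknown source: real incident until proven otherwise
        elif src in touched_excluded:
            verdicts[str(src)] = "out-of-scope-contact"  # declared tester hit an excluded system
        else:
            verdicts[str(src)] = "authorized-test"
    return verdicts
```

The "treat-as-intrusion" verdict is the agreement's own rule in code form: until CIAC or a trusted agent confirms the source, site staff follow the real-incident procedure and preserve the logs for later analysis.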
 