Scope and Rules of Engagement Role Play
Assignment goals:
To analyze a penetration test Request for Proposal (RFP)
To create a scope for a sample penetration test
To create Rules of Engagement for that penetration test
Overview:
For this lab, we will build RoE and scopes for a sample pentest by doing some interactive role playing. There will be two groups for this lab:
The pen test client: This client is an organization (Ohio State University) that has issued an ambiguous RFP for a pen test project.
The pen tester: This tester will ask the client for more information about the scoping.
Both sides then need to discuss and agree on Rules of Engagement.
The RFP:
The RFP issued by OSU provides rather limited details about the test. In a real-life scenario, this is quite often the case. It becomes extremely important for the client and the pen testers to discuss and be on the same page regarding the scope of the project.
The RFP provides the following facts:
The test will be performed for OSU, a public state university with about employees and students.
OSU wants a pen test either from an outside company or from a group in UITS.
The goal of the project is to find security flaws that may have resulted from improper policies, practices, implementation, patch management and so on.
The RFP has no further information.
The Scopes and RoE Meeting:
The meeting is focused exclusively on scoping and RoE. This meeting must not be adversarial. Engage in a positive discussion to determine the proper scope and RoE, improvising where necessary.
Scope Worksheet:
What is the target organization's biggest security concern? Example: disclosure of sensitive information, malware infection resulting in crash of network drives and/or servers, phishing, etc.
What specific hosts, network address ranges or applications should be tested:
Rules of Engagement Worksheet:
Penetration testing team contact information:
Primary contact:
Mobile phone:
Email:
Secondary contact:
Mobile phone:
Email:
OSU contact information:
Primary contact:
Mobile phone:
Email:
Secondary contact:
Mobile phone:
Email:
Daily debriefing frequency:
Daily debriefing time and location:
Start date of penetration test:
End date of penetration test: