Scope and Rules of Engagement Role Play
Assignment goals:
To analyze a penetration test Request for Proposal (RFP)
To create a scope for a sample penetration test
To create Rules of Engagement for that penetration test
Overview:
For this lab, we will build RoE and scopes for a sample pentest by doing some interactive role playing. There will be two groups for this lab:
The pen test client: This client is an organization (Ohio State University) that has issued an ambiguous RFP for a pen test project.
The pen tester: This tester will ask the client for more information about the scoping.
Both sides then need to discuss and agree on Rules of Engagement.
The RFP:
The RFP issued by OSU provides rather limited details about the test. In a real-life scenario this is quite often the case, so it becomes extremely important for the client and the pen testers to discuss the scope of the project and reach a shared understanding of it before any testing begins.
The RFP provides the following facts:
The test will be performed for OSU, a public state university with about 500 employees and 8000 students.
OSU wants a pen test either from an outside company or from a group in UITS.
The goal of the project is to find security flaws that may have resulted from improper policies, practices, implementation, patch management and so on.
The RFP has no further information.
The Scopes and RoE Meeting:
The meeting is focused exclusively on scoping and RoE. This meeting must not be adversarial. Engage in a positive discussion to determine the proper scope and RoE, improvising where necessary.
Scope Worksheet:
1. What are the target organization's biggest security concerns? (Examples: disclosure of sensitive information, malware infection resulting in the crash of network drives and/or servers, phishing, etc.)
2. What specific hosts, network address ranges or applications should be tested?
Rules of Engagement Worksheet:
Penetration testing team contact information:
Primary contact:
Mobile phone:
Email:
Secondary contact:
Mobile phone:
Email:
OSU contact information:
Primary contact:
Mobile phone:
Email:
Secondary contact:
Mobile phone:
Email:
Daily debriefing frequency:
Daily debriefing time and location:
Start date of penetration test:
End date of penetration test: