Feb 2, 2012

Learn Ethical Hacking Basic: Session XII

Regardless of what type of test you are asked to perform, there are some basic questions you can ask to help establish the goals and objectives of the tests. These include the following: 

What specific outcomes does the organization expect? 
When will tests be performed — during work hours, after hours, or weekends? 
How much time will the organization commit to completing the security evaluation? 
Will insiders be notified? 
Will customers be notified? 
How far will the test proceed? Root the box, gain a prompt, or attempt to retrieve another prize, such as the CEO’s password? 
Who do you contact should something go wrong? 
What are the deliverables? 
What outcome is management seeking from these tests?

Getting Approval 

Getting approval is a critical event in the testing process. Before any testing actually begins, you need to make sure that you have a plan that has been approved in writing. If this is not done, you and your team might face unpleasant consequences, which might include being fired or even criminal charges.


Written approval is the most critical step of the testing process. You should never perform any tests without written approval. 

If you are an independent consultant, you should also consider obtaining insurance before starting any type of test. Umbrella policies and those that cover errors and omissions are commonly used. These types of liability policies can help protect you should anything go wrong. To help make sure that the approval process goes smoothly, you should make sure that someone is the champion of this project. This champion, or project sponsor, is the lead contact to upper management and your point of contact. Project sponsors can be instrumental in helping you gain permission to begin testing and in providing you with the funding and materials needed to make the test a success.


Management support is critical for a security test to be successful (or, in Kartik and Travis’ case, for keeping them from being expelled). 
