Scope Definition

Khoa Nguyen

After the initial request to conduct a penetration test, we find ourselves in the Pre-Engagement phase. Here, we conduct all necessary discussions, define the execution of the penetration test, and sign the required permissions in written form, which is then documented. However, before any of this can happen, it is necessary to sign an NDA to ensure confidentiality.

Non-Disclosure Agreement

A Non-Disclosure Agreement (NDA) is a legal document that plays one of the most important roles in penetration testing. It is a written contract between two parties—the penetration tester and the company (customer)—that ensures any sensitive information shared between them remains confidential. When we look at a company’s systems, we might encounter various sensitive details, such as:

  • Security weaknesses that could be exploited

  • Private company information and trade secrets

  • Employee and customer data

  • Details about how the company’s systems work

The NDA creates a safe environment for both sides. The company can feel comfortable letting us examine their systems, knowing their secrets won’t be shared with anyone, and at the same time we can work without worrying about legal problems that might come from handling sensitive information.

Often we discover serious security problems that could damage the company if made public. For example, we might find ways to access private data or to break into important, mission-critical systems. If this information were to fall into the wrong hands, it could lead to real cyber attacks or data breaches. The NDA helps prevent these risks by making sure all findings stay confidential. Without this protection in place, neither the company nor we would feel safe working together. The NDA covers everything about handling private information, including how to store and share any information we find, such as:

  • System details

  • Software code

  • Passwords

  • Company rules

  • Network setup

The NDA also states that we can’t share our findings with others or use them for personal benefit. It sets clear rules about which systems we can and cannot access during testing. Some topics should only be discussed after both parties sign the NDA, and any conversations that happen prior to the NDA should stay general. However, after signing, you are free to talk about almost everything, including:

  • Which systems will be tested

  • Past security problems

  • Important company processes

  • Login details needed for testing

This careful approach keeps everyone’s information safe and helps create a good working relationship. Now, for the practical aspect, let’s say we already have a signed NDA.

The Scoping Process

With the NDA signed, we can now define the actual scope. Two main tools help plan a penetration test:

  1. the scoping questionnaire and

  2. the scoping document.

The scoping questionnaire is a checklist that helps gather basic information about what needs to be tested. It asks about the company’s systems, security needs, and goals for the test. An example of such a questionnaire can be found here.

The scoping document is more detailed. It’s created using information from the questionnaire and clearly explains what will be tested, how it will be tested, and what the limits are.

These tools help make everything clear by covering (in this example):

  • Which systems will be tested: 2 hosts in total, 1 Web Application running on Linux, 1 Windows-based server (both IPs given after spawning the targets)

  • What type of testing will be done: Black box

  • What the test aims to achieve: Ensure the new small environment is secure.

In the real world, the scoping questionnaire and document will be much more extensive. However, for the purposes of this module, this case is enough. Even now, using these two tools will help us avoid confusion and keep the project on track.

Defining the Scope of Work

Before we can start with the penetration testing engagement, the final plan needs to include:

  • Goals: What the company wants to achieve - in your case: cyber security assessment confirming their systems are secure

  • Limits: What will and won’t be tested - only the 2 provided hosts (Web application on Linux and the Windows host)

  • Methods: How the testing will be done - Black box, without prior knowledge of the web application, the Linux host nor the Windows host

  • Schedule: When things will happen - for us: take your time as much as you need

  • Our Role: Assisting our penetration testing team during their engagement

  • Results: What reports and recommendations will be provided - we are tasked to provide our findings to the team lead

A clear plan helps everyone understand what to expect and ensures the testing provides real value to the company.
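One practical way to keep the limits above from being crossed is to encode the signed scope in machine-readable form and check every candidate target against it before any tool is pointed at it. The snippet below is an added example, not code from the original post; the IP addresses and the excluded network are constructed placeholders (the post says the real IPs are only handed over once the targets are spawned).

```python
import ipaddress

# Constructed, machine-readable version of the post's scoping document.
# Placeholder IPs: the real ones come from the customer after spawning.
SCOPE = {
    "test_type": "black box",
    "goal": "Confirm the new small environment is secure",
    "in_scope": {
        "10.10.10.5": "Web application (Linux)",   # placeholder
        "10.10.10.6": "Windows-based server",      # placeholder
    },
    # Explicit exclusions named by the customer always win over in_scope.
    # Constructed example: a production segment we must never touch.
    "excluded": ["10.10.20.0/24"],
}


def is_in_scope(target: str, scope: dict = SCOPE) -> bool:
    """True only if target is explicitly in scope and not explicitly excluded."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False  # hostnames are not in the signed document: reject them
    for net in scope["excluded"]:
        if ip in ipaddress.ip_network(net, strict=False):
            return False
    # in_scope entries may be single hosts or CIDR ranges
    return any(ip in ipaddress.ip_network(allowed, strict=False)
               for allowed in scope["in_scope"])


def check_targets(targets, scope: dict = SCOPE) -> dict:
    """Split a candidate list into allowed and rejected targets.

    Rejected entries are what you raise with the team lead (or the
    customer) instead of testing, e.g. neighbours found during discovery.
    """
    result = {"allowed": [], "rejected": []}
    for t in targets:
        result["allowed" if is_in_scope(t, scope) else "rejected"].append(t)
    return result


if __name__ == "__main__":
    # Constructed candidates: the two lab hosts, a neighbour on the same
    # segment, a production address and a hostname nobody authorised.
    candidates = ["10.10.10.5", "10.10.10.6", "10.10.10.7",
                  "10.10.20.1", "intranet.example.com"]
    print(check_targets(candidates))
```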

Written by

Khoa Nguyen

I am a beginner who has just started learning about technology, especially the field of information security. I write these articles mainly to practice my English and to read more. Thank you all for your interest and for reading. If you have any feedback, please get in touch with me!