Rules of engagement in pentesting
When you create a software product or build a service or create a platform, it’s a good idea to make sure it is secure. The data we generate is feeding the cybercriminal appetite to the point that cybersecurity attacks are normalized. To check we have created robustly secure systems, we can turn to the discipline of Pentesting.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
What is pentesting?
Penetration testing, or pentesting for short is a discipline that has been around in one form or another for decades. It is a method used to look for security vulnerabilities in an IT system, such as a web application or online service. Usually, a pentest is carried out by security specialists who probe the system in question, acting as a cybercriminal would, to find flaws and ‘ways in’.
OWASP has created a set of industry standard testing guides for the discipline. They also produce their ‘Top Ten’ series of vulnerabilities to help focus tests on core known vulnerabilities. In addition, the Penetration Testing Execution Standard (PTES) published the ‘Pentest Standard’ which goes through the seven main areas that the process of pentesting uses: This includes intelligence gathering, vulnerability analysis, and reporting.
All in all, pentesting is a skilled job that requires high levels of attention to detail and a deep knowledge of IT system security. It is also, however, by its very nature, a job that requires an individual to have intimate knowledge of sensitive data and entry to normally restricted areas of a company. Pentesting requires a company to have a deep level of trust in the company and individuals carrying out the pentests.
This leads to the main discussion point...do we need rules of engagement and codes of conduct in pentesting?
A tale of two pentesters
The ethical issues of pentesting can be complicated and the waters muddy. A recent case between a pentest company Coalfire and Iowa Judicial Council begs the question, “when does a pentest go too far?”
The case highlights the fine line that can be crossed between a pentest event and a genuine breach of security. In the case, two pentesters have been accused of ‘burglary’ by breaking and entering the premises of the client. The pair were arrested in the courthouse around midnight after setting the alarm off. Their defense is that they were engaged to check the physical security of buildings as part of the overall pentest contract. The case has caused much discussion amongst the security community. Were the men genuinely carrying out the job as contracted or was this a ruse to actually burgle the Iowa Judicial Council? The case appears to come down to the finer details of what the company was contracted to do. The contract appears to specifically point out that they will NOT test alarms or force doors, both of which happened in the case.
Whatever the outcome, somewhere during contract creation or thereafter, the pentesters failed to communicate their intentions. The code of conduct of these pentesters is now on trial.
The example above is an important one as it opens up the discussion about ethics and rules of engagement in pentesting.
Code of conduct for pentesting
Pentesters’ raison d’etre is to break into systems. They want to find flaws; they probe the inner workings of your IT systems and services to find ways in which cybercriminals will otherwise locate. Therefore, there needs to be a strong code of conduct for anyone in the industry. If not, you may end up with good pentesters gone bad.
There are industry bodies to help with this. The Council of Registered Ethical Security Testers (CREST) has developed a code of conduct (CREST, 2014) that pentesters adhere to. If you are an individual pentester or a company that offers pentesting services, you can become CREST Accredited.
There have also been models that attempt to provide guidance on penetration testing ethics. One such model was developed in 2006 by Pierce, et.al. The team’s work presents a taxonomy of penetration ethics that can be used as a basis for a work agreement, for example. There have been some criticisms of this model, however, and it is not a certification standard, as that offered by CREST. However, it can be used as a basis for developing ethical standards that you would expect when engaging a pentest team.
On an individual basis, there are a number of certification bodies that provide training and certification for pentesters. Many pentest-specific certifications will detail a pentester code of conduct as part of the training. Others, such as the UK’s The Cyber Scheme (“TCS”) place a high emphasis on maintaining a code of conduct as a pentester.
Conclusion: Trust in pentesting
Can we truly ever trust pentesters? Although there is always an element of risk when allowing anyone into your confidence, it is fair to say that if a pentesting company has a reputation to uphold, they will be less likely to lose it by acting unethically. However, it makes sense that you should always vett your choice of pentester. Take references from previous clients, check accreditation and certification, ask probing questions, and use your gut reaction too. After all, you will be effectively allowing them to hack into your system, see sensitive company data, and if they do turn out to be the bad guy, they could sell this info to your competitors.
Whatever measures you use to check your pentesters' ethical status, rogue actors are always a risk. However, pentesting is an extremely useful way to batten down the hatches in a cybersecurity landscape where data breaches and cyber-attacks are increasingly common. Ultimately, you must decide if the benefits of having your IT systems pentested in this aggressive cybersecurity environment, balance against the risk of a pentester gone bad. The use of codes of conduct within your agreement along with recognized certification and accreditation can certainly help to mitigate that risk.
FREE role-guided training plans
Sources
- Infosec Institute, The Types of Penetration Testing
- OWASP
- Penetration Testing Execution Standard
- Secure World Expo
- CREST Accredited companies
- Pierce, J., et.al., PENETRATION TESTING PROFESSIONAL ETHICS: A CONCEPTUAL MODEL AND TAXONOMY
- Infosec Institute, Top 10 Penetration Testing Certifications for Security Professionals
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Rules of engagement in pentesting
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness