Ethical Hacking Agreement


  • 8/4/2019 Ethical Hacking Agreement

    ETHICAL HACKING AGREEMENT

    External Network Security Unannounced Penetration Test

    FACILITY : _____________________________________

    DATE: _________________________________________

    OBJECTIVE: To provide an assessment of the site's external security profile of networked computer systems and intrusion detection capabilities.

    SCENARIO: Testing will consist of four phases, during which various tools and techniques will be used to gain information and identify vulnerabilities associated with the site's computer systems and subsequent attempts to penetrate the network. These phases, discussed in detail below, are: network mapping; vulnerability identification; exploitation; and reporting.

    Network Mapping will obtain much of the required information regarding the site's network profile, such as IP address ranges, telephone number ranges, and other general network topology through public information sources, such as Internet registration services, web pages, and telephone directories. More detailed information about the site's network architecture will be obtained through the use of domain name server (DNS) queries, ping sweeps, port scans, and connection route tracing. Informal inquiries, not linked to Independent Oversight, may also be attempted to gather information from users and administrators that could assist in gaining access to network resources. Once this general network information is compiled and analyzed, will begin identification of individual system vulnerabilities.

    Vulnerability Identification: During this phase, will attempt to associate operating systems and applications with identified computers on the network. Depending upon network architecture, this may be accomplished using automated tools, such as nmap and queso, or using manual techniques, such as telnet, ftp, or sendmail login banners. Using this information, will create a list of probable vulnerabilities associated with each potential target system. Also, at this point, automated scripts will be developed or compiled to attempt exploitation of vulnerabilities.

    Exploitation: During this phase, system and user information will be used to attack the authentication processes of the target systems. Example attack scenarios in this phase include, but are not limited to: buffer overflows, application or system configuration problems, modems, routing issues, DNS attacks, address spoofing, share access and exploitation of inherent system trust relationships. Potential vulnerabilities will be systematically tested in the order of penetration and detection probability as determined by the members of the penetration testing team. The strength of captured password files will be tested using password-cracking tools. Individual user account passwords may also be tested using dictionary-based, automated login scripts. In the event that an account is compromised, will attempt to elevate privileges to that of super user, root, or administrator level.

    Since the goal of testing is to determine the extent of vulnerabilities, and not simply penetrate a single site system, information discovered on one system may be used to gain access to additional systems that may be "trusted" by the compromised system. Additionally, host-level vulnerabilities may be exploited to elevate privileges within the compromised system to install "sniffers" or other utilities. will insert a small text file at the highest level directory of each compromised system. In those cases where is unable to gain sufficient privilege to write to the system, a file will be copied from the system. In either case, additional files may be copied during testing if further review is required to determine sensitivity of information contained on the system. will maintain detailed records of all attempts to exploit vulnerabilities and activities conducted during the attack phase.

    Reporting will provide an on-site briefing of results. These results will also be documented in a management level report provided to the site, Operations Office, and responsible Headquarters Program Offices that will cover the unannounced penetration testing. Specific details on vulnerabilities will also be provided to site technical personnel.

    SPECIAL CONSIDERATIONS:

    will coordinate testing activities with a "trusted agent" in each organization listed on the performance test agreement as appropriate. Each organization should identify an individual to be designated as a trusted agent. More than one trusted agent may be identified at the site; however, the number should be kept to an absolute minimum. All personnel who are informed of the testing will maintain strict confidentiality to ensure the validity of test results.

    The Operations Office will coordinate with trusted agents at the site to identify critical systems that should be excluded from testing activities (e.g., safety systems, major applications undergoing upgrades or other special evolutions). Specific network addresses and reasons for exclusion should be provided as an attachment to the signed performance test.

    The Operations Office will identify any systems or network nodes that are connected to the site network, but are not under the direct control and responsibility of the site or the cognizant Operations Office. These systems will be excluded from testing unless obtains permission from the system owner.

    will provide the DOE Computer Incident Advisory Capability (CIAC) with information regarding the systems used for scanning and testing activities to ensure that testing activities are not confused with real attacks.

    While will not attempt to exploit "denial of service" vulnerabilities (unless specifically requested by competent authority) and every attempt will be made to prevent damage to any information system and the data it holds, some penetration attempt scenarios have the possibility of causing service interruption. In the unlikely event that such an event occurs, will work with the trusted agents at the site to determine the nature of the problem and restore the system to its desired state of operation.

    All information obtained by will be protected (to the extent possible) from unauthorized access.

    In the event that any site personnel (excluding trusted agents) identify testing activities, site computer security personnel should document the detection of activity and take initial actions that would be taken in the case of a real intrusion, including informing CIAC. If notified by the site of incidents that correspond with OA penetration testing, CIAC and the site's trusted agents will inform the appropriate site computer security personnel that the activity identified is part of an authorized DOE test. OA will also be informed of the detection. In these cases, logs or other evidence of intrusion detection activities should be provided to Independent Oversight for analysis. testing will then be allowed to continue as an announced external network security assessment without blocking, filtering, or restricting access.

    It is the site's responsibility to restore network computer systems to a secure configuration after testing. Independent Oversight will coordinate with and provide assistance (as requested) to system administrators during this period of "cleaning up" network computer systems. Clean-up may consist of removing added programs and files, identifying systems whose password files were compromised, and restoring systems to a secure configuration so that no systems are left in a compromised condition.

    As evidenced by their signature on this performance test agreement, Operations Office and site contractor representatives certify that the Department's Banner and Warning Policy has been implemented at the site and network computer users have, as a result, granted constructive consent to this type of activity.

    APPROVALS:

    ______________________________________________________________ Director, Office of Cyber Security and Special Reviews

    ______________________________________________________________ Office of Chief Information Officer Representative

    ______________________________________________________________ Lead Program Secretarial Office Representative

    ______________________________________________________________ Operations Office Representative

    ______________________________________________________________ Site Contractor Representative