Appendix D: Sample Rules of Engagement
The rules of engagement for this vulnerability assessment are designed
to document the procedures and framework for agency system
scanning conducted during the security test and evaluation (ST&E)
scheduled for date of evaluation. Computer Security Consulting,
Inc. (CSCI) and the agency system security manager will jointly
collaborate while performing this vulnerability assessment. The rules of
engagement establish the scope by defining targets, time frame, rules,
and points of contact. They also provide authorization to proceed. For
questions concerning the content of this document, please contact
company rep at email.com.
Scope of Objective
Our scanning procedures are designed to focus on the agency system
and servers designated and approved for scanning by the agency
system security officer. Our objective is to identify and inventory any
exposures or weaknesses found in the specified targets as a subset
activity within the overall agency system ST&E task.
Our test procedures employ nondestructive, minimally invasive
techniques limited to IP reconnaissance, vulnerability mapping,
and resource enumeration. No files or data will be modified or
changed. Furthermore, this assessment is not likely to disable users
or deny service. For the purposes of this penetration procedure,
successful penetration is defined by demonstrating any one of the
following:
• Remotely or locally obtain the ability to copy, modify, or
delete system configuration files.
(Note: Under no circumstances will any data or files be modified or
deleted.)
• Remotely or locally view, modify, or obtain password files.
• Obtain the ability to redirect traffic.
(Note: Under no circumstances will traffic be redirected.)
Evidence to support any weaknesses discovered will consist
primarily of screen prints, session logs, or automated tool reports. We
will evaluate vulnerabilities discovered during the scan and discuss
with agency system the potential for further penetration testing.
Use of Automated Tools
We will direct the use of the automated probing and scanning tools,
Nessus, WebSense, and Nmap, to determine system configurations,
default settings, security settings, network services, and open ports
on the agency resources. The tools will detect vulnerabilities on the
scanned resources, including those vulnerabilities published by the
Common Vulnerabilities and Exposures Database and the FBI/
SANS Top 20 List.
Vulnerabilities tested by the agency's scanning tools include, but are
not limited to:
• SMTP weaknesses
• IP fragmentation checks
• ICMP checks
• Odd protocol checks
• Port checks
• NETBIOS vulnerabilities
• WC service vulnerabilities
• HTTP vulnerabilities
• NIS weaknesses
• Protocol spoofing checks
We will carefully analyze the results of the scans in order to verify
the detection of vulnerabilities and ensure accurate reporting. False
positives are extremely difficult to determine, and system adminis-
trators should assist in identifying possible applications that might
utilize unknown findings.
Terms of Testing
The following are agreed-upon terms that will be in place as part of
the penetration test:
• All network scanning and penetration procedures will be
accomplished within the specified time period as outlined in
the section “Time Line.”
• Penetration testing will be conducted during normal business
hours, defined as 8:00 a.m. through 5:00 p.m.
• The IP addresses to be tested are those identified at the kickoff
meeting, or at a meeting with the agency security manager, as
designated for penetration testing; only those addresses listed will be tested.
• The scans will simply determine what vulnerabilities may exist
within the agency systems. We will not attempt to exploit
these vulnerabilities or gain unauthorized access.
• A full network scan will not be performed. A targeted
system scan will be completed and limited to the addresses
on the server lists that contain target machines, so as to
control and further minimize load on the network infrastructure.
• When high-risk vulnerabilities are discovered, they will be
exploited only to determine their validity. No exploits will be
attempted beyond gaining access to the operating system or
application.
• Apart from possible log file overflows, we will refrain from
denial-of-service attempts unless specifically authorized by the
agency personnel involved.
• The agency security officer may, at any point in time, exercise
the option to cancel scanning activities.
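As an added example (not part of the original appendix, and not CSCI's or the agency's own tooling), the following Python pre-scan gate enforces two of the terms above before any scanner is launched: only addresses on the approved server list may be tested, and testing happens only between 8:00 a.m. and 5:00 p.m. The approved list and the targets are constructed sample values.

```python
# Added example, not from the original appendix. The approved list and
# targets below are constructed sample values, not agency data.
import ipaddress
from datetime import datetime, time

# Constructed stand-in for the server list agreed at the kickoff meeting.
APPROVED_SERVER_LIST = ["10.0.5.0/24", "10.0.7.12"]
BUSINESS_START, BUSINESS_END = time(8, 0), time(17, 0)


def parse_scope(entries):
    """Turn host addresses or CIDR blocks into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_scope(target, scope):
    """True only if every address in `target` lies inside one approved entry,
    so a block wider than the approved list (a full network scan) is refused."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    return any(net.version == s.version and net.subnet_of(s) for s in scope)


def within_business_hours(when):
    """Terms of Testing: 8:00 a.m. through 5:00 p.m."""
    return BUSINESS_START <= when.time() <= BUSINESS_END


def gate(targets, when_iso, approved=APPROVED_SERVER_LIST):
    """Return (allowed_targets, refusals). An empty allowed list means the
    scan must not start; each refusal names the term that blocked it."""
    scope = parse_scope(approved)
    allowed, refusals = [], []
    for t in targets:
        if in_scope(t, scope):
            allowed.append(t)
        else:
            refusals.append(f"{t}: not on the approved server list")
    when = datetime.fromisoformat(when_iso)
    if not within_business_hours(when):
        refusals.append(f"{when:%H:%M}: outside the 8:00 a.m. to 5:00 p.m. window")
        allowed = []  # time-window violation: nothing may be scanned
    return allowed, refusals


if __name__ == "__main__":
    ok, why = gate(["10.0.5.7", "10.0.0.0/8", "10.0.9.1"], "2024-03-04T10:30:00")
    print("allowed:", ok, "| refused:", why)
```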