Appendix D: Sample Rules of Engagement
The rules of engagement for this vulnerability assessment are designed
to document the procedures and framework for agency system
scanning conducted during the security test and evaluation (ST&E)
scheduled for date of evaluation. Computer Security Consulting,
Inc. (CSCI) and the agency system security manager will jointly
collaborate while performing this vulnerability assessment. The rules of
engagement establish the scope by defining targets, time frame, rules,
and points of contact. They also provide authorization to proceed. For
questions concerning the content of this document, please contact
company rep at email.com.
Scope of Objective
Our scanning procedures are designed to focus on the agency system
and servers designated and approved for scanning by the agency
system security officer. Our objective is to identify and inventory any
exposures or weaknesses found in the specified targets as a subset
activity within the overall agency system ST&E task.
Our test procedures employ nondestructive, minimally invasive
techniques limited to IP reconnaissance, vulnerability mapping,
and resource enumeration. No files or data will be modified or
changed. Furthermore, this assessment is not likely to disable users
or deny service. For the purposes of this penetration procedure,
successful penetration is defined by demonstrating any one of the following:
• Remotely or locally obtain the ability to copy, modify, or
delete system configuration files.
(Note: Under no circumstances will any data or files be modified or
• Remotely or locally view, modify, or obtain password files.
• Obtain the ability to redirect traffic.
(Note: Under no circumstances will traffic be redirected.)
Evidence to support any weaknesses discovered will consist
primarily of screen prints, session logs, or automated tool reports. We
will evaluate vulnerabilities discovered during the scan and discuss
with agency system the potential for further penetration testing.
Use of Automated Tools
We will direct the use of the automated probing and scanning tools,
Nessus, WebSense, and Nmap, to determine system configurations,
default settings, security settings, network services, and open ports
on the agency resources. The tools will detect vulnerabilities on the
scanned resources, including those vulnerabilities published by the
Common Vulnerabilities and Exposures Database and the FBI/
SANS Top 20 List.
Vulnerabilities tested by agency’s scanning tools include, but are
not limited to:
• SMTP weaknesses
• IP fragmentation checks
• ICMP checks
• Odd protocol checks
• Port checks
• NETBIOS vulnerabilities
• WC service vulnerabilities
• HTTP vulnerabilities
• NIS weaknesses
• Protocol spoofing checks
We will carefully analyze the results of the scans in order to verify
the detection of vulnerabilities and ensure accurate reporting. False
positives are extremely difficult to determine, and system administrators
should assist in identifying possible applications that might
utilize unknown findings.
Terms of Testing
The following are agreed-upon terms that will be in place as part of
the penetration test:
• All network scanning and penetration procedures will be
accomplished within the specified time period as outlined in
the section “Time Line.”
• Penetration testing will be conducted during normal business
hours, defined as 8:00 a.m. through 5:00 p.m.
• The IP addresses are identified in the kickoff meeting or
meeting with the agency security manager as identified for the
penetration testing; only those addresses listed will be tested.
• The scans will simply determine what vulnerabilities may exist
within the agency systems. We will not attempt to exploit
these vulnerabilities or gain unauthorized access.
• A full network scan will not be performed. A targeted
system scan will be completed and limited to the addresses
on the server lists that contain target machines, so as to
control and further minimize load on the network infrastructure.
• When high-risk vulnerabilities are discovered, they will be
exploited only to determine their validity. No exploits will be
attempted beyond gaining access to the operating system or
• Absent log file overflows, we will refrain from
denial-of-service attempts unless specifically authorized by agency
• The agency security officer may, at any point in time, exercise
the option to cancel scanning activities.
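The scope and time-window terms above (only the listed addresses are tested, and only during normal business hours) are the kind of constraint a tester's tooling should enforce mechanically rather than rely on memory for. The following Python scope guard is an added example written for this appendix; it is not CSCI's procedure or any tool named on the page. The authorized address list, the candidate target list and the window values are constructed placeholders standing in for what the kickoff meeting would produce.

```python
"""Scope guard for a targeted scan: refuse any address not on the agreed
list and any run outside the agreed hours, before the scanner is invoked.

Added example, not from the appendix. AUTHORIZED and the candidate list
in __main__ are constructed placeholders for the addresses agreed at the
kickoff meeting; the window mirrors the 8:00 a.m. to 5:00 p.m. term.
"""
from datetime import datetime, time
import ipaddress

# Constructed: addresses approved by the agency security manager.
# Entries may be single hosts or CIDR ranges.
AUTHORIZED = [
    "192.0.2.10",
    "192.0.2.20",
    "198.51.100.0/28",
]

# Normal business hours as defined in the terms of testing.
WINDOW_START = time(8, 0)
WINDOW_END = time(17, 0)


def authorized_networks(entries=AUTHORIZED):
    """Parse host and CIDR strings into network objects; strict=False
    tolerates an entry written with host bits set (e.g. 10.0.0.5/24)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_in_scope(target, authorized=AUTHORIZED):
    """True only if the target is an IP address inside an approved entry.
    Hostnames are rejected: the rules list addresses, and a name could
    resolve to something the agency never approved."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    return any(addr in net for net in authorized_networks(authorized))


def within_test_window(when):
    """True if the datetime falls inside the agreed testing hours."""
    return WINDOW_START <= when.time() <= WINDOW_END


def partition_targets(targets, authorized=AUTHORIZED):
    """Split candidates into (approved, rejected); only the approved list
    is ever handed to the scanner, and the rejected list is logged."""
    approved, rejected = [], []
    for t in targets:
        (approved if is_in_scope(t, authorized) else rejected).append(t)
    return approved, rejected


def may_scan(targets, when, authorized=AUTHORIZED):
    """Gate for the scan launcher: returns the approved targets, or an
    empty list when the run is outside the window or nothing is in scope."""
    if not within_test_window(when):
        return []
    approved, _ = partition_targets(targets, authorized)
    return approved


if __name__ == "__main__":
    # Constructed candidates: two approved hosts, one inside the approved
    # range, one outside it, and a hostname (rejected by policy).
    candidates = ["192.0.2.10", "198.51.100.7", "198.51.100.40",
                  "203.0.113.5", "intranet.example"]
    now = datetime(2024, 3, 12, 10, 30)
    approved, rejected = partition_targets(candidates)
    print("approved:", approved)
    print("rejected:", rejected)
    print("in window:", within_test_window(now))
    print("scan list:", may_scan(candidates, now))
```

The guard deliberately refuses hostnames and returns an empty target list, rather than a partial one, when the run falls outside the window; the scanner wrapper should treat both as a hard stop and record the rejected entries so the agency security officer can see what was excluded and why.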