Pre-Engagement & Scoping Handling Legal and Compliance Requirements

Before you begin any penetration testing engagement, it is crucial to establish clear legal boundaries and understand the compliance requirements governing the client's environment. Setting these expectations early ensures that both you and the client are protected throughout the assessment.

Pre-Engagement Checklist

Due to the sensitive nature of penetration testing, you must ensure all legal and procedural bases are covered before touching a client's network. Discuss the following items with your client to establish clear roles and responsibilities.

  1. 1

    Sign the Statement of Work (SOW)

    Ensure that the contract and Statement of Work explicitly state that the actions you take on the tested systems are authorized and performed on behalf of the client.

  2. 2

    Review Acceptable Use Policies

    Obtain a copy of the security policies that govern how users interact with company systems. Verify that the policy covers data ownership, as well as the rules around the storage of personal employee data on client systems.

  3. 3

    Confirm Regulatory Requirements

    Identify the specific laws and regulations that govern the data managed by the client. Understanding these restrictions dictates how you can interact with their data during the test.

  4. 4

    Establish Incident Procedures

    Discuss and agree upon the exact procedures to follow if you discover that the client's environment has already been compromised by a malicious third party.

Data Handling and Privacy

When you gain access to sensitive systems, you must handle the data within strict legal and ethical boundaries.

Proof of Access

If you are using your own penetration testing systems, do not download or store sensitive client data on your local machines. Instead, demonstrate the vulnerability by providing "proof of access."

Here are safe ways to prove you gained access without exposing sensitive data:

MethodDescriptionExample
File PermissionsShow that your compromised user account has read/write access to a sensitive file.ls -la /etc/shadow
Record CountsCount the number of rows in a database without extracting the actual row data.SELECT COUNT(*) FROM users;
Directory ListingsShow the names of files within a restricted or confidential directory.dir C:\Confidential\

Encryption and Third-Party Tools

If you must store client data (and are authorized to do so), you must use full drive encryption on all systems and removable media that will hold the data.

Do not use third-party services for password cracking or share any client data with external services without prior, explicit consent from the client. Uploading client hashes to a cloud cracking service can constitute a severe data breach.

Operational Boundaries During Testing

While executing the test, you must adhere to strict rules regarding system logs and surveillance.

Log Management

No logs should be removed, cleared, or modified unless you are specifically authorized to do so by the client in the engagement contract or SOW.

If you are authorized to clear or modify logs to simulate an attacker covering their tracks, you must back up the logs prior to making any changes.

Audio and Video Capture

Check local and national wiretap laws before capturing audio or video during post-exploitation. Using compromised webcams or microphones can easily violate privacy and wiretap laws, resulting in severe legal consequences.

Handling Prior Compromises

It is not uncommon to breach a network only to find that a real attacker is already there. If you discover evidence of a prior compromise in the assessed environment, follow a strict protocol to preserve evidence for the client's Incident Response (IR) team.

flowchart TD
    A[Discover Evidence of Prior Compromise] --> B[Halt Exploitation in Affected Area]
    B --> C[Save and Hash Pen-Test Logs]
    C --> D[Provide Hashed Logs to Client]
    D --> E[Client Initiates Incident Response]

When a compromise is found, immediately save and hash all logs that record your team's actions and timestamps during the assessment. Provide this hashed record to the client. This allows the client's IR team to easily separate your authorized penetration testing activities from the malicious actions of the real attacker.