Monday, 30 January 2017

Some critical controls to secure and protect your environment from Ransomware attacks

Below are some of the controls you can consider to protect your environment from ransomware attacks:
  • User Training
    • Identify phishing
      • Train your users to be able to identify phishing attacks
    • How to handle attachments
      • Block executable and compressed zip file attachments
      • Train your users about macros and risky file types
  • Incident procedures
    • Be prepared and have an incident response plan for ransomware attacks
  • Protecting the PC
    • Blocking emails
      • Use security controls: email gateways, AVs, sandboxing, etc.
    • Restrictions via Group Policies and Firewalls
      • Block risky applications like Flash
      • Block proxies like Tor
      • Block websites with a low or no reputation rating
      • Block downloads from low-rated websites, BitTorrent and public file shares
  • Limiting User Rights
    • Do not allow privileged access on workstations
    • Implement application whitelisting where possible
  • Revisiting Mapped Drives
    • Minimize user access to what is needed
  • Protecting the Server and Backups
    • Securing File Locations
      • Secure file shares, file servers, storage and the permissions on them
    • Backup Data
      • Back up data regularly, and review and verify the backups on a regular basis
  • Integrity monitoring
    • Use file integrity monitoring (FIM) solutions
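As an added illustration of the last two controls (verifying backups against a known-good state, and file integrity monitoring), here is a small file integrity monitor in Python. It is example code written for this post, not taken from any FIM product: it hashes every file under a directory, compares two snapshots, and raises an alert when a large share of the baseline has been modified or removed, which is the pattern an encryptor leaves behind on a share. The directory contents, file names, the ".locked" extension and the 50% threshold are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def mass_change_alert(baseline: dict, delta: dict, threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the baseline files were modified or removed.

    Normal operation touches a few files at a time; an encryptor rewrites or
    replaces most of a share in one pass, so a high ratio is worth alerting on.
    """
    if not baseline:
        return False
    touched = len(delta["modified"]) + len(delta["removed"])
    return touched / len(baseline) >= threshold


def demo() -> tuple:
    """Build a constructed share, snapshot it, simulate an encryptor, snapshot again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(4):
            (root / f"doc{i}.txt").write_text(f"document {i}\n")
        baseline = snapshot(root)

        # Simulated encryptor behaviour (constructed): three files are replaced by
        # random bytes under a new extension, one is overwritten in place, and a
        # note file appears.  No real encryption is involved.
        for i in range(3):
            (root / f"doc{i}.txt.locked").write_bytes(os.urandom(32))
            (root / f"doc{i}.txt").unlink()
        (root / "doc3.txt").write_bytes(os.urandom(32))
        (root / "README_RECOVER.txt").write_text("constructed note text\n")

        current = snapshot(root)
        delta = diff_snapshots(baseline, current)
        return delta, mass_change_alert(baseline, delta)


if __name__ == "__main__":
    delta, alert = demo()
    print(delta)
    print("mass-change alert:", alert)
```

The same snapshot comparison is what "verify the backups" means in practice: take the baseline from the live share, keep it off-host, and run diff_snapshots against a restored copy of the backup to confirm the restore matches. A real deployment would also sign the baseline so an intruder cannot quietly rebase it.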

Saturday, 28 January 2017

Using DNS Brute with NMAP to detect subdomains


Reference: Kali Linux: Hacking Tools Introduction

Using the “dns-brute.nse” script, we can detect and find sub-domains associated with an organization's domain. This helps reveal new targets when performing a security assessment.

The discovered hosts may be virtual web hosts on a single web server, or may be distinct hosts on IP addresses spread across the world in different data centres.

The script finds valid DNS (A) records by trying a list of common sub-domain names and keeping those that successfully resolve.

The picture below shows sample output from the dns-brute script run with the following command (corp.example.org is an example domain; replace it with one of your choice):


nmap --script dns-brute corp.example.org



Thursday, 26 January 2017

What is Cross Site Request Forgery (CSRF) and how it works


Reference: Hacking and Securing Web Applications


What is CSRF?



Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

The picture below is a simple illustration of a CSRF attack, where the legitimate website could be, for example, a banking website. The attacker can use the victim's currently active session to initiate a money transfer to his/her own account.



How to protect yourself against CSRF?

1- First of all, avoid clicking on links and browsing websites whose safety you are unsure of, especially while you are logged in to other important websites.
2- Second, always use security software such as antivirus and anti-spyware.
3- Beware of phishing attempts in emails, attachments, etc.
4- Use a safe browser for critical tasks and avoid browsing other websites with that browser.
5- Always keep your browser up to date.
6- Use tools or plugins to clear browser cookies on a regular basis.
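The tips above are what a user can do; the application owner's side of the defence is the synchronizer-token pattern. The following Python is an added example written for this post, not code from the referenced course or from any framework: an in-memory stand-in for a banking site with a vulnerable transfer handler beside a hardened one that requires a same-site Origin/Referer and a random, single-use token that the attacker's page cannot read. The origin "https://bank.example", the session store and the form values are constructed.

```python
import hmac
import secrets

# Constructed values for the example: the legitimate site's origin and an
# in-memory session store standing in for the server's session backend.
SITE_ORIGIN = "https://bank.example"
SESSIONS: dict = {}


def login(user: str, balance: int) -> str:
    """Create a session and return the id the browser would hold in a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "balance": balance, "csrf": None}
    return sid


def render_transfer_form(sid: str) -> str:
    """GET /transfer: mint a random per-session token and embed it in the form.

    The attacker's page cannot read this HTML (same-origin policy), so it
    cannot learn the token it would need to forge a valid POST.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def transfer_vulnerable(sid: str, form: dict) -> str:
    """Before: the cookie-backed session is the only check, so any page that
    makes the victim's browser POST here can move money."""
    session = SESSIONS[sid]
    session["balance"] -= int(form["amount"])
    return f"sent {form['amount']} to {form['to']}"


def transfer_hardened(sid: str, form: dict, headers: dict) -> str:
    """After: require a same-site Origin/Referer and a matching single-use token."""
    session = SESSIONS[sid]
    origin = headers.get("Origin")
    referer = headers.get("Referer", "")
    if origin != SITE_ORIGIN and not referer.startswith(SITE_ORIGIN + "/"):
        return "rejected: cross-site request"
    expected = session.get("csrf")
    supplied = form.get("csrf_token", "")
    # Constant-time compare; an empty or wrong token fails closed.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or invalid CSRF token"
    session["csrf"] = None  # single use: a replayed form is rejected next time
    session["balance"] -= int(form["amount"])
    return f"sent {form['amount']} to {form['to']}"


def demo() -> dict:
    """Replay the post's scenario: a forged transfer against both handlers."""
    forged = {"to": "attacker", "amount": "500"}  # what the attacker's page submits
    evil_headers = {"Origin": "https://evil.example"}
    same_site = {"Origin": SITE_ORIGIN}

    sid_v = login("alice", 1000)
    vulnerable_result = transfer_vulnerable(sid_v, forged)

    sid_h = login("alice", 1000)
    html = render_transfer_form(sid_h)
    token = html.split('name="csrf_token" value="')[1].split('"')[0]
    legit = {"to": "bob", "amount": "300", "csrf_token": token}
    return {
        "vulnerable": vulnerable_result,
        "forged_cross_site": transfer_hardened(sid_h, forged, evil_headers),
        "forged_no_token": transfer_hardened(sid_h, forged, same_site),
        "legit": transfer_hardened(sid_h, legit, same_site),
        "replayed": transfer_hardened(sid_h, legit, same_site),
        "balances": (SESSIONS[sid_v]["balance"], SESSIONS[sid_h]["balance"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Mainstream web frameworks ship this token check built in; the complementary browser-side control is marking the session cookie SameSite=Lax or Strict, so the cookie is not attached to the cross-site POST in the first place.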

Wednesday, 18 January 2017

How to encrypt and decrypt files using OpenPGP encryption


Below are some basic, simple and useful OpenPGP commands on Linux for newbies, without going too much into details like encryption algorithms, key management, etc. The gpg and gpg2 commands used below both invoke GnuPG; use whichever your distribution provides.

The first step for encryption is generating the keys:
gpg2 --gen-key

The command below lists the secret keys once they are created:
gpg2 --list-secret-keys

We need to export the public key to a file to be able to send it out:
gpg --armor --export you@domain.com > mypublickey.asc

Or we can export the public key to a key server if we have one:
gpg --keyserver search.keyserver.net --send-key you@domain.com

We can export the private key (e.g. for backup) using the command below:
gpg2 --armor --export-secret-keys your_email@domain.com > myprivatekey.asc

On the other end, the recipient needs to import our public key first:
gpg2 --import senderpublickey.asc

The next step, on the other end, is to encrypt a file for us using our public key (--recipient selects the key; the options must come before the input file, because gpg stops parsing options at the first non-option argument):
gpg2 --encrypt --recipient you@domain.com --output file.gpg file.txt

Once the file is encrypted with our public key, it is sent back to us and we can decrypt it using our private key:
gpg2 --output file.txt --decrypt file.gpg

Tuesday, 17 January 2017

Generic Architecture Design Principles and Considerations


Reference: Enterprise Security Architecture, A guide to Infosec Management


When designing any architecture there are certain principles that need to be considered and followed. They assure that the architecture is aligned with the business strategy, vision and goals.

Usually the enterprise architecture team is responsible for defining those principles with senior management's help and guidance. Below are some principles to be used when designing a security architecture.

  1. Principle 1: Comprehensive documentation
  2. Principle 2: No plan is fool-proof
  3. Principle 3: Successful business operation is supported by reasonable and appropriate controls
  4. Principle 4: Business requirements require translation into forms that technical architecture designers can turn into conceptual models
  5. Principle 5: It makes no sense to design something the engineers can’t build
  6. Principle 6: Partial understanding results in incomplete designs
  7. Principle 7: Use attack trees
  8. Principle 8: Business and technical users will avoid complex and hard-to-use security controls
  9. Principle 9: Testing of models and final architecture implementations must take the design into consideration
  10. Principle 10: Ensure architecture constraints are reviewed during the change management process
  11. Principle 11: Frequently assess risk
  12. Principle 12: Meeting security requirements means the architecture is compliant with regulatory and best-practice constraints


Monday, 16 January 2017

Gartner’s Six Principles of Resilience for Digital Business Risk and Security


There are six main principles when talking about information security. These principles were first introduced in 2016 by Gartner's risk and security division.


The principles are:

  • Principle No. 1: Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making
    • Security is not the same old beast. Information security must be a top-down approach, driven by identified business risk. Risk management and risk analysis are the first big step of any information security work.
  • Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business Outcomes
    • Information security is a business enabler. Security is there to help the business achieve its goals and targets. The only way to have a successful information security architecture is to make sure it is aligned with the business strategy.
  • Principle No. 3: Stop Being a Defender, and Become a Facilitator
    • Again, the aim of information security is to help the business hit its targets. Of course security is important, but if we are blocking business processes, it is useless.
  • Principle No. 4: Stop Trying to Control Information; Instead, Determine How It Flows
    • The big shift in the security mindset is moving away from local and limited controls towards a holistic approach that looks at flows and processes.
  • Principle No. 5: Accept the Limits of Technology and Become People-Centric
    • These days more and more attacks are the result of a lack of user awareness. Training people and using resources is as important as having technical controls.
  • Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection and Response
    • We all know it is impossible to have a completely safe environment. Threats and vulnerabilities are always there. A proper incident response plan and operation is crucial for any business.

Sunday, 15 January 2017

Mis-Association attack on wireless Networks and how it works


Reference: Ethical Hacking and Penetration with Kali Linux

Reference: Kali Linux: Hacking Tools Introduction



The technique of a mis-association attack is to get a computer to connect to your Kali machine by advertising one of the old wireless networks it has connected to before, or by using the same SSID name as a network that is currently available and has clients. For example, if a computer was connected to a Wi-Fi network called “Public-wifi” in the past, that name will be discovered and used to attack the host.



The steps are as below:
  • Find one of the wireless SSID names that the victim has connected to before, using “airodump-ng”
  • Set up a new access point with exactly the same name
  • Send a de-auth message to the victim so that it is disconnected from the current AP and tries to connect again
  • As the SSID you created is already on the victim’s list, it will connect to your AP.
  • You can start capturing the victim’s traffic!

To achieve this, the commands and steps below need to be followed on Kali Linux:

  • airmon-ng start wlan0
  • airodump-ng mon0
    • You can see the station trying to connect to a list of APs it has connected to before (the Probe column), e.g. Public-wifi
    • Note: make sure that SSID is not present in the current list of APs
  • airbase-ng --essid "Public-wifi" -c 1 mon0
    • This makes Kali an access point that clients can authenticate to and connect with
  • Set up DHCP and other settings as per the previous section (Rogue access points)
  • Now the client station will try to connect to your computer, as it has the same SSID in its database
  • If the client machine is already connected to another Wi-Fi network, start a de-auth attack as below
  • aireplay-ng -0 0 -a 22:AF:3A:5E:22:3D mon0
    • This forces clients to re-authenticate and connect to our machine
  • Monitor the output of the airbase-ng command to see when the victim connects

Security Tips:

  • Do NOT connect to any public wireless network unless you are 100% certain it is the one you expect.
  • If you are on a public network, do NOT send any sensitive information over clear text (HTTP, FTP, etc.)
  • If you are on a public network, watch for certificate error messages
  • Try using a VPN if you need to use public networks
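From the defender's side, the de-auth step above is the loud part of this attack: a legitimate AP sends very few deauthentication frames, so a burst of them is a reliable detection signal for a wireless IDS. The Python below is an added example written for this post, not code from the referenced courses or from the aircrack-ng suite: it decodes the 802.11 MAC header of management frames, counts deauthentication and disassociation frames per transmitter/receiver pair, and flags pairs over a threshold. The frames are constructed in code (no radio or capture file is involved); the AP address is the one used in the aireplay-ng command above and the station address is illustrative.

```python
from collections import Counter

# 802.11 management-frame subtypes (frame-control byte 0, high nibble)
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x8, 0xA, 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header of a management frame.

    Frame control is little-endian: byte 0 holds version (bits 0-1),
    type (bits 2-3) and subtype (bits 4-7).  For management frames
    addr1 is the receiver, addr2 the transmitter and addr3 the BSSID.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = frame[0]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "receiver": _mac(frame[4:10]),
        "transmitter": _mac(frame[10:16]),
        "bssid": _mac(frame[16:22]),
        "body": frame[24:],
    }


def build_mgmt_frame(subtype: int, receiver: str, transmitter: str,
                     bssid: str, body: bytes = b"") -> bytes:
    """Construct a management frame so the example runs without a capture."""
    fc = bytes([subtype << 4, 0x00])  # type 0 = management, no flags
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (receiver, transmitter, bssid))
    return fc + duration + addrs + seq_ctrl + body


def detect_deauth_storm(frames: list, threshold: int = 5) -> dict:
    """Count deauthentication/disassociation frames per (transmitter, receiver).

    A healthy AP sends very few of these; a burst aimed at one station or at
    the broadcast address is the signature of the aireplay-ng step above.
    """
    counts = Counter()
    for frame in frames:
        hdr = parse_80211_header(frame)
        if hdr["type"] == 0 and hdr["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            counts[(hdr["transmitter"], hdr["receiver"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def sample_capture() -> list:
    """Constructed traffic: beacons from the AP, then a deauth burst at one station."""
    ap, station = "22:af:3a:5e:22:3d", "00:11:22:33:44:55"  # station MAC is illustrative
    frames = [build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap) for _ in range(3)]
    reason = (7).to_bytes(2, "little")  # reason code 7: class 3 frame from non-associated station
    frames += [build_mgmt_frame(SUBTYPE_DEAUTH, station, ap, ap, reason) for _ in range(8)]
    frames.append(build_mgmt_frame(SUBTYPE_DISASSOC, BROADCAST, ap, ap, reason))
    return frames


if __name__ == "__main__":
    print(detect_deauth_storm(sample_capture()))
```

The transmitter address in a spoofed deauth frame is the real AP's, so the detector keys on rate rather than on sender identity. The protocol-level fix is 802.11w (Protected Management Frames), which authenticates deauthentication and disassociation frames so a forged one is discarded by the station.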

Saturday, 14 January 2017

Vigenère Cipher, Simple and Powerful Symmetric Encryption




The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic substitution.

Below we explain the Vigenère cipher, which is a symmetric cryptosystem. We have a table of the 26 characters of the alphabet, each associated with a number from 0 to 25.



A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25




The message (plain-text) we are trying to encrypt is: “Network Security”

The encryption key that we will use for this is: “ITC”

First, we find the numbers for the keyword in the table:

ITC = 8, 19, 2



Now we need to repeat the keyword so it is the same length as the message text. Once that’s done, the next step is to shift each character to the right by the associated key number. For example, if the character is “N” and the associated key character is “I”, then we shift “N” on the above table 8 cells to the right, which makes it “V”.

Note: If we reach the end of the table, we go back and start from the left side.



We do this for all message-text characters in the table below:

MC  N  E  T  W  O  R  K     S  E  C  U  R  I  T  Y
K   I  T  C  I  T  C  I     T  C  I  T  C  I  T  C
KN  8  19 2  8  19 2  8     19 2  8  19 2  8  19 2
CC  V  X  V  D  G  T  S     K  G  K  M  T  Q  L  A

MC: Message Character
K: Key
KN: Key Number
CC: Cipher Character

So, as can be seen in the above table, the output cipher-text would be: “VXVDGTS KGKMTQLA”
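The shift-and-wrap procedure above is a single modular addition per letter, and the same function with the shift negated decrypts. The Python below is an added example written for this post, not code from the original article: it implements the cipher for any key, preserves case, passes non-letters through without consuming a key letter, and can print rows in the MC/K/KN/CC layout of the table. Note that on the five positions where the shift runs past Z (the message letters W, O, S, U and T), the modulo-26 rule gives E, H, L, N and M, so the function's output differs from the cipher characters in the table above at exactly those positions.

```python
def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the value of the next key letter, modulo 26.

    Non-letters (spaces, punctuation) pass through unchanged and do not
    consume a key letter; the case of each letter is preserved.
    """
    shifts = [ord(k) - ord("A") for k in key.upper() if k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        k = shifts[i % len(shifts)]
        if decrypt:
            k = -k
        # Wrapping past Z is the "back to the left side" rule, done with mod 26.
        out.append(chr((ord(ch) - base + k) % 26 + base))
        i += 1
    return "".join(out)


def tabulate(text: str, key: str) -> list:
    """Rows like the table in the post: (message char, key char, key number, cipher char)."""
    ciphertext = vigenere(text, key)
    letters = [c for c in text if c.isalpha()]
    cipher_letters = [c for c in ciphertext if c.isalpha()]
    keys = [k for k in key.upper() if k.isalpha()]
    return [
        (p.upper(), keys[i % len(keys)], ord(keys[i % len(keys)]) - ord("A"), c.upper())
        for i, (p, c) in enumerate(zip(letters, cipher_letters))
    ]


if __name__ == "__main__":
    ciphertext = vigenere("Network Security", "ITC")
    print(ciphertext)
    print(vigenere(ciphertext, "ITC", decrypt=True))
    for row in tabulate("Network Security", "ITC"):
        print(row)
```

Because the key repeats, the cipher is breakable with Kasiski examination and frequency analysis on each key position; it is a teaching example of polyalphabetic substitution, not a tool for protecting real data.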

Friday, 13 January 2017

How to prevent your sensitive information from being revealed to a keylogger infected computer


What is keylogger?

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. This attack can be achieved using software typically called a keylogger or keystroker.


Scenario:

Suppose you want to use an Internet café or a public computer to log in to your personal account on a bank website, but you suspect that the computer is infected with a software keylogger.

Assume that you have both a web browser window and a text editing window open at the same time. As a security expert you want to protect your sensitive data, in particular your user credentials, from the malware.


Summary of the Solution:

Type random characters in the text editor in between typing your sensitive information (e.g. password) in the browser.


Solution:

Keyloggers work by monitoring the active window’s interactions with the keyboard and don’t recognize mouse events. If we have both a web browser and a text editing window open, the best way to get around the keylogger is to switch quickly between the two windows: while typing the username and password in the browser, randomly press characters in the text box as well, moving between the text box and the browser continuously.

This confuses the keylogger, which receives a long string of pressed characters that is unusable for the attacker.

I would also personally advise that even if we follow the above principle, we change the passwords immediately after using them in a suspected public area, and have multi-factor authentication enabled as well.

Note: If a text editor is not available on the computer, we can use a second application or even a different tab of the browser to type the random characters in between.


Data Enumeration phase in ethical hacking


Reference: Ethical Hacking and Penetration with Kali Linux


What is data enumeration?

One of the first phases of ethical hacking is to extrapolate data such as usernames, computer names, network shares, and more. Some use cases are below:

  • Grabbing detailed system-specific information about the systems, networks and hosts
  • Utilizes various techniques that aren’t defined as exploits
  • A non-intrusive way to gain valuable technical information
  • Information includes:
    • SNMP communities, MIB-specific information
    • Usernames and groups
    • Advertised services such as Master Browser

Some common methods of data enumeration are below:


SNMP Enumeration


  • The default community string for most devices is ‘public’
  • The public string could have various permissions to get the information
  • MIBs contain extensive system-specific information which can be obtained
  • Kali Linux can be used for a number of SNMP tests



DNS Zone Transfers


  • DNS is the core name-resolution service for any organization
  • DNS servers use lookups and zone transfers to synchronize the records between themselves
  • Linux BIND and Microsoft DNS are the most common DNS servers
  • Zones are owned by DNS servers, and if they allow zone transfers you can get a complete list of DNS records, which can identify all hosts on the network
  • Nslookup provides a simple name-resolution testing interface
    • Can be used for on-the-fly zone transfers
    • Zone transfers can footprint an entire network with ease
    • Example: the commands below return all the DNS records (the transfer needs to be allowed by the primary DNS server)
      • nslookup
      • > set type=any
      • > set type=ALL
      • > ls -d “yourdomain.com”

Windows Null Sessions

  • Microsoft Windows uses SMB (Server Message Block) for data sharing and advertisement of services
  • Alternatively, CIFS can be used as the non-Windows replacement
  • Null sessions are established by using a ‘null’ user account
  • Null sessions can be used to enumerate system information
  • Example of connecting to a Windows machine using the null account:

NETBIOS Enumeration

  • NetBIOS operates with or without a WINS server
  • Its operation is primarily based on broadcast
  • It relies on advertisement
  • Advertisements include services, roles and drives
  • Netstat can be used to enumerate information
  • NBTScan is another command-line tool
  • Example:
    • (On Kali Linux)
      • nbtscan 192.168.1.130
      • ./smbgetserverinfo -I 192.168.1.130
      • ./smbdumpusers -I 192.168.1.130 -v
    • (On Windows)
      • nbtstat -a 192.168.1.130

Active Directory Extraction

  • Uses the LDAP protocol
  • Ldp.exe is a simple LDAP client
  • Authenticate with Guest or no permissions at all
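Of the enumeration methods above, the zone transfer is the one a DNS administrator can both detect and shut off. The Python below is an added example written for this post, not code from the referenced course or from BIND: it parses query-log lines in the style of BIND 9's query log, flags any AXFR or IXFR request for a zone that does not come from a known secondary, and leaves ordinary lookups alone. The log lines, the zone corp.example.org, the allowed secondaries and the client addresses are constructed (documentation address ranges).

```python
import re

# Secondaries that are allowed to pull each zone (constructed for the example).
ALLOWED_TRANSFER_PEERS = {"corp.example.org": {"192.0.2.2", "192.0.2.3"}}

# Matches the shape of a BIND 9 query-log line:
#   client @0x... <ip>#<port> (<name>): query: <name> IN <type> <flags> (<server-ip>)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log_line(line: str):
    """Return (client_ip, name, qtype) for a query-log line, or None if it does not match."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype").upper()


def find_unexpected_transfers(lines, allowed=ALLOWED_TRANSFER_PEERS) -> list:
    """Flag AXFR/IXFR requests for a zone from any client that is not a known secondary."""
    findings = []
    for line in lines:
        parsed = parse_query_log_line(line)
        if parsed is None:
            continue
        ip, name, qtype = parsed
        if qtype in ("AXFR", "IXFR") and ip not in allowed.get(name, set()):
            findings.append({"client": ip, "zone": name, "qtype": qtype})
    return findings


# Constructed log lines in BIND 9 query-log style; addresses are documentation ranges.
SAMPLE_LOG = """\
15-Jan-2017 10:02:11.101 client @0x7f0c1c0 192.0.2.2#51234 (corp.example.org): query: corp.example.org IN AXFR -ET (192.0.2.1)
15-Jan-2017 10:02:15.332 client @0x7f0c1c0 192.0.2.77#40001 (www.corp.example.org): query: www.corp.example.org IN A +E (192.0.2.1)
15-Jan-2017 10:03:40.005 client @0x7f0c1d8 203.0.113.9#58821 (corp.example.org): query: corp.example.org IN AXFR -ET (192.0.2.1)
15-Jan-2017 10:03:41.219 client @0x7f0c1d8 203.0.113.9#58822 (corp.example.org): query: corp.example.org IN ANY +E (192.0.2.1)
15-Jan-2017 10:05:00.777 client @0x7f0c1e0 192.0.2.3#33333 (corp.example.org): query: corp.example.org IN IXFR -ET (192.0.2.1)
""".splitlines()


if __name__ == "__main__":
    for finding in find_unexpected_transfers(SAMPLE_LOG):
        print(finding)
```

Detection is the second line; the first is refusing the transfer. In BIND that is an allow-transfer statement listing only the secondaries (for example allow-transfer { 192.0.2.2; 192.0.2.3; }; in the zone or options block), ideally combined with TSIG-signed transfers so that address spoofing does not help either.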

Wednesday, 11 January 2017

Port and Service Enumeration in Ethical hacking


Reference: Ethical Hacking and Penetration with Kali Linux


The process of tying a program or service to the TCP/IP port it uses is called port enumeration. The headings below provide some information about enumeration and how it is done.


Identifying Ports and Services
  • This step comes next, after scanning to determine live hosts
  • Identifying services and open ports tells what function a box is performing and what OS it is running
  • Exploitation of those services can begin after this step
  • Port scans are run to determine which ports a computer is listening on
  • Ping/port/service scans are frequently run together using the same tool


OS Fingerprinting
  • This step is used to determine what OS the target system is running, in order to then exploit vulnerabilities associated with that OS
  • It works based on the fact that some OSes implement the TCP/IP stack differently, and their responses to certain scans determine the type of OS
  • Some OSes run particular services on certain ports, and this is another way of identifying the OS
  • Example: ports 137, 138, 139 and 445 indicate Windows 2000 or above


Popular Scanners

  • SuperScan - Windows-based application, now owned by McAfee
  • Hping - a command-line oriented TCP/IP packet scanner/assembler/analyser
  • Nmap
    • Nmap is the most popular scanner; it is *nix based but has a Windows version as well.
    • Offers full, half-open, stealth and UDP scans

Tuesday, 10 January 2017

TCP, UDP and ICMP Scan types and operation



Reference: Ethical Hacking and Penetration with Kali Linux


TCP Scan Types

  • Full scan: completes all 3 parts of the 3-way handshake. This is the most reliable scan but very noisy and can easily be picked up by IDS systems
  • Half-open (SYN) scan: only uses the first part (SYN) of the handshake to get the SYN-ACK but won’t send the third part (ACK) back. This can also be picked up by IDS systems
  • Stealth scan: varies the timing and frequency of the scan to avoid detection by IDS. This is not a full-connect scan
  • Xmas scan: a malformed packet that sets the FIN, URG and PSH flags; this is used to bypass firewalls
  • ACK scan: sends only an ACK packet; the receiving end won’t know how to respond as there was no handshake; causes open ports to return a reset
  • FIN scan: sends a packet with the FIN flag set; this can usually bypass IDS systems
  • Null scan: sends a packet with no flags set; this can also bypass IDS systems in most cases



UDP Scanning


  • Unlike TCP, the UDP protocol doesn’t have many controls or handshakes. The process of a UDP stream is much simpler.
  • The source device sends a UDP request and the destination responds.
  • UDP scanning scans only for UDP packets
  • It is less reliable than TCP scanning
  • May be of limited value, since UDP or ICMP may be blocked at the firewall



ICMP Scanning

  • ICMP is the most common protocol to
  • Ping scanning is the most common way of scanning
  • Live hosts may respond to ICMP Type 0 or 8
  • Most network scanners include ping scans
  • Usually it will trigger IDS alerts and is detectable

Monday, 9 January 2017

Understanding TCP connections, flags and flood attacks



TCP Connection Basics

  • TCP and UDP are the most common protocols on networks and the Internet. You need to understand how TCP works to be able to use the scanning tools and initiate an attack.
  • TCP includes 6 TCP flags that are set in packets
  • TCP flags indicate whether a packet is initial (SYN), acknowledgement (ACK), finish (FIN), urgent (URG), push (PSH) or reset (RST)
  • TCP uses a 3-way handshake to establish and maintain sessions, which includes the steps below between the source and destination devices:
    • SYN (source to dest) -> SYN-ACK (dest to source) -> ACK (source to dest)
  • Many attacks use non-standard combinations of these flags (malformed packets) to elicit a response from the host or to attack the host



Syn flood

It is a DoS attack where the source computer sends only SYN packets. As a result there will be a lot of half-open sessions on the victim machine and it will be overloaded and unusable.


Understanding TCP Flags:

  • SYN - Initiates a connection
  • ACK - Acknowledges received data
  • FIN - Closes a connection
  • RST - Aborts a connection in response to an error
  • URG - Informs the receiving station that certain data within a segment is urgent and should be prioritized.
  • PSH - TCP buffers the data you send, meaning it won't send data immediately but waits to see whether there is more. On the receiving end, once PSH is received, buffered data is pushed to the application.


The next picture shows the TCP Connection flags at different stages of the TCP state machine.
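The flag definitions in this post and the scan types in the previous one (Xmas, Null, FIN and half-open SYN scans, plus the SYN flood) all come down to which of the six bits in byte 13 of the TCP header are set. The Python below is an added example written for these two posts, not code from the referenced course or from any scanner: it decodes the fixed TCP header, labels each segment by its flag combination, and runs a small detector over constructed traffic that counts half-open sessions per source (the SYN-flood signature), distinct destination ports per source (a port sweep) and malformed probes (NULL, Xmas, FIN-only). The segments and addresses are constructed in code; the thresholds are arbitrary example values.

```python
import struct
from collections import defaultdict

# Flag bits in byte 13 of the TCP header (the low six bits).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))
HEADER_FMT = "!HHIIBBHHH"  # 20-byte fixed header, network byte order


def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed TCP header; options (if any) follow within data_offset bytes."""
    if len(data) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urgp = struct.unpack(HEADER_FMT, data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_res >> 4) * 4, "flags": flags & 0x3F, "window": win}


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Construct a header so the example runs on made-up segments instead of a capture."""
    return struct.pack(HEADER_FMT, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def flag_names(flags: int) -> list:
    return [name for name, bit in FLAG_NAMES if flags & bit]


def classify(flags: int) -> str:
    """Label a segment the way the scan-type list above does."""
    if flags == 0:
        return "NULL"                      # no flags at all: Null scan probe
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        return "XMAS"                      # FIN+PSH+URG lit up: Xmas scan probe
    if flags == FIN:
        return "FIN-only"                  # FIN without ACK never occurs in a real session
    if flags & SYN and flags & ACK:
        return "SYN-ACK"                   # second step of the handshake
    if flags == SYN:
        return "SYN"                       # first step (or a half-open scan / SYN flood)
    if flags == ACK:
        return "ACK-only"                  # third step, or an ACK scan probe
    return "+".join(flag_names(flags))


def analyse(segments: list, half_open_threshold: int = 3, sweep_threshold: int = 5) -> dict:
    """segments: (src_ip, dst_ip, raw_tcp_header) tuples in capture order.

    Tracks client ports that sent a SYN and never followed with the handshake
    ACK (half-open sessions), distinct destination ports per source, and
    malformed flag combinations.
    """
    half_open = defaultdict(set)   # (src, dst) -> client ports awaiting the final ACK
    dports = defaultdict(set)      # src -> destination ports it sent SYNs to
    anomalous = []
    for src, dst, raw in segments:
        hdr = parse_tcp_header(raw)
        kind = classify(hdr["flags"])
        if kind in ("NULL", "XMAS", "FIN-only"):
            anomalous.append((src, dst, hdr["dport"], kind))
        elif kind == "SYN":
            half_open[(src, dst)].add(hdr["sport"])
            dports[src].add(hdr["dport"])
        elif kind == "ACK-only":
            half_open[(src, dst)].discard(hdr["sport"])
    return {
        "anomalous": anomalous,
        "syn_flood": [(s, d, len(p)) for (s, d), p in half_open.items() if len(p) >= half_open_threshold],
        "port_sweep": [(s, len(p)) for s, p in dports.items() if len(p) >= sweep_threshold],
    }


def sample_segments() -> list:
    """Constructed traffic: a normal handshake, a SYN flood, a half-open sweep, two probes."""
    segs = [
        ("192.0.2.20", "192.0.2.10", build_tcp_header(40000, 443, SYN)),
        ("192.0.2.20", "192.0.2.10", build_tcp_header(40000, 443, ACK)),   # handshake completes
    ]
    segs += [("198.51.100.7", "192.0.2.10", build_tcp_header(p, 80, SYN)) for p in range(50001, 50005)]
    segs += [("203.0.113.5", "192.0.2.10", build_tcp_header(60000 + i, d, SYN))
             for i, d in enumerate((21, 22, 23, 25, 80, 443))]
    segs.append(("203.0.113.9", "192.0.2.10", build_tcp_header(61000, 22, 0)))
    segs.append(("203.0.113.9", "192.0.2.10", build_tcp_header(61001, 22, FIN | PSH | URG)))
    return segs


if __name__ == "__main__":
    for key, value in analyse(sample_segments()).items():
        print(key, value)
```

In a real sensor the half-open table would be keyed per victim and aged out with a timer, since the point of a SYN flood is that the entries never complete; the flag labelling is the same logic an IDS signature for Xmas or Null probes uses.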





Sunday, 8 January 2017

What is Reconnaissance step of Penetration Testing?



Reconnaissance is the first step of any penetration test or ethical hacking engagement; it is when we start gathering information about the target and getting prepared for the next steps.
There are two types of reconnaissance: passive and active.

Passive Reconnaissance
  • This step is used to gather information about a company, network or other target without using any intrusive means
  • It is very difficult for the target company to detect or defend against
  • Most of this information is publicly available on the web, in newspapers, advertisements, brochures, etc.
  • You can use resources like company websites, the Exchange Commission, the Better Business Bureau, literature, job site postings (e.g. if Nortel skills are required you will know they have Nortel equipment), partner sites, etc.
  • Information can include names of company officers, addresses or major locations (data centres), partner networks and connections, types of systems used (FW, IDS, etc.), IP address space, domain names, etc.
  • Gathering information with Whois and other tools
    • Names of administrators, IP address space, location, email addresses, phone numbers, etc.
  • Other tools include Sam Spade; web-based tools are also available
  • One popular tool is Maltego on Kali Linux, which will be explained later in this book


Active Reconnaissance

  • At this stage the hacker uses more intrusive methods to gather information and actively touches target sites and networks as a normal user would
  • It does not involve hacking a system
  • May involve personal contact or site visits
Some Tools and Methods:
  • Banner grabbing - Telnet/SSH to devices and read the banner to identify what they are
  • Mail bouncing - Send an email to a wrong email address, then check the bounce message to identify the mail servers
  • DNS zone transfers - To get a list of all the available servers and hosts
  • View the company’s public website source code and directory structure - To identify the type of CMS they may be using
  • Social engineering - e.g. Find out where the sysadmin goes after work, go along, socialize, make friends and get the information out of him!
  • Shoulder surfing - Look over someone’s shoulder, watch and gather information like passwords, codes, etc.
  • Dumpster diving - This is mainly done by local people who steal information
  • Piggybacking/site visits - e.g. Following people, visiting sites and bypassing security.



Putting it all together

  • Use reconnaissance techniques to footprint an organization’s structure and network
  • Gather publicly available or easily obtained info about the target organization
  • Use this info to determine weaknesses and organization boundaries
  • Examples include names, addresses, titles and phone numbers of company personnel
  • IP address range and domain structure (e.g. using BGP or lookups)
  • Infrastructure layout and software used
  • Document all the findings in this step and put them together
  • The information gained at this step serves as the starting point for the next steps



Saturday, 7 January 2017

Ethical Hacking and Penetration Testing Methodology Overview

Reference: Ethical Hacking and Penetration with Kali Linux


There are a number of steps that need to be followed to plan and implement a penetration project. We will explain each one in detail later in this book; however, a summary of the steps can be found below.

Formal Methodology

A good methodology provides a structured framework for testing and procedure. Below are some notes which can be useful when implementing your methodology.

  • Ensures you do not overlook avenues of attack and possible vulnerabilities
  • Provides a comprehensive testing plan. You can use the standards below:
  • OSSTMM - Open Source Security Testing Methodology Manual
    • A widely used, peer-reviewed methodology for performing security tests
  • NIST SP 800-42
    • Technical Guide to Information Security Testing and Assessment
  • TRAWG
    • TRAWG stands for Threat and Risk Assessment Working Guide
  • OCTAVE
    • Operationally Critical Threat, Asset, and Vulnerability Evaluation

Reconnaissance

This is the first step in penetration testing. The point is to gather as much information as possible about the target company, network, infrastructure or personnel.

There are two different types of information gathering: active (calling, talking, visiting, etc.) and passive (finding information on websites, job advertisements, etc.)



Scanning

In this step networks are scanned to determine which hosts are live on the network and what they do. There are multiple types of scans and tools available. The most popular ones are Nmap and SuperScan.

The scans can easily be picked up by intrusion detection systems, although there are ways to avoid this with specific scans.



Service Enumeration (Fingerprinting)

This step follows the scanning step, after determining which hosts are live. Tools are used to discover what services the hosts are running in order to determine vulnerabilities. Fingerprinting tools are often combined with scanners, so we can get both reports at once.



Vulnerability Assessment

This step is used to determine what vulnerabilities exist in an app or a service on a host. Tools in this step use known vulnerability databases and compare the responses from the target device with the database to find a match. The targets are all popular operating systems and applications.

Nessus is the most popular assessment tool in this category, which is open source with a freeware edition.



Vulnerability Exploitation


At this stage the vulnerabilities discovered in previous steps are exploited with known exploits or by developing new ones. Vulnerabilities are exploited to penetrate and gain access to systems.



Penetration and Access

This is the stage where hacking actually occurs. All previous stages are planning only; at this step we try to take control of the target. Systems are penetrated based upon the exploitable vulnerabilities identified in previous steps.

Access to systems at various levels is attempted and tested. The Metasploit framework is a popular tool in this category which will be explained later in this book.



Privilege Escalation and Owning the Box

The goal at this stage is administrative access or access to privileged information. The hacker may start at guest level or as a normal user and use exploits to increase the privilege level.

Remember: owning the box = full control



Evading Defences and Erasing Tracks


Hackers must evade defences like IDS, FW and IPS to penetrate and access the systems. They must avoid detection, or the penetration will be short-lived. Remember, most medium and large organizations have detection mechanisms in place.

Erasing tracks, deleting log files, resetting permissions and hiding hacker tools on the system with rootkits are some of the common steps in this category.



Maintaining and Expanding Access

Once penetration is complete, access must be maintained and expanded. Rootkits are often used to keep access and hide the running processes and tools, along with backdoor accounts.


Access can be expanded to widen the target and penetrate further into the network.

Friday, 6 January 2017

Command Execution Attacks on Web Applications


Reference: Hacking and Securing Web Applications



What is Command Execution or Command Injection?


Command execution is where a web application provides the ability to execute system commands.

What is a Command Injection Attack?


The purpose of a command injection attack is to inject and execute commands specified by the attacker in the vulnerable application. In situations like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it as an authorized system user. Note that the commands are executed with the same privileges as the application and/or web server. Command injection attacks are possible in most cases because of a lack of correct validation of input data that can be manipulated by the attacker (forms, cookies, HTTP headers etc.).

What is Command Injection Harvesting?

Command injection harvesting is where a malicious user manipulates a website's command execution feature to render sensitive data (e.g. usernames, config files, directory and file listings, etc.).
As an example on DVWA (Damn Vulnerable Web Application, a deliberately vulnerable PHP application which can be downloaded and used for testing), entering the inputs below into the command execution page will initiate a command execution attack:

Unix/Linux example on DVWA: 9.9.9.9; cat /etc/passwd
Windows example on DVWA: 9.9.9.9 && dir
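The DVWA page behind those inputs concatenates the field into a ping command line and hands it to a shell, which is why a ";" or "&&" turns one command into two. The Python below is an added example written for this post, not DVWA's own PHP or code from the referenced course: it shows the vulnerable concatenation as a string (not executed, so the effect of the inputs above is visible) beside a hardened handler that allow-lists the value as an IP address or plain hostname and then passes it as a single argv element with no shell involved. The "ping -c 1" command and the test inputs are taken from the post; the hostname rule is a conventional one written for this example.

```python
import ipaddress
import re
import shlex
import subprocess

# Conventional hostname shape: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_host(value: str) -> bool:
    """Allow-list check: the value must be an IP address or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def vulnerable_command(user_input: str) -> str:
    """Before: the raw form field is concatenated into a shell command line.

    Returned as a string rather than executed, so the effect of the post's
    "9.9.9.9; cat /etc/passwd" input is visible: the shell would see two commands.
    """
    return "ping -c 1 " + user_input


def hardened_argv(user_input: str) -> list:
    """After: validate first, then pass the value as one argv element with no shell.

    subprocess.run(argv) with shell=False hands the list straight to the OS, so
    metacharacters such as ';', '&&' or '|' are just bytes in a hostname argument.
    """
    if not is_valid_host(user_input):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", user_input]


def quoted_shell_command(user_input: str) -> str:
    """Secondary control when a shell really is required: quote so the value stays one word.

    Quoting alone keeps the injected text inside a single argument, but the
    allow-list in is_valid_host() remains the primary defence.
    """
    return "ping -c 1 " + shlex.quote(user_input)


def run_ping(user_input: str) -> str:
    """Execute the hardened form (not called by demo(); ping may not exist on every box)."""
    result = subprocess.run(hardened_argv(user_input), capture_output=True, text=True, timeout=10)
    return result.stdout


def demo() -> dict:
    """Replay the post's two DVWA inputs, plus two legitimate ones, through each handler."""
    results = {}
    for payload in ("9.9.9.9; cat /etc/passwd", "9.9.9.9 && dir", "9.9.9.9", "corp.example.org"):
        try:
            hardened = hardened_argv(payload)
        except ValueError as exc:
            hardened = str(exc)
        results[payload] = {
            "vulnerable": vulnerable_command(payload),
            "quoted": quoted_shell_command(payload),
            "hardened": hardened,
        }
    return results


if __name__ == "__main__":
    for payload, outcome in demo().items():
        print(repr(payload), outcome)
```

The order matters: validate against an allow-list of what the field is supposed to contain, then avoid the shell entirely; escaping is the fallback for the rare case where a shell feature is genuinely needed.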

Thursday, 5 January 2017

Types of penetration attacks on computer networks and systems


Reference: Ethical Hacking and Penetration with Kali Linux


There are a number of different attacks that can be carried out on a network or system. The main categories are explained below:

Full penetration

Taking full control of the system and accessing its resources and data. This is a very complex and difficult task and requires spending a long time investigating vulnerabilities and ways to access the system.

Denial of Service

Interrupting the system’s operation and affecting its users. This is usually an easier type of attack which can be achieved with less time and effort; however, it can be a big problem in big organizations.

Specific Information


Theft or disclosure of documents or information. This could mean accessing documents or penetrating a database, but usually the attacker is looking for some specific information and is not interested in damaging any system.

Social Engineering


The art of manipulating people so they give up confidential information. This is perhaps the easiest way of attacking and doesn’t require any technical knowledge. The attacker will usually use the users, administrators or employees to get information out of them and use that information to penetrate the systems.

Wednesday, 4 January 2017

How to get prepared for Penetration Testing


Reference: Ethical Hacking and Penetration with Kali Linux



Once you want to start a penetration project, there are a number of things you need to consider. Remember, without following the proper steps, getting approvals and finalizing an agreement with the customer, using these techniques is illegal and against the law.



Important things to consider before you start:
  • Get signed approval for all tests from the customer
  • You need to sign a confidentiality agreement (NDA)
  • Get approval of collateral parties (ISPs)
  • Put together the team and tools and get ready for the tests
  • Define goals (DoS, penetration, etc.)
  • Set the ground rules (rules of engagement with the customer and team)
  • Set the schedule (non-work hours, weekends?)
  • Notify appropriate parties (sysadmins, security department, legal department, law enforcement)