Policy
Sprocket Ongoing Enablement
The Company hereby hires Sprocket Security to perform the following tests:
Continuous Penetration Testing
Sprocket Security shall perform continuous security testing with the goal of minimizing the Company's risk exposure by identifying vulnerabilities as soon as they are exposed. Sprocket Security does this by monitoring the Company's assets for change, determining whether that change requires security testing, and testing threat tactics as they become publicly known.
Continuous penetration testing includes the following:
- An initial external penetration test (including all items described in the section titled “External Penetration Testing” below) to be performed within 90 days of the initial kick-off call for the engagement.
- Sprocket Security shall use information learned from the external penetration test to seed a proprietary monitoring engine to identify when the following external (publicly accessible) assets change:
- DNS records
- IP addresses
- Network services (TCP and UDP ports)
- Websites and URLs
- Sprocket Security shall review the change internally and determine whether a penetration tester should take further action to test the security impact of the change.
- Sprocket Security shall test the Company’s assets for newly disclosed threat tactics. A threat tactic could be an exploit, technique, or procedure used by threat actors.
- Sprocket Security shall make a best effort to identify changes, but the Company understands that some technologies are difficult to monitor and, in some circumstances, change may not be identified. The Company shall be able to inform Sprocket Security of changes or provide advance notice for scheduled testing.
- Sprocket Security shall be available to assist the Company's IT staff with security-related consulting. This includes answering questions, providing advice, mentoring, and general consulting, not to exceed 4 hours a month unless otherwise agreed between Sprocket Security and the Company.
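The change-monitoring idea in the list above (take a baseline of the externally visible DNS records, IP addresses, network services and URLs, then watch for drift and decide which changes a tester should look at) is illustrated below. This is an added example written for this page, not Sprocket Security's monitoring engine: the snapshot format, the constructed sample inventories, and the rule that escalates newly exposed administration or database ports are all assumptions made for the illustration.

```python
"""Attack-surface change detection: diff two snapshots of externally visible
assets and flag the additions that warrant a human security review.

Added example for illustration only; not Sprocket Security's engine. The
snapshot layout, the sample data and the triage rule are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The four asset categories the SOW says are monitored for change.
CATEGORIES = ("dns", "ips", "services", "urls")

# Assumed triage heuristic (not from the SOW): a newly exposed remote-admin or
# database port is escalated above other additions.
ADMIN_PORTS = {21, 22, 23, 445, 1433, 3306, 3389, 5900}


@dataclass(frozen=True)
class Change:
    category: str
    kind: str      # "added" or "removed"
    asset: str
    priority: str  # "high" / "medium" need tester review; "info" is log only


@dataclass
class Snapshot:
    dns: set = field(default_factory=set)       # "name TYPE value"
    ips: set = field(default_factory=set)       # "203.0.113.10"
    services: set = field(default_factory=set)  # "ip/proto/port"
    urls: set = field(default_factory=set)      # "https://host/path"


def service_port(asset: str) -> int:
    """Extract the port number from an "ip/proto/port" service string."""
    return int(asset.rsplit("/", 1)[1])


def triage(category: str, kind: str, asset: str) -> str:
    """Decide how urgently a single change needs a tester's attention.

    Removals reduce exposure, so they are recorded but not queued for review.
    """
    if kind == "removed":
        return "info"
    if category == "services" and service_port(asset) in ADMIN_PORTS:
        return "high"
    return "medium"


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> list[Change]:
    """Return every added or removed asset, ordered deterministically."""
    changes: list[Change] = []
    for category in CATEGORIES:
        before: set = getattr(baseline, category)
        after: set = getattr(current, category)
        for asset in sorted(after - before):
            changes.append(Change(category, "added", asset, triage(category, "added", asset)))
        for asset in sorted(before - after):
            changes.append(Change(category, "removed", asset, "info"))
    return changes


def review_queue(changes: list[Change]) -> list[Change]:
    """Changes a penetration tester should act on, highest priority first."""
    order = {"high": 0, "medium": 1}
    return sorted(
        (c for c in changes if c.priority != "info"),
        key=lambda c: (order[c.priority], c.category, c.asset),
    )


def format_report(changes: list[Change]) -> list[str]:
    """One human-readable line per change."""
    return [f"[{c.priority.upper():6}] {c.category}: {c.kind} {c.asset}" for c in changes]


# Constructed sample inventories (documentation-range addresses, example.com).
BASELINE = Snapshot(
    dns={"www.example.com A 203.0.113.10", "mail.example.com A 203.0.113.20"},
    ips={"203.0.113.10", "203.0.113.20"},
    services={"203.0.113.10/tcp/443", "203.0.113.20/tcp/25"},
    urls={"https://www.example.com/", "https://www.example.com/login"},
)
CURRENT = Snapshot(
    dns=BASELINE.dns | {"vpn.example.com A 203.0.113.30"},
    ips=BASELINE.ips | {"203.0.113.30"},
    # A new VPN host appeared, RDP was exposed on the web server, SMTP went away.
    services=(BASELINE.services - {"203.0.113.20/tcp/25"})
    | {"203.0.113.30/tcp/443", "203.0.113.10/tcp/3389"},
    urls=BASELINE.urls | {"https://www.example.com/admin"},
)

if __name__ == "__main__":
    for line in format_report(diff_snapshots(BASELINE, CURRENT)):
        print(line)
```

In practice the two snapshots would be produced by the organization's own inventory tooling on a schedule; the value of the diff is that only the delta, not the whole inventory, reaches a human, and the triage rule makes the review queue short and ordered.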
External Penetration Testing
Sprocket Security shall perform security testing to mimic real-world hackers attempting to breach the Company’s publicly accessible network. The goal of the test is to identify vulnerabilities and provide the Company with recommendations to mitigate the risks.
Sprocket Security shall conduct the external penetration test in the following phases:
Phase I – Pre-Engagement
A pre-engagement kickoff call shall be conducted to clearly establish the following:
- Testing methodology, goals, and desired outcomes
- Testing scope
- Scheduling and timelines for active testing and report delivery
- Key personnel (points of contact) and exchange of contact information
Phase II – Intelligence Gathering
The goal of this phase is to gain an external perspective of the organization, its employees, and information systems. The intelligence gathered is used in testing to increase the probability of successful exploitation.
- Sprocket Security shall perform an intelligence gathering phase consisting of reconnaissance and OSINT (Open Source Intelligence) activities.
- Examples of reconnaissance and OSINT activities are:
- Identifying employees and harvesting their contact information from public resources
- Discovering IT infrastructure technologies and software used within the organization
- Discovering credentials through publicly exposed breach data
- Discovering URLs and extracting metadata from publicly available files
Phase III – Vulnerability Analysis
The goal of this phase is to identify possible vulnerabilities in both infrastructure and personnel against which exploitation can then be actively attempted.
- Sprocket Security shall perform port scanning against in-scope IP addresses to obtain a list of networked services to be tested for vulnerabilities.
- Sprocket Security shall simulate attacks against services using brute-force techniques. The goal is to discover hidden content and user account information.
- Sprocket Security shall test authentication logins to enumerate usernames, emails, and passwords.
- Sprocket Security shall test web servers for inadvertent exposure of sensitive files and data.
- Sprocket Security shall test web application functions with enumerable data in an attempt to discover information disclosures.
- Sprocket Security shall test DNS services to identify records.
- Sprocket Security shall test web servers for hidden directories and files.
- Sprocket Security shall spider websites to identify additional assets and identify a comprehensive attack surface.
- Sprocket Security shall use tools specialized in scanning networks for vulnerabilities.
Phase IV – Attack & Exploitation
The goal of this phase is to perform attacks until successful exploitation and breach of the Company’s perimeter network is achieved.
- Sprocket Security shall attempt to exploit discovered vulnerabilities.
- If security controls and defenses are preventing exploitation, Sprocket Security shall attempt to circumvent them. These may include firewalls, intrusion prevention systems, host- and network-based anti-virus, etc.
- If password hashes (a cryptographic form of a password) are obtained, Sprocket Security shall attempt to crack them to discover their clear-text password.
Phase V – Post Exploitation
The goal of this phase is to mimic the actions carried out by real-world attackers after a breach of the Company’s perimeter network.
- Sprocket Security shall perform a post-exploitation phase if the previous phase (Attack & Exploitation) was successful.
- Sprocket Security shall set up persistence to maintain access to the Company’s internal network and workstations.
- Sprocket Security shall simulate lateral movement by pivoting their access from an internal workstation to other systems on the internal network.
- Sprocket Security shall attempt to extract sensitive information from memory, the network, file shares, and documents.
- Sprocket Security shall attempt to harvest credentials and escalate privileges to gain control of IT systems.
- Sprocket Security shall attempt to obtain high-value or important assets as agreed upon during the pre-engagement kickoff call. This mimics what real-world attackers could steal if a breach were to happen.
- Examples of high-value assets are: databases, credit cards, personal/customer/payroll information, business plans, source code, etc.
Phase VI – Post-Engagement & Reporting
The goal of this phase is to perform a thorough review of data collected during the engagement and provide a comprehensive report of all vulnerabilities and actions performed during the test.
- In this phase, after active testing is complete, Sprocket Security shall perform all actions as described in the “Deliverables” section of this SOW.
- Sprocket Security shall make a best effort to clean up any artifacts from testing. In the rare case that cleanup is not possible, specific instructions will be provided.
- Sprocket Security shall provide remediation validation for findings at the request of the Company for publicly accessible systems.
General Notes
- Sprocket Security does not perform Denial of Service (DoS) attacks unless approved by and coordinated with the Company.
- If Sprocket Security discovers a critical vulnerability that should be remediated immediately, the consultant will inform and advise the point of contact immediately.
- The Company understands that penetration testing is not without risk. Sprocket Security’s consultants leverage their industry experience to minimize or avoid causing disruption to the business.
Internal Penetration Testing
Sprocket Security will perform an internal penetration test to mimic a real-world insider threat. The goal of the test is to identify vulnerabilities and provide the Company with recommendations to mitigate the risks. Sprocket Security will use techniques commonly carried out by a determined attacker, malware, a malicious insider, or a disgruntled employee.
Sprocket Security shall conduct the internal penetration test in the following phases:
Phase I – Pre-Engagement
A pre-engagement kickoff call shall be conducted to clearly establish the following:
- Testing methodology, goals, and desired outcomes
- Testing scope and locations
- Scheduling and timelines for active testing and report delivery
- Key personnel (points of contact) and exchange of contact information
Phase II – Attack & Exploitation (Uncredentialed)
The goal of this phase is to determine the risks to the organization from an insider threat that has authorized network connectivity to the internal network. This phase conducts testing without valid domain credentials or login IDs.
- Sprocket Security shall enumerate hosts and services by port scanning in-scope IP addresses to obtain a list of networked services to be tested for vulnerabilities.
- Sprocket Security shall use tools specialized in scanning networks for vulnerabilities.
- Sprocket Security shall attempt to exploit discovered vulnerabilities.
- Sprocket Security shall simulate attacks against services using brute-force techniques.
- Sprocket Security shall attempt to harvest login credentials from users via insecure network protocols.
- If password hashes (a cryptographic form of a password) are obtained, Sprocket Security shall attempt to crack them to discover their clear-text password.
Phase III – Attack & Exploitation (Credentialed)
The goal of this phase is to determine the risks to the organization from an insider threat that has authorized network connectivity and valid credentials (either provided by the Company or obtained during the previous phase).
This phase includes everything listed in the previous phase with the addition of the following:
- Sprocket Security shall mimic real-world insider threats by leveraging credentials and login IDs to access sensitive company information.
- Sprocket Security shall utilize credentialed access to obtain additional credentials and simulate escalation of privileges.
Phase IV – Post Exploitation
The goal of this phase is to mimic the actions carried out by real-world attackers after unauthorized access is obtained.
- Sprocket Security shall perform a post-exploitation phase if the previous phases (Attack & Exploitation) were successful.
- Sprocket Security shall simulate lateral movement by pivoting their access from an internal workstation to other systems on the internal network.
- Sprocket Security shall attempt to extract sensitive information from memory, the network, file shares, and documents.
- Sprocket Security shall attempt to harvest credentials and escalate privileges to gain control of IT systems.
- Sprocket Security shall attempt to obtain high-value or important assets as agreed upon during the pre-engagement kickoff call. This mimics what real-world attackers could steal if a breach were to happen.
- Examples of high-value assets are: databases, credit cards, personal/customer/payroll information, business plans, privileged domain accounts, source code, etc.
Phase V – Post-Engagement & Reporting
The goal of this phase is to perform a thorough review of data collected during the engagement and provide a comprehensive report of all vulnerabilities and actions performed during the test.
- In this phase, after active testing is complete, Sprocket Security shall perform all actions as described in the “Deliverables” section of this SOW.
- Sprocket Security shall make a best effort to clean up any artifacts from testing. In the rare case that cleanup is not possible, specific instructions will be provided.
- Sprocket Security shall provide remediation validation for findings at the request of the Company.
General Notes
- Sprocket Security does not perform Denial of Service (DoS) attacks unless approved by and coordinated with the Company.
- If Sprocket Security discovers a critical vulnerability that should be remediated immediately, the consultant will inform and advise the point of contact upon discovery.
- Sprocket Security will perform the internal penetration test remotely by providing a preconfigured system (dropbox). The dropbox connects back to Sprocket Security over a secure channel. All network traffic will originate from the dropbox.
- The Company understands that penetration testing is not without risk. Sprocket Security’s consultants leverage their industry experience to minimize or avoid causing disruption to the business.
Social Engineering
Sprocket Security will perform social engineering tests to mimic real-world threat actors attempting to abuse human interactions to gain access to the Company’s internal network.
Sprocket Security shall conduct 4-6 social engineering tests in the following phases:
Phase I - Campaign Development
The goal of this phase is to develop and design campaigns on one or more of the following criteria:
- Mimic real-world techniques and tactics
- Provision phone-based (voice or text) or email-based delivery methods
- Develop custom pretexts for voice or text-based campaigns
- Design campaigns to evade technical security controls such as email gateways and spam filters
- Spoof valid web pages, employees, or company affiliates
- Include the latest techniques for exploitation of workstations
Phase II - Active Testing
The goal of this phase is to execute campaigns to harvest sensitive information or breach the internal network.
- Sprocket Security shall deliver email, voice, or text-based campaigns in an attempt to trick personnel into performing a requested action or executing a file attachment.
- Sprocket Security shall monitor and modify campaigns to improve the success rate. Actions may include responding to users, changing URLs to evade security controls, and changing the delivery rate.
- Sprocket Security shall record statistics on clicks, credential submissions, and successful exploitation.
Phase III - Post Exploitation (Showcase Impact)
The goal of this phase is to demonstrate the impact of a successful social engineering attack. Sprocket Security shall perform this phase only if, during the previous phase, a user submitted sensitive data or a workstation was exploited. The following actions shall be performed if applicable to the campaign:
- Sprocket Security shall attempt to log in to company resources with harvested passwords.
- Sprocket Security shall attempt to escalate privileges within the internal network.
- Sprocket Security may simulate lateral movement by pivoting their access from an internal workstation to other systems on the internal network.
- Sprocket Security may attempt to extract sensitive information from memory, the network, file shares, and documents.
- Sprocket Security may attempt to obtain high-value or important assets. This mimics what real-world attackers could steal if a breach were to happen.
Phase IV - Post-Engagement & Reporting
The goal of this phase is to perform a thorough review of data collected and provide a comprehensive report of all vulnerabilities and actions performed during the test.
- Sprocket Security shall share all collected metrics on users/employees who fell victim to the test.
- Sprocket Security shall perform all actions as described in the “Deliverables” section of this SOW.
- Sprocket Security shall make a best effort to clean up any artifacts from testing. In the rare case that cleanup is not possible, specific instructions will be provided.
Web Application Penetration Testing
Sprocket Security will perform a web application penetration test with the goal of identifying vulnerabilities and providing the Company with recommendations to mitigate the risks.
Sprocket Security shall conduct the web application penetration test in the following phases:
Phase I – Pre-Engagement
A pre-engagement kickoff call shall be conducted to clearly establish the following:
- Testing methodology, goals, and desired outcomes
- Testing scope and locations, URLs, and API documentation
- Scheduling and timelines for active testing and report delivery
- Key personnel (points of contact) and exchange of contact information
Phase II – Unauthenticated Testing
The goal of this phase is to determine the risks to the organization and attempt to compromise the application and its data. This phase conducts testing without valid user credentials and with no prior information about the application.
- Sprocket Security shall perform port scanning and identify vulnerabilities in the underlying servers hosting the application. Sprocket Security shall attempt to discover misconfigurations and weaknesses related to the web server. Examples include TLS/SSL vulnerabilities, HTTP headers, and cookies and their attributes.
- Sprocket Security shall map the application to identify URLs, third-party software libraries, and cloud services, and test them for known vulnerabilities and misconfigurations.
- Sprocket Security shall attempt to discover information leakage through hidden URLs, files, and directories not intended to be exposed by the application.
- Sprocket Security shall perform non-authenticated web application vulnerability scans using custom and commercially available tools.
- Sprocket Security shall perform enumeration and brute-force attacks against locations that require authentication and attempt to identify authentication weaknesses. All authentication testing will be done without valid credentials to mimic attacks from the Internet.
- Sprocket Security shall attempt to circumvent or exploit cryptographic flaws. If password hashes (a cryptographic form of a password) are obtained, Sprocket Security shall attempt to crack them to discover their clear-text password.
- Sprocket Security shall test for input handling vulnerabilities. This is done by fuzzing parameters used by the application and APIs and testing client-side controls. The goal is to identify vulnerabilities through the application’s responses to unexpected data input.
Phase III – Post-Engagement & Reporting
The goal of this phase is to perform a thorough review of data collected during the engagement and provide a comprehensive report of all vulnerabilities and actions performed during the test.
- In this phase, after active testing is complete, Sprocket Security shall perform all actions as described in the “Deliverables” section of this SOW.
- Sprocket Security shall provide remediation validation for findings at the request of the Company.
Web Application Assessment - General Notes
- Sprocket Security’s testing utilizes methodologies that identify the following categories of vulnerabilities as defined by the Open Web Application Security Project (OWASP) Top Ten Project:
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable and Outdated Components
- A07: Identification and Authentication Failures
- A08: Software and Data Integrity Failures
- A09: Security Logging and Monitoring Failures
- A10: Server-Side Request Forgery
- If Sprocket Security discovers a critical vulnerability that should be remediated immediately, the consultant will inform and advise the point of contact upon discovery.
- If the application is not publicly accessible, Sprocket Security will perform the test remotely by providing a preconfigured system (dropbox). The dropbox connects back to Sprocket Security over a secure channel. All network traffic will originate from the dropbox.
- Sprocket Security strongly urges the Company to host a non-production setup of the application infrastructure for testing. This includes a non-production database with test data. During testing, data can be created, deleted, or modified. If Sprocket Security is requested to perform testing against a production system, it shall not be held liable for loss of data.
- The Company understands that penetration testing is not without risk. Sprocket Security’s consultants leverage their industry experience to minimize or avoid causing disruption to the business.
Web Application Assessment
Sprocket Security will perform a web application assessment with the goal of identifying vulnerabilities and providing the Company with recommendations to mitigate the risks.
Sprocket Security shall conduct the web application assessment in the following phases:
Phase I – Pre-Engagement
A pre-engagement kickoff call shall be conducted to clearly establish the following:
- Testing methodology, goals, and desired outcomes
- Testing scope and locations, URLs, and API documentation
- Scheduling and timelines for active testing and report delivery
- Key personnel (points of contact) and exchange of contact information
Phase II – Unauthenticated Testing
The goal of this phase is to determine the risks to the organization and attempt to compromise the application and its data. This phase conducts testing without valid user credentials and with no prior information about the application.
- Sprocket Security shall perform port scanning and identify vulnerabilities in the underlying servers hosting the application. Sprocket Security shall attempt to discover misconfigurations and weaknesses related to the web server. Examples include TLS/SSL vulnerabilities, HTTP headers, and cookies and their attributes.
- Sprocket Security shall map the application to identify URLs, third-party software libraries, and cloud services, and test them for known vulnerabilities and misconfigurations.
- Sprocket Security shall attempt to discover information leakage through hidden URLs, files, and directories not intended to be exposed by the application.
- Sprocket Security shall perform non-authenticated web application vulnerability scans using custom and commercially available tools.
- Sprocket Security shall perform enumeration and brute-force attacks against locations that require authentication and attempt to identify authentication weaknesses. All authentication testing will be done without valid credentials to mimic attacks from the Internet.
- Sprocket Security shall attempt to circumvent or exploit cryptographic flaws. If password hashes (a cryptographic form of a password) are obtained, Sprocket Security shall attempt to crack them to discover their clear-text password.
- Sprocket Security shall test for input handling vulnerabilities. This is done by fuzzing parameters used by the application and APIs and testing client-side controls. The goal is to identify vulnerabilities through the application’s responses to unexpected data input.
Phase III – Authenticated Testing
The goal of this phase is to determine the risks to the organization from post-authentication functions within the in-scope applications. This phase includes all objectives from phase II with the following additions:
- Sprocket Security shall use privileged user accounts and roles to test systems. The goal is to identify weaknesses related to authentication and authorization.
- The Company agrees to provide Sprocket Security with two user accounts per role tested.
- Sprocket Security shall test using multiple accounts/roles and attempt to discover weaknesses in access controls between accounts. Example: user1 shouldn’t be able to read documents uploaded by user2.
- Sprocket Security shall attempt to abuse and circumvent session management controls.
- Sprocket Security shall attempt to identify business logic flaws through application functions and workflows.
Phase IV – Post-Engagement & Reporting
The goal of this phase is to perform a thorough review of data collected during the engagement and provide a comprehensive report of all vulnerabilities and actions performed during the test.
- In this phase, after active testing is complete, Sprocket Security shall perform all actions as described in the “Deliverables” section of this SOW.
- Sprocket Security shall provide remediation validation for findings at the request of the Company.
Web Application Assessment - General Notes
- Sprocket Security’s testing utilizes methodologies that identify the following categories of vulnerabilities as defined by the Open Web Application Security Project (OWASP) Top Ten Project:
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable and Outdated Components
- A07: Identification and Authentication Failures
- A08: Software and Data Integrity Failures
- A09: Security Logging and Monitoring Failures
- A10: Server-Side Request Forgery
- If Sprocket Security discovers a critical vulnerability that should be remediated immediately, the consultant will inform and advise the point of contact upon discovery.
- If the application is not publicly accessible, Sprocket Security will perform the test remotely by providing a preconfigured system (dropbox). The dropbox connects back to Sprocket Security over a secure channel. All network traffic will originate from the dropbox.
- Sprocket Security strongly urges the Company to host a non-production setup of the application infrastructure for testing. This includes a non-production database with test data. During testing, data can be created, deleted, or modified. If Sprocket Security is requested to perform testing against a production system, it shall not be held liable for loss of data.
- The Company understands that penetration testing is not without risk. Sprocket Security’s consultants leverage their industry experience to minimize or avoid causing disruption to the business.
Wireless Penetration Test
Sprocket Security shall conduct one wireless penetration test with the goal of identifying weaknesses and circumventing security controls.
- Sprocket Security shall test a wireless network at the home location (TBD) of the Company.
- Sprocket Security shall identify the wireless technologies in use and the protocols and encryption algorithms they use, such as WEP, WPA, WPA2, TKIP, LEAP, PEAP, etc. Depending on the technologies used, Sprocket Security shall perform any of the following:
- De-authentication attacks to force users to disconnect from and reconnect to the wireless network in an attempt to harvest packets and 4-way handshakes, or to have clients authenticate to fake RADIUS servers.
- Cryptographic attacks against weak protocols and cracking of frame contents extracted from 4-way handshakes.
- WPS attacks such as brute-forcing PINs.
- Passive harvesting of credential information, such as usernames, from authentication traffic.
- Rogue Access Point and “Evil Twin” attacks against wireless clients. These man-in-the-middle attacks attempt to trick systems that automatically connect to trusted networks by impersonating known access points and SSIDs. The fake access point is set up to harvest authentication and other sensitive information that could lead to a compromise of the Company’s networks.
- Sprocket Security shall document any observed security countermeasures that mitigate the attacks attempted.