PT0-002 Planning and Scoping

Planning and Scoping Detailed Explanation

1.1 Planning Test Activities

What is Planning Test Activities?

Planning test activities means deciding how the penetration test will be conducted. This includes the type of test to perform, evaluating risks, and ensuring the right tools and people are available for the job.

Selecting Test Types

Penetration testing can be performed in different ways depending on how much information the tester has about the target system. Here are the main types of testing:

  • Black-box Testing:

    • What it is: The tester knows nothing about the internal system (like a real-world hacker trying to breach an unfamiliar system).
    • Example: Imagine you are hired to test a company’s website security but are not told how the website is built or hosted.
    • Advantages:
      • Simulates a real-world attack.
      • Requires no prior system knowledge.
    • Disadvantages:
      • Time-consuming as the tester starts from scratch.
      • Might miss vulnerabilities hidden deep in the system.
  • White-box Testing:

    • What it is: The tester has full access to internal information, such as source code, network diagrams, and credentials.
    • Example: You are given admin access to a web application and told to find any vulnerabilities in its code.
    • Advantages:
      • Thorough testing of internal structures.
      • Easier to find complex vulnerabilities.
    • Disadvantages:
      • Does not simulate a real-world attack.
      • Requires significant trust from the client.
  • Gray-box Testing:

    • What it is: The tester has partial knowledge of the system, combining aspects of black-box and white-box testing.
    • Example: You are given a basic overview of the system, such as user roles or application architecture, but not full access.
    • Advantages:
      • Balances real-world simulation and comprehensive testing.
      • Less time-consuming than black-box testing.
    • Disadvantages:
      • Might miss deeper vulnerabilities not covered by the tester’s partial knowledge.

Risk Assessment

Before starting the test, assess potential risks to avoid unexpected problems.

  • Production Environment Risks:

    • Penetration testing may cause disruptions to live systems.
    • Example: Scanning for vulnerabilities might slow down a company’s website, affecting customers.
    • Solution: Test on non-production environments whenever possible.
  • Data Risks:

    • Tests might accidentally delete or modify data.
    • Example: Exploiting a database vulnerability could corrupt important records.
    • Solution: Ensure backups are in place and communicate clearly with stakeholders about potential impacts.

Resource Allocation

To run a successful test, you need the right people and tools.

  • Define Team Size and Required Skillsets:

    • Example: If the target is a web application, ensure team members have experience in web security testing.
    • Include roles like:
      • Penetration testers (junior and senior levels).
      • Project managers to oversee the process.
      • Report writers to document results.
  • Identify Hardware and Software Tools Needed:

    • Tools like:
      • Nmap for network scanning.
      • Burp Suite for web application testing.
      • Metasploit for exploiting vulnerabilities.
    • Example: If testing involves mobile apps, you may need emulators or mobile-specific tools.

1.2 Defining the Scope

What is Defining the Scope?

This step determines what will be tested and what will not be tested. It sets clear boundaries to ensure the test is focused and avoids unnecessary risks.

Asset Identification

List all the systems and components that will be included in the test:

  • Network Devices:
    • Examples: Firewalls, routers, switches.
    • Reason: These devices control traffic and are critical for network security.
  • Applications:
    • Examples: Websites, mobile apps, APIs.
    • Reason: Applications often store sensitive data and are a common target for attackers.
  • Databases:
    • Examples: SQL or NoSQL databases.
    • Reason: Databases store critical business information like user credentials or financial data.

Testing Boundaries

Define exactly what areas of the system are in scope and what areas are out of scope:

  • In Scope:
    • Examples:
      • Specific IP address ranges.
      • Certain subdomains of a website.
    • Benefit: Ensures testers focus on authorized targets.
  • Out of Scope:
    • Examples:
      • Core production databases.
      • Third-party systems not owned by the organization.
    • Benefit: Prevents unnecessary risks to critical systems or legal issues.
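
The in-scope and out-of-scope lists above are only useful if every target is checked against them before a tool is pointed at it. The following scope validator is an added example and is not part of the original study guide: it takes authorized CIDR ranges and domain suffixes, applies explicit exclusions with priority over inclusions (so one protected host inside an authorized /24 stays protected), and matches hostnames on whole DNS labels so that `notshop.example.com` is not mistaken for a subdomain of `shop.example.com`. The `Scope` structure and all addresses and names are constructed for illustration (IETF documentation ranges and `example.com`), not a real client's scope.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Scope:
    """Testing boundaries agreed with the client (hypothetical structure)."""
    in_scope_networks: List[str] = field(default_factory=list)      # CIDR ranges
    in_scope_domains: List[str] = field(default_factory=list)       # domain suffixes
    out_of_scope_networks: List[str] = field(default_factory=list)  # exclusions win
    out_of_scope_domains: List[str] = field(default_factory=list)


def _ip_in_networks(ip, networks: List[str]) -> bool:
    """True if ip falls inside any CIDR in the list (IPv4 and IPv6 handled)."""
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def _host_in_domains(host: str, domains: List[str]) -> bool:
    """Suffix match on whole labels: 'www.shop.example.com' matches
    'shop.example.com', but 'notshop.example.com' does not."""
    host = host.lower().rstrip(".")
    for domain in domains:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def check_target(target: str, scope: Scope) -> Tuple[bool, str]:
    """Decide whether a single target (IP address or hostname) may be tested.
    Out-of-scope entries are evaluated first so they always take precedence."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an address literal, treat as a hostname

    if ip is not None:
        if _ip_in_networks(ip, scope.out_of_scope_networks):
            return False, f"{target}: explicitly excluded address"
        if _ip_in_networks(ip, scope.in_scope_networks):
            return True, f"{target}: inside an authorized range"
        return False, f"{target}: not inside any authorized range"

    if _host_in_domains(target, scope.out_of_scope_domains):
        return False, f"{target}: explicitly excluded domain"
    if _host_in_domains(target, scope.in_scope_domains):
        return True, f"{target}: under an authorized domain"
    return False, f"{target}: not under any authorized domain"


def split_targets(targets: List[str], scope: Scope):
    """Partition a candidate list into (allowed, denied), each with its reason."""
    allowed, denied = [], []
    for target in targets:
        ok, reason = check_target(target, scope)
        (allowed if ok else denied).append((target, reason))
    return allowed, denied


# Constructed sample scope using documentation ranges and example.com names.
EXAMPLE_SCOPE = Scope(
    in_scope_networks=["203.0.113.0/24", "2001:db8:10::/48"],
    in_scope_domains=["shop.example.com"],
    out_of_scope_networks=["203.0.113.10/32"],      # core production database host
    out_of_scope_domains=["payments.example.com"],  # third-party payment gateway
)

if __name__ == "__main__":
    candidates = ["203.0.113.5", "203.0.113.10", "198.51.100.7", "2001:db8:10::1",
                  "www.shop.example.com", "notshop.example.com", "api.payments.example.com"]
    allowed, denied = split_targets(candidates, EXAMPLE_SCOPE)
    for _, reason in allowed:
        print("ALLOW ", reason)
    for _, reason in denied:
        print("DENY  ", reason)
```

The check is deliberately offline: it never resolves hostnames. In a real engagement a hostname that is in scope can still resolve to an address that is out of scope (a CDN or a third-party host), so the address a tool actually connects to should be run through the same address check as well.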

1.3 Legal and Compliance Requirements

What are Legal and Compliance Requirements?

These ensure the penetration test is conducted legally and meets relevant industry standards.

Authorization

Before starting any test, obtain proper authorization to avoid legal consequences:

  • Rules of Engagement (RoE):
    • A document that outlines:
      • What is in scope and out of scope.
      • The timeline of the test.
      • Tools and methods that will be used.
    • Example: If testing an e-commerce website, the ROE might specify that payment gateway testing is excluded.

Compliance

Certain industries require compliance with specific security standards:

  • GDPR (General Data Protection Regulation):
    • Applies to organizations handling personal data of EU citizens.
    • Testers must ensure no personal data is exposed or misused.
  • PCI DSS (Payment Card Industry Data Security Standard):
    • Applies to organizations processing credit card data.
    • Tests should focus on ensuring cardholder data is secure.

1.4 Communication and Approval

What is Communication and Approval?

Before the test begins, it’s critical to communicate the plan to all stakeholders and get their approval.

Delivering the Test Plan

Share the test plan with stakeholders to ensure alignment:

  • Test Scope:
    • Clearly define what will be tested.
  • Test Objectives:
    • Explain the purpose of the test, such as identifying security weaknesses or meeting compliance standards.
  • Timeline:
    • Specify when the test will start and end.

Follow-up

Once the plan is shared, follow up to address any concerns:

  • Clarify Risks and Impacts:
    • Example: Let stakeholders know that testing the website might cause minor downtime.
  • Obtain Written Approval:
    • Ensure all stakeholders sign off on the test plan to avoid disputes later.

Why is Planning and Scoping Important?

Planning and scoping lay the foundation for a successful penetration test by:

  • Ensuring legal compliance.
  • Reducing risks to critical systems.
  • Focusing on meaningful targets.
  • Providing clear communication to all stakeholders.

Planning and Scoping (Additional Content)

1. Ethical Hacking Mindset

Why It Matters

In penetration testing, the correct ethical mindset is not optional; it is foundational. Testers are given special privileges to simulate malicious behavior, but they must operate with integrity, caution, and full respect for legal and ethical boundaries.

Core Principles of the Ethical Hacker's Mindset

  1. Operate Under Legal Authorization Only
    • A penetration tester should never conduct any activity that is not explicitly authorized by the client.
    • Even if a system looks vulnerable or interesting, if it's outside the agreed-upon scope, it must be avoided.

  2. Minimize Impact to Systems and Data
    • Always act with the principle of “do no harm”: use the least intrusive methods first.
    • For example, use safe scans before attempting high-impact exploits.

  3. Report Any Out-of-Scope or Sensitive Findings Immediately
    • If the tester inadvertently gains access to out-of-scope systems or sensitive data (e.g., personal medical records, financial credentials), they must halt further action and notify the client.
    • The goal is to protect, not expose, the organization.

  4. Maintain Confidentiality and Professional Conduct
    • Do not retain any sensitive data post-engagement.
    • Follow nondisclosure agreements (NDAs) and respect all legal boundaries.

Why This Is Crucial for the Exam and the Field

Ethical behavior is not just a checkbox; it affects client trust, legal liability, and the success of your career. The PT0-002 exam expects you to demonstrate this mindset when answering scenario-based questions.

2. Environmental Considerations in Greater Detail

Why This Is Important

Penetration testing, especially against production systems, introduces real risk. Even simple scans can cause unexpected slowdowns or crashes. Therefore, detailed environmental planning is essential.

Deeper Environmental Planning Topics

  1. Timing the Test Strategically
    • Low-Traffic Hours: Schedule testing during off-peak periods, such as weekends or midnight maintenance windows.
    • Why: Reduces the risk of business disruption.

  2. Using Redundant or Staging Environments
    • Staging/Test Environments: For high-risk tests (e.g., DoS simulation, privilege escalation), clients should ideally provide a mirrored test system.
    • Why: Protects live data and operations.

  3. Pre-Test Risk Simulation or Assessment
    • What to Do:
      • Evaluate which tests might have high-impact outcomes.
      • Plan contingencies: for example, what happens if the firewall crashes during the scan?
    • Mechanisms: Use impact analysis matrices or simulate certain scans internally before hitting client systems.

  4. Communication During Testing
    • Let the client know in advance:
      • “This action could cause a 2–3 minute service delay.”
      • “We recommend monitoring CPU/memory/network during this time.”

3. Rules of Engagement (RoE) Document – Example Structure

Why This Is Important

The Rules of Engagement (RoE) is the legal and procedural backbone of any penetration test. It defines what is allowed, what is not, and who is responsible.

Typical Structure of an RoE Document

  1. Scope and Objectives
    • Systems/IP ranges/applications to be tested.
    • Goals of the engagement: e.g., test external-facing web apps for the OWASP Top 10.

  2. Authorized Testing Window
    • Exact dates and times when testing is allowed.
    • Whether testing is permitted outside business hours.

  3. In-Scope vs Out-of-Scope Targets
    • Clear IP ranges or systems that must not be touched (e.g., third-party SaaS apps, production databases).

  4. Methods and Tools Permitted
    • Whether social engineering, DoS, or physical testing is allowed.
    • Whether the tester may use custom scripts or only commercial tools.

  5. Data Handling & Confidentiality
    • What should be done if sensitive data is found?
    • Where logs, payloads, or evidence will be stored and for how long.

  6. Communication and Escalation Procedures
    • Who to contact in case of emergency (e.g., system outage).
    • How often progress updates will be delivered (e.g., daily briefings, weekly summaries).

  7. Reporting Requirements
    • Expected format and delivery date of the final report.
    • Whether an executive summary is required.

  8. Sign-Off
    • Authorized client representative signature.
    • Tester/team lead signature.
    • Date and time of agreement.

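Several of the RoE sections above (authorized testing window, permitted methods, escalation contact, sign-off) can be checked mechanically before any activity starts. The following pre-flight check is an added example, not part of the original study guide or of any real RoE template: it models the RoE as a small record, reports which sections are missing, and refuses an action when the document is unsigned, the current time falls outside the authorized window, or the requested method is not listed as permitted. The `RulesOfEngagement` layout, the method names, and the dates are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class RulesOfEngagement:
    """Machine-readable summary of the RoE sections (hypothetical layout)."""
    client: str
    objectives: List[str]           # section 1: scope and objectives
    window_start: datetime          # section 2: must be timezone-aware
    window_end: datetime
    permitted_methods: Set[str]     # section 4: e.g. {"vulnerability_scan"}
    emergency_contact: str          # section 6: who to call on an outage
    client_signoff: Optional[str] = None   # section 8
    tester_signoff: Optional[str] = None
    signed_at: Optional[datetime] = None


def missing_sections(roe: RulesOfEngagement) -> List[str]:
    """Return the RoE sections that are absent or inconsistent; empty means complete."""
    gaps = []
    if not roe.objectives:
        gaps.append("scope and objectives")
    if roe.window_start.tzinfo is None or roe.window_end.tzinfo is None:
        gaps.append("testing window without timezone")
    elif roe.window_end <= roe.window_start:
        gaps.append("testing window ends before it starts")
    if not roe.permitted_methods:
        gaps.append("permitted methods")
    if not roe.emergency_contact:
        gaps.append("emergency contact")
    if not roe.client_signoff:
        gaps.append("client sign-off")
    if not roe.tester_signoff:
        gaps.append("tester sign-off")
    return gaps


def in_testing_window(roe: RulesOfEngagement, now: datetime) -> bool:
    """True when `now` lies inside [window_start, window_end). Naive datetimes are
    rejected because a window written in the client's timezone is easy to misread."""
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware datetime for the current time")
    return roe.window_start <= now < roe.window_end


def authorize_action(roe: RulesOfEngagement, method: str, now: datetime) -> Tuple[bool, str]:
    """Gate a single testing activity against the RoE, with a reason either way."""
    gaps = missing_sections(roe)
    if gaps:
        return False, "RoE incomplete: " + ", ".join(gaps)
    if not in_testing_window(roe, now):
        return False, (f"{now.isoformat()} is outside the authorized window "
                       f"{roe.window_start.isoformat()} to {roe.window_end.isoformat()}")
    if method not in roe.permitted_methods:
        return False, f"method '{method}' is not listed as permitted; request a scope change"
    return True, f"method '{method}' permitted within the authorized window"


# Constructed sample RoE: a six-hour off-peak window on a weekend night, UTC.
EXAMPLE_ROE = RulesOfEngagement(
    client="Example Retail Ltd (constructed)",
    objectives=["External web application assessment against the OWASP Top 10"],
    window_start=datetime(2024, 6, 1, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 6, 2, 4, 0, tzinfo=timezone.utc),
    permitted_methods={"vulnerability_scan", "web_application_testing"},
    emergency_contact="soc-oncall@example.com (constructed)",
    client_signoff="J. Doe, CISO",
    tester_signoff="A. Tester, team lead",
    signed_at=datetime(2024, 5, 28, 15, 30, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    checks = [
        ("vulnerability_scan", datetime(2024, 6, 1, 23, 30, tzinfo=timezone.utc)),
        ("denial_of_service", datetime(2024, 6, 1, 23, 30, tzinfo=timezone.utc)),
        ("vulnerability_scan", datetime(2024, 6, 2, 9, 0, tzinfo=timezone.utc)),
    ]
    for method, when in checks:
        ok, reason = authorize_action(EXAMPLE_ROE, method, when)
        print("ALLOW" if ok else "DENY ", reason)
    unsigned = replace(EXAMPLE_ROE, client_signoff=None)
    print("DENY ", authorize_action(unsigned, "vulnerability_scan", checks[0][1])[1])
```

Because `authorize_action` returns the reason alongside the decision, the same output can be pasted into the engagement log as evidence that each activity was checked against the signed RoE, which is exactly the record you want if scope is ever disputed later.
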
Pre-Engagement Meeting (Optional but Recommended)

Before testing begins, a kick-off meeting should clarify:

  • Final scope approval.

  • Any last-minute exclusions or technical limitations.

  • Point-of-contact confirmations.

Summary

  Area Enhanced                   Key Additions
  Ethical Hacking Mindset         Operate legally, minimize harm, report sensitive findings
  Environmental Considerations    Testing during low-traffic hours, use of test environments, risk planning
  RoE Document Details            Specific structure: scope, timeline, methods, communication, and signatures

Frequently Asked Questions

During a penetration test engagement, a tester identifies a potential vulnerability outside the defined target network range. What is the most appropriate action?

Answer:

The tester should stop testing the out-of-scope system and report the discovery to the client for clarification before proceeding.

Explanation:

Penetration tests are governed by the rules of engagement and scope defined during planning. Testing systems outside the authorized scope can create legal liability and violate contractual agreements. Even if a vulnerability is discovered accidentally, continuing to probe the system without approval may be considered unauthorized access. The correct approach is to document the finding, notify the client, and request authorization if further testing is necessary. This maintains professional integrity and ensures the engagement remains compliant with legal and contractual requirements.

A penetration tester is beginning a new engagement. Which document defines testing boundaries, communication channels, and approved testing techniques?

Answer:

The Rules of Engagement (RoE).

Explanation:

The Rules of Engagement specify how the penetration test will be conducted and establish operational boundaries. This document defines the permitted testing techniques, escalation procedures, contact information, and time windows for testing activities. It also clarifies responsibilities between the testing team and the organization being assessed. Without a clear RoE, testing activities could disrupt business operations or unintentionally violate legal requirements. The RoE ensures both parties understand expectations and helps prevent misunderstandings during active testing phases.

Why must penetration testers obtain written authorization before conducting testing activities?

Answer:

Written authorization provides legal permission to perform security testing on the target systems.

Explanation:

Penetration testing often involves activities that mimic real cyberattacks, such as scanning, exploitation attempts, and privilege escalation. Without explicit authorization, these actions may violate computer crime laws. Written authorization protects both the tester and the organization by clearly documenting consent. It also establishes accountability and confirms the scope, duration, and nature of the engagement. In practice, this authorization is typically included in the penetration testing contract or statement of work. Proper authorization ensures the testing process is legitimate and legally defensible.
