Creating a statement of work and have a question for you
Jasiono
Hey everyone
I'm in the process of creating a SOW for a pen test I'll be performing. I'm pretty new to this and have the terminology down with the exception of one thing.
What does it mean to consume data? Non-destructive tests where data will not be consumed? I googled it and couldn't find it but my manager mentioned it, and I didn't want to ask him right off the bat.
I'm assuming resources? Perhaps data not being deleted in a database perhaps?
Comments
paul78
That's not a legal "term of art" that I've ever come across. Unless it's defined, I personally wouldn't use it in a SOW or Agreement. If I was to guess, I would presume that it is related to exfiltrating data for further lateral movement during the pen test.
Jasiono
Ah ok. I will specify it as such and see what he says. I will also state that no data will be deleted in any associated databases as well. It's all internal application testing, but I want to be as specific as possible with my language because someone non-technical will be reading it (non-technical in information security that is)
paul78
Just my 2 cents, but I would never say that something wouldn't be deleted from a database. You may not knowingly or intentionally be deleting something but you can't generally know if some action may cause a removal of data.
Usually, I stick to legal terms around liability and negligence. I.e. "we will take reasonable precautions to reduce the likelihood of negative impact to ... blah blah blah. We will not be responsible blah blah blah except to the extent that such negative impacts are due to gross negligence or willful misconduct."
Usually if a lawyer is paying attention, we then have an argument about the use of "gross negligence", to which I will usually acquiesce.
the_Grinch
I'd agree that the consumption of data would be the movement of the data in relation to eventual exfiltration. Pentest-wise, I've seen them actually perform the exfil to the point where they would have pushed it out, and I've seen it where once they accessed it they explained the systems they would use to exfil with.
Jasiono
Very nice, thank you everyone. It really helps seeing other people's way of doing things and I do appreciate the time it took for everyone to reply.
DatabaseHead
Non-destructive tests where data will not be consumed?
Consume data is to essentially use it from upstream processes, flat files, systems, databases, etc.
Non-destructive means to not alter, change, or delete it. If you are sourcing data from database A, whether it be an insert or an update, the source system from which you are sourcing the data would be unchanged.
Ultimately it's saying the data that you are not sourcing/consuming, retain it in its original state.
In BI we will turn this into a type two dimension and time stamp it so you can retain the history.
techzie223
Consume data is to essentially use it from upstream processes, flat files, systems, databases, etc.
Non-destructive means to not alter, change, or delete it. If you are sourcing data from database A, whether it be an insert or an update, the source system from which you are sourcing the data would be unchanged.
scasc
Will you need to use live data as part of your test, or will scrambled data suffice? Also, will you be testing in PROD or TEST?
Once you know the scope you will know the approach. If using live data, "consume data" will be defining exactly what will be accessible and from which assets. Non-destructive testing can mean either not being authorised to perform denial of service testing, or it could mean making sure that if you have access to live data its integrity remains intact.
Nail your scope and the approach will flow.
JDMurray
I'm not sure why this old thread was resurrected, but everyone interested in this topic should familiarize themselves with the Pre-engagement section of the Penetration Testing Execution Standard (PTES).