Joe Vest, James Tubberville, Red Team Development and Operations
Data Handling
General guidelines for handling data generated or gathered during a Red Team engagement are critical.
All Red Team members should be responsible for safeguarding all target (aka. customer) data,
including:
Personally Identifiable Information (PII): information that can be used to uniquely identify, contact, or locate a single person, or that can be used with other sources to uniquely identify a single individual
Privacy Act information in accordance with established regulations, policies, and procedures for handling restricted and sensitive information
Other Industry BBP data
A Red Team should avoid the data mining of files containing Privacy Act, medical, justice, worship or religious pursuit, or any other protected or privileged information. If protected or privileged information is encountered, the Red Team should pause actions gaining or providing access, protect the information, notify the ECG, and return it to the target environment (or properly dispose of it as appropriate to the datatype per ROE).
A Red Team is normally authorized to exploit files, email, or message traffic stored on the network, or communications transiting the network, for analysis specifically related to the accomplishment of the objectives (e.g., identifying user IDs, passwords, or network IP addresses in order to gain further access); however, each Red Team member should ensure all information exploited is necessary and within the scope of the engagement.
A Red Team should not modify or delete any production user data or conduct any denial-of-service attacks unless specifically requested or authorized to do so by the ECG or ROE. The team should not otherwise intentionally degrade or disrupt normal operations of the targeted systems being exploited.
Red Team Operators must follow the provisions set in the ROE. A properly documented ROE will contain guidance and rules related to permissions, authorizations, permitted actions, data collection requirements, and target space details. All Red Team members must adhere to the permissions granted during engagement planning.
Controls
The controls around handling client data should be agreed upon and documented in the ROE. These controls are critical. Remember, a Red Team is given the privilege to play on someone else's playground. This access must be respected, and the data captured must be protected.
General controls and suggestions to consider when safeguarding sensitive data follow. Adjust them as required and incorporate them into your ROE template.
Policy Controls
Policy controls implemented by the Red Team should include:
A Red Team Non-Disclosure Agreement signed by each Red Team member
Data training (identifying and avoiding PII, PIA data, etc.)
Ethics training
Individual background checks
