DDactic
Core Principles
Last updated: 2025-01-08 | Version: 1.0.0 | Status: Active

1. Authorization and Consent
Always Obtain Written Authorization
- Never test without explicit written authorization
- Authorization must specify scope, methods, and timeline
- Verify authorization before beginning any testing activities
- Document authorization for all engagements
Scope Adherence
- Test only authorized systems and networks
- Use only authorized testing methods
- Respect defined boundaries and limitations
- Request new authorization for scope changes

2. Minimize Impact
Non-Intrusive Methods First
- Prefer passive reconnaissance over active scanning
- Use rate limiting to avoid overwhelming systems
- Schedule testing during low-traffic periods when possible
- Monitor for service disruptions and pause if detected
Resource Conservation
- Use efficient scanning techniques
- Avoid redundant or unnecessary testing
- Minimize bandwidth and resource consumption
- Clean up test artifacts after completion

3. Responsible Disclosure
Immediate Critical Findings
- Report critical vulnerabilities immediately
- Provide sufficient detail for remediation
- Work with clients on disclosure timelines
- Never publicly disclose without client consent
Coordinated Disclosure
- Respect client preferences for disclosure
- Support responsible disclosure practices
- Help clients understand risk and remediation
- Maintain confidentiality of findings

4. Data Protection
Data Minimization
- Collect only data necessary for assessment
- Avoid accessing sensitive data when possible
- Use anonymized data for analysis when feasible
- Delete unnecessary data promptly
Secure Handling
- Encrypt data in transit and at rest
- Limit access to authorized personnel only
- Use secure channels for data transmission
- Follow client data protection requirements

Testing Methodologies

Passive Reconnaissance
Recommended Methods:
- DNS enumeration and analysis
- Certificate transparency logs
- Public information gathering
- WHOIS and domain research
- Social media and OSINT
Benefits:
- No impact on target systems
- Not detectable by the target's security systems, since no traffic is sent to them
- Legal and ethical
- Provides valuable intelligence

Active Scanning
When Authorized:
- Port scanning and service enumeration
- HTTP/HTTPS service analysis
- Vulnerability scanning
- Network topology mapping
Best Practices:
- Use rate limiting
- Avoid peak business hours
- Monitor for service impact
- Stop if disruptions detected
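The best practices above (rate limiting, monitoring for service impact, stopping when disruptions are detected) and the Scope Adherence principle are the kind of controls a tester's own tooling should enforce mechanically rather than by memory. The following is an added example written for this page, not DDactic's code or tooling: an "engagement guard" that every probe must pass through. It checks that the target is inside the authorized networks or domains, that the current time falls within the agreed testing window, that a token-bucket rate limit has capacity, and that a sliding-window disruption monitor has not tripped. The sample authorization, dates, hosts and probe outcomes are constructed for illustration; the guard itself sends no traffic.

```python
import ipaddress
import time
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Authorization:
    """Written authorization reduced to machine-checkable terms (constructed)."""
    networks: tuple        # ipaddress network objects that are in scope
    domains: tuple         # bare domain names; hosts beneath them are in scope
    window_start: datetime
    window_end: datetime

    def allows_host(self, host: str) -> bool:
        """In scope if an IP inside an authorized network, or a hostname equal
        to (or beneath) an authorized domain. Anything else is out of scope."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            name = host.lower().rstrip(".")
            return any(name == d or name.endswith("." + d) for d in self.domains)
        return any(addr in net for net in self.networks)

    def active_at(self, when: datetime) -> bool:
        return self.window_start <= when <= self.window_end


class TokenBucket:
    """Rate limiter for outbound probes; `clock` is injectable for deterministic tests."""
    def __init__(self, rate_per_sec: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.tokens, self.last = float(burst), clock()

    def try_acquire(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


class DisruptionMonitor:
    """Sliding-window error ratio; trips once it exceeds the threshold and stays tripped."""
    def __init__(self, window=20, max_error_ratio=0.3, min_samples=10):
        self.samples = deque(maxlen=window)
        self.max_error_ratio, self.min_samples = max_error_ratio, min_samples
        self.tripped = False

    def record(self, ok: bool) -> bool:
        """Record one probe outcome; return True if testing must pause."""
        self.samples.append(ok)
        if len(self.samples) >= self.min_samples and \
                self.samples.count(False) / len(self.samples) > self.max_error_ratio:
            self.tripped = True
        return self.tripped


class EngagementGuard:
    """Every probe passes through check(), which returns 'go' or the reason to hold."""
    def __init__(self, auth, limiter, monitor, now=lambda: datetime.now(timezone.utc)):
        self.auth, self.limiter, self.monitor, self.now = auth, limiter, monitor, now

    def check(self, host: str) -> str:
        if self.monitor.tripped:
            return "paused: disruption detected"
        if not self.auth.active_at(self.now()):
            return "blocked: outside authorized window"
        if not self.auth.allows_host(host):
            return "blocked: out of scope"
        if not self.limiter.try_acquire():
            return "wait: rate limit"
        return "go"


# Constructed sample authorization: hypothetical scope, dates and hosts.
AUTH = Authorization(
    networks=(ipaddress.ip_network("10.0.1.0/24"),),
    domains=("example.com",),
    window_start=datetime(2025, 3, 1, 9, tzinfo=timezone.utc),
    window_end=datetime(2025, 3, 3, 17, tzinfo=timezone.utc),
)


def run_demo() -> list:
    """Constructed walk-through: in-scope probe, out-of-scope probe, then a
    burst of failed probes that trips the monitor and pauses all further work."""
    fake_clock = [0.0]
    guard = EngagementGuard(
        AUTH,
        TokenBucket(rate_per_sec=2.0, burst=2, clock=lambda: fake_clock[0]),
        DisruptionMonitor(window=20, max_error_ratio=0.3, min_samples=10),
        now=lambda: datetime(2025, 3, 2, 12, tzinfo=timezone.utc),
    )
    decisions = [guard.check("10.0.1.77"), guard.check("198.51.100.9")]
    for ok in [True] * 6 + [False] * 4:  # simulated probe outcomes
        guard.monitor.record(ok)
    decisions.append(guard.check("api.example.com"))
    return decisions
```

The monitor deliberately stays tripped once it fires: resuming is a human decision taken after contacting the client, matching the incident response steps in this document, not something the tooling should do on its own. The thresholds (window size, error ratio, probe rate, burst) are assumptions to be set per engagement from the written authorization.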

Architecture Analysis
Approach:
- CDN and infrastructure evaluation
- DDoS mitigation assessment
- Origin infrastructure analysis
- Network security posture evaluation
Considerations:
- Requires deeper access
- May involve multiple systems
- Coordinate with client IT teams
- Document all findings

Prohibited Activities
Without Explicit Authorization
The following activities are NEVER permitted without explicit written consent:
- Denial of Service (DoS): Any activity that could cause service disruption
- Data Modification: Altering, deleting, or modifying any data
- Data Exfiltration: Copying or removing data beyond assessment scope
- Privilege Escalation: Attempting to gain unauthorized access levels
- Destructive Testing: Any testing that could cause permanent damage
- Social Engineering: Manipulating personnel for access or information
- Physical Access: Attempting physical access to facilities or systems
Ethical Boundaries
Respect Client Systems:
- Treat client systems as if they were your own
- Avoid unnecessary risk or disruption
- Respect business operations and priorities
- Maintain professional boundaries
Legal Compliance:
- Comply with all applicable laws
- Respect computer fraud and abuse laws
- Follow data protection regulations
- Maintain necessary authorizations

Testing Phases
Phase 1: Planning and Preparation
Activities:
- Review authorization and scope
- Identify authorized targets
- Plan testing methodology
- Coordinate with client contacts
- Prepare testing tools and environment
Deliverables:
- Testing plan
- Contact information
- Schedule confirmation
Phase 2: Passive Reconnaissance
Activities:
- Domain enumeration
- Public information gathering
- DNS and certificate analysis
- Network mapping (passive)
Duration: Typically 1-3 days
Impact: None (passive methods)
Phase 3: Active Scanning (If Authorized)
Activities:
- Port scanning
- Service enumeration
- HTTP/HTTPS analysis
- Vulnerability scanning
Duration: Typically 3-7 days
Impact: Minimal (with rate limiting)
Phase 4: Analysis and Reporting
Activities:
- Data analysis and correlation
- Risk assessment
- Remediation recommendations
- Report preparation
Duration: Typically 5-10 days
Impact: None (analysis only)

Communication Guidelines
Pre-Testing Communication
- Confirm testing schedule and window
- Verify emergency contact information
- Discuss any concerns or special requirements
- Provide testing methodology overview
During Testing Communication
- Regular status updates (daily or as agreed)
- Immediate notification of critical findings
- Notification of any issues or disruptions
- Response to client inquiries within [X] hours
Post-Testing Communication
- Summary of testing activities
- Preliminary findings overview
- Timeline for report delivery
- Availability for questions and clarification

Incident Handling
Incident Detection
Monitor For:
- Service disruptions or downtime
- Unexpected errors or responses
- System performance degradation
- Security alerts or notifications
Incident Response
Immediate Actions:
- Stop all testing activities
- Assess the situation
- Notify client emergency contact
- Document incident details
- Work with client to resolve
Follow-Up:
- Incident report
- Root cause analysis
- Prevention measures
- Lessons learned

Quality Assurance
Testing Quality
- Use validated tools and methodologies
- Verify findings before reporting
- Cross-reference multiple sources
- Document testing procedures
Report Quality
- Accurate and factual findings
- Clear risk assessments
- Actionable recommendations
- Professional presentation

Continuous Improvement
Learning and Development
- Stay current with industry best practices
- Learn from each engagement
- Share knowledge with team
- Improve methodologies and tools
Feedback Integration
- Solicit client feedback
- Review engagement outcomes
- Identify improvement opportunities
- Update guidelines and procedures

Compliance
Legal Compliance
- Computer Fraud and Abuse Act (CFAA)
- State and local computer crime laws
- Data protection regulations (GDPR, CCPA)
- Industry-specific regulations
Industry Standards
- OWASP Testing Guide
- PTES (Penetration Testing Execution Standard)
- NIST Cybersecurity Framework
- ISO 27001 standards

Resources
Training Materials
- Ethical hacking courses
- Responsible disclosure training
- Legal and compliance training
- Tool-specific training
Reference Documents
- Authorization to Test Agreement
- Safety Policy
- Master Service Agreement
- Statement of Work

Acknowledgment
All DDactic personnel must:
- Read and understand these guidelines
- Apply guidelines to all engagements
- Seek clarification when uncertain
- Report violations or concerns