Security+ Journey – Prying Eyes

The internet allows us to have the proverbial ‘world at our fingertips’. We have almost immediate access to countless amounts of information at practically any given time. While this is great, it can definitely be seen as a double-edged sword. Being on the internet often means disclosing information about ourselves in order to get access to information or to have the ability to purchase goods and services. For instance, if you want access to that bright shiny new social media app of the week, you are going to need to create a profile and give information to the company that owns the application to be able to do so. This information could include your name, email address, age, date of birth, and phone number. There should be some documentation that shows how your data will be used. As the consumer, you will need to decide if you agree to the terms of how your personal data will be used by the company collecting it. Is it purely for use within the application, or is there potential for your data to be sold to other organizations for use cases such as targeted advertisements? Other than for business purposes and monetary gain, our personal data could also be used for malicious purposes. An example of this would be attackers gaining unauthorized access to personal data and using it for spear phishing campaigns. There are various ways in which our data and activities on the internet can be tracked:

Tracking cookies
Tracking cookies are text files that store information about an individual when they visit a website. Information about the user visiting the site can be tied to what specifically the user views or clicks on while on the site. If you have ever been on a website shopping for something specific, then start scrolling through your favorite social media feed, only to see an advertisement about the item you were just shopping for; the cause could likely be a tracking cookie.

Adware
I think of adware as being similar to a tracking cookie, but rather than being a file, adware is software that can not only track user data and activities, but also do the actual displaying of targeted ads itself. The advertisements themselves may be unwanted, but the adware is most likely installed with user acknowledgement.

Spyware
Out of the examples given so far, while the first two could, depending on the circumstances, be questionable in their use, spyware is outright malicious. Spyware is software that records and tracks data about systems and users, to be seen/used by another entity, primarily without the consent of the user. Spyware is a direct invasion of privacy and could potentially be dangerous.

Keyloggers
Like spyware, keyloggers are outright malicious. Keyloggers can come in hardware or software forms and aim to record actual typing keystrokes of a user. One use case of a keylogger for threat actors is to acquire usernames and passwords of targets for credential harvesting purposes.


While the internet can be an amazing tool to be leveraged for awesome use cases, it can also be a very scary place for our data. Increasingly over time, we need to be conscious of our presence online and the risks we might be taking by entering our private information into different sites on the internet. As much as, if not more so than in the physical world, there are prying eyes all over the internet.

Security+ Journey – Gone Phishin’

As brought up in the social engineering post in this series, while attacks can rely on sophisticated payloads to accomplish malicious goals, oftentimes the point of entry is an action taken by an unsuspecting human. In that social engineering post, I also highlighted that humans are the last line of defense for an organization, in terms of information security. Threat actors will attempt to exploit vulnerabilities in human behavior using tactics such as familiarity/liking, authority, intimidation, consensus/social proof, scarcity, and urgency. Messaging platforms are a common attack vector for threat actors, leveraging phishing campaigns as the tactic. Phishing is a type of social engineering attack in which a threat actor sends a message, for instance an email, to a target with the purpose of getting the target to do something that triggers a malicious act. An example is a link in the email to a legitimate-looking website asking the target to log in. This allows the attacker to obtain the credentials of the target. Another example is a malicious file attached to the email that can inject malicious payloads into the target system when opened. Phishing can take multiple forms and leverage multiple vectors. In the rest of this post, we will go over some of the different types of phishing attacks.

Spear Phishing
A spear phishing attack is a targeted phishing attack. Rather than a broad phishing campaign that could be sent to a large number of people, spear phishing attacks are targeted at specific individuals or specific groups of individuals. Attackers could perform reconnaissance to gather specific information about targets, and tailor the campaign to make it more believable to the target. Individuals may be more likely to click a link or download and execute a file if they feel that the email was specifically sent to them for a reason and called out facts about them to cause them to trust the message.

Whaling
Whaling attacks bank on a concept of potentially low effort and potentially high reward. Whaling attacks are similar to spear phishing attacks in that they are targeted at specific individuals. However, whaling attacks are further targeted at executives or wealthy people. The idea behind whaling attacks is twofold. These individuals could be high value, high reward targets, and there is a hope from the threat actors that these targets are not as aware of cybersecurity threats as they should be.

Vishing
Vishing is a variant of the traditional phishing attack in that the vector is voice communications rather than email. Threat actors will try to get targets on the phone in hopes that they can trick them into doing something they should not do.

SMiShing
SMiShing is another variant of the traditional email phishing attack that leverages SMS texting as the vector. These attacks seem to be very popular these days and I can see how they can be effective for a few reasons. First, it seems to be an accepted practice that text messages are short, succinct, and maybe even skip common words in order to keep messages short. Because of this, targets may not be as alert to spelling and grammar issues with text messages as they would be with emails. Secondly, these messages will typically have links; however, they will be shortened, and you cannot exactly hover over a link in a text message on a mobile device (at least that I am aware of) with a cursor to see where it is actually going before you click it, like you can with an email. Finally, so many legitimate services leverage text messaging to communicate updates to customers and ask for feedback. Threat actors know this and try to exploit that practice by posing as legitimate companies to lure targets into clicking and following malicious links.


Although technical controls are great assets to organizations in terms of cyber threat defense, the human element is still the last line of defense when it comes to cybersecurity. Threat actors continue to try to leverage the actions and reactions of people to get initial footholds into systems and networks. Phishing and its variants are very popular methods of threat actors to gain that initial access. Cybersecurity awareness training is vital for all employees in an organization, regardless of role.

Security+ Journey – Social Engineering

In today’s day and age, attackers and defenders can both be very sophisticated. Threat actors can have ways to obfuscate their attacks and exploit zero-day vulnerabilities. Conversely, defenders can leverage defense in depth to put multiple layers of defense between valuable assets and attackers. However, at the end of the day, there is a human element, which can be thought of as the last line of defense. Organizations can invest a large amount of money in layered defenses, but if an attack gets through a specific vector, for instance email, and the person opening the email falls for the phish, the org can be in big trouble. This is why, even with technical defense in depth, continuous end user security training is vital. Threat actors will continue to use social engineering as an attempt to kick off their malicious endeavors. Sometimes to hack a system, an attacker must hack a human first. I know that sounds a bit extreme, but in my mind, that is essentially what an attacker is doing with social engineering. Social engineering involves using deception to get targets to unknowingly do something malicious. Examples could be trying to get someone to click a link to a fake login page to accomplish credential harvesting, or tricking a user into downloading and installing a malicious file. These attacks leverage technology; however, they are exploiting the vulnerability of the human nature of trust. There are multiple forms that social engineering can take that we should all be aware of, so that we can be alert and vigilant.

Familiarity/Liking
Sometimes, a social engineer may realize that they could catch more flies with honey. This means that an attacker will attempt to get a target to do something malicious by playing to a potential victim’s interests, or by just being kind and considerate. We as a society post a lot about ourselves on social media. Threat actors can use this information against us. They can play to our likes and dislikes to gain our trust. This is a big reason for being careful about what we post about ourselves online.

Authority and Intimidation
As a contrasting approach to familiarity and liking, threat actors may attempt a method leveraging authority and/or intimidation. The authority approach can exploit individuals’ level of trust in authority figures, such as government agencies. An example of a phishing attack leveraging an authority approach would be email campaigns around tax filing time, claiming to be from a government agency requiring information about a target. This could also lead into the intimidation method. Nobody really wants to get in trouble, and attackers will try to exploit that by threatening legal action or penalties for not complying with what is asked of them in the notice or email.

Consensus/Social Proof
We often do not like making decisions on our own. It seems we constantly look to others for advice and recommendations. That in and of itself is not necessarily a bad thing at all, as long as we can trust the person or group providing the advice or recommendations. When shopping for goods and services online or for the next coupon mobile app (my attempt at a joke), we will tend to look at the reviews left by others to see if the product is any good and if it can be trusted. Threat actors know this too and can leverage methods to leave false comments and reviews to trick us into something malicious because it appears to have rave reviews. It would be good to also look for another method of validation as well, to be safe. Multifactor product validation, anyone? C’mon, I’m trying to start a new thing. That at least sounds cool, right?

Scarcity and Urgency

Nobody wants to miss out on a “good deal”, right? Well, threat actors understand this and will definitely try to take advantage. Phishing attempts can try to exploit this desire by offering up something enticing that “will expire soon” or is a product in short supply, so you “must click NOW!”. When it comes to deals like these examples, we must always question if something seems “too good to be true”. If it seems that way, it often is a scam or malicious attempt to get your data or financial information. The scarcity and urgency tactic could potentially also be used along with the authority and intimidation tactic to trick people into a malicious activity right now “or else”.


Organizations can spend a lot of money and resources to protect against threats and mitigate risk; however, people are still the last line of defense and threat actors will try to exploit different weaknesses in human behavior. This is why continuous security training programs, security testing, and employee engagement about security are important. Employees of an organization need to understand that they are part of the defense against security related threats and that we cannot rely on technical, operational, and managerial controls alone.

Security+ Journey – DNS for Recon

For attackers and defenders, tools are very important. If a threat actor does not know much about a potential target, they will need to perform some reconnaissance. There are many tools out there that can be leveraged for recon, some of which are readily available on popular operating systems. These tools are not necessarily built with reconnaissance as a goal, but they can be used that way. One way for a threat actor to find out more about a target domain is by leveraging the Domain Name System (DNS). There are many different types of DNS records that can provide some insight about what a potential target has on their network. By nature of systems that leverage TCP/IP, computers need to be able to find out the IP addresses of the destination systems with which they are attempting to communicate. At a high level, DNS is used to translate familiar names into IP addresses, in a client/server model. This keeps us humans from having to memorize IP addresses of websites and the like, keeping both private and public networks (the internet) usable and dynamic. Tools such as nslookup (Windows), dig (Linux), and dnsenum can be used to query DNS servers to gather information about domains.

Now, let’s take a look at the nslookup utility within Windows to see what some of the options are that exist within the tool. First off, to run nslookup, just open up a command prompt, type nslookup and hit the enter key. This will take you into the nslookup prompt. First, we can look at the existing settings within the utility using the set all command.

Output from the set all command.

An option of note listed above is the type option. This sets the type of query that will be performed. You can see above that it is currently set to the default of A+AAAA, so it will query for A (IPv4) and AAAA (IPv6) records. The available options are: A, AAAA, A+AAAA, ANY, CNAME, MX, NS, PTR, SOA, SRV. To change the record type, you can enter set type=<record type>. Another option that could potentially be used for reconnaissance is the all type. If you enter set type=all (then hit enter), then enter a domain name to query; if the server allows it, it will return the answers for all records in that DNS zone. This type of query can be thought of as a zone transfer.

Once the settings are configured the way you want them (oftentimes they can be left at the defaults if you just want to query basic A records), you are just about ready to query a domain name. Sometimes, when it comes to troubleshooting potential DNS issues, perspective is key. When record changes are made, especially to public facing DNS servers, by nature of time-to-live (TTL) values, it can potentially take a considerable amount of time for a record change to propagate globally. You may want to query different local or public DNS servers to see how they are resolving the record in question. That could explain why a record is resolving correctly for some users that point to DNS server #1 and incorrectly for other users that point to DNS server #2. Within nslookup, to change the server you want to query, you just type server followed by a space, followed by the IP address or name of the DNS server that you want to query (then hit enter). Finally, to query a record, you just have to type in the name of the record (as a fully qualified domain name) and hit the enter key. If the DNS server you are pointing to is able to resolve this record to an IP address, you will see the result on the screen.
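The same three steps (pick a record type, pick a server, query a name) can be scripted so that one record is asked of several resolvers side by side, which is the propagation check described above. This is an added example written for this post, not a tool from the post; it builds and parses RFC 1035 wire-format messages with the standard library only, and the resolver addresses and domain in the usage section are placeholders to replace with your own.

```python
import socket
import struct

# Record types from the post's "set type=" list, mapped to their wire values.
# Note: a real zone transfer (AXFR) runs over TCP and is not attempted here.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "AAAA": 28, "SRV": 33, "ANY": 255}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}


def build_query(name, qtype="A", txid=0x1234):
    """Build a standard recursive DNS query packet (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                           # root label
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def read_name(data, offset):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2   # parsing resumes after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Return (name, type, ttl, rdata) tuples from the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    if rcode:  # e.g. 3 = NXDOMAIN, 5 = REFUSED
        raise ValueError(f"server returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):           # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4                    # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        raw = data[offset:offset + rdlen]
        if rtype == 1:
            rdata = socket.inet_ntop(socket.AF_INET, raw)
        elif rtype == 28:
            rdata = socket.inet_ntop(socket.AF_INET6, raw)
        elif rtype in (2, 5, 12):      # NS, CNAME, PTR carry a domain name
            rdata, _ = read_name(data, offset)
        else:
            rdata = raw.hex()
        answers.append((name, QTYPE_NAMES.get(rtype, str(rtype)), ttl, rdata))
        offset += rdlen
    return answers


def query(server, name, qtype="A", timeout=3.0):
    """Send one UDP query to a chosen resolver (nslookup's 'server' step)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def compare_resolvers(name, servers, qtype="A"):
    """Ask several resolvers for the same record to spot stale cached answers."""
    return {server: query(server, name, qtype) for server in servers}


if __name__ == "__main__":
    # Placeholder resolvers and domain; substitute your own before running.
    results = compare_resolvers("example.com", ["192.0.2.53", "198.51.100.53"])
    for server, records in results.items():
        for name, rtype, ttl, rdata in records:
            print(f"{server}: {name} {rtype} ttl={ttl} {rdata}")
```

Differing TTLs or addresses between resolvers for the same name are the propagation lag the post describes, not necessarily a misconfiguration.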


DNS query tools such as nslookup, dig, and dnsenum can absolutely be used as methods of gathering reconnaissance by threat actors. Having a list of records from a target domain could give the threat actor information about services the target is running, or at the least, a list of devices to scan for open services and/or vulnerabilities.

Security+ Journey – Attack Surface and Vectors

One thing is certain in terms of cybersecurity. Attacks will and do occur regularly. While security is the responsibility of all employees in an organization, active defense is up to IT and Info Sec teams. One way to help defend organizations effectively and efficiently is to understand the existing attack surface and potential attack vectors that exist for attackers to exploit. Essentially, these are the points of attack and paths that attackers can take to infiltrate networks and systems. We will unpack and describe these terms in the rest of this post.

Attack Surface
As brought up in the opening paragraph, the attack surface is comprised of the different points in a network or system that are open for connections. For example, these points could be application servers that provide a service to customers and employees. While these connections are necessary to serve business purposes, they can also potentially be exploited by attackers. In order to properly defend networks and systems, it is imperative to have an inventory and understanding of the attack surface. You cannot effectively defend what you do not even know exists.

Attack Vectors
While the attack surface describes the potential entry points into a network or system, an attack vector is the specific path taken by a threat actor to attack a system. For a contrasting example, while an open web server is in the attack surface, the HTTP/HTTPS application port/service would be the attack vector. Attack vectors describe the method or direction taken by a threat actor to exploit a vulnerability. Examples of potential attack vectors include:

  • Direct access
    • The direct access vector describes the ability for attackers to gain physical access to a system. This would be like someone being able to walk up to an unlocked workstation and gain unauthorized access to a system.
  • Removable media
    • A great example of removable media as an attack vector is a small, USB flash drive. Flash drives are great tools for storage, but can be easily exploited as a means of attack. If you do not know for sure what is on a flash drive, it is dangerous to plug it into a system. We often hear examples of pen tests or experiments at security conferences in which flash drives are strategically left around unattended or actively handed out to see if people will accept them and plug them into their workstations.
  • Email
    • Email has to be one of the largest attack vectors out there, and has been for some time. Phishing schemes are very prevalent and prove to be a relatively low effort vector for attackers. If malicious emails can get past security controls, they can inflict major damage.
  • Remote access
    • Remote access is similar to the web server example I gave above. Remote access provides us the ability to gain access to systems when we are off-site. While it is very useful, it has the potential to be exploited by attackers as well.
  • Supply chain
    • Supply chain is an attack vector that has gained popularity in recent years. Often as consumers, we place trust in the companies from which we purchase goods and services. The same is true for businesses. Businesses are also consumers of goods and services from other companies. Attackers can leverage that supply chain to infect and infiltrate customers of these services. If a threat actor can infiltrate a product that has many consumers, they have the ability to potentially infiltrate or infect those consumers as well.
  • Social media
    • Social media as an attack vector, to me, is a bit different than the other examples here. Rather than leveraging social media to gain access to or infect systems, it can be used to maliciously influence people or provide disinformation as an influence campaign.
  • Cloud
    • Just because services get hosted and leveraged in the cloud, does not mean that security concerns go away. There is a shared responsibility model with cloud computing. The cloud service providers are responsible for security of the cloud, and the consumers are responsible for security in the cloud. There have been many stories of security researchers finding unsecured cloud databases on the internet. Cloud is very much a viable attack vector.

It does seem that when it comes to cybersecurity, the decks are often stacked against the defenders. There is a saying that I’ve heard before that goes something like, defenders have to be constantly ready and successful; attackers only have to be successful once to gain access. While information security can prove to be challenging, we are in much better shape when we are aware of the attack surface and potential attack vectors that attackers can leverage.

Featured image credit: Tomáš Malík

Security+ Journey – Lions, Tigers, and Bears

Yeah I know, I went for the catchy title to try to draw you into reading this. However, when looking at the topic of vulnerabilities, threats, and risks in my list, the title above is what came to mind. Thinking through it though, that title seems to work. Vulnerabilities, threats, and risks are all scary things we have to consider and account for. Now, depending on where you live, lions, tigers, and bears may not be as applicable in your daily life as vulnerabilities, threats, and risks, but I think you get the idea. Actually, as I write this, I’m going to add a fourth scary thing in the world of information security: exploits. Yes, that throws off my title, but I feel like I’m on a roll here so I am just going to run with it. Let’s equate exploits to spiders just for fun. Those things are terrifying, right? In the rest of the post, I will give some descriptions around these four items.

Vulnerabilities
A vulnerability is really just a weakness in an application, hardware, or system. From a cybersecurity perspective, it is something that can be leveraged for malicious purposes. Another way to put this is that a vulnerability can be exploited.

Exploits
It is easy to think about vulnerabilities and exploits in the same vein, even if not to confuse them outright. That makes sense, because they are definitely coupled together, so it is possible to mix up the meanings. As stated above, while the vulnerability is the weakness or the actual issue with the application or system, the exploit is the tool or method that is used to take advantage of, or attack, that vulnerability. For a practical example, you may hear that a vendor has issued a statement that they have a known security flaw in their product (and hopefully also have a patch to fix that flaw). The security flaw itself is the vulnerability. Now, if it is also announced that there is a known attack method in the wild that is able to leverage this vulnerability for malicious purposes, that attack method would be the exploit.

Threats
When it comes down to it, threats are potentially bad things that you are trying to avoid or protect against. Further, threats are individuals, groups, actions, or behaviors that could cause harm to the organization. Keep in mind that this list of items could lead to either intentional or unintentional harm. As we all know, accidents happen, and we want to be cognizant of those as well.

Risk
How I like to think of this, is that the previous terms vulnerabilities, exploits, and threats are all factors in the calculation of overall risk. To me, a large portion of cybersecurity is risk management. We need to be able to determine which activities pose the most risk to the organization and work toward mitigating and managing that level of risk. Risk is the probability of a vulnerability being exploited by a threat, along with the level of impact that will be caused to the organization.


In my opinion, a big part of cybersecurity is constantly being aware of the potential bad things that can happen so you can put controls in place to mitigate and minimize the risk/impact of those bad things. At least there are clear definitions out there to help us understand and deal with vulnerabilities, exploits, and threats, and use those explanations and concepts to help us calculate the overall risk.

Featured image credit – Rasmus Svinding

Security+ Journey – Functional Types of Controls

Security controls are put in place ultimately to mitigate and minimize risk for an organization. As covered in a previous post, there are three main categories of security controls. To recap, these categories are technical (logical), operational (physical), and managerial (administrative). While these categories give us an idea of the high level characteristics of the different groupings of security controls, in this post we will take it a step further and highlight the different functional types of security controls. I interpret the functional control types as describing what role the control is serving and how it is being implemented. There are three main functional control types and three of what I call “sub-types”. As listed below, the first three are the main types.

Preventive
A preventive control is put in place to do just what the name implies: to prevent an attack from occurring or a vulnerability from being exploited. From a sequence/time perspective, a preventive control is active before a successful attack can occur. Examples of preventive controls, listed alongside their corresponding control categories, are access control lists (technical), next generation firewalls (technical), standard operating procedures (managerial), and security guards (operational).

Detective
Detective security controls identify and track events as they happen. Detective controls get the most use during an event. Events are tracked through logging and can be alerted upon as well. Examples of detective controls, listed alongside their corresponding control categories, are logs (technical), motion sensors (operational), and intrusion detection systems (technical).

Corrective
Corrective security controls are put in place to mitigate or minimize the impact of a security event. Examples of technical, corrective security controls are backup systems, patch management systems, and anti-malware software.

Physical
The purpose of physical security controls is to protect against in-person attacks and malicious attempts at access. Examples of physical controls are doors/locks, alarms, lights, and physical security (guards).

Deterrent
Deterrent security controls discourage individuals from doing something that is unauthorized. Typical deterrent controls include signage, lights, and fencing.

Compensating
A compensating control can be thought of as a backup or secondary control. This would be something that replicates a primary control in case of failure of the primary control, or something that provides added protection if the primary control does not fully meet the requirements. An example of a compensating control would be a configuration or system backup. If a system becomes corrupted or wiped, it can be restored from the backup, if one exists.


Security controls help us to mitigate and minimize risks. As listed above, there are different functional types of controls that can help us to understand the purpose of the controls and which may be needed to support the security policy and posture of the company.

Featured image credit – Travis Saylor

Cloud Essentials+ Journey – Try Before You Buy

Wouldn’t it be great if everything we wanted to purchase and integrate into our technology stacks would just work the way we wanted without needing to worry about it or even test things out? Well, anyone who has been around technology knows that is not the case. There is not always a ‘one size fits all’ technology that is going to meet the need for every organization and use case. We need methods to be able to evaluate new technology products and systems before we take the plunge of purchases to ensure that the given tech is going to be a good fit for the organization. Luckily, we have multiple means available for accomplishing this ‘try before you buy’ concept when it comes to evaluating new products and services. The options we have are proofs of concept, pilot programs, and proof of value studies.

Before we dig into each of these product evaluation options, let’s start where I often like to, which is with requirements. If we do not begin with a clear picture of what it is that we are trying to accomplish, it is going to be very difficult for us to definitively determine whether the evaluation is a success or a failure. These requirements or outcomes that we are trying to achieve in these evaluation programs are called success criteria. Having defined success criteria gives us a guide to perform and analyze a proper evaluation. Now, let’s touch on the different evaluation options listed above.

Proof of Concept
In my opinion, the proof of concept (POC) is going to be the lowest lift, and minimally intrusive evaluation option for a new technology. The purpose of a POC study or implementation is to just verify that a new product or service functions as advertised for the specific use case in question. Depending on the technology being evaluated, combined with the use case in question, a proof of concept could be a relatively small effort. Most likely in a POC, we are not going to be delving too deeply into the details of the product or performing a lot of stress testing. We are really just wanting to answer the question of “Does this product, at a high level, do what I need it to do?”. For more in depth evaluations, we look to implementing a pilot program.

Pilot Programs
As introduced in the section above, pilot programs really take the POC a step further. A pilot program is going to get more people involved in evaluating a potential new solution. A subset of users would be selected to test out the new product over a period of time to perform the in depth analysis and stress testing that was mentioned as not necessarily taking place in a proof of concept study. Some key points and tasks that should be part of a pilot program include:

  • Define objectives.
  • Carefully select the participants. These should be individuals that would be key users, or power users, of the system if it is purchased and integrated into production.
  • Have a clear test plan defined to make sure the success criteria of the pilot program are met.
  • Have known methods defined for communicating and delivering feedback throughout the pilot program.
  • If the product ends up getting purchased, make sure to use the lessons learned from the pilot, when deploying the system into production.

Proof of Value
At face value, I think a proof of value (POV) study can be somewhat nebulous. The goal of a POV study is to come to a decision about whether or not implementing a new technology solution will add value to an individual process or the organization overall. We need a way of quantifying that value into terms that make sense, such as cost or time savings. In my opinion, this definitely means getting the proper business units involved to make sure this value calculation is as close to reality as possible.


While proofs of concept, pilot programs, and proof of value studies take time and effort to complete, we would really be doing a disservice to the organizations we represent if we did not go through the due diligence of proper evaluations before purchasing new technology solutions. The evaluation concepts described in this article give us those different options to try before we buy.

Featured image credit – Magda Ehlers (Pexels, Instagram)

Security+ Journey – Control Categories

Two large concepts within information security are understanding what protections, or controls, we should have in place and then the actual process of implementing those controls. The reason we have security controls points back to the CIA triad: to keep our organizations safe and healthy from an information security perspective, we need to ensure that our data and systems are kept confidential, retain their integrity, and are available for use. Implementing security controls helps us align with those principles. That being stated, since we are dealing with information security it is easy to think that we are only concerned with technical controls and protections such as firewalls and anti-malware solutions. While those and others like them are important, they are not the only category of security control. The three main security control categories are technical (logical), operational, and managerial (administrative). Physical controls such as locks and guards are often discussed alongside operational controls, and the current Security+ objectives list them as a fourth category of their own; either way, “operational” and “physical” are not synonyms, as the sections below explain. Let’s delve into these to get a better understanding.

Technical
Technical controls (also known as logical controls) are the ones I mentioned in the first paragraph. These are the security controls implemented in hardware or software by IT systems. Examples of technical security controls are firewalls, anti-malware solutions, web filtering, multi-factor authentication (MFA), and email security products.

Operational
While technical controls are implemented as hardware and/or software solutions, operational controls are implemented and carried out by people and procedures. Examples of operational controls are ongoing security awareness training, incident response procedures, and the day-to-day processes that staff follow to keep systems secure. Physical controls are closely related but distinct: security guards, door locks, and motion-sensor-activated lighting physically restrict or monitor access to a facility rather than relying on a documented procedure to be followed. A good test when classifying a control is to ask whether it stops working when the people stop following the process (operational) or when the barrier or device is removed (physical).

Managerial
As with many things, for a system or process to remain effective we need ways to govern and audit it over time. That is where managerial controls (also known as administrative controls) come into the picture. Managerial controls provide the oversight of, and the auditing framework for, information systems and processes. Examples of managerial controls include security policies, ongoing testing such as simulated phishing campaigns, change control processes, and of course, auditing processes.


There are many ways to protect the information security of our organizations, and technical controls are not the only ones in scope. Operational, physical, and managerial controls can also be put in place to help ensure confidentiality, integrity, and availability.

Featured image credit – George Becker
https://www.pexels.com/@eye4dtail/
https://www.flickr.com/photos/eye4dtail/

Cloud Essentials+ Journey – Statement of Work

In a previous post in this series, we covered the different request documents that are sent to vendors, partners, and service providers: the request for information (RFI), request for proposal (RFP), and request for quote (RFQ). Those request documents all deal with different phases of the pre-procurement process for a technology, system, or application. There is another vendor/partner related document of note that is geared more toward the sales and post-sales side of the procurement process: the statement of work (SOW).

A statement of work (SOW) can be thought of as a project management document. A SOW is generated by a partner organization or service provider when a business purchases a solution that includes an implementation effort from that partner or provider. The purpose of the SOW is to paint a clear picture of what the customer is purchasing and how the partner organization will implement that solution. This gets both parties on the same page about the work to be completed and the success criteria that ensure expectations are met. In general, a statement of work includes the following information:

  • The high-level need and scope of the project.
  • Detailed steps for the tasks to be performed, including the schedule or timeline.
  • Success criteria. This should include a clear representation of what “done” means: what has to be completed and agreed upon to constitute a completed project.
  • Billing information.

In my opinion, a statement of work (SOW) is not just trivial paperwork. A well-written and agreed-upon SOW is a vital component of a successful project. We cannot just assume that everyone involved has the same understanding of what needs to be done and why. A statement of work puts all of this in writing so that all parties involved have a clear picture of the solution that was purchased, how it will be implemented, and when. It is also worth reading the scope and success criteria as carefully as the task list, since anything left out of the SOW is exactly what tends to become a dispute or a change order later.