---

Скачать книгу

---

points about the penetration test.

      First, you should have a disclaimer that states that the penetration test is a point-in-time assessment — meaning you have tested against known vulnerabilities and exploits as of the current date. As time goes on and new software and systems are installed on the network, your assessment would not have tested those new items.

Second, you should have a disclaimer that indicates that the comprehensiveness of the penetration test is based on the types of tests authorized by the customer and the known vulnerabilities at the time. For example, if the customer requests that no denial of service (DoS) attacks are performed (which is common), your penetration test would not have tested how the company stands up against a DoS attack. This disclaimer will help protect you if the customer is hit with a DoS attack after the penetration test is performed.

       Your agreement should also make it clear that a penetration test uses hacking tools that a hacker would use, and although you have tested these tools, it is possible that they could have unpredictable results due to the additional software installed on the systems or the configuration of the systems. Unpredictable results in this case is referring to the fact that it is possible that the target systems could crash and be unavailable. For example, I have heard cases where performing a vulnerability scan of the network caused the print servers to drop off the network. This is not something that happens all the time, but the point is that different products from different vendors respond differently to the scanning and attack tools. One way to help prevent disruption on the network is to perform the penetration test on virtual machines within a test environment that are copies of the production systems.

       Ensure you have a disclaimer in the agreement that specifies that the pentest is a point-in-time assessment and that the comprehensiveness is based on the scope of the assessment.

Scoping the Project

      During the pre-engagement activities, it is important to have an initial meeting with the customer that allows you to discuss the scope of the project and get an understanding of what the customer’s goals are for the penetration test.

      When preparing for the initial meeting with the customer, you should plan out scoping questions that will help you understand the magnitude of the project. Some common questions to ask when determining the scope of the pentest are:

       What is the goal of the penetration test? (Why is it being done?)

       Is the penetration test going to test internal systems, external systems, or both?

       What are the Internet Protocol (IP) ranges of the internal and external systems that are being tested?

       What are the internal and external domain names of the systems to be tested?

       Does the company own the systems using those IP addresses?

       Are there any systems hosted by third-party companies such as an ISP or a cloud provider?

       What applications and services will be tested?

       What types of tests are to be performed? For example, are you testing physical security and/or social engineering, and are DoS attacks allowed?

      If performing a black box test, which is discussed in Chapter 1, the penetration tester is typically responsible for discovering target services, and some would say the target IP addresses. The important point here to remember is that you want the customer to give you the target IP addresses and domain names so that you can be sure you have proper authorization to perform testing on those systems. If it is up to the pentester to discover the IP addresses, especially external IP addresses, the tester runs the risk of performing the penetration test on an unauthorized IP address or system owned by someone else.

      Depending on the type of testing being performed, there are a number of other questions you can ask during the scoping of the project. The Penetration Testing Execution Standard (PTES) website found at www.pentest-standard.org has an extensive list of questions you can ask. The following sections list example questions for each different type of test.

      General questions

       What is the goal of the penetration test? (Why is it being done?)

       Is the pentest being performed for compliance reasons?

       What hours of the day can the penetration test be performed (business hours/non-business hours)?

       What are the internal and external target IP addresses?

       Are security controls in place such as firewalls and intrusion detection systems?

       If a system is compromised, what actions should be taken next (for example, no action, elevate privileges, and so on)?

      Web application testing questions

       How many web applications/sites are being tested?

       How many of those require authentication?

       How many static pages are in those sites?

       How many dynamic pages are in those sites?

       Is the source code available for review?

       Is authentication testing to be performed?

      Wireless network testing questions

       How many wireless networks are there?

       What wireless encryption protocol(s) are being used?

       What is the area covered by wireless?

       Should detection of rogue devices be performed?

       Should wireless attacks against clients be performed (or just focus on the access point)?

       How many wireless clients are there?

      Physical security testing questions

       Is physical security testing part of the pentest?

       How many locations are there?

       Are the locations shared with other businesses? If so, what floors do you occupy?

       Are lock picks and bump keys allowed to bypass a locked door?

       Are video cameras being used? If so, does the customer own those devices?

      Social engineering testing questions

       Is social engineer testing part of the pentest?

       Does the customer have email addresses for social engineering?

       Does the customer have phone numbers for social engineering?

      Testing questions for IT staff

       Are there fragile systems that are easy to crash?

       What is the mean time to repair from a system outage?

       What are the business-critical servers and applications?

       Are backups tested regularly?

       Is there a disaster recovery procedure in place for devices and systems being tested?

       When

---

Скачать книгу