Penetration testing seeks to evaluate your security posture using simulated attacks to identify and exploit vulnerabilities. Most pen testing is done by experts using manual techniques supported by automated tools.
In any penetration testing engagement, one of the most critical aspects is defining the scope: what networks, applications, databases, accounts, people, physical security controls and other assets are “fair game” for the penetration tester(s) to attack.
Deciding what scope is right for you should be part of the initial discussion with whoever will conduct the assessment and anyone who has a stake in the results. Getting the scope right is key to deriving maximum business value from the assessment; likewise, defining the wrong scope can severely limit the usefulness of the test.
You want the test to have sufficient scope to tell you what you need to know about your controls and defenses, while maximizing the value of your limited resources. Pen tests usually center on answering a specific question, like: Is that sensitive data secure? Is this new web application secure? Is our patch management and asset management effective? Are we in compliance with XYZ regulation?
For mature organizations that have the basics of security covered, pitting your detection and incident response capabilities against a realistic, external attack is a great way to find out if the data you think is protected actually is protected. You can work with the testing team to ensure they give your controls a workout, but don’t waste time throwing every imaginable exploit at your defenses.
If you’re less confident about your overall security posture, an internally focused “readiness test” that starts from an internal network can pinpoint what assets are most at risk from an attack that has breached your perimeter. This will help you prioritize critical areas for mitigation.
Another scope question, especially for a simulated attack, is whether you want to provide the testers with information on the systems they’ll be attacking (white box testing) or let them start from scratch (black box testing). It’s widely believed that black box testing is more “realistic.” But arguably the opposite can be true.
White box testing starts with the assumption that skilled hackers will find the data they need to launch an attack. This, in many ways, is a valid starting point for a rigorous, useful, and cost-effective pen test. Black box testing, in contrast, can be more like “hide-and-seek,” with more time (and money) spent finding than attacking.
Any reputable firm that conducts penetration tests will have both a wealth of experience and a proven methodology, which will include first and foremost working with you to determine the best scope and approach for your engagement, in line with your ultimate goal.
Often the goal will be to learn or confirm where best to invest resources to prepare you for a real attack. This can include validating—and raising a red flag to management—that known or anticipated weaknesses in areas like patching or employee security awareness do, indeed, leave you vulnerable. (It’s not unheard-of to leverage pen test results to get some budget, in other words.)
Whatever your goals, defining the right scope upfront will largely determine how useful your pen test engagement will be.
To talk over your security goals and what level of testing or assessment will best help you meet them, contact Pivot Point Security.
For more information: