Penetration Test - Planning and Scoping(7)
TYPES OF ASSESSMENTS
- Goal-based
- Goals created upfront
- Tests set up to fulfill goal(s)
- Objectives-based
- Define a resource to attack
- Tests use all angles to attack protected objectives
- Compliance-based
- Mandated by standard, regulation, or legislation
- Ex. PCI DSS
- Red team
- Typically internal
- A single compromise is a success
- Ongoing
- Blue team
- Defense against the red team
SPECIAL SCOPING CONSIDERATIONS
- Premerger
- Part of due diligence prior to mergers
- Used to harmonize security efforts
- Supply chain
- Partners often provide software and/or hardware to interface with an organization
- Weaknesses in interfaces can provide unauthorized access
TARGET SELECTION
- Targets
- Internal (on-site vs. off-site)
- External
- First-party vs third-party hosted
- Physical
- Users
- SSIDs
- Applications
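A practical way to enforce the target selection above is to encode the agreed scope once and check every candidate target against it before any scanning starts. The following is an added example, not part of the original notes; the scope values (networks, the excluded segment, the third-party-hosted range, the domain and SSIDs) are constructed for illustration. Explicit exclusions win over inclusions, hosts in a third-party-hosted range are flagged as needing the provider's authorization rather than being treated as in scope, and hostname matching is suffix-based so that a look-alike such as `example.com.evil.net` is rejected.

```python
import ipaddress

# Constructed example scope for illustration only (not a real engagement).
SCOPE = {
    "internal": ["10.10.0.0/16"],                 # on-site / VPN-reachable networks
    "external": ["203.0.113.0/24"],               # first-party hosted public ranges
    "excluded": ["10.10.5.0/24"],                 # explicitly out of scope, e.g. a fragile segment
    "third_party_hosted": ["198.51.100.0/24"],    # hosted by a provider; provider sign-off required
    "domains": ["example.com"],                   # in-scope DNS suffixes
    "ssids": ["CORP-WIFI", "CORP-GUEST"],         # wireless networks approved for testing
}


def _in_any(ip, cidrs):
    """True if the address falls inside any of the given CIDR blocks."""
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def classify_target(target, scope=SCOPE):
    """Return (verdict, category) for an IP address, hostname, or 'ssid:<name>' target.

    verdict is one of 'in-scope', 'out-of-scope', or 'needs-authorization'.
    """
    # Wireless targets are identified by an 'ssid:' prefix (convention assumed here).
    if target.startswith("ssid:"):
        name = target[len("ssid:"):]
        return ("in-scope", "ssid") if name in scope["ssids"] else ("out-of-scope", "ssid")

    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        # Exclusions are checked first so a carve-out inside an in-scope range still wins.
        if _in_any(ip, scope["excluded"]):
            return ("out-of-scope", "excluded")
        if _in_any(ip, scope["internal"]):
            return ("in-scope", "internal")
        if _in_any(ip, scope["external"]):
            return ("in-scope", "external-first-party")
        if _in_any(ip, scope["third_party_hosted"]):
            return ("needs-authorization", "external-third-party")
        return ("out-of-scope", "unknown-ip")

    # Hostname: exact match or a proper subdomain of an in-scope domain.
    host = target.lower().rstrip(".")
    for domain in scope["domains"]:
        if host == domain or host.endswith("." + domain):
            return ("in-scope", "domain")
    return ("out-of-scope", "unknown-host")


def filter_targets(targets, scope=SCOPE):
    """Split a candidate list into the buckets a tester needs before launching tools."""
    buckets = {"in-scope": [], "needs-authorization": [], "out-of-scope": []}
    for t in targets:
        verdict, category = classify_target(t, scope)
        buckets[verdict].append((t, category))
    return buckets


if __name__ == "__main__":
    candidates = [
        "10.10.1.5", "10.10.5.7", "203.0.113.10", "198.51.100.3",
        "www.example.com", "example.com.evil.net", "ssid:CORP-WIFI", "8.8.8.8",
    ]
    for verdict, items in filter_targets(candidates).items():
        print(verdict)
        for target, category in items:
            print(f"  {target:25} {category}")
```

Run `filter_targets` over the host list produced by reconnaissance and feed only the `in-scope` bucket to scanners; anything in `needs-authorization` goes back to the client for the hosting provider's written consent before it is touched.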
QUICK REVIEW
- Know if your assessment is goals-based or objectives-based
- Document any compliance requirements
- Specify any external considerations that affect the scope
- Identify the valid targets of your tests