Penetration Test - Planning and Scoping(7)

TYPES OF ASSESSMENTS

  • Goal-based
    • Goals created upfront
    • Tests set up to fulfill goal(s)
  • Objectives-based
    • Define a resource to attack
    • Tests use all angles to attack protected objectives
  • Compliance-based
    • Mandated by standard, regulation, or legislation
    • Ex. PCI DSS
  • Red team
    • Typically internal
    • A single compromise is a success
    • Ongoing
  • Blue team
    • Defense against the red team

SPECIAL SCOPING CONSIDERATIONS

  • Premerger
    • Part of due diligence prior to mergers
    • Used to harmonize security efforts
  • Supply chain
    • Partners often provide software and/or hardware to interface with an organization
    • Weaknesses in interfaces can provide unauthorized access

TARGET SELECTION

  • Targets
    • Internal (on-site vs. off-site)
    • External
    • First-party vs. third-party hosted
    • Physical
    • Users
    • SSIDs
    • Applications

QUICK REVIEW

  • Know whether your assessment is goal-based or objectives-based
  • Document any compliance requirements
  • Specify any external considerations that affect the scope
  • Identify the valid targets of your tests

posted @ 2020-07-21 20:43  晨风_Eric