Scope Vulnerabilities
SCHEDULING AND SCOPE CREEP
- Scheduling
- When can/should tests be run?
- Who should be notified?
- When must tests be completed?
- Scope creep - common in nearly all projects
- Client requests additional tasks after SOW is signed
- Many may seem "doable"
- Tasks resources away from core SOW tasks
- Must get authorization for any SOW modifications
THREAT ACTORS
-
Adversary tier - what role should the pen tester assume?
- APT (Advanced persistent threat)
- Script kiddies
- Hacktivist
- Insider threat
-
Capabilities
-
What resources does the attacker(s) have?
- Raspberry Pi 4:https://www.raspberrypi.org/
.png/1200px-Raspberry_Pi_3_B%2B_(39906369025).png)
-
Organized and sponsored attackers have more equipment and sophistication
-
-
Intent
- Power/revenge
- Status/validation
- Monetary gain
- Ideology
-
Threat model
- Gather information and identify assets
- Rank pertinent threats
- Map threats to assets
QUICK REVIEW
- Agree on days and times that are available for testing
- Develop a scope management plan and stick to it
- Assume an adversary role for tests
- Realistically determine the technical capabilities based on adversary role