Penetration Test - Planning and Scoping (9)

Project Strategy and Risk

CONSIDERATIONS
  • White-listed (allow list, default deny)
    • No one can access resources unless specifically granted
    • Tester traffic is dropped unless the tester's source addresses are added to the list
  • Black-listed (block list, default allow)
    • Everyone can access unless specifically blocked
    • Tester traffic flows until a control notices it and adds the tester to the block list
  • Security exceptions the test may need (agree on them, and when they expire, before testing starts)
    • IPS (Intrusion Prevention System)/WAF (Web Application Firewall) whitelist for the tester's source addresses, so scans are not silently blocked and results reflect the target rather than the filter
    • NAC (Network Access Control), so unmanaged tester devices are allowed onto the network
    • Certificate pinning (public key pinning), which blocks an interception proxy unless a test build with pinning disabled is provided
  • Explore company policies to learn about security considerations
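The difference between the two list models, and how an engagement-scoped exception fits into each, as an added example that is not part of the original notes. It models an allow-list control (default deny) and a block-list control (default allow) as simple policies and adds a time-bounded exception for the tester's source range; the address ranges, dates and ticket reference are constructed for illustration.

```python
"""Allow-list vs block-list decisions with a time-bounded pentest exception.

Added example, not from the original notes. All networks, dates and the
change ticket below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class EngagementException:
    """A temporary entry for the tester, valid only during the agreed test window."""
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    not_before: datetime
    not_after: datetime
    ticket: str  # change record that authorised the exception (constructed)

    def covers(self, ip: ipaddress.IPv4Address | ipaddress.IPv6Address,
               when: datetime) -> bool:
        return ip in self.network and self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class Policy:
    mode: str               # "allowlist" (default deny) or "blocklist" (default allow)
    entries: tuple          # networks listed explicitly
    exceptions: tuple = ()  # engagement-scoped exceptions for the tester

    def decide(self, source: str, when: datetime) -> str:
        ip = ipaddress.ip_address(source)
        listed = any(ip in net for net in self.entries)
        excepted = any(exc.covers(ip, when) for exc in self.exceptions)
        if self.mode == "allowlist":
            # Default deny: only listed networks or an active exception get through.
            return "allow" if (listed or excepted) else "deny"
        if self.mode == "blocklist":
            # Default allow: everything passes unless it is on the block list,
            # and an active exception stops the tester from being blocked.
            return "deny" if (listed and not excepted) else "allow"
        raise ValueError(f"unknown mode {self.mode!r}")


# Constructed engagement data: tester scans from 203.0.113.0/24 (a documentation
# range) during a one-week window; the corporate allow list is 10.0.0.0/8.
WINDOW_START = datetime(2024, 3, 4, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 8, 23, 59, tzinfo=timezone.utc)
TESTER_EXCEPTION = EngagementException(
    network=ipaddress.ip_network("203.0.113.0/24"),
    not_before=WINDOW_START,
    not_after=WINDOW_END,
    ticket="CHG-0000 (constructed)",
)

# Allow-list control (e.g. a perimeter ACL): nothing outside 10/8 is reachable
# unless the tester exception is active.
ALLOWLIST = Policy("allowlist", (ipaddress.ip_network("10.0.0.0/8"),),
                   (TESTER_EXCEPTION,))

# Block-list control (e.g. an IPS that has already blocked the scanner range):
# the same exception keeps the tester from being dropped during the window.
BLOCKLIST = Policy("blocklist", (ipaddress.ip_network("203.0.113.0/24"),),
                   (TESTER_EXCEPTION,))


def decisions() -> dict:
    """Decisions for an internal host, the tester during and after the window,
    and an unrelated external address, under both list models."""
    in_window = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
    after_window = datetime(2024, 3, 9, 10, 0, tzinfo=timezone.utc)
    return {
        "allowlist/internal": ALLOWLIST.decide("10.1.2.3", in_window),
        "allowlist/tester/in_window": ALLOWLIST.decide("203.0.113.7", in_window),
        "allowlist/tester/after_window": ALLOWLIST.decide("203.0.113.7", after_window),
        "allowlist/other": ALLOWLIST.decide("198.51.100.5", in_window),
        "blocklist/tester/in_window": BLOCKLIST.decide("203.0.113.7", in_window),
        "blocklist/tester/after_window": BLOCKLIST.decide("203.0.113.7", after_window),
        "blocklist/other": BLOCKLIST.decide("198.51.100.5", in_window),
    }


if __name__ == "__main__":
    for key, verdict in decisions().items():
        print(f"{key:32} {verdict}")
```

The point to take from it: under an allow list the tester gets nothing until the exception exists, under a block list the tester gets everything until a control reacts, and in both cases the exception should carry an expiry so the scoping decision does not outlive the engagement.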
Black-Box Penetration Testing
  • Zero prior knowledge
  • Most closely matches what a real attacker sees
  • Generally a surprise to internal personnel
White-Box Penetration Testing
  • Full access to internal information
Grey-Box Penetration Testing
  • Some internal information available
Risk Acceptance
  • Pen tests can be risky
    • Service can be interrupted
    • Devices/servers can become unresponsive
  • How much risk is the client willing to accept?
    • The client has identified risks
    • Acceptance: willing to accept risks, based on likelihood and impact.
  • Tolerance to impact
    • If a risk is realized, what is the client's tolerance to the result?
    • How much disruption is tolerable?
QUICK REVIEW
  • Consider whether your tests are a black box, white box, or grey box
  • Discuss risk acceptance with your client
  • Agree on the tolerance to impact if tests affect the client's environment


Reposted from www.cnblogs.com/keepmoving1113/p/13387385.html