One important and often overlooked step in the penetration testing process is the pre-engagement interactions with the client. Preparation is key for every PenTest activity and neglecting to properly complete the pre-engagement activities may lead to problems like scope-creep or legal troubles.
The client and the tester should meet in order to understand the associated risks, the organizational culture and decide on the best strategy to be followed.
It has to be made clear for the benefit of both parties, the customer and the tester, the reason for the penetration test. There are many occurrences where the customer will not know what exactly needs to be tested or what the expectations of the test should be.
Scoping always helps to manage expectations.
What drives the need for a PenTest? Is there a business or a compliance requirement? Hopefully a security oriented culture or a CEO who understands technology and want the highest level of assurance that his information, and thus his business, is safe from hackers.
DEFINE SCOPE AND TIMELINE
An agreement must be made to define the type of the test and share the relevant information.
Will the test be internal, external, or both?
Generally, internal resources require more extensive testing which means more time and effort for the tester.
The scope for an internal test is larger and more complex and needs more clarification from the business.
External PenTests are usually faster in completion because there are fewer resources exposed on the internet than internally.
What will the knowledge of the tester for the infrastructure and its applications be? The amount of information you give the tester will define the color of the “hat” (Black, Grey, White) he/she will be wearing during the test.
ASSETS, PRACTICES AND COMMUNICATION
During the initial meetings, the customer will need to verify that all assets which will be tested belong to him.
The IPs and/or web applications to be tested must be defined along with the time in which the active portions of the tests will be taken.
Actions like brute-forcing and enumerating can cause service degredation or systems downtime and harm the business.
If it is probable that any actions can cause service downtime, then those must be agreed to be taken after business hours or maybe on weekends.
Networks, specific IPs, or Applications can be explicitly excluded from the test because of their importance if the business cannot afford any downtime or corruption of the services and data behind them.
Communication is of vast importance during a PenTest. Emergencies are likely to arise and the point of contact must be established in order to handle them.
AGREED UPON TIME
Depending on the amount and types of assets to be tested, an estimation of the total time the penetration test will last should be made. Like any other project, Penetration Tests should have a definite start and end date. This is towards the benefit of the customer as well as the client. Both know what and when is expected of them in order to calculate the number of working hours to be billed.
HOW TO TREAT A COMPROMISED MACHINE
In the case that the tester successfully compromises a machine, what are the allowed actions from there on? Are there any limitations on the actions of the tester, are there any boundaries the pentester should not cross?
- Is further scan from within the machine allowed?
- Is privilege escalation allowed?
- Is brute force attacks allowed on the machine or on other connected machines/applications?
- Can the tester access all data possible or are some types of data too sensitive and out of reach?
There are cases where a business will not want to further tamper with a compromised machine for confidentiality reasons.
PERMISSION TO TEST
One of the most important documents which need to be obtained for a penetration test is the Permission to Test document. This document states the scope and contains a signature which acknowledges awareness of the activities of the testers. Further, it should clearly state that testing can lead to system instability and all due care will be given by the tester to not crash systems in the process. However, because testing can lead to instability the customer shall not hold the tester liable for any system instability or crashes. It is critical that testing does not begin until this document is signed by the customer.
In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document.
IS EVERY BUSINESS READY FOR A PENTEST?
There are a number of organizations that choose to jump directly into a penetration test first assessing this maturity level. For customers with a very immature security program, it is often a good idea to perform a vulnerability analysis first.
Also, many consider the Black-Box testing most appropriate because it can simulate a real attack better. A full or partial White-Box testing may bring more value to a company as it can reveal and solve more problems which may not be visible from a Black-Box testing.
Good penetration tests do not simply check for unpatched systems. They also test the capabilities of the target organization.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.