Читать книгу CompTIA PenTest+ Certification For Dummies - Glen E. Clarke - Страница 62

Impact analysis and remediation timelines

Оглавление

As discussed in “Disclaimers” earlier in this chapter, during the pre-engagement phase, it is critical that you communicate to the customer the risk or impact a penetration test can have on the company’s systems and the network. It is important that you try not to crash systems, and that you test all tools and techniques before using them on your customer’s systems, but in the end, the tools you are using are hacking tools, and they may have unexpected results in different environments. You must state that there is a risk to crashing a system or network in your contract, but stress during your discussions with the customer that you have tested the tools and will not intentionally try to crash systems.

You can minimize the risk by performing the penetration test on exact clones of the systems in a test environment. This environment could be a set of VMs that are exact copies of the production systems.

The penetration test report will include remediation steps that the customer needs to take to better secure their assets. It is critical that after the customer implements these fixes that the assets are retested to make sure the penetration test is not successful. Make sure you accommodate for this retesting in your budget estimate. It is also important to make sure you give a deadline on when the remediation steps need to be completed — and how long after report delivery retesting is covered in the price.

For the PenTest+ certification exam, remember that it is critical the pentest report contains remediation steps to better secure the asset. It is also important to specify a due date for when the remediation steps need to be completed if retesting is going to be performed.

CompTIA PenTest+ Certification For Dummies

Подняться наверх