Read the book CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Page 76

Target considerations


When working on exploiting target systems, applications, and services, the considerations differ between a known-environment (white box) test and an unknown-environment (black box) test. With a known-environment test, the company will grant the pentester access to the system by allowing the pentester to pass through any security controls, but with an unknown-environment test, the pentester will need to figure out how to bypass the security controls as part of the pentest.

Here are some considerations to keep in mind when performing the pentest on the identified targets:

 Allow list (whitelisted) versus deny list (blacklisted): As a pentester, you can seek to have your system added to the allow list by security controls, which is also known as whitelisting a system, so that the system is not blocked when performing the assessment. If the pentester system is added to a deny list, which is also known as blacklisting a system, then the system is blocked by security controls, which can slow down the assessment dramatically.

 Security exceptions: You can add the pentester’s IP address or account to security exceptions within security controls so that the pentester is not blocked. For example, on a firewall you can add the pentester’s IP address to the firewall exception list so that the pentester’s traffic can pass through the firewall.

 IPS/WAF whitelist: You can add the pentester’s IP address to the whitelist on the intrusion prevention system (IPS) and the web application firewall (WAF) so that it is not blocked and the pentester can test the web application.

 NAC: The customer may have network access control (NAC) features implemented that only allow devices in a secure state to connect to the network. As a pentester, this could affect your ability to connect to the network and perform the pentest. You may have to be placed on an exception list so that you can access the network from your pentest system.

 Certificate pinning: Certificate pinning refers to the process of associating a host with the certificate it is expected to present, so that a client accepts only that certificate from the server. If the certificate comes from a different system, the communication session will not occur. You may need to disable certificate pinning on the network to allow communication.

 Company’s policies: You should review the company security policy to determine if there are any policies in place that would put limits on the actions the penetration testers can take.

 Technical constraints: Be aware of any technical constraints that may limit your capabilities to perform the penetration test. For example, there may be firewalls blocking your scans during discovery of targets or there may be network segments controlling communication.

 Environmental differences: When performing the penetration test, it is important to be aware of any differences in the environment, as any differences could change how the pentest tools respond. Be aware of export restrictions when it comes to crossing borders with any encrypted content and any other local and national government restrictions that may be in place with regard to encryption and penetration testing tools. When performing a pentest on large global companies, know that the laws are different in these different countries with regard to using pentest tools. Also, review any corporate policies so that you are aware of the pentesting rules.

 Special scoping considerations: There may be other special scoping considerations that may arise during the pre-engagement phase, such as premerger testing and supply chain testing considerations. Premerger testing refers to assessing the security of a business the company is going to acquire. Supply chain testing refers to assessing the security of a supplying company, or multiple supplying companies, before the customer does business with those companies.
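The certificate pinning item above describes a client-side check. The following Python sketch is an added example, not code from the book: it shows how a pinned client compares the presented certificate with a stored fingerprint and refuses anything else. The host names, the PINS table and the certificate byte strings are constructed placeholders.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """Base64-encoded SHA-256 digest of a DER-encoded certificate."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode()


def matches_pin(der_cert: bytes, pins: dict, host: str) -> bool:
    """True only if the presented certificate matches a pin stored for host."""
    presented = fingerprint(der_cert)
    # A host with no stored pins fails closed instead of being trusted.
    return any(hmac.compare_digest(presented, p) for p in pins.get(host, ()))


def connect_pinned(host: str, pins: dict, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS session and drop it if the server certificate is not pinned."""
    ctx = ssl.create_default_context()  # chain and hostname checks still run first
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    # The pin is checked in addition to CA validation, so a certificate that
    # chains to a trusted CA but comes from a different system is still refused.
    if not matches_pin(sock.getpeercert(binary_form=True), pins, host):
        sock.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pin")
    return sock


# Constructed stand-ins for DER certificate bytes (not real certificates).
EXPECTED_CERT = b"constructed-der-bytes: app.example.test server certificate"
OTHER_CERT = b"constructed-der-bytes: certificate from a different system"
PINS = {"app.example.test": [fingerprint(EXPECTED_CERT)]}


def demo() -> tuple:
    """Pinned cert accepted; different cert and unlisted host both rejected."""
    return (
        matches_pin(EXPECTED_CERT, PINS, "app.example.test"),
        matches_pin(OTHER_CERT, PINS, "app.example.test"),
        matches_pin(EXPECTED_CERT, PINS, "unlisted.example.test"),
    )


if __name__ == "__main__":
    print(demo())
```

Because the comparison lives in the client, whether pinning is in use and how it will be handled during the test is something to settle with the customer during scoping.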
