Читать книгу CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Страница 87

This chapter highlights a number of important points to remember when planning and scoping the penetration test. Following is a quick review of some of the key points from this chapter:

 Ensure you receive written authorization to perform the penetration test by a signing authority for the company.

 Know the different types of contracts you may encounter, such as a SOW, NDA, and MSA.

 Ensure you include a disclaimer in the contract with the customer that states the risk of performing a penetration test. It is possible that the tools used could crash a system or network and cause downtime with the company asset.

 Ensure you have a clear scope for the penetration test. Include the target IP addresses (both internal and external), a list of the wired and wireless networks and applications to test, and determine whether social engineering is to be performed and whether you are performing an assessment of physical security.

 Clearly define the communication path to follow when performing the assessment. Who is the pentest team allowed to communicate the details of the pentest with? Also, be clear that additional assets discovered during the assessment may increase the time and cost of the assessment if the newly discovered asset is to be evaluated as well.

 If the organization is performing the assessment for compliance reasons, read up on the requirements of the compliance-based assessment to ensure you follow all goals and requirements.