Reading: Web Penetration Testing - Radhi Shatob - Page 11
Planning Penetration Testing
Once a penetration tester (pen-tester) gains approval to perform a penetration test, a great deal of thought and consideration is needed. Poor planning of a penetration test can have serious consequences for the network and systems, causing unwanted business disruption that may lead to permanent harm. The planning of a pen-test is divided into four steps:
Identifying the Pentest purpose
The first step in planning a pen-test is identifying the customer's needs (the customer is the owner of the IT system). The customer's basic need is to identify the weaknesses in its information systems and take measures before a real attack occurs, but here we should choose the methods and targets according to the topics the customer is most sensitive about, for example:
Who is the most important threat to the customer, an insider (an employee of the company) or an outsider?
What is the most important asset that the customer wants to protect?
What could an insider threat do to the IT infrastructure?
Is it possible to extract plaintext data from the customer's database?
Scope of Penetration Testing
There are different areas of the IT systems that may be subject to a pen-test. The customer decides the scope of the pen-test and what should be tested, under the guidance of the pen-tester. Some of the areas that the pen-tester should go through and agree with the customer on as part of the pen-test are:
External (Internet-facing) network.
Internal network.
Web applications.
Servers.
Network devices.
Database management systems.
Applications.
Social engineering.
DDoS.
Physical security.
And more, depending on the customer's environment.
Requirements
Pen-test requirements are the preparations that need to be made before the test starts. Both the pen-tester and the company should be prepared for the pen-test. On the pen-tester's side:
Hardware (laptop, external Servers, external disks, USB sticks, wireless cards, etc.)
Software Tools.
The customer should have the following in place before the pen-test:
A monitoring solution to detect the attack (this also lets the customer tell the pen-tester's activity apart from a real intrusion during the engagement).
Backups: since a pen-test carries some risk, a backup of critical systems should be taken prior to the pen-test.
An emergency response plan: the customer should be ready for a service interruption.
Restrictions
A pen-tester may act freely in the system during the pen-test only under a written agreement in which the customer defines the rules of engagement and the restrictions, and after the pen-tester has signed a Non-Disclosure Agreement (NDA). Anything not covered by that agreement is out of bounds, however tempting it looks during the test.
The rules of engagement are:
Scope.
Total Duration.
Attack times (during business hours or outside business hours).
Methods (e.g. no DDoS against DBMS systems).
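The scope and rules-of-engagement items above are easy to agree on paper and easy to violate by accident once scanners are running. The following is an added example (not code from the book) of a pre-flight check that a tester's tooling can call before each action: it refuses targets outside the agreed networks and domains or on the exclusion list, refuses actions outside the total duration or the daily attack window, and refuses methods the customer forbade against a given asset class. The RoE structure, field names and the sample engagement values are assumptions made for illustration.

```python
"""Pre-flight check of a planned test action against the rules of engagement.

Added example. The RulesOfEngagement fields and the SAMPLE_ROE values below are
assumptions chosen to mirror the four rules in the chapter (scope, total
duration, attack times, methods); they are not taken from any real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope_networks: list[str]          # CIDR ranges agreed with the customer
    in_scope_domains: list[str]           # domains (and their subdomains) in scope
    excluded_hosts: list[str]             # never touched, even inside a scope range
    start: datetime                       # total duration of the engagement
    end: datetime
    attack_window: tuple[time, time]      # daily (from, to); may wrap midnight
    forbidden_methods: dict[str, set[str]]  # method -> asset classes it must not hit


def in_scope(roe: RulesOfEngagement, target: str) -> bool:
    """True if target (IP or hostname) is inside the agreed scope and not excluded."""
    target = target.strip().lower()
    if target in (h.lower() for h in roe.excluded_hosts):
        return False
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP: accept an in-scope domain itself or any subdomain of it.
        return any(target == d or target.endswith("." + d) for d in roe.in_scope_domains)
    return any(addr in ipaddress.ip_network(net) for net in roe.in_scope_networks)


def within_attack_window(roe: RulesOfEngagement, when: datetime) -> bool:
    """True if `when` lies inside the engagement duration and the daily window."""
    if not (roe.start <= when <= roe.end):
        return False
    lo, hi = roe.attack_window
    t = when.time()
    if lo <= hi:
        return lo <= t <= hi
    return t >= lo or t <= hi  # window wraps midnight, e.g. 22:00 to 06:00


def method_allowed(roe: RulesOfEngagement, method: str, asset_class: str) -> bool:
    """True unless the customer forbade this method against this asset class."""
    return asset_class not in roe.forbidden_methods.get(method, set())


def check_action(roe: RulesOfEngagement, target: str, asset_class: str,
                 method: str, when: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for one planned action; checks run in RoE order."""
    if not in_scope(roe, target):
        return False, f"{target} is out of scope"
    if not within_attack_window(roe, when):
        return False, f"{when.isoformat()} is outside the agreed attack times"
    if not method_allowed(roe, method, asset_class):
        return False, f"{method} is not permitted against {asset_class} systems"
    return True, "ok"


# Constructed sample engagement: one /24, one domain, one excluded host,
# a five-day duration, a night-time window and a "no DDoS on DBMS" rule.
SAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=["203.0.113.0/24"],
    in_scope_domains=["example.test"],
    excluded_hosts=["203.0.113.5"],
    start=datetime(2024, 3, 4, 0, 0),
    end=datetime(2024, 3, 8, 23, 59),
    attack_window=(time(22, 0), time(6, 0)),
    forbidden_methods={"ddos": {"dbms"}},
)

if __name__ == "__main__":
    for args in [
        ("203.0.113.10", "web", "scan", datetime(2024, 3, 5, 23, 0)),
        ("203.0.113.5", "web", "scan", datetime(2024, 3, 5, 23, 0)),
        ("db1.example.test", "dbms", "ddos", datetime(2024, 3, 5, 2, 0)),
        ("www.example.test", "web", "scan", datetime(2024, 3, 5, 14, 0)),
    ]:
        print(args[0], check_action(SAMPLE_ROE, *args))
```

Wire `check_action` in front of anything that sends traffic, and log every refusal: a refused action is exactly the evidence you want if the customer later asks whether the excluded host was touched.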