Soft Skills - scoping, risk, reporting, engagement lifecycle Flashcards
list the phases of a penetration test lifecycle
Requirements elicitation
Scoping
Testing
Reporting
Remediation
What’s the difference between ‘whitebox’ and ‘blackbox’
Whitebox - you have credentials and full access to the target; you’re identifying findings within the application that could be exploited by an attacker with credentials, and without. This is the context from which most web application tests are conducted.
Blackbox - you start from nothing: you are an attacker with network access to the target, and you go from there. This is the format from which most network penetration tests are conducted.
list the phases of a basic methodology of a network penetration test
Port scan
Enumeration
Exploitation
Privilege Escalation
Loot
Cover Tracks
Describe the core elements to include when explaining a finding to a client
What is the impact
What is the likelihood
What is the fix - how much effort is it
What elements are used to describe the impact of a finding?
Confidentiality
Integrity
Availability
When debriefing a client, what elements should you include?
The findings that were identified
How they relate to the client’s objectives
What changes were made to the system (if any)
What are the benefits of penetration testing?
It emulates an attacker and shows you where the holes in your security are
It assists in compliance with standards and the law
Where is penetration testing not useful?
When the client doesn’t need it
When the client is not in a final state of development for a project
When the client’s concerns cannot be answered by penetration testing
What risks can penetration testing present?
DoS - Availability
Compromise of sensitive information - confidentiality
Modification of sensitive information - integrity
These can all have legal consequences for the client and for yourselves (e.g. the Human Rights Act, the Data Protection Act)
What should you do if a system stops responding during testing?
Stop operations against that host
Inform the client
Gather information on what was happening at that time
What impacts can DoS conditions have on an organisation?
Loss of income (if an ecommerce site goes down)
Loss of productivity (such as a very important fileshare)
SLA breaches - if it’s some kind of SaaS app
What are the 2 core elements in calculating the risk of an issue?
Impact
Likelihood
What are the potential issues associated with poor record keeping during a penetration test?
Being unable to ‘cover your ass’
- without records that you are doing the right thing, you may be blamed for doing the wrong thing
- without records you may be blamed for not completing tasks
- you may be accused of hacking under the CMA
Being unable to prove vulnerabilities
- sysadmins are bastards; you need proof
- you will also be unable to demonstrate your ‘l33tness’ to executives
- people respond to real impacts; without evidence you will be unable to impress upon readers the importance of your findings
- you will be unable to revisit issues, and your colleagues will be unable to audit your work for completeness or crapness