What does a good penetration test consist of? Flashcards
1
Q
Activities that make up a good penetration test include:
A
- Defining the penetration test parameters
  - prevents the pen-tester from doing anything potentially damaging within the system.
  - protects the pen-tester by providing a legal agreement stating exactly what they are and are not allowed to do within the system (as long as they stick to the original arrangement, they're legally in the clear).
  - also helps from a technical standpoint: the test parameters clearly define which aspects of the system should be tested and how extensively those aspects should be tested.
- Engaging skilled penetration testers
  - make certain that whoever you sign on as a pen-tester knows what they're doing and has a good track record.
- Following a nondisclosure agreement
  - make certain that whoever you sign on as a pen-tester understands the severity of breaking their nondisclosure agreement, and make certain that they are unlikely to do so (again, check their track record; if they've broken a nondisclosure agreement in the past, consider an alternative).
  - (noted: breaking your nondisclosure agreement could have an absolutely abominable impact on your career)
- Selecting appropriate tests
  - find a cost-benefit ratio between more expensive and less expensive tests (don't pay for what you don't need).
- Using and following a methodology
  - going through an arrangement of previously defined steps makes the process, along with the documentation of the process, much easier.
  - Word of Ermin: testing the system for publicly known vulnerabilities should most often be your first step.
- Documenting the results of the test
  - this is arguably the most important step of the process. Without proper documentation, the company won't be able to benefit from the penetration test. Your employer will need to know what you did to break into their system and how they may be able to prevent anyone else from doing the same.
- Creating a final report
  - the amalgamation of all your documented work, plus your opinion on how the company might be able to benefit from the information you've provided.
  - it's generally not enough to just submit the report. You'll need to be present, and you'll need to be able to explain every point of the report you've provided.
  - you, your employer, and some members of your employer's IT department will have a meeting, and they will ask you as many questions about your report as they can think of in order to get as much information out of the transaction as possible (if they're serious about improving their system's security). So, for the sake of not looking like an absolute baboon for the duration of that meeting, you must always be deeply involved in the creation of your report and understand all the material held within it.