My work at Raxis has allowed me to work with people from companies of all sizes in several industries to scope their best penetration test. Many factors come into play, from budgets and politics to compliance and legal issues.
When you reach out to Raxis for a penetration test, we’re happy to work with you to find the best scope for your specific needs. In today’s blog, I discuss a number of common factors we discuss on those calls.
Defining Your Objectives
We always recommend that our customers start with this step. If your penetration test will be used as a step towards compliance, whether PCI, HIPAA, SOC 2 or others, it’s key to be sure that the scope covers those needs.
Though that often seems daunting, most compliance requirements allow for limiting budgets through specific scoped assets. Each framework is very specific on requirements, and our team works with customers filling these needs daily. We’d be happy to help with this step.
Identifying Assets
While this may sound like the easiest step, we’ve worked with organizations that are unsure of the extent of their assets. Whether key team members left the organization or systems haven’t been documented for extended periods, we can scope asset discovery into your test if needed. In such cases, we often include a verification step where your tester sends you the discovered assets for you to check and approve before vulnerability testing and exploitation is attempted.
For initial scoping, you don’t need an exact asset count, but you do want an idea of the range:
- External Network
- How many active external IPs do you have?
- How many have critical systems?
- Internal Network
- Do you have specific IP ranges that you know are critical? Server subnets, employee desktop subnets, telephonic subnets?
- Do you plan to use large ranges and request the penetration test includes discovery? If so, having an idea of the number of active hosts is helpful for scoping.
- Do you plan to include segmentation testing? Some compliance, such as PCI, may require this.
- Wireless Network
- How many internal SSIDs do you have?
- Do you have a guest network?
- Web & Mobile Applications and APIs
- Is this a SaaS product used by customers? A simple app with no login? A customer-created login that does not require verification?
- Do users login? How many roles are there (admin, data-entry user, read-only, etc?)
- Is sensitive data displayed or edited via the app?
- Cloud Infrastructure
- What cloud environment(s) do you plan to test (Amazon AWS, Microsoft Azure, Google Cloud, Cloudflare, Akamai, etc)?
- Which cloud assets are you looking to test? Servers, databases, storage, networks, applications, APIs?
- Is your cloud deployment model public, private, or hybrid?
Defining Methodologies and Constraints
We often have new customers reach out to us about one type of test (say a web application penetration test) and, after discussing with us, realize they actually need an entirely different test (in this case, often an external network penetration test). That’s why we’re here to help.
Once you’ve gathered information to identify the assets above, our team would be happy to discuss and help you decide the best test for you, whether one of those listed above, a hybrid combination test, or a specialized service that meets your specific requirements.
Next, we’ll think about the methodologies used for testing.
- Black Box
- No information is provided by the client: no IP addresses, applications, or system descriptions
- The most realistic form of penetration testing
- Valid approach for companies wanting to better understand what an outside attacker can find
- Not very useful for compliance pentesting, such as PCI
- Gray Box
- The customer provides partial details of the in-scope assets, typically an IP range
- Common in PCI pentesting or when customers want to maximize testing time by bypassing discovery efforts
- White Box
- The customer provides full details of the network and applications deemed in scope
- Also common in PCI pentesting
Each of these (or a combination) are valid options. The best choice is specific to your organization’s needs, and we’re happy to walk you through the benefits of each.
Establish the Rules of the Engagement
While our contracts lay out terms that ensure the security of your systems is a priority throughout testing, you may have special needs for specific systems as well. Our team is happy to work with you to be sure that any special rules are in place during your test.
A few things to consider:
- Identify systems that require special care: While our testers always take care not to bring systems down during testing, older or unpatched systems or misconfigurations could lead to issues our testers may not expect. If they discover possible exploits on those systems, they can work with you to decide if further testing should be performed.
- Outline communications: Our pentesters send updates daily through Raxis One and contact primary customer contacts immediately if critical issues that should be corrected immediately are found.
- Decide testing hours: Our tests are usually performed during business hours. If special hours are required, that may add costs to your test, but our team is happy to perform specific tests on sensitive systems off hours, and we can help you find the best hybrid option to stay within your budget.
In Conclusion
Proper scoping is essential for a successful penetration test, but it can also be daunting. Following these guidelines can ensure that your test is focused, comprehensive, and aligned with your organization’s security objectives, allowing your team to gain meaningful insights into your security posture.
Reach out to our team today if you’d like to know more.
