Penetration Testing Scope Discovery

1Cyber and its subcontractors adhere to the PTES penetration testing methodology and code of ethics. Each analyst performing these tests will be a certified security practitioner holding at least one of the following certifications: Certified Information Systems Security Professional (CISSP) or Offensive Security Certified Professional (OSCP).

Penetration tests vary widely, from scanning a single application for known vulnerabilities to far-reaching tests where no vulnerability information is provided and every system and network is in scope. Additionally, a penetration test can go as far as gaining control of the system by any means (aggressive), or it can simply illustrate that it “could” be done by “taking these next steps”, without actually taking those steps.

Scoping Questionnaire for Penetration Testing

1. What is the business requirement for this penetration test?

   1. Is this required by a regulatory audit or standard?
   2. Is this a proactive internal decision to determine all weaknesses?

   For example, is the driver for this to comply with an audit requirement, or are you seeking to proactively evaluate the security in your environment?

2. Will this be a white box test or a black box test?

   1. White box can best be described as a test where specific information has been provided in order to focus the effort.
   2. Black box can best be described as a test where no information is provided by the client and the approach is left entirely to the penetration tester (analyst) to determine a means for exploitation.

3. How many IP addresses and/or applications are included as in-scope for this testing?

   Please provide an exact listing to avoid attacking out-of-scope systems.

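As an added illustration of why the exact listing matters, the following pre-flight scope check refuses any target that is not covered by the agreed listing before any testing tool is pointed at it. This is example code written for this page, not 1Cyber's tooling or part of the questionnaire; the in-scope ranges, the excluded carve-out and the hostnames are constructed sample values taken from the documentation address ranges (RFC 5737 and RFC 3849), and the hostname rule assumes the rules of engagement list names explicitly rather than relying on DNS resolution.

```python
"""Pre-flight scope check: refuse any target that is not on the agreed listing.

Added example for this page; the ranges and names below are constructed sample
values (RFC 5737 / RFC 3849 documentation addresses), not a real engagement.
"""
import ipaddress

# Constructed rules-of-engagement listing (hypothetical values).
IN_SCOPE = ["192.0.2.0/24", "198.51.100.10", "2001:db8:10::/48"]
# Carve-out inside an in-scope range, e.g. a shared database pair the client excluded.
EXCLUDED = ["192.0.2.250/31"]
# Hostnames are accepted only when listed explicitly; nothing is resolved via DNS here,
# because a name that resolves to an unlisted address must not silently widen the scope.
IN_SCOPE_HOSTS = {"app.example.test", "portal.example.test"}


def parse_networks(entries):
    """Turn CIDR strings or single addresses into network objects.

    A bare address becomes a /32 or /128, so hosts and ranges share one code path.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_target(target, in_scope, excluded, hosts):
    """Return 'in-scope', 'excluded' or 'out-of-scope' for one target string."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an address or range: treat it as a hostname and require an explicit listing.
        return "in-scope" if target.lower() in hosts else "out-of-scope"
    # Conservative rule: a range that touches a carve-out is refused as a whole,
    # so the analyst has to split it rather than sweep the excluded hosts by accident.
    # overlaps() simply returns False across IP versions, so no guard is needed here.
    if any(net.overlaps(ex) for ex in excluded):
        return "excluded"
    # subnet_of() raises TypeError across IP versions, hence the version guard.
    if any(net.version == ok.version and net.subnet_of(ok) for ok in in_scope):
        return "in-scope"
    return "out-of-scope"


def validate_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED, hosts=IN_SCOPE_HOSTS):
    """Classify every non-empty target line; returns {target: status}."""
    allowed = parse_networks(in_scope)
    carved_out = parse_networks(excluded)
    report = {}
    for raw in targets:
        target = raw.strip()
        if not target or target.startswith("#"):
            continue  # skip blank lines and comments in a target file
        report[target] = classify_target(target, allowed, carved_out, hosts)
    return report


def approved_targets(targets, **kwargs):
    """Only the targets that may be tested; everything else goes back to the client for clarification."""
    return [t for t, status in validate_targets(targets, **kwargs).items() if status == "in-scope"]


if __name__ == "__main__":
    # Constructed sample target list, as an analyst might receive it from the client.
    sample = [
        "192.0.2.17", "192.0.2.0/28", "192.0.2.250", "203.0.113.5",
        "2001:db8:10::1", "app.example.test", "wiki.example.test", "",
    ]
    for target, status in validate_targets(sample).items():
        print(f"{target:24} {status}")
```

Anything reported as "excluded" or "out-of-scope" is a question for the client, not a judgement call for the analyst: the whole point of the exact listing is that ambiguity is resolved in writing before testing starts, not at the keyboard.
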
4. What are the objectives?

   1. Map out vulnerabilities.
   2. Demonstrate that the vulnerabilities exist.
   3. Test the incident response.
   4. Actual exploitation of a vulnerability in a network, system, or application: obtain privileged access, exploit buffer overflows, SQL injection attacks, etc. This level of test carries out the exploitation of a weakness and can impact system availability.
   5. All of the above.

5. What is the "target" of the penetration test?

   1. Internal application(s).
   2. External application(s).
   3. Internal website(s).
   4. External website(s).
   5. Internal network.
   6. External network.
   7. Source code review.
   8. All of the above.

6. What protocol should be followed for alerting on vulnerabilities found?

   1. Wait until the end of the testing to report all vulnerabilities.
   2. Report vulnerabilities as we find them.
   3. Daily report on the status of the testing.
   4. Report only critical findings immediately.

7. Will this testing be done on a Production, UAT or DEV environment?

   Essentially, this is an official and authorised request to hack the requested systems. Although we will refrain from impacting the system as much as possible, you need to understand that certain exploitation of vulnerabilities to determine and/or prove a weakness could crash your system or cause it to reboot.

   1Cyber is not liable for downtime caused by proving the system’s weakness to attack.

8. Are key stakeholders (business owners) aware that the nature of a pen test is to attack the system as a hacker (or hostile actor) would, in order to learn and prove the system’s weakness?

   Do ensure that all systems are backed up and that restoration has been tested prior to scheduling the penetration test activity to begin.

   Do you accept the risk?

9. At what time do you want these tests to be performed?

   1. During business hours.
   2. After business hours.
   3. Weekend hours.
   4. During a system maintenance window.
   5. Anytime.