Pen testing scope advice

I am looking for a broad scope for penetration testing/vulnerability exercises in order to put out a tender for 6-monthly assessments of our network. Most 3rd parties seem to steer you towards the areas that should be included, but I was hoping for a more independent view on what types of areas are typically included in a thorough review, e.g. wireless, web apps, network devices, perimeter, build standards, end user equipment, telephony etc. I presume they will test as little or as much as you pay for, but some guidance on what is critical/desirable/of little value per category would be most helpful, so we know we are covering the critical areas at a bare minimum, in line with budget.

Any guidance on certifications of companies to look out for, as a marker of quality service, would also be useful.

Honestly, it really depends on you. Is your aim for things that are vulnerable from the outside, from the inside, or both? That becomes the very first question you'd have to answer.

From the outside, I'd be looking at scanning the perimeter (public IP addresses, along with any outside-accessible systems that might be in the DMZ). Not sure how you're leveraging outside vendors or cloud services, but I would surely include websites and things in my cloud, as well as web apps (be sure that you coordinate with any vendors whose systems may get wrapped up in the scope).

From the inside, obviously I'd want to check any databases (but you need to make sure the pentest they do is ideally one that won't modify any data; a good penetration tester should be able to tell you about their tests), servers, network devices, and so on. A great thing is that this may also help you identify any unauthorized systems on the network. A thing to consider is whether you want/require this to always be done by a third party, or if you eventually want your internal scans taken in house.

You might want to have your first test or two start with a smaller scope, and ramp up from there. Or even alternate between internal and external scans, so that you have one of each per year.

btan (Exec Consultant) commented:
The traditional approach to PT and VS is targeted at systems and infrastructure, which you can still include, and normally that is more for compliance's sake, to meet the regime's interval counts. Again, for such a long term, it is good to plan well and not make it just a one-off effort, as if this engagement proves good, your stakeholders may go with you for more such initiatives. But first you need to identify your objective; even though it can be a broad scope, be specific on the outcome and deliverables. For example, you may say the intent of this testing is to validate a proper baseline level of hygiene in:

a) infrastructure architecture (common services like your data centre, and extended sites)
b) critical service security posture (online asset eServices, and internal core business systems)
c) asset discovery & management system (architecture and security design)
d) identity, access & privileged management system (role-based access control & authorisation matrix)
e) key management system (mainly part of the PKI setup; validate its whole lifecycle SOP)
f) vendor management & control (close to (d), but also check the contractor VLAN, if any, and the rights granted)
g) vulnerability management system (mainly patch discovery and timeliness of completion)
h) application hosting platform (any form of internal portal and API interface across data exchanges)
i) mobility management system (in the form of mobile devices, smart devices like IoT, and cloud-based hosting)

Phase it out in terms of planning (0.5 month) to firm up the priority and scope, then go on to the preparation stage (1 month), which is document gathering and asset checks, onsite clarification based on the prep work (0.5 month), kick-start the testing in stages of coverage (1.5-2 months), summarise on closure of observations (0.5 month), and stage the various reports to management (1 month). You can keep the remainder as buffer, as it tends to take longer on the observations and on seeking management comments.

For the certification, you would check out CREST certified professionals or accredited companies.