pen testing scopes advice

I am looking for a broad scope on penetration testing/vulnerability exercises to engage a tender for 6-monthly assessments of our network. Most 3rd parties seem to steer you on the areas that should be included, but I was hoping for a more independent view on what type of areas are typically included for a thorough review, e.g. wireless, web apps, network devices, perimeter, build standards, end user equipment, telephony etc? I presume they will test as little or as much as you pay for, but some guidance on critical/desirable/little value per category would be most helpful so we know we are covering the critical areas at bare minimum, in line with budget.

Also, any guidance on certifications of companies to look out for as a marker of quality service would be useful.
pma111 asked:
masnrock commented:
Honestly, it really depends on you. Is your aim for things that are vulnerable from the outside, from the inside, or both? That becomes the very first question you'd have to answer.

From the outside, I'd be looking at scanning the perimeter (so public IP addresses, along with any outside-accessible systems that might be in the DMZ). Not sure how you're leveraging outside vendors or cloud services, but I would surely include websites and things in my cloud, as well as web apps (be sure that you coordinate with any vendors whose systems may get wrapped up in the scope).

From the inside, obviously I'd want to check any databases (but you need to make sure the pentest they do is ideally one that won't modify any data; a good penetration tester should be able to tell you about their tests), servers, network devices, and so on. The great thing is this also may help you identify any unauthorized systems on the network. A thing to consider is whether you want/require this to always be done by a third party, or if you eventually want your internal scans taken in house.

You might want to have your first test or two start with a smaller scope, and ramp up from there. Or even alternate between internal and external scans, so that you have one of each per year.
btan (Exec Consultant) commented:
The traditional approach to PT and VS is targeted at systems and infrastructure, which you can still include; normally that is more for compliance's sake, to meet the regime's interval counts. Then again, for such a long term, it is good to plan well and not make it just a one-off effort, as if this engagement proves good, your stakeholders may go with you for more such initiatives. But first you need to identify your objective; even though it can be a broad scope, be specific on the outcome and deliverables. For example, you may say the intent of this testing is to validate the baseline proper level of hygiene of:

a) infrastructure architecture (common services like your data centre, and extended site)
b) critical service security posture (online asset eServices, and internal core business system)
c) asset discovery & management system (architecture and security design)
d) Identity Access & privileged management system (role based access control & authorisation matrix)
e) Key management System (mainly part of the PKI setup and validate its whole lifecycle SOP)
f) Vendor management & control (close to (d) but check also the contractor VLAN if any and rights granted)
g) Vulnerability management system (mainly on the patch discovery and timeliness to complete)
h) application hosting platform (any form of internal portal and API interface across data exchange)
i) mobility management system (in the form of mobile device, smart device like IoT and cloud based hosting)

Phase it out in terms of planning (0.5 mth) to firm up the priority and scope, go on to the preparation (1 mth) stage, which is document gathering and asset checks, then onsite clarification based on the prep work (0.5 mth), kick-start the testing in stages of coverage (1.5-2 mth), summarise on closure of observations (0.5 mth) and stage the various reports to management (1 mth). You can keep the remainder as buffer, as it tends to take longer on the observations and seeking management comments.

For the certification, you would check out CREST certified professionals or accredited companies:
http://www.crest-approved.org/