Techno Savvy
Internal Pen Testing

My company hired a third-party company to carry out the black box internal pen testing.


The testing will be conducted offsite, and we plan to provide the team with VPN access and a jump host. 

Is it required to conduct a vendor risk assessment against the third party providing the service?


Any suggestions or best practices for this type of situation would be greatly appreciated!


Thanks in advance for your insights!

ASKER CERTIFIED SOLUTION
btan

SOLUTION
Techno Savvy

ASKER
Thank you Madunix and btan.


By doing this test, we want to hunt down as many vulnerabilities as possible. Through this black box testing, we will provide everything we can, such as IP address information for all the devices and apps that are part of the scope.


We will limit the access to the systems that need to be tested but do we need to open all ports through the firewall? Please guide.

madunix

Q: do we need to open all ports through the firewall?

A: No

  

Opening all ports through the firewall for the test duration is not generally recommended. Doing so might allow you to identify potential vulnerabilities but can expose your systems to unnecessary risk. Even though a penetration test is a controlled activity, the security measures in place (like FW/NG FW) should still operate normally to simulate real-world conditions as closely as possible.

 

Instead, your penetration testers should aim to identify open ports as part of their test, using techniques like port scanning. This would give you a more accurate understanding of your vulnerabilities from an outsider's perspective.

In fact, to hunt down as many vulnerabilities as possible, black box is not the most ideal. You may even have to consider white box or grey box testing to expose the backend code. Front-end code is not the only avenue to pentest, but the impact is greatest from gaps in the backend servers.


Agree with the expert; opening all ports is not advised. Typically the pentester will surface the excessive open ports, especially high or unknown ones, which will be closed as a follow-up action if not justified. The gap via even a well-known port, like 443 or 80, is where an attack can come in. In any case, to go deeper, you should consider an app test account to allow the tester to penetrate deeper as it gains access and attempts privilege escalation and lateral movement to the crown jewels. The rules of engagement should draw the boundary so as not to bring down the services.
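The following is an added example, not code posted by anyone in this thread. It models the advice above as a firewall policy for the VPN-plus-jump-host setup the asker describes: the weak "open everything for the test" rule beside a default-deny rule that lets only the testers' jump host reach the in-scope hosts (leaving the hosts' normal exposure for the testers to discover by scanning), an nftables rendering of the scoped policy, a need-to-know handout that lists addresses without descriptions, and the follow-up triage btan mentions, flagging open ports that no documented service justifies. The jump-host address, the internal range, the justified port sets and the sample scan result are all constructed placeholders; the three scope addresses and labels come from the asker's later list.

```python
"""Scope-limited access policy for an internal pentest run over VPN + jump host.

Added example (not from the thread). Everything below except the three scope
addresses and their labels is a constructed placeholder.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address

# Hypothetical jump host the third-party testers land on after the VPN.
JUMP_HOST = IPv4("10.99.0.10")

# Hypothetical internal range that an "open all ports" rule would expose.
INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")

# In-scope hosts. Labels stay with the engagement owner; the tester handout
# below omits them. "justified_tcp" is the owner's list of documented services
# (assumed values), used only for post-test triage, not for filtering.
SCOPE = {
    IPv4("10.1.1.1"): {"label": "Domain Controller", "justified_tcp": {88, 389, 445, 636}},
    IPv4("10.1.1.2"): {"label": "Oracle Business Suite DB", "justified_tcp": {1521}},
    IPv4("10.1.1.3"): {"label": "Oracle Business Suite Application", "justified_tcp": {80, 443}},
}


def open_all_allows(src: str, dst: str) -> bool:
    """The weak setting the thread advises against: any VPN client may reach
    any internal host on any port for the duration of the test."""
    return ipaddress.ip_address(dst) in INTERNAL_NET


def scoped_allows(src: str, dst: str) -> bool:
    """Default-deny rule of engagement: only the jump host, only in-scope hosts.
    Ports are deliberately not filtered here, so the firewall keeps operating
    normally and the testers still have to find open ports themselves."""
    return ipaddress.ip_address(src) == JUMP_HOST and ipaddress.ip_address(dst) in SCOPE


def render_nft_ruleset() -> str:
    """nftables text for the scoped policy: accept jump-host -> scope traffic,
    log and drop everything else crossing the forward hook."""
    lines = [
        "table inet pentest {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for host in sorted(SCOPE):
        lines.append(f"    ip saddr {JUMP_HOST} ip daddr {host} accept")
    lines += ['    log prefix "pentest-denied: " drop', "  }", "}"]
    return "\n".join(lines)


def tester_scope_view() -> list:
    """Need-to-know handout for the testers: addresses only, no descriptions."""
    return [str(h) for h in sorted(SCOPE)]


def unjustified_ports(findings: dict) -> dict:
    """Follow-up triage: open ports reported by the testers that no documented
    service on that host justifies. `findings` maps host -> set of open ports."""
    result = {}
    for host, ports in findings.items():
        entry = SCOPE.get(ipaddress.ip_address(host))
        justified = entry["justified_tcp"] if entry else set()
        extra = set(ports) - justified
        if extra:
            result[host] = extra
    return result


# Constructed scan result of the kind a tester might report (not real data).
SAMPLE_FINDINGS = {
    "10.1.1.1": {88, 389, 445, 636, 3389},
    "10.1.1.2": {1521, 22},
    "10.1.1.3": {80, 443},
}

if __name__ == "__main__":
    print(render_nft_ruleset())
    print("handout:", tester_scope_view())
    print("to justify or close:", unjustified_ports(SAMPLE_FINDINGS))
```

The scoped policy answers the asker's firewall question directly: the jump host is the only source that can reach scope, out-of-scope hosts stay unreachable, and nothing in the policy pre-announces which ports are listening. The `unjustified_ports` step is what the engagement owner runs after the report arrives, turning btan's "close if not justified" into a concrete list.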

"blackbox is not the most ideal. You may even have to consider whitebox or grey box to expose..."

I agree with the expert.

If you aim to identify as many vulnerabilities as possible, you might consider a different approach, like a Gray Box Penetration Test. In a Gray Box test, you provide the testers with more information about your systems (like system architecture, source code, or access credentials). This approach allows them to thoroughly examine your systems more than a Black Box test alone.

Last question, when providing the IP information of internal servers and network devices, should we include a description of each server or device along with its actual purpose? 

SOLUTION

I feel there is no need, unless it is to dispute a false positive or a misrepresentation in the findings for management reading. In any case, give them the IP addresses and whitelist their scanner. The rule of thumb is to adopt a "need to know" basis. No need to reveal more than necessary to conduct the test. Those descriptions are not needed.


Importantly, confirm the security clearance received, as company policy may dictate the amount of information to be revealed.

Let's assume it's a white box or grey box test; do we still need to provide the description of the servers? For example:


 

10.1.1.1  Domain Controller
10.1.1.2  Oracle Business Suite DB
10.1.1.3  Oracle Business Suite Application

More important is the IP address range. In fact, I would expect the pentester to be able to fingerprint these servers without you telling them. But if the time schedule is urgent, then you may consider sharing more. Tool fingerprinting is typical and part of the testing. Most of the time, we shared more due to concern that the testing would bring down the server or eat into the traffic throughput of the system.

Including descriptions allows everyone involved in the testing process to understand better the network's structure and the specific systems being assessed. It is a valuable addition to any testing documentation.