Pre-Engagement in Penetration Testing

Michael James Balsa
Published in System Weakness
Dec 19, 2021

Introduction Ethical Hacking & Cybersecurity fundamentals

Penetration testing has become essential for companies securing their information and addressing vulnerabilities against cybercriminals. But before we step into the world of ethical hackers, let's cover the importance of pre-engagement.

What we will cover in today's article

  • Why does the company require a pen test?
  • What's the company's objective in achieving the penetration test?
  • Scope of engagement and preparation
  • Budget of the company

Why does the company require a Pen Test?

When a penetration tester is asked to perform a vulnerability assessment against a company, there is always a specific objective behind the test and a reason why it's required. Is there a vulnerability present in the SQL servers that is leading to SQL injection? Are the company's employees vulnerable to social engineering attacks? This needs to be clarified before the pen test is performed. By doing this beforehand, we can tie up any loose ends with stakeholders and prepare our pen test to meet their requirements.

What's the Company's objective in achieving the Penetration Test?

The objective of the pen test should be clarified strictly with the stakeholders arranging it before the engagement begins. What if the company is interested in tightening the password policy for its user accounts? After the engagement, the company will require the findings and vulnerabilities in order to change the password policy. Having this conversation with stakeholders will better prepare you to organize all results after the penetration test to satisfy the company's objective.

This should all sound familiar, because it is something every pen tester is accustomed to: scope.

Planning your assessment is essential when performing a penetration test.

Requirements for test: What are the requirements for the penetration test, and what is allowed and not allowed? An example could be using password crackers against the organization's user accounts to test for strength. If the company wants to test password complexity, are stakeholders in agreement with using password crackers? If not, this should be annotated and not executed during the assessment. What is the scope of the environment to be assessed? Is the team required to perform social engineering attacks on the company's employees?

Target field of pentest: What is the environment we are penetrating? Will it be a web application, wireless network, production server, or physical test? This needs to be clarified in order to plan which tools and techniques can be used to begin the assessment.

Schedule and Timeline to start & finish pentest: When will your team begin the assessment, and how long will it take to complete the penetration test? Stakeholders should be given an accurate window of when the process will start and be completed.

Tools to execute pentest: What tools is the penetration team allowed to use to perform the assessment? Clarifying what will be used can give the stakeholder a better idea of the quality of the tools and the possibility of reducing the company's uptime. For example, running Nmap could trigger many security alarms and slow down a company's performance, depending on the type of scan performed.

Scope of Engagement and Preparation

Penetration testers face many obstacles when beginning a penetration test, such as the environment they will be testing. Depending on the nature of the penetration test, whether it's for compliance with the company's policy or to locate vulnerabilities, it's a good idea to issue a pre-engagement survey to the stakeholders requesting the pen test.

1) The pre-engagement survey is designed to give the penetration tester a good idea of the kind of environment he will be testing. Examples could be Cisco devices, the type of third-party software, and server location.

2) The penetration tester should be notified directly about legacy devices and software, because outdated legacy software can be damaged or corrupted during tests. The penetration test needs to be adjusted for constraints at this level; an example is a Windows 7 server running the company's revenue and marketing.
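The planning items above (what is allowed, the target environment, the schedule, the approved tools) and the legacy-device constraint from the survey can be recorded in a form that is checked before every action. The following is an added example, not part of the original article; the class, field names, addresses and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """Constructed scope record; every field name here is hypothetical."""
    in_scope: list            # networks the stakeholders approved
    fragile_hosts: set        # legacy systems flagged in the pre-engagement survey
    allowed_techniques: set   # e.g. password cracking only if signed off
    allowed_tools: set        # tools the stakeholders agreed to
    window_start: datetime    # agreed start of testing
    window_end: datetime      # agreed end of testing

    def check(self, target, technique, tool, when):
        """Return the list of scope violations; an empty list means authorised."""
        problems = []
        addr = ip_address(target)
        if not any(addr in ip_network(net) for net in self.in_scope):
            problems.append(f"{target} is outside the agreed target networks")
        if target in self.fragile_hosts:
            problems.append(f"{target} is a legacy host flagged in the survey")
        if technique not in self.allowed_techniques:
            problems.append(f"technique '{technique}' was not approved")
        if tool not in self.allowed_tools:
            problems.append(f"tool '{tool}' is not on the approved list")
        if not (self.window_start <= when <= self.window_end):
            problems.append("outside the agreed testing window")
        return problems


# Constructed sample engagement (documentation address range, made-up dates).
ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24"],
    fragile_hosts={"192.0.2.50"},          # e.g. the legacy Windows 7 server
    allowed_techniques={"port-scan", "web-app-testing"},  # crackers not agreed
    allowed_tools={"nmap"},
    window_start=datetime(2021, 12, 20, 18, 0),
    window_end=datetime(2021, 12, 24, 6, 0),
)

if __name__ == "__main__":
    when = datetime(2021, 12, 21, 22, 0)
    for action in [("192.0.2.10", "port-scan", "nmap"),
                   ("192.0.2.50", "port-scan", "nmap"),
                   ("192.0.2.10", "password-cracking", "nmap")]:
        issues = ROE.check(*action, when)
        print(action, "OK" if not issues else issues)
```

Anything the check rejects is annotated and not executed, as the requirements item above describes.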

Budget Of Company

Pen testing can be costly depending on what is being tested within the company's technical or physical controls. The organizational budget will only cover specific pen testing requirements. The pentester should be highly flexible based on the company's budget, and pricing should be explained thoroughly to stakeholders.

Conclusion

Today we covered some important topics about penetration testing and cybersecurity. Pre-engagement is an integral part of any pen test as it allows the penetration tester to have clearly defined goals with stakeholders in the company. We will cover more about pre-engagement in the following article and add new topics!

I am a Database Administrator who is excited to share my journey deeper into the technology field.