Non-Technical Specifics

Penetration Testing

Vulnerability Assessments
Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have security issues and simply needs help identifying and prioritizing them.

The more issues identified the better, so naturally a white box approach should be embraced when possible. The end result of the assessment is the creation of a prioritized list of discovered vulnerabilities with methods of remediation.

Penetration Testing
Penetration Tests are designed to achieve a specific, hacker/attacker-simulated goal and should be requested by customers who are already at their desired security level. A typical hacker goal could be to access the contents of a prized customer database on an internal network; or to modify records in an HR system.

A penetration test yields a report of how security was breached and methods of remediation.

Deliverables
At the conclusion of the assessments, reports are written documenting the approach, findings, and recommendations associated with the exercise. The documentation consists of a detailed technical report and an executive summary report.

Detailed Technical Report
A document developed for the use of the organization’s technical staff which discusses:

    • the methodology employed
    • positive security aspects identified and their importance
    • detailed technical vulnerability/threat findings
    • an assignment of a risk rating for each vulnerability/threat, supporting detailed exhibits for vulnerabilities when appropriate, and detailed technical remediation steps.

Executive Summary Report
A document developed to summarize the scope, approach, findings and recommendations – in a manner suitable for senior management (or non-IT professionals).

The following are the main sections, defined by the standard, as the basis for penetration testing execution:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

Summary
Vulnerability Assessment – Typically requested by customers who already know they have issues and need help getting started.
Customer Maturity Level: Low to Medium.
Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
Focus: Breadth over depth.

Penetration Test – Requested by clients believing their defenses to be strong, but want to test that assertion.
Customer Maturity Level: High.
Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.
Focus: Depth over breadth.