The Five W’s of Penetration Testing

Often in discussions with customers and
potential customers, questions arise about our penetration testing services, as well as
penetration testing in general. In this post, we want to walk
through Mandiant’s take on the five W’s of penetration testing, in
hopes of helping those of you who many have some of these same
questions. For clarity, we are going to walk through these W’s in a
non-traditional order.

Why

First and
foremost, it’s important to be upfront with yourself with why
you are having a penetration test performed (or at least
considering one). If your organization’s primary motivation is
compliance and needing to "check the box," then be on
the lookout for your people attempting to subtly (or not so
subtly) hinder the test in order to earn an "easy pass"
by minimizing the number of findings (and therefore the amount of
potential remediation work required). Individuals could attempt to
hinder a penetration test by placing undue restrictions on the scope
of systems assessed, the types of tools that can be used, or the
timing of the test.

Even if compliance is a motivating
factor, we hope you’re able to take advantage of the opportunity
penetration testing provides to determine where vulnerabilities lie
and make your systems more secure. That is the real value that
penetration testing can provide.

Finally, if you are getting
a penetration test to comply with requirements imposed on your
organization, that will often drive some of the answers to later
questions about the type and scope of the test. Keep in mind that
standards only dictate minimum requirements, however, so you should
also consider additional penetration testing activities beyond the
"bare minimum."

Who

There are
really two "who" questions to consider, but for now we
will just deal with the first: Who are the attackers that
concern you? Are they:

Random individuals on the
Internet?
Specific threat actors, such as
state-sponsored attackers, organized criminals, or hacktivist
groups?
An individual or malware that is behind the
firewall and on your internal corporate network?
Your own
employees ("insider threats")?
Your customers
(or attackers who may compromise customers’
systems/accounts)?
Your vendors, service providers, and
other business partners (or attackers who may have compromised
their systems)?

The answer to this will help drive
the type of testing to be performed and the types of test user
accounts (if any) to provision. The next section will describe some
possible penetration test types, but it’s helpful to also discuss
the types of attackers you would like the penetration test to
simulate.

What

What type of penetration test
do you want performed? For organizations new to penetration
testing, we recommend starting with an external network
penetration test, which will assess your Internet-accessible
systems in the same way that an attacker anywhere in the world
could access them. Beyond that, there are several options:

Internal network penetration test – A penetration
test of your internal corporate network. Typically we start
these types of assessments with only a network connection on
the corporate networks, but a common variant is what we call an
"Insider Threat Assessment," where we start with one of
your standard workstations and a standard user account.
Web application security assessment – A review of custom web
application code for security vulnerabilities such as access
control issues, SQL injection, cross-site scripting (XSS) and
others. These are best done in a test or development environment
to minimize impact to the production environment.
Social
engineering – Using deceptive email, phone calls, and/or physical
entry to gain access to systems.
Wireless penetration
test – A detailed security assessment of wireless network(s) at
one or more of your locations. This typically includes a survey of
the location looking for unauthorized ("rogue") wireless
access points that have been connected to the corporate network
and are often insecurely configured.

If budgets were
not an issue, you would want to do all of the above, but in reality
you will need to prioritize your efforts on what makes sense for
your organization. Keep in mind that the best approach may change
over time as your organization matures.

Where

In what physical location should the test take place? Many
types of penetration testing can be done remotely, but some
require the testers to visit your facility. Physical social
engineering engagements and wireless assessments clearly need to be
performed at one (or more) of your locations.

Some internal
penetration tests can be done remotely via a VPN connection, but we
recommend conducting them at your location whenever possible. If
your internal network has segmentation in place (as we recommend),
then you should work with your penetration testing organization to
determine the best physical location for the test to be performed.
Generally, you’ll want to do the internal penetration test from a
network segment that has broad access to other portions of the
internal network in order to get the best coverage from the
test.

Another "Where" to consider for remote testing
is where the testers are physically located. When testers are in a
different country than you, legal issues can arise with data
provisioning and accessibility. Differences in language, culture,
and time zones could also make coordination and interpretation of
results more difficult.

When

We recommend
that most organizations get some sort of security assessment on
an annual basis, but that security assessment does not
necessarily need to be a penetration test (see Penetration
Testing Has Come Of Age – How to Take Your Security Program to the
Next Level). Larger organizations may have multiple
assessments per year, each focused in a different area.

Within the year, the timing of the penetration test is usually
pretty flexible. You will want to make sure that the right people
from your organization are available to initiate and manage the test
– and to receive results and begin implementing changes. Based on
your organization’s change control procedures, you may need to work
around system freezes or other activities. Testing in December can
be difficult due to holidays and vacation, along with year-end
closeout activities, especially for organizations in retail,
e-commerce, and payment processing.

If you have significant
upgrades planned for the systems that will be tested, it is
typically best to schedule the test for a month or two after the
upgrades are due to be finished. This will allow some time for the
inevitable delays in deploying the upgrades as well give the
upgraded systems (and their administrators) a bit of time to
"settle in" and get fully configured before being
tested.

Who (part 2)

The other
"who" question to consider is who will perform the
penetration test? We recommend considering the following when
selecting a penetration testing provider:

What are
the qualifications of the organization and the individuals
who will be performing the test? What differentiates them
from other providers?
To what degree does their
testing rely on automated vulnerability scanners vs. hands
on manual testing?
How well do they understand the
threat actors that are relevant to your environment? How well are
they able to emulate real world attacks?
What
deliverables will you receive from the test? Are they primarily
the output of an automated tool? Ask for samples.
Are
they unbiased? Do they use penetration tests as a means to sell or
resell other products and services?

No doubt, there
are other questions that you will want to consider when scoping a
penetration test, but we hope that these will help you get started.
If you’d like to read more about Mandiant’s penetration testing (and
other) services, you can do so here. Of course,
also feel free to contact
us if you’d like to talk about your situation and how Mandiant
can best assess your organization’s security.

Print Share Comment Cite Upload Translate

APA

() » The Five W’s of Penetration Testing. Retrieved from https://www.truth.cx/2014/09/16/the-five-ws-of-penetration-testing-2/.

MLA

" » The Five W’s of Penetration Testing." - , https://www.truth.cx/2014/09/16/the-five-ws-of-penetration-testing-2/

HARVARD

» The Five W’s of Penetration Testing., viewed ,

VANCOUVER

- » The Five W’s of Penetration Testing. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2014/09/16/the-five-ws-of-penetration-testing-2/

CHICAGO

" » The Five W’s of Penetration Testing." - Accessed . https://www.truth.cx/2014/09/16/the-five-ws-of-penetration-testing-2/

IEEE

" » The Five W’s of Penetration Testing." [Online]. Available: https://www.truth.cx/2014/09/16/the-five-ws-of-penetration-testing-2/. [Accessed: ]

Select a language:

<div class="c00 c00v1"> Often in discussions with customers and
 potential customers, questions arise about our <a
 href="http://internal-www.fireeye.com/content/fireeye-www/en_US/mandiant/penetration-testing.html"
 >penetration testing services</a>, as well as
 penetration testing in general. In this post, we want to walk
 through Mandiant's take on the five W's of penetration testing, in
 hopes of helping those of you who many have some of these same
 questions. For clarity, we are going to walk through these W's in a
 non-traditional order. Why First and
 foremost, it's important to be upfront with yourself with why
 you are having a penetration test performed (or at least
 considering one). If your organization's primary motivation is
 compliance and needing to "check the box," then be on
 the lookout for your people attempting to subtly (or not so
 subtly) hinder the test in order to earn an "easy pass"
 by minimizing the number of findings (and therefore the amount of
 potential remediation work required). Individuals could attempt to
 hinder a penetration test by placing undue restrictions on the scope
 of systems assessed, the types of tools that can be used, or the
 timing of the test. Even if compliance is a motivating
 factor, we hope you're able to take advantage of the opportunity
 penetration testing provides to determine where vulnerabilities lie
 and make your systems more secure. That is the real value that
 penetration testing can provide. Finally, if you are getting
 a penetration test to comply with requirements imposed on your
 organization, that will often drive some of the answers to later
 questions about the type and scope of the test. Keep in mind that
 standards only dictate minimum requirements, however, so you should
 also consider additional penetration testing activities beyond the
 "bare minimum." Who There are
 really two "who" questions to consider, but for now we
 will just deal with the first: Who are the attackers that
 concern you? Are they: <ol> <li>Random individuals on the
 Internet?</li> <li>Specific threat actors, such as
 state-sponsored attackers, organized criminals, or hacktivist
 groups?</li> <li>An individual or malware that is behind the
 firewall and on your internal corporate network?</li> <li>Your own
 employees ("insider threats")?</li> <li>Your customers
 (or attackers who may compromise customers'
 systems/accounts)?</li> <li>Your vendors, service providers, and
 other business partners (or attackers who may have compromised
 their systems)?</li> </ol> The answer to this will help drive
 the type of testing to be performed and the types of test user
 accounts (if any) to provision. The next section will describe some
 possible penetration test types, but it's helpful to also discuss
 the types of attackers you would like the penetration test to
 simulate. What What type of penetration test
 do you want performed? For organizations new to penetration
 testing, we recommend starting with an external network
 penetration test, which will assess your Internet-accessible
 systems in the same way that an attacker anywhere in the world
 could access them. Beyond that, there are several options:
 <ol> <li>Internal network penetration test - A penetration
 test of your internal corporate network. Typically we start
 these types of assessments with only a network connection on
 the corporate networks, but a common variant is what we call an
 "Insider Threat Assessment," where we start with one of
 your standard workstations and a standard user account.</li>
 <li>Web application security assessment - A review of custom web
 application code for security vulnerabilities such as access
 control issues, SQL injection, cross-site scripting (XSS) and
 others. These are best done in a test or development environment
 to minimize impact to the production environment.</li> <li>Social
 engineering - Using deceptive email, phone calls, and/or physical
 entry to gain access to systems.</li> <li>Wireless penetration
 test - A detailed security assessment of wireless network(s) at
 one or more of your locations. This typically includes a survey of
 the location looking for unauthorized ("rogue") wireless
 access points that have been connected to the corporate network
 and are often insecurely configured.</li> </ol> If budgets were
 not an issue, you would want to do all of the above, but in reality
 you will need to prioritize your efforts on what makes sense for
 your organization. Keep in mind that the best approach may change
 over time as your organization matures. Where
 In what physical location should the test take place? Many
 types of penetration testing can be done remotely, but some
 require the testers to visit your facility. Physical social
 engineering engagements and wireless assessments clearly need to be
 performed at one (or more) of your locations. Some internal
 penetration tests can be done remotely via a VPN connection, but we
 recommend conducting them at your location whenever possible. If
 your internal network has segmentation in place (as we recommend),
 then you should work with your penetration testing organization to
 determine the best physical location for the test to be performed.
 Generally, you'll want to do the internal penetration test from a
 network segment that has broad access to other portions of the
 internal network in order to get the best coverage from the
 test. Another "Where" to consider for remote testing
 is where the testers are physically located. When testers are in a
 different country than you, legal issues can arise with data
 provisioning and accessibility. Differences in language, culture,
 and time zones could also make coordination and interpretation of
 results more difficult. When We recommend
 that most organizations get some sort of security assessment on
 an annual basis, but that security assessment does not
 necessarily need to be a penetration test (see <a
 href="https://www.mandiant.com/blog/penetration-testing-age/">Penetration
 Testing Has Come Of Age - How to Take Your Security Program to the
 Next Level</a>). Larger organizations may have multiple
 assessments per year, each focused in a different area.
 Within the year, the timing of the penetration test is usually
 pretty flexible. You will want to make sure that the right people
 from your organization are available to initiate and manage the test
 - and to receive results and begin implementing changes. Based on
 your organization's change control procedures, you may need to work
 around system freezes or other activities. Testing in December can
 be difficult due to holidays and vacation, along with year-end
 closeout activities, especially for organizations in retail,
 e-commerce, and payment processing. If you have significant
 upgrades planned for the systems that will be tested, it is
 typically best to schedule the test for a month or two after the
 upgrades are due to be finished. This will allow some time for the
 inevitable delays in deploying the upgrades as well give the
 upgraded systems (and their administrators) a bit of time to
 "settle in" and get fully configured before being
 tested. Who (part 2) The other
 "who" question to consider is who will perform the
 penetration test? We recommend considering the following when
 selecting a penetration testing provider: <ol> <li>What are
 the qualifications of the organization and the individuals
 who will be performing the test? What differentiates them
 from other providers?</li> <li>To what degree does their
 testing rely on automated vulnerability scanners vs. hands
 on manual testing?</li> <li>How well do they understand the
 threat actors that are relevant to your environment? How well are
 they able to emulate real world attacks?</li> <li>What
 deliverables will you receive from the test? Are they primarily
 the output of an automated tool? Ask for samples.</li> <li>Are
 they unbiased? Do they use penetration tests as a means to sell or
 resell other products and services?</li> </ol> No doubt, there
 are other questions that you will want to consider when scoping a
 penetration test, but we hope that these will help you get started.
 If you'd like to read more about Mandiant's penetration testing (and
 other) services, you can do so <a
 href="http://internal-www.fireeye.com/content/fireeye-www/en_US/services.html">here</a>. Of course,
 also feel free to <a href="http://www.mandiant.com/contact/">contact
 us</a> if you'd like to talk about your situation and how Mandiant
 can best assess your organization's security. </div>

First name:

Last name:

Related Posts