Security Practices: Penetration Testing - Paiet/Tech-Journal-for-Everything GitHub Wiki

Penetration testing

  • What's the purpose of a pentest?
    • Two-fold answer
      • Realistic approach to security
        • Look for vulnerabilities and exploit them the way a threat actor would
        • Remove or mitigate those vulnerabilities before a threat actor exploits them
      • Verify that existing security controls actually work (not just that they exist on paper)
  • Internal, external, or both?
  • Is it a free-for-all, or are there guidelines for conducting a pentest?
    • Remember! The company still needs to provide services during the test
    • Do no harm
  • Rules of engagement
    • Timing (Planning Phase)
      • When will the pentest take place overall?
        • Start date to stop date
      • Are any devices/services time sensitive?
        • Don't test while backups are running, to avoid corrupting them
      • Are there any times when a service interruption would be especially inconvenient?
        • Stakeholder meetings
        • Special events
    • Scope (Planning Phase)
      • How much/how many of the company's assets/services are to be assessed?
      • IP ranges
        • Exclusions (hosts or subnets that must never be touched)
      • Services
        • Exclusions
    • Authorization (Planning Phase)
    • Exploitation (Attack Phase)
      • Vulnerability validation
        • Verify that a scanner finding is not a false positive before reporting it
      • PoC/walkthrough write-up
    • Communication (Reporting Phase)
    • Reporting (Reporting Phase)
      • All findings must be submitted for review
      • Reports must be understandable
        • Know your audience
          • C-levels (business impact, risk summary)
          • IT staff (technical detail, reproduction steps, fixes)
      • Include screenshots when possible/applicable
      • Detail what the vulnerabilities are
      • Detail steps to reproduce
      • Detail the impact of each vulnerability
        • Low/Medium/High risk breakdown
      • Detail mitigation
      • DEMO: Black Box Penetration Test Report.docx
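The Timing and Scope items above are the parts of the rules of engagement that can be enforced mechanically rather than left to memory. The following is an added example (not code from this wiki page or the demo report): a small gate that refuses to touch any target outside the agreed IP ranges, inside an exclusion, or outside the engagement dates and blackout windows, and that emits an nmap command line whose `--exclude` list mirrors the exclusions. All ranges, dates and blackout windows are constructed values (RFC 5737 documentation addresses); the `ROE` structure and function names are assumptions for the example.

```python
"""Rules-of-engagement gate for a pentest: scope + timing checks.

Added example, not part of the original wiki page. The CIDR ranges,
exclusions, dates and blackout windows below are constructed.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed sample rules of engagement (hypothetical values).
ROE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.0/25"],
    # Exclusions: the backup server and the production DB segment.
    "exclusions": ["203.0.113.10/32", "203.0.113.32/27"],
    "start": "2024-03-04T09:00:00+00:00",
    "stop": "2024-03-08T17:00:00+00:00",
    # Blackout windows: nightly backup run, stakeholder meeting.
    "blackouts": [
        ("2024-03-05T01:00:00+00:00", "2024-03-05T03:00:00+00:00"),
        ("2024-03-06T14:00:00+00:00", "2024-03-06T16:00:00+00:00"),
    ],
}


def _ts(value):
    """Accept an ISO 8601 string or a datetime; return an aware datetime (UTC default)."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(target, roe=ROE):
    """Return (allowed, reason). Exclusions always win over inclusions.

    Hostnames must be resolved to IP literals first; anything that is not
    an IP literal is rejected rather than guessed at.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP literal"
    for net in _nets(roe["exclusions"]):
        if addr in net:
            return False, f"{target} excluded by {net}"
    for net in _nets(roe["in_scope"]):
        if addr in net:
            return True, f"{target} in scope via {net}"
    return False, f"{target} not in any in-scope range"


def in_window(now, roe=ROE):
    """Return (allowed, reason) for the proposed test time."""
    now = _ts(now)
    if not (_ts(roe["start"]) <= now <= _ts(roe["stop"])):
        return False, "outside engagement dates"
    for b0, b1 in roe["blackouts"]:
        if _ts(b0) <= now <= _ts(b1):
            return False, f"inside blackout {b0} to {b1}"
    return True, "within testing window"


def authorize(target, now, roe=ROE):
    """Combined gate: both the target and the time must be allowed."""
    ok_scope, why_scope = in_scope(target, roe)
    ok_time, why_time = in_window(now, roe)
    return ok_scope and ok_time, f"{why_scope}; {why_time}"


def filter_targets(targets, now, roe=ROE):
    """Split candidate targets into (allowed list, {rejected target: reason})."""
    allowed, rejected = [], {}
    for t in targets:
        ok, why = authorize(t, now, roe)
        (allowed.append(t) if ok else rejected.__setitem__(t, why))
    return allowed, rejected


def nmap_argv(roe=ROE, extra=("-sV",)):
    """Build an nmap command line whose targets and --exclude list mirror the RoE,
    so the scanner itself enforces the exclusions even if a host slips past us."""
    argv = ["nmap", *extra]
    if roe["exclusions"]:
        argv += ["--exclude", ",".join(roe["exclusions"])]
    return argv + list(roe["in_scope"])


if __name__ == "__main__":
    when = "2024-03-05T10:00:00+00:00"
    ok, rej = filter_targets(["203.0.113.5", "203.0.113.50", "192.0.2.1", "db01"], when)
    print("allowed:", ok)
    for t, why in rej.items():
        print("rejected:", t, "->", why)
    print(" ".join(nmap_argv()))
```

Run the gate before every scanning or exploitation step, not just at kickoff, because the time check is what catches a tester resuming work inside a blackout window; the exclusion check runs before the inclusion check on purpose, so a narrow exclusion inside a broad in-scope range is honoured.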