Penetration Test - Planning and Scoping (9)
Project Strategy and Risk
CONSIDERATIONS
- White-listed
  - No one can access resources unless specifically granted
- Black-listed
  - Everyone can access unless specifically blocked
- Security exceptions
  - IPS (Intrusion Prevention System) / WAF (Web Application Firewall) whitelist
  - NAC (Network Access Control)
  - Certificate pinning (public key pinning)
- Explore company policies to learn about security considerations
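The white-list/black-list distinction above comes down to what happens to a source the policy never mentions. The following is an added example, not part of the original notes, that evaluates the same constructed sample addresses under both models and shows an IPS/WAF security exception as a temporary allow-list entry for the agreed tester source (all networks and addresses are constructed from the RFC 5737 documentation ranges and are hypothetical):

```python
"""Allow-list vs deny-list evaluation (added example, not from the notes).
Shows why the two models give opposite answers for anything the policy does
not name, and how an IPS/WAF "security exception" for an engagement is just
an extra allow-list entry for an agreed source address."""
import ipaddress
from typing import Iterable


def _matches(addr: str, networks: Iterable[str]) -> bool:
    """True if addr falls inside any of the listed CIDR networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in networks)


def allowlist_decision(src: str, allowed: Iterable[str]) -> bool:
    """Allow-list (default deny): nothing passes unless specifically granted."""
    return _matches(src, allowed)


def denylist_decision(src: str, blocked: Iterable[str]) -> bool:
    """Deny-list (default allow): everything passes unless specifically blocked."""
    return not _matches(src, blocked)


# Constructed sample values (hypothetical, not from the notes).
CORP_NET = ["10.0.0.0/8"]        # ranges the policy explicitly grants
KNOWN_BAD = ["203.0.113.0/24"]   # TEST-NET-3, used as a sample blocked range
TESTER_IP = "198.51.100.7"       # TEST-NET-2, the agreed tester source address
UNKNOWN_IP = "192.0.2.44"        # TEST-NET-1, an address neither list names


def compare(src: str) -> dict:
    """Evaluate one source under both models so the difference is visible."""
    return {
        "allowlist": allowlist_decision(src, CORP_NET),
        "denylist": denylist_decision(src, KNOWN_BAD),
    }


def with_security_exception(src: str, exception_cidr: str) -> bool:
    """Security exception: the tester's source is added to the allow-list for
    the duration of the test (and should be removed again afterwards)."""
    return allowlist_decision(src, list(CORP_NET) + [exception_cidr])


if __name__ == "__main__":
    for ip in (UNKNOWN_IP, TESTER_IP):
        print(ip, compare(ip))
    print("tester with exception:", with_security_exception(TESTER_IP, TESTER_IP + "/32"))
```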
Black-Box Penetration Testing
- Zero prior knowledge
- Most similar to what a real attacker would face
- Generally a surprise to internal personnel
White-Box Penetration Testing
- Full access to internal information
Grey-Box Penetration Testing
- Some internal information available
Risk Acceptance
- Pen tests can be risky
  - Service can be interrupted
  - Devices/servers can become unresponsive
- How much risk is the client willing to accept?
  - The client has identified risks
  - Acceptance: willing to accept risks, based on likelihood and impact
- Tolerance to impact
  - If a risk is realized, what is the client's tolerance to the result?
  - How much disruption is tolerable?
 
QUICK REVIEW
- Consider whether your tests are a black box, white box, or grey box
- Discuss risk acceptance with your client
- Agree on the tolerance to impact if tests affect the client's environment