the adversaries. Per SANS Critical Control #20, penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than a vulnerability assessment.[31] Penetration tests should blend client-based, internet-based, web application–based, and wireless-based attacks. When selecting a testing method, consider the types of attacks that might occur most frequently against your organization. With these scenarios, you can test the resiliency of your cybersecurity program. Penetration tests can be run internally by qualified individuals, or they can be run by external partners. No matter who will conduct the test, proper authority to perform the test must be documented, clearly defining the scope of the assets that may be tested, the methods that may be deployed, and the timing for conducting the tests. Assets and methods not permitted should be clearly articulated. This documentation is especially important if internal staff will conduct the test, and documentation may be necessary to comply with legal and HR obligations. Multiple variations of penetration tests can be conducted. Outlined in Table 9 are a few options for consideration. Review each of the factors in the table below and select what works best for your organization.

Table 9. Factors for Consideration in Penetration Test Planning

Factor: Type
Options:
1. White box: Tester is permitted to know all aspects of the target
2. Grey box: Tester is permitted to know some aspects of the target
3. Black box: Tester is not permitted to know any details of the target
Description: Depending on the type of test you want to conduct, it might be useful for the tester to already know some details of the target or organization. Such knowledge might reduce the effort of common reconnaissance activities, such as finding e-mail addresses for phishing targets or discovering all vulnerabilities on externally facing servers.
31. “CIS Control 20. Penetration Tests and Red Team Exercises,” Center for Internet Security, accessed September 24, 2018, https://www.cisecurity.org/controls/penetration-tests-and-red-team-exercises/.