Penetration Test - Planning and Scoping (9)
2020-07-27 20:41:43
Project Strategy and Risk
CONSIDERATIONS
- White-listed
  - No one can access resources unless specifically granted
- Black-listed
  - Everyone can access unless specifically blocked
- Security exceptions
  - IPS (Intrusion Prevention System) / WAF (Web Application Firewall) whitelist
  - NAC (Network Access Control)
  - Certificate pinning (public key pinning)
- Explore company policies to learn about security considerations
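The white-list / black-list distinction and the idea of a time-boxed security exception for the tester's source range, as an added example (not part of the original notes): a small policy evaluator that fails closed in whitelist mode, fails open in blacklist mode, and honours an IPS/WAF exception only inside the agreed engagement window. The address ranges, window and the `TestWindow` type are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TestWindow:
    """Hypothetical time-boxed security exception agreed for the engagement."""
    source: str       # tester's source range, e.g. "198.51.100.0/24"
    start: datetime   # exception takes effect
    end: datetime     # exception expires; after this the base policy applies again


def is_allowed(mode: str, listed: list[str], src: str, now: datetime,
               exceptions: tuple[TestWindow, ...] = ()) -> tuple[bool, str]:
    """Return (allowed, reason) for a source address under the given policy.

    mode == "whitelist": default deny, only listed ranges pass (fails closed).
    mode == "blacklist": default allow, only listed ranges are blocked (fails open).
    An active TestWindow overrides the base policy; an expired one has no effect.
    """
    addr = ip_address(src)
    for w in exceptions:
        if addr in ip_network(w.source) and w.start <= now < w.end:
            return True, "pentest exception active"
    hit = any(addr in ip_network(net) for net in listed)
    if mode == "whitelist":
        return (True, "listed") if hit else (False, "default deny")
    if mode == "blacklist":
        return (False, "blocked") if hit else (True, "default allow")
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample values (TEST-NET ranges, an 8-hour test window).
T0 = datetime(2020, 7, 27, 9, 0, tzinfo=timezone.utc)
AFTER_WINDOW = T0 + timedelta(hours=9)
WINDOW = TestWindow("198.51.100.0/24", T0, T0 + timedelta(hours=8))

if __name__ == "__main__":
    # Same unknown address, same empty list: whitelist denies, blacklist allows.
    print(is_allowed("whitelist", [], "203.0.113.5", T0))
    print(is_allowed("blacklist", [], "203.0.113.5", T0))
    # Tester's range is admitted during the window and falls back to default deny afterwards.
    print(is_allowed("whitelist", [], "198.51.100.7", T0, (WINDOW,)))
    print(is_allowed("whitelist", [], "198.51.100.7", AFTER_WINDOW, (WINDOW,)))
```

The last two calls are the check to run before and after an engagement: the exception must be unreachable once the window closes, otherwise the "temporary" whitelist entry has become a permanent hole.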
Black-Box Penetration Testing
- Zero prior knowledge
- Most closely matches a real attacker's starting position
- Generally a surprise to internal personnel
White-Box Penetration Testing
- Full access to internal information
Grey-Box Penetration Testing
- Some internal information available
Risk Acceptance
- Pen tests can be risky
  - Service can be interrupted
  - Devices/servers can become unresponsive
- How much risk is the client willing to accept?
  - The client has identified risks
  - Acceptance: willing to accept risks, based on likelihood and impact
- Tolerance to impact
  - If a risk is realized, what is the client's tolerance to the result?
  - How much disruption is tolerable?
QUICK REVIEW
- Consider whether your tests are a black box, white box, or grey box
- Discuss risk acceptance with your client
- Agree on the tolerance to impact if tests affect the client's environment
Reposted from www.cnblogs.com/keepmoving1113/p/13387385.html