At White Badger Group, we have a very strict definition of penetration testing. This parallels the definition set forth by the FFIEC in their information security assessment guidelines, which says the following:
A penetration test subjects a system to the real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is that it identifies the extent to which a system can be compromised before the attack is identified and assesses the response mechanism's effectiveness. Because a penetration test seldom is a comprehensive test of the system's security, it should be combined with other monitoring to validate the effectiveness of the security process.
Given the above, White Badger Group's penetration testing service is centered around a methodology wherein a clear goal, scope, and success/failure conditions are set. This framework scales from the smallest engagements targeting authentication systems, up to the largest red team-style scenarios.
To be certain, penetration testing is not designed to discover vulnerabilities, but to measure a system's response to attack. If your needs involve the discovery, enumeration, and assessment of vulnerability and risk, then please consider our vulnerability assessment service.Designing a Scenario
When working with a customer on a penetration test, one or more "scenarios" are designed, approved, then executed. Each scenario is an end-to-end test that carries a defined goal, a set of parameters, and a procedure to cover any event that may occur as a result of executing the scenario. The reasons for putting so much effort in to the scenario design are threefold. First, the value of a penetration test is in its ability to help measure a system's response to real world attack inputs. Defining those techniques up front is critical to delivering that value. Second, any test should be repeatable. By defining and documenting the test, this makes follow-up tests much more consistent and the results directly related. Third, because penetration testing uses real attacks on real production systems, having a plan for success and failure conditions is critical to the safety of personnel and data alike.
To best simulate any real-world attack, a number of scenarios can be designed and chained together to be executed as one coordinated attack. For example, a denial of service attack can be coupled with physical intrusion to measure the ability of personnel to respond to physical threats while verification systems may be unavailable. Another example is to execute a social engineering attack as a component of a direct system intrusion, where information gathered by one activity is used to make the other more effective. The possibilities are endless, and can be crafted to your organization's exacting needs.
Contact White Badger Group today to discuss your organization's needs, and to start outlining your penetration testing scenarios today. To get you started, here is a sample list of scenarios for your planning:
- Social Engineering Exercise
- Authentication System Attack
- Denial of Service Attacks
- Physical Intrustion
- Data Exfiltration
- DLP Bypass
- Vulnerability Exploitation and System Compromise