1. Why is the customer having the penetration test performed against their environment?

Transcription

1 General Questions 1. Why is the customer having the penetration test performed against their environment? Assess vulnerabilities in order to improve security and protect client information. 2. Is the penetration test required for compliance requirements? 3. Are we allowed to attempt to gain the highest privileges (root on Unix machines, SYSTEM or Administrator on Windows machines) on the compromised machine? 4. Are we allowed to perform password attacks against local password hashes obtained (for example, etc / shadow on Unix machines)? 5. When does the customer want the active portions (scanning, enumeration, exploitation, etc.) of the penetration test conducted? a. During business hours? b. On the weekends? Weekends preferred but depends on potential interruption of services 6. How many physical locations will be tested, and what country or countries are these systems operated in? Four United States (Florida) 7. Will this penetration test be done from all angles, or just outside points of entry? Example, malicious users may work for you, as a w-2 employee, 1099 contractor, or a vendor installing a new HVAC system that connects to your network. Outside & socially-engineered internal access. 8. In the case that a system is penetrated, what is our next step? Page 1 of 6

2 Document & report. Avoid interruption of services. 9. Can you identify your fragile systems? These would be systems that have a tendency to crash, or run outdated and unstable applications. Windows 2000 Advanced Server running IIS 5.0, printers & other devices with possible default root/administrator access, possible passwords stored in plain text, 10. Do you have any systems monitoring software in place? Minimal perimeter and client-based anti-virus monitoring, egress monitoring of with personally identifying information (PII) included, web-filtering and bandwidth usage monitoring at the perimeter. 11. What are your most critical servers and applications? Microsoft Exchange 2010, Content Central (custom document imaging software), Domain Controllers & file shares. 12. Do you test backups on a regular basis? No 13. When was the last time you ve restored from backup? 12/14/2015 Granular file/folder restore from file share Page 2 of 6

3 Network Penetration Test 1. How many total IP addresses are being tested? We have How many internal IP addresses, if applicable? We have How many external IP addresses, if applicable? 4. Are there any devices in place that may impact the results of a penetration test such as a firewall, intrusion detection/prevention system, web application firewall, or load balancer? Firewall with intrusion detection, web filter, spam filter/rate control Web Application Test 1. How many web applications are being assessed? 2. How many login systems are being assessed? 3. How many static pages are being assessed? (approximately) Page 3 of 6

4 4. How many dynamic pages are being assessed? (approximately) 5. Will the source code be readily for viewing? In some cases. 6. Will there be any kind of documentation, and if yes what kind of documentation? 7. Will we be performing static analysis on this application? 8. Does the client want us to perform fuzzing against this application? No 9. What credentials does the application support and level of access is granted for each type of account. For example, many applications support manager, administrator and user-level accounts Wordpress Administrators, Authors, Contributors, Editors, Event Contributors, Subscribers 10. If the application supports multiple levels of accounts will it be possible for the testers to have test accounts created for authenticated testing. Wireless Network Penetration Test 1. How many wireless networks are in place, and how many different locations? Eight, in four locations 2. Is a guest wireless network used? If so: Page 4 of 6

5 a. Does the guest network require authentication? No b. What type of encryption is used on the wireless networks? WPA2-PSK combination of TKIP and AES 3. Will we be enumerating rogue devices? 4. Will we be assessing wireless attacks against clients? 5. Approximately how many clients will be using the wireless network? Social Engineering 1. Will the client provide addresses of personnel that we can attempt to social engineer? Would prefer testing agent uses and documents methods for obtaining addresses 2. Will the client provide phone numbers of personnel that we can attempt to social engineer? Would prefer testing agent uses and documents methods for obtaining phone numbers 5. Will we be attempting to social engineer physical access, if so: Page 5 of 6

6 a. How many people will be targeted? Two from each location Physical Penetration Test None 1. How many locations are being assessed? Page 6 of 6