When planning a penetration test, involve all stakeholders, including managers, CEO, and IT. Take the necessary steps before beginning, such as obtaining policies and network documentation.
- [Instructor] When planning a penetration testing exercise, it's not just the IT department making this decision and moving forward with the test; it's the entire organization. All stakeholders are involved, including managers, the CEO, key department heads, and IT. The planning and approach to the penetration test are determined in a kickoff meeting with all stakeholders that establishes the goals of the security assessment. Keep in mind that a company undergoes penetration testing in order to assess the strength of its security defenses against attacks. This is a serious undertaking, and some participants may feel uneasy, confused, or even threatened by this exercise.

- I have the outline for the proposed penetration testing, so let's get into the details as to what we would like to achieve.

- I have a question. You listed a phishing test for our employees in HR and customer service. We did phishing training last year and it went really well. Why are we doing this again?

- You're right, Jamie, we did the phishing training and test last summer. In the first test, we had 87% of employees fall for the phishing email, and by the third test we had dropped that number to 17%. And after another round of training, we felt confident that most employees understood how to spot a phishing email. But a year has gone by, and we need to test whether employees will fall for this type of phishing attack. And more importantly, we need to see how far into the system we can get with the information obtained from the phishing attack.

- [Instructor] It's important to take the necessary steps before beginning a penetration testing exercise. The penetration testing team should be well-trained and knowledgeable, and many times will work alongside managers, administrators, and technical professionals. Before beginning the test, the ethical hacking team will need basic data and documentation in order to navigate and analyze the systems.

- The analysts will require some documentation. Jamie, can you get copies of all relevant policies, such as passwords, acceptable use, incident handling, and any other organizational policies?

- Sure, that's no problem.

- [Instructor] Documentation can vary with the scope and nature of the audit. Along with policies, other documentation includes procedures such as disaster recovery, data backup, and incident response. Other documentation includes network topology, operating systems, applications, and security devices. Choose a team based on the organization's needs. Involving managers early will help ensure a successful outcome.