External Penetration Testing – Introduction and Scope
Posted: November 14, 2014
An external pentest is usually commissioned by a company that wants to make sure its exterior network perimeter is strong enough to ward off attacks aimed at gaining access to the internal network. The customer hires the external penetration testing services of an independent security firm, which is ultimately responsible for carrying out the pentest. At the end of the pentest, the firm provides a report listing all the "security holes" found, together with the solutions to these issues.

Number of Days Required for External Pentesting

For any pentesting assignment, it is important to decide in advance the number of days required to complete the security analysis of all systems that the customer wants to include in the penetration test. In an external penetration testing service, the number of days is normally chosen based on the number of live hosts that are reachable from an exterior point of view and on the size of the IP ranges to scan. For example, it is normal to conduct pentests that include 20/30 hosts scattered across 2 separate IP ranges, and such a project normally takes 3 to 5 days to complete.

The decision about the number of days is usually taken by the sales force. When they ask a Senior Penetration Tester for advice, the question normally presented is, "How many days do we need to test these X systems on these Y IP ranges?" The Senior Pentester identifies the right number of days based on his experience, but the customer rarely accepts that estimate easily. Pentesting is a very expensive process, usually charged on a daily basis. The customer will therefore try his best to squeeze the maximum number of activities into the minimum number of days. This makes sense from the customer's point of view, as he has to consider the budget. It is especially true when a customer is new to pentesting and has never gone through a security breach. It then becomes important to find a balance between the amount of money the client is willing to pay and the number of days the security company requires for the pentesting activity.

Once the planning and the paperwork are finished and the pentesting activity is set to start, the security consultant will apply his personal methods in going through the various phases of the activity.