Plan penetration tests
Overview
This standard is about planning penetration tests.
Penetration testers discover security weaknesses within organisational infrastructure and web applications by performing authorised security tests to identify new vulnerabilities and report findings. They carry out tests using a combination of industry standard tools, in-house developed tools and manual reviews. The objective of a penetration test is to uncover any form of vulnerability - from small implementation bugs to major design flaws resulting from coding errors, system configuration faults, design flaws or deployment weaknesses.
Planning penetration tests involves establishing the scope and requirements of penetration testing assessments, identifying targets and mapping attack vectors to discover exploitable vulnerabilities. It includes engaging with the client prior to testing to confirm logistics arrangements and agree test goals. It also includes establishing an incident and escalation management process to handle any issues that may arise during the penetration testing process.
This standard is for those who need to plan penetration tests as part of their duties.
Performance criteria
You must be able to:
- Agree the scope and requirements for penetration testing with the client to plan testing activities
- Agree the type of penetration testing to be undertaken and the methodologies to be used to deliver client requirements
- Identify manual, automated or hybrid penetration testing tools and techniques to meet the assignment requirements
- Identify and request information from the client that is needed to inform penetration testing activities
- Select resources to deliver penetration testing assignments in line with organisational requirements
- Produce an accurate penetration testing resource plan
- Identify penetration testing reporting requirements with the client in line with organisational procedures
- Perform a risk assessment to identify and mitigate risks arising from proposed penetration testing assignment activities
- Plan for potential incidents arising during penetration testing to identify escalation procedures and resolutions
- Plan clean-up activities to be undertaken following penetration testing in line with organisational procedures
- Document and communicate penetration testing plans with the client in line with organisational procedures
Knowledge and Understanding
You need to know and understand:
- The benefits and utility of penetration testing to the client
- How to interpret client requirements for penetration testing
- How to scope penetration tests and attack exercises
- The principles of penetration testing
- The main types of penetration test including infrastructure and web application penetration testing
- The methodologies associated with infrastructure and web application penetration testing
- The major steps applied in penetration testing including foot-printing, scanning, enumeration and exploitation
- How to develop penetration testing plans
- The steps involved in selecting resources to deliver penetration testing services
- The difference between a vulnerability assessment and a penetration test
- The differences between red team, blue team and purple team simulated attack exercises
- The main concepts of infrastructure and web application penetration testing
- The steps involved in penetration testing, including the relevant processes and procedures
- Industry standard and organisation specific manual, automated or hybrid penetration testing tools and techniques
- Technical, logistical, and financial constraints for penetration testing
- The risks associated with penetration testing and how to mitigate them
- The ethical issues related to penetration testing
- How to define checkpoints, escalation paths and emergency contacts for penetration issues
- Record keeping requirements mandated by organisational and external standards
- The importance of accurate and structured record keeping during the engagement
- The information required from clients prior to conducting penetration tests
- The reporting requirements and formats required for penetration testing results and recommendations
- UK legislation related to human rights, data protection, and computer misuse
- Impact of legislation on penetration testing planning activities
- Organisational and sector-specific standards and regulatory issues
- The steps involved in resolving security events and how to apply them
- The steps involved in performing clean-up activities after conducting penetration testing
- The importance of accurate and structured documentation for penetration testing planning