Author: Rich Selvidge, CISSP / Last Updated: 11/20/22
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
A penetration test is a simulated cyber-attack that seeks to identify security gaps including misconfigurations, software vulnerabilities, access security flaws, and business logic flaws.
In general, the process attempts to exploit security weaknesses in order to gain unauthorized access, alter system functionality, or subvert the business logic of the target system. This includes compromising the confidentiality, integrity, or availability (the CIA Triad) of the systems and data that {Company Name} depends on for its business operations.
Testers take care throughout the engagement to avoid creating additional risk to {Company Name}, for example by agreeing in advance on rules of engagement, testing windows, excluded systems, and the handling of any sensitive data encountered.
A penetration testing policy framework document provides guidance for managing a penetration testing program and performing penetration testing activities with the goal of improving defensive IT security for {Company Name}’s infrastructure, systems, services, and applications.
This document defines the roles and responsibilities of {Company Name}’s executives, managers, and IT security team personnel as well as external third-party security service providers.
This document also outlines a set of penetration testing activity terminology, definitions, scopes, limitations, and procedures that should be applied to ensure reliable and effective penetration test activities.
This policy document also describes the high-level goals of {Company Name}’s penetration testing program, any formal requirements that arise from {Company Name}’s obligations to its customers and partners (contracts, service level agreements, or compliance standards), and the specific penetration testing activities that should be conducted to meet those goals and requirements.
The general scope of this policy applies to all equipment owned and/or operated by {Company Name}, to all network domains and cloud applications managed by {Company Name}, and to employees connecting to any of them.
Defining the general scope of this policy ensures that penetration test activities are focused on relevant components and that {Company Name} does not test beyond the system boundaries it is authorized to test. Testing an asset that {Company Name} does not own or have written permission to test may constitute a criminal offense, so every target must be confirmed to be in scope before any testing begins.
All penetration testing activity conducted on equipment owned or controlled by {Company Name} must conform to all national and regional laws that govern the physical location of the asset and the nature of the data it holds. It must also respect any acceptable use policy limitations imposed by contracts and agreements between {Company Name} and third-party infrastructure service providers (for example, cloud provider penetration testing rules), and by the license agreements of any applications in scope.
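A practical way to enforce the scope boundary described above is to check every candidate target against the authorized ranges and explicit exclusions from the rules of engagement before any tool is pointed at it. The following is an added example for this policy template, not part of the original page; the ranges, the excluded subnet, and the target list are constructed for illustration and are not real {Company Name} assets.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ScopeRules:
    """Authorized target ranges and explicit exclusions taken from the rules of engagement.

    Both lists hold CIDR strings. An address that falls inside any excluded
    network is rejected even if it also falls inside an in-scope network, so
    exclusions always win.
    """
    in_scope: list[str]
    excluded: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # strict=False allows host-style entries such as "10.20.1.15/32" or "10.20.0.1/16"
        self._in = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self._ex = [ipaddress.ip_network(n, strict=False) for n in self.excluded]

    def is_authorized(self, target: str) -> bool:
        """Return True only if target is an IP address inside scope and not excluded.

        Raises ValueError for anything that is not a literal IPv4/IPv6 address;
        hostnames must be resolved and each resulting address checked separately.
        """
        addr = ipaddress.ip_address(target)
        if any(addr in net for net in self._ex):
            return False
        return any(addr in net for net in self._in)


def filter_targets(rules: ScopeRules, targets: list[str]) -> tuple[list[str], list[str]]:
    """Split a target list into (authorized, rejected).

    Unparseable entries (hostnames, typos) are rejected rather than silently
    allowed, because a tester must never guess that something is in scope.
    """
    authorized: list[str] = []
    rejected: list[str] = []
    for t in targets:
        try:
            ok = rules.is_authorized(t)
        except ValueError:
            ok = False
        (authorized if ok else rejected).append(t)
    return authorized, rejected


# Constructed example rules of engagement (hypothetical ranges, not real assets):
# the corporate /16 is authorized, but the 10.20.5.0/24 subnet has been carved
# out by the business as off limits for this engagement.
EXAMPLE_RULES = ScopeRules(
    in_scope=["10.20.0.0/16", "2001:db8:1::/48"],
    excluded=["10.20.5.0/24"],
)

# Constructed target list mixing in-scope, excluded, out-of-scope and invalid entries.
EXAMPLE_TARGETS = [
    "10.20.1.15",      # in scope
    "2001:db8:1::44",  # in scope (IPv6)
    "10.20.5.7",       # inside the excluded subnet
    "10.30.0.1",       # outside the authorized ranges
    "203.0.113.9",     # public address not owned by the company
    "intranet.local",  # hostname: must be resolved first, so rejected here
]


def run_example() -> tuple[list[str], list[str]]:
    return filter_targets(EXAMPLE_RULES, EXAMPLE_TARGETS)


if __name__ == "__main__":
    ok, bad = run_example()
    print("authorized:", ok)
    print("rejected:  ", bad)
```

Run the check as the first step of every engagement and keep the filtered list as an artifact with the test report; if a target is rejected, the tester escalates to the engagement owner rather than proceeding.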
It should also be noted that this policy document does not provide a comprehensive definition of every scenario, term, and activity that may be encountered during penetration testing.
Therefore, all parties should use their best judgment when performing pen testing activities and should communicate promptly to clarify any situation the policy does not cover or where its provisions appear to conflict.
The primary goal of {Company Name}’s penetration testing program is to identify security gaps impacting the Confidentiality, Integrity, and Availability (CIA Triad) of all systems and data used by {Company Name}.
Ultimately, the discovery of vulnerabilities shall facilitate risk remediation in line with internal corporate governance objectives.
This includes meeting both internal risk objectives and external IT security standards, including PCI DSS for merchant payment processing and SOC 2 for the protection of customer data, <List Additional Compliance Frameworks>.
{Company Name}’s penetration testing program will include the categories of testing engagements described below.
Network penetration testing identifies exposed vulnerabilities and security weaknesses in {Company Name}’s network infrastructure, including but not limited to servers, firewalls, switches, routers, printers, workstations, security appliances, peripherals, and any software applications, services, or APIs within {Company Name}’s network environment.
Both internal and external activities shall be performed as separate engagements.
Additionally, network penetration testing may include both credentialed and non-credentialed testing. Non-credentialed testing simulates an attacker with no prior access; credentialed testing simulates an attacker who has already obtained valid credentials or a foothold on the internal network, and therefore provides assurance against attacks launched from sensitive internal network positions.
The high-level goals of network penetration testing should include identifying known vulnerabilities with published CVE identifiers affecting in-scope systems, and evaluating resilience against known attacker tactics, techniques, and procedures (TTPs) as catalogued in the MITRE ATT&CK framework.
Web application penetration testing identifies vulnerabilities, security flaws, and threats in web applications owned by {Company Name}. Testers may use any known attack technique against the application, combining manual testing with automated scanning, within the agreed rules of engagement.
The high-level goals of web application penetration testing should include coverage of the vulnerability categories in the OWASP Top Ten, the software weaknesses catalogued in MITRE CWE, and an evaluation of the application’s resilience against known attacker TTPs included in the MITRE ATT&CK framework.
Wireless penetration tests assess {Company Name}’s wireless network security across all components of the CIA Triad. Targets should include workstations, laptops, tablets, smartphones, and printers, as well as any other peripherals and IoT devices. Testing should cover every wireless protocol in use in {Company Name}’s infrastructure (for example Wi-Fi, Bluetooth, and any proprietary or industrial radio protocols).
Wireless penetration testing should verify that wireless access points (APs) enforce segmentation between guest wireless networks and internal corporate wireless networks. This includes testing that {Company Name}’s access points appropriately restrict access to corporate wireless networks, and that an attacker on a guest network cannot reach or learn about {Company Name}’s internal network.
Other high-level goals of wireless penetration testing are to verify that data passing over wireless channels is protected from eavesdropping, that wireless networks are reliable and resistant to denial of service, and that data passing over the wireless network cannot be modified by an attacker.
Social engineering penetration testing increases assurance for {Company Name}’s business operations by testing personnel resilience to social engineering attacks and providing user awareness training where weaknesses are uncovered.
Social engineering penetration testing should include both technical and non-technical attempts to persuade or trick {Company Name}’s staff into actions that may reveal sensitive information. This includes directly disclosing sensitive information to an attacker, and performing actions that may give an attacker access to sensitive information, such as executing files or entering credentials on pages provided by an attacker.
The high-level goal of social engineering pen testing activities is to educate personnel about the potential implications of the actions they perform in their day-to-day duties, and the various contexts in which a cyber-attack may involve them.
Physical penetration testing seeks to gain unauthorized access to restricted physical locations within {Company Name}’s buildings, and through them to critical IT infrastructure, systems, data, or employees.
The primary benefit of a physical penetration test is to expose weaknesses and vulnerabilities in physical controls including but not limited to locks, elevators, barriers, surveillance cameras or systems, and access control technologies such as access card readers and biometric scanners.
The high-level goal of physical penetration testing is to identify and remediate security weaknesses that would allow unauthorized physical access to {Company Name}’s assets.