The goals and objectives of the penetration test are defined first.
It is essential that the client and the tester define the goals of the penetration test together, so that both parties share the same understanding of the objectives, the targets, and what lies outside the scope. Common objectives of a penetration test are the following:
- Identify vulnerabilities and improve the security of the company network and its systems.
- Test the IT security by an experienced external third party.
- Increase and/or certify the security of the IT infrastructure.
In the first technical step the tester scans the defined target, typically the company's externally reachable network range. The goal is to discover the externally accessible services, including their product and version. Using automated scanning tools, the tester can then identify outdated software and compare the detected versions against publicly disclosed vulnerabilities and the client's own patch baseline. After completing the scan, the tester has an overview of the exposed services and can consider possible attacks; at this point every finding is still a potential vulnerability, not a confirmed one.
Attacking is the most critical step and must be performed with due care. By attacking the system, the tester verifies the potential vulnerabilities identified in the scanning phase. Depending on the agreed objective, the tester aims not to harm the productive system while still revealing whether the findings pose actual risk. Recovery procedures for critical systems must be in place to prevent unintended harm, and hosts outside the agreed scope must not be touched. The limits placed on the tester's activities have to be balanced: a test that is too cautious may overlook critical vulnerabilities, while a test that is too aggressive may damage production systems.
Evaluating the vulnerabilities and the results of the attacks, the tester is now able to assess the identified security risks. Vulnerabilities can be categorized and rated by severity and exploitability, and a finding that was confirmed in the attack phase is rated higher than one that remains unverified. Additionally, the tester provides recommendations, typically software updates or configuration changes. Since a penetration test is limited in scope, aggressiveness, and time, it is important for the tester to transparently disclose the scope and limitations of the test. Only then can the client realistically judge which assurance the test actually provides, and which it does not.
Finally, the objectives, scope, procedures, and findings are reported. Ideally the report follows the same structure as the test itself: it starts with the agreed objectives and scope, continues with the scanning methodology, tools, and results, then lists the evaluated findings in order of risk priority, followed by the recommendations, and ends with the conclusion.
A report should focus on the following parts:
- An overall summary of the penetration test.
- Details of each procedure step and the information gathered during the pen testing.
- Details of all the vulnerabilities and risks discovered and their assessment.
- Recommendations for improving the security.
- The objectives, scope, and limitations of the test.