Vulnerability Management Made Simple - Your Scoping Guide
In this guide, we'll go over what to expect during the scoping phase of your vulnerability assessment or penetration test. We think that it's important for our clients to know the ins and outs of this stage because this is when you have the chance to ensure that you're getting the most value for money from our services. We've heard plenty of stories of customers getting caught out by questionable pricing models, so we will always strive to be as transparent as possible.
What is Scoping?
The scope of a vulnerability scan or a penetration test is the particular targets, objectives, and the overall depth of the assessment. It gives the testing engineers explicit boundaries and allows them to understand the effort, time, and any technical aspects of the engagement.
The scoping process is the initial, pre-engagement phase where we ask questions and discuss what should be included in your test. Some of the questions and information that we will cover:
- Point of contact.
- Your reasons for needing a test.
- Is compliance driving the test requirements?
- What type of test? Network, web application, etc?
- Testing perspective. Black, grey, white box?
- Where are your assets located?
- Hostnames and IP addresses.
It’s not an issue if any of these points are not immediately obvious; we are here to help!
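The hostnames and IP addresses agreed on the scoping call are the boundary the testing engineers must stay inside, and a common scoping outcome is a set of in-scope ranges with a handful of explicit exclusions (a production database sitting inside an otherwise in-scope range, for example). The following is an added example, not code from the original page or from the testing provider, of a small scope check that a team can run over its candidate target list before any scanning starts. The scope-file format (one entry per line, `!` marking an exclusion), the addresses (RFC 5737 documentation ranges) and the hostnames are all constructed for this example.

```python
"""Scope boundary check (hypothetical helper written for this example).

Input: a scope list agreed during the scoping call, one entry per line.
Each entry is an IP address, a CIDR range or a hostname; a leading '!'
marks an explicit exclusion. Every candidate target is then classified as
allowed or rejected, with a reason, before it is handed to a scanner.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    networks: list = field(default_factory=list)           # in-scope ip_network objects
    hostnames: set = field(default_factory=set)            # in-scope hostnames (lower-case)
    excluded_networks: list = field(default_factory=list)  # explicitly excluded ranges
    excluded_hostnames: set = field(default_factory=set)   # explicitly excluded hostnames


def parse_scope(lines):
    """Build a Scope from the agreed scope list (constructed format, see docstring)."""
    scope = Scope()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        excluded = line.startswith("!")
        entry = line[1:].strip() if excluded else line
        try:
            # A bare IP parses as a /32 (or /128); strict=False tolerates host bits in a CIDR.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None
        if net is not None:
            (scope.excluded_networks if excluded else scope.networks).append(net)
        else:
            (scope.excluded_hostnames if excluded else scope.hostnames).add(entry.lower().rstrip("."))
    return scope


def in_scope(scope, target):
    """Return (allowed, reason) for one candidate target, an IP address or a hostname.

    Exclusions are checked first so that an excluded host inside an in-scope
    range is still rejected. Anything not positively listed is rejected.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in scope.excluded_networks):
            return False, f"{target} is explicitly excluded"
        if any(addr in net for net in scope.networks):
            return True, f"{target} is inside an in-scope range"
        return False, f"{target} is outside every in-scope range"
    name = target.lower().rstrip(".")
    if name in scope.excluded_hostnames:
        return False, f"{target} is explicitly excluded"
    if name in scope.hostnames:
        return True, f"{target} is an in-scope hostname"
    return False, f"{target} is not listed in the agreed scope"


def filter_targets(scope, candidates):
    """Split a candidate list into (allowed, rejected) lists of (target, reason)."""
    allowed, rejected = [], []
    for target in candidates:
        ok, reason = in_scope(scope, target)
        (allowed if ok else rejected).append((target, reason))
    return allowed, rejected


# Constructed scope list, as it might be recorded after the scoping call.
SCOPE_LINES = [
    "# external ranges agreed with the client",
    "192.0.2.0/24",
    "198.51.100.0/24",
    "!192.0.2.10",          # production database: do not touch
    "www.example.com",
    "app.example.com",
    "!db.example.com",
]

# Constructed candidate targets, e.g. the output of an asset inventory export.
CANDIDATES = [
    "192.0.2.5",
    "192.0.2.10",
    "203.0.113.7",
    "www.example.com",
    "DB.example.com",
    "mail.example.com",
]

if __name__ == "__main__":
    allowed, rejected = filter_targets(parse_scope(SCOPE_LINES), CANDIDATES)
    for target, reason in allowed:
        print(f"ALLOW  {reason}")
    for target, reason in rejected:
        print(f"REJECT {reason}")
```

Running the block lists two allowed targets (`192.0.2.5` and `www.example.com`) and rejects the other four, each with the reason. Exclusions are evaluated before inclusions on purpose: a scope that says "the whole /24 except the database" must reject the database even though it sits inside an allowed range. In a real engagement the hostname check would also confirm that each name resolves into an in-scope range, since a hostname that has moved to a third-party host is outside the authorisation even if it is on the list.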
Vulnerability Scanning vs Penetration Testing
Before we can understand the ins and outs of the engagement, we will need to understand if you are after a vulnerability scan or a penetration test.
A vulnerability scan or assessment is a high-level, semi-automated test that looks for signs of vulnerabilities and potential weaknesses on the targets in scope.
Penetration testing, on the other hand, is a manual, hands-on process that involves engineers performing fingerprinting, enumeration and actively exploiting identified issues on the targets. Exploitation allows for a true understanding of business risk and can involve chaining multiple vulnerabilities together to increase the overall severity.
Vulnerability scanning is not a replacement for penetration testing, and solely performing penetration testing cannot secure an entire environment. They are both key activities in their own right and are requirements for a cyber risk analysis and for meeting compliance with PCI DSS, HIPAA and ISO 27001.
Vulnerability scanning is a recurring activity that should be conducted weekly, monthly, or quarterly to gain an insight into your overall network’s security. Penetration testing, on the other hand, is a very thorough test that scrutinizes every corner of your business’s assets (the way a malicious hacker would) and should be performed on occasion, in development cycles and after substantial changes to your environment.
The general scoping questions
What is the purpose of the engagement?
What is your reasoning for needing a vulnerability scan or penetration test? Is compliance driving the testing requirements or is this a supplier or an internal requirement? Maybe it’s just for peace of mind or part of a new vulnerability management programme? Understanding the exact reasoning behind the engagement allows us to tweak the scanning profile, configuration, and testing steps to get the best results.
Who is the engagement point of contact?
Who can we contact during the engagement if we have any questions, concerns or need further access? It is common that during an engagement, we will come across something that requires further information. If we identify a critical severity vulnerability, we will stop the testing process and escalate this immediately. Having the contact information for various people throughout the business means we can be as efficient as possible with gathering information and escalating any issues.
What type of testing would you like?
Our testing engagements can be performed against a wide range of targets. The most common targets are web applications and networks.
Within a penetration testing engagement, web application penetration testing is a manual approach to assess the underlying architecture, site configuration and overall design of the web applications in scope. Network penetration testing, on the other hand, involves fingerprinting devices and infrastructure on a given network and attempting to exploit vulnerabilities in the underlying software.
Within a vulnerability scanning engagement, web application scanning involves crawling the website in scope while documenting the technologies in use. Simulated attacks are performed against the application and the results are analysed. Network scanning discovers and fingerprints the devices on the network in scope and performs various checks against the hosts’ responses to determine if vulnerabilities or security weaknesses are present.
Once we identify the type of testing, we can discuss the exact details around the particular hosts, webpages, and services. If you have another type of target in mind, let us know and we will determine if we can offer you our services.
How long does an engagement take?
Once the pre-engagement and scoping process has concluded, we can give you an estimate for the amount of time it will take. We can then provide a high-level timeline for the test detailing when the different phases will be conducted.
Vulnerability scanning will typically be conducted over a one-week period. On average, a penetration test will take around two weeks to complete as this is a manual process. Penetration testing is an effort-driven activity and can vary greatly in terms of time. Ultimately, the time frame for testing is your decision, usually influenced by your availability, budget and resources, with a longer test being more expensive but resulting in a more in-depth and complete picture of your systems. Once the testing process has been completed, whether this is a vulnerability scan or a penetration test, the following week will be used to parse through the findings and create a testing report. This will contain a high-level executive summary as well as a technical breakdown of each finding.
Once you have received your deliverable and have had time to perform remediation and action the findings within the report, we offer complimentary retesting to ensure that the patches and fixes that have been put in place are adequate. An additional report to reflect these changes will also be issued.
Your next steps
Hopefully this has given you greater insight into scoping calls. This can give you an idea of what to expect and can ensure that you're getting the best value for money out of your penetration testing or vulnerability scanning services. If you would like to get in touch regarding any of our services, please head over to our contact page and fill out the form or give us a call.