You'll learn much of what you need to know about the threat level associated with particular applications, the value of the data and the assets that are important in the risk equation.
An important part of this process is to work with people who understand the business logic of the application. Knowing what the application is supposed to do and how it's supposed to work will help you find its weaknesses and exploit them.
"Define the scope that includes critical information assets and business transaction processing," said InGuardians' Skoudis. "Brainstorm with the pen test team and management together."
Skoudis also suggests asking for management to give their worst case scenario, "what's the worst thing that could happen if someone hacks you?" The exercise helps scope the project by determining where "the real crown jewels" are.
Tip 4: Test Against the Risk
The value of the data/applications should determine the type of testing to be conducted. For low-risk assets, periodic vulnerability scanning is a cost-effective use of resources. Medium risk might call for a combination of vulnerability scans and manual vulnerability investigation. For high-risk assets, conduct exploitative penetration testing.
For example, the security director for a large university said they started performing pen testing to meet PCI DSS requirements. Once that program was in place, it became the model for testing a potential attacker's ability to penetrate their systems. The university classifies data as public, internal, sensitive and highly sensitive.
For information that's highly sensitive, we perform pen testing under much the same guidelines as PCI," he said. "We back off from there, based on some specific criteria and some subjective judgment that goes into what level of pen testing, if any, will be done for system."
So, for example, on the lower end of the risk spectrum the university will test a random sample of systems and/or applications, depending on criteria for a particular category and time and budget constraints. With tens of thousands of devices on a campus network, even a low-level scan of all of them would be infeasible.
"You can test on a business system that has a clear owner and systems administrator," he said. "But when you have 3,000 Wiis attached to the network, you don't want to scan those and figure out who they belong to."
Tip 5: Develop attacker profiles
Your pen testers need to think like and act like real attackers. But attackers don't fit into one neat category. Build profiles of potential attackers.