What differentiates a pentest from other tests?

Paul Asadoorian summed this up nicely in episode 373 of the Security Weekly podcast.

A good pentest not only answers the question “can my controls be breached?” but also the following questions:

  • How can I be breached?
  • How much damage to my business can a breach do?
  • Where am I most likely to be breached given my current defenses?
  • What can an attacker do once they have breached one system?
  • Do I have the capability to detect a breach?
  • How long will it take me to detect the breach?
  • How well will people in my organization react to a breach or someone trying to breach one of my systems?

I just wanted to note those questions down for you and me, because they might come in handy when arguing once again over what a good or bad pentest is.

© 2017   Created by Marcus J. Carey.