Our series of articles on the penetration testing process continues. In this article we explain how to set the goals introduced in the Coordination article; Coordination is the first phase of a penetration test.
As described there, the first part of the Coordination activity is the PURPOSE (see the previous article). The primary, secondary and ultimate goals you set direct the tests that are carried out. Tests performed in line with those goals contribute to the overall objectives and policies of the company receiving the service, so goals set with the right approach always bring real benefit to that company.
Below we describe the points to consider, and the common mistakes made, when setting goals. The discussion is divided into three sub-sections: primary, secondary and ultimate goals. Given how flexible cyberspace is, these sub-sections and their items may change; they can be redesigned to fit the need, and new checklists and question-and-answer forms can be developed. We use these three sub-sections as an example.
Primary Goals
The primary goal of a test should not be to satisfy a standard. If a company is commissioning a penetration test in order to meet a standard, it should understand that compliance and security are not the same thing: a system can pass every item on a checklist and still be exploitable.
For example, consider an IT infrastructure in which customer information or credit card data is processed. The primary goals here would be how secure the system is, and how resistant and resilient it is against the risks it faces. Goals of this kind usually concern the management level and decision-making bodies directly.
Secondary Goals
The objectives that the first article described as non-essential belong here. For example, determining compliance with a standard is exactly the kind of subject a secondary objective covers. Taking the same credit card system as an example, secondary objectives might include the strength of the encryption used to protect communications, or the identification of weak points in the communication protocol in use.
Primary and secondary goals are sometimes confused because they cannot be separated by hard rules and clear lines. To tell them apart, keep the following in mind: primary goals are those that directly concern company management and serve the overall strategic results that must be presented to its attention; secondary goals are the more specific, technical results that support them.
Ultimate Goals
The ultimate goals discussed in this article differ from primary and secondary goals. They are the points at which the tests performed contribute to the company's long-term objectives. They can usually only be defined when a long-term agreement has been made with the company providing the testing service, covering tests at different points in time.
For a one-off test it may be enough to determine the primary and secondary goals and shape the test accordingly. Ultimate goals relate to medium- and long-term plans. For example, suppose a company has decided to invest in infrastructure in order to offer secure data storage and backup services at the end of the next two years. Before it starts offering that service, it may want its system tested every month for those two years, and to reassure its customers with the results. Matters of this kind can be set as ultimate goals if desired.
With this article we have completed our review of the Coordination phase. In the upcoming articles we will begin to examine the Information Gathering phase in detail. Please let us know your opinions and comments.