Why is the Scope of a Penetration Test so Important?

Note from the Editor: This blog is the penultimate installment of an 8-part blog series entitled, “Everything you need to know about an External Penetration Test.” To read the series from the beginning, start at “What is an External Penetration Test?”

The scope of a penetration test is one of the most important parameters that will define whether the test meets your expectations. It usually consists of a detailed listing of targets. It may be represented by the number of systems that are to be tested, the number of roles in a web application, or the number of interviews required to complete an audit of your infrastructure.

In this blog, we will explore why the scope of a penetration test is so important. Specifically, we will discuss its importance in terms of cost, evaluating risk, and avoiding problems during your test.

The Scope of a Penetration Test Directly Affects Cost

Perhaps the most obvious reason why the scope of a penetration test is so important comes down to cost. Simply put, the cost of a penetration test is directly related to the amount of time it takes to complete. The more systems in scope, or the larger the scope of a penetration test, the longer it is going to take the engineer to complete the test.

There are many situations where a full penetration test of all systems on your network is required and recommended. However, there may be certain situations where a sample of devices can be used to reduce the cost of the assessment.

Penetration Test Scope Can Impact Risk

How much of your risk landscape you are actually evaluating impacts the test scope. If the scope does not include the entire Internet perimeter, then you are not fully evaluating the risk. Sometimes this makes sense. For example, you may want to conduct a penetration test of just a specific platform. Or, perhaps you want to test only customer-facing applications that have changed recently.

But to get a true picture of your risk, you need to evaluate the entire perimeter. Likewise, an external penetration test will not uncover the same risks and vulnerabilities that a social engineering engagement would. So the scope of your test will directly correlate to the amount of risk you are evaluating during an assessment.

Proper Scoping Can Help Avoid Problems

A final way that the scope of a penetration test will have an impact is in terms of avoiding problems during the test. Simply put, the scope of a penetration test tells the test team which items may be targeted and tested. While we make every effort to avoid problems during an assessment, issues can still happen.

If you have a site or system where availability is a huge factor and primary concern, the scope of the engagement can be used to specify that testing will be performed on a mirrored site instead of the production site. Similarly, problematic systems, such as older printers or mainframes, can be specifically scoped out of penetration tests to avoid problems.

About the Author:

Matt is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.
