Why is the Scope of a Penetration Test so Important?

The scope of a penetration test is one of the most important parameters in determining whether the test meets your expectations. The scope of an assessment usually consists of a detailed listing of targets. It may be expressed as the number of systems that are to be tested, the number of roles in a web application, or the number of interviews required to complete an audit of your infrastructure. In this blog, we will explore why the scope of a penetration test is so important. Specifically, we will discuss its importance in terms of cost, evaluating risk, and avoiding problems during your test.

The Scope of a Penetration Test Directly Affects Cost

The first, and perhaps most obvious, reason why the scope of a penetration test is so important comes down to cost. Simply put, the cost of a penetration test is directly related to the amount of time it will take an engineer to complete the test. The more systems there are, or the larger the scope, the longer it is going to take the engineer to complete the test. There are many situations where a full penetration test of all systems on your network is required and recommended. However, there may be certain situations where a sample of devices can be used to reduce the cost of the assessment. For example, if you are a retailer with 500 stores nationwide and need to have wireless penetration testing performed, it might make sense to test a sample of stores rather than sending an engineer to each of the 500 stores. Of course, you would want to make sure that each store was an exact copy of the others and that you had chosen a representative sample of stores to test. But testing each and every location would likely be cost-prohibitive.

Scope Can Impact Risk

A less obvious way that the scope of a penetration test will affect the outcome centers on how much of your risk landscape you are actually evaluating. As an example, an external penetration test is designed to evaluate the risk of an external threat actor gaining access to your organization or data through your perimeter infrastructure. If the scope does not include the entire Internet perimeter, then you are not fully evaluating the risk. Sometimes this makes sense. For example, you may want to conduct a penetration test of just a specific platform or only customer-facing applications that have changed recently. But to get a true picture of your risk, you need to evaluate the entire perimeter. Likewise, an external penetration test will not uncover the same risks and vulnerabilities that a social engineering engagement would. So the scope of your test will directly correlate to the amount of risk you are evaluating during an assessment.

Proper Scoping Can Help Avoid Problems

A final way that the scope of a penetration test will have an impact is in terms of avoiding problems during the test. Simply put, the scope of a penetration test tells the test team which items can be targeted and tested. While we make every effort to avoid problems during an assessment, issues can still happen. If you have a site or system where availability is the primary concern, the scope of the engagement can be used to specify that testing will be performed on a mirrored site instead of the production site. Similarly, problematic systems, such as older printers or mainframes, can be specifically scoped out of penetration tests to avoid problems.