The main objective of a pentest is to identify the actual risk, as distinct from the risk rating provided by a scanner, and to give the firm a risk value for each asset as well as the risk to the organization's reputation. What matters is how exposed people are and how easy that exposure is to take advantage of, more than the nominal risk score attached to them.
An identified threat does not by itself represent a risk and does not require proof; one such threat is Cross-Site Scripting (XSS), a script injection vulnerability that allows for the theft of user credentials. If a client that runs a trading company's brochure website, which offers only static information to its customers, were susceptible to XSS, it might not have a big effect on the business. In this scenario, the client may choose to accept the risk and implement a Web Application Firewall (WAF)-based mitigation strategy to stop XSS attacks.
However, if the same weakness were found on their primary trading website, it would be a serious problem that needed to be fixed right away, because the business would run the risk of customers losing faith in it if attackers were able to obtain their login credentials.
Objective-based penetration testing is time-based, depending on the specific problem that an organization faces. An example of an objective is: "We are most worried about our data being stolen and the regulatory fines incurred as a consequence of these breaches."
So, the objective now is to compromise the data, either by exploiting a system flaw or by manipulating the employees through phishing; sometimes it will be a surprise to find that some of their data is already available on the dark web. Every objective comes with its own Tactics, Techniques, and Procedures (TTPs) that support the primary goal of the penetration test activity.