
SCOPING QUESTIONNAIRE FOR PENETRATION TESTING

PathMaker Group adheres to the OSSTMM penetration testing methodology and code of ethics regarding
this level and classification of test. The analysts performing these tests will each be certified security
practitioners holding at least the Certified Information Systems Security Professional (CISSP)
certification.

Penetration tests range from testing one application for known vulnerabilities to far-reaching tests
where no vulnerability information is provided and every system and network is in scope. Additionally,
a penetration test can go as far as gaining control of the system by any means (aggressive), or it can
simply illustrate that control could be obtained by taking the next steps, without actually taking them.

The following questions are intended to determine and refine the scope and extent of the desired
penetration test. This template should be reviewed by our client and answered as thoroughly as
possible. If the client is not able to answer these questions, it is recommended that a PathMaker Group
security practitioner review each question with the client to ensure adequate information is obtained.

United States law requires that PathMaker Group obtain written permission from an authorized
representative of the client to perform a penetration/security assessment. Please reference Appendix A,
entitled "Security Testing and Penetration Testing Authorization Agreement".

#    QUESTIONS                                                            ANSWER    COMMENTS

1)   What is the business requirement for this penetration test?
     1. Is this required by a regulatory audit or standard?
     2. Is this a proactive internal decision to determine all weaknesses?

     For example, is the driver for this to comply with an audit requirement, or
     are you seeking to proactively evaluate the security in your environment?

2)   Will this be a white box test or a black box test?

     White Box can best be described as a test where specific information has
     been provided in order to focus the effort.

     Black Box can best be described as a test where no information is
     provided by the client and the approach is left entirely to the penetration
     tester (analyst) to determine a means for exploitation.

3)   How many IP addresses and/or applications are included as in scope for
     this testing? Please list them, including multiple sites, etc.

4)   What are the objectives?
     a.) Map out vulnerabilities
     b.) Demonstrate that the vulnerabilities exist
     c.) Test the Incident Response
     d.) Actual exploitation of a vulnerability in a network, system, or
         application: obtain privileged access, exploit buffer overflows,
         SQL injection attacks, etc. This level of test would carry out the
         exploitation of a weakness and can impact system availability.
     e.) All of the above

5)   What is the target of the penetration test? Is it:
     a.) An Application
     b.) A Website
     c.) A Network
     d.) Application and Network
     e.) Wireless
     f.) Other, please explain

6)   Do you also want the following tests to be performed?

     a.) Physical security test to gain access to physical space by evading
         physical security controls
     b.) Social Engineering test to gain sensitive information from one
         or more of your employees (to infer or solicit sensitive
         information)

7)   What protocol should be followed for alerting on vulnerabilities found?
     a.) Wait until the end of the testing to report all vulnerabilities
     b.) Report vulnerabilities as we find them
     c.) Daily report on the status of the testing
     d.) Report only critical findings immediately

8)   Will this testing be done on a production environment?

     You need to understand that certain exploitation of vulnerabilities to
     determine and/or prove a weakness could crash your system or cause it
     to reboot. PathMaker Group is not liable for downtime caused by proving
     the system's weakness to attack.

9)   If production environments must not be affected, does a similar
     environment (development and/or test systems) exist that can be used to
     conduct the pen test?

10)  Are the business owners aware of this pen test?

     Are key stakeholders (business owners) aware that the nature of a pen
     test is to attack the system as a hacker (or hostile actor) would in order to
     learn and prove the system's weakness?

11)  At what time do you want these tests to be performed?
     a.) During business hours
     b.) After business hours
     c.) Weekend hours
     d.) During system maintenance window

12)  Who is the technical point of contact, assuming this is not a covert (black
     box) test of the incident response function?

     Name:
     Cellular phone number (available during this project):

     Alternate Name:
     Cellular phone number (available during this project):

13)  Additional Information?

APPENDIX A: SECURITY TESTING AND PENETRATION TESTING AUTHORIZATION AGREEMENT

Security Testing and Penetration Testing Authorization Agreement
To authorize technical security assessment or penetration testing, please complete this form and fax to:

PathMaker Group
Information Security Services
Facsimile: 8176857980

Contact and Scope Definitions

Client/Company Name: (please print)

Technical Contact Name:

Technical Contact Telephone:

Technical Contact Email:

IP Addresses/Ranges to be tested: (please identify internal or external addresses)

Domain Name(s):

Requested Date and Time of Assessment(s):
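A scope gate built on the Contact and Scope Definitions above (and on questions 3 and 11), added here as an example and not part of PathMaker Group's form: it parses constructed sample values for the authorized IP ranges, domain names and requested assessment window, and refuses any target or time that the signed authorization does not cover. The AUTHORIZATION contents and the function names are assumptions, not values from the form.

```python
import ipaddress
from datetime import datetime

# Constructed sample of a filled-in "Contact and Scope Definitions" section
# (not real client data); the window comes from "Requested Date and Time".
AUTHORIZATION = {
    "ip_ranges": {"192.0.2.0/24": "external", "10.20.0.0/16": "internal"},
    "domains": {"example.com"},
    "window": ("2024-03-02T22:00", "2024-03-03T06:00"),  # after-hours window
    "signed": True,  # the Appendix A agreement has been initialled and signed
}

def parse_ranges(ranges):
    """Turn the form's IP/range strings into network objects; a malformed
    entry raises ValueError instead of being silently dropped."""
    return {ipaddress.ip_network(r, strict=False): kind for r, kind in ranges.items()}

def in_scope(target, auth=AUTHORIZATION):
    """Return (ok, reason): is this IP or host name covered by the written authorization?"""
    if not auth["signed"]:
        return False, "no signed authorization on file"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP: treat as a host name; the listed domain and its subdomains qualify
        host = target.lower().rstrip(".")
        for d in auth["domains"]:
            if host == d or host.endswith("." + d):
                return True, f"host under authorized domain {d}"
        return False, "host not under any authorized domain"
    for net, kind in parse_ranges(auth["ip_ranges"]).items():
        if addr in net:
            return True, f"{kind} address in authorized range {net}"
    return False, "address outside every authorized range"

def in_window(now_iso, auth=AUTHORIZATION):
    """True only inside the requested assessment window (ISO 8601 timestamps)."""
    start, end = (datetime.fromisoformat(t) for t in auth["window"])
    return start <= datetime.fromisoformat(now_iso) <= end

def gate(target, now_iso, auth=AUTHORIZATION):
    """The check a tester runs before touching any target: scope AND time window."""
    ok, reason = in_scope(target, auth)
    if not ok:
        return False, reason
    if not in_window(now_iso, auth):
        return False, "outside requested assessment window"
    return True, reason
```

Run gate() on every candidate target before any test traffic is sent; a False result together with its reason is what belongs in the engagement log.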

Please initial each of the boxes indicating your acceptance of the following statements:

[_______________]

I am authorized to authorize PathMaker Group to test the IP address(es) listed herein and hereby
permit PathMaker Group's representatives to perform penetration testing of said IP address(es).

[_______________]

I have been informed and understand that testing of this nature may or may not impact the uptime of
the network and/or the hardware being tested. I have been informed of options for scheduling testing
to be run at hours convenient to my business, allowing me to limit the impact of events that could
occur.

Client Authorizing Name and Signature (required)

Authorized Name: (please print)

Authorized Signature:

Date:
