Scope Agreements

There is often a limited time frame in which to conduct a PenTest. Because of this, stakeholders need to specify and define the assets to be included in the scope of the test, a process known as target selection.

Assets selected may include the following:

  • Internet Protocol (IP) addresses: Identify public IP addresses used by the organization as well as private IP ranges critical to network operations. Include possible autonomous system numbers (ASNs) the organization is using. Define specific IP addresses to be tested.
  • Classless Inter-Domain Routing (CIDR) Ranges: Identify internal network ranges that are critical for business operations. Focus on CIDR ranges hosting critical infrastructure such as servers, databases, and applications and define specific CIDR ranges that will be tested.
  • Domain and/or subdomains: List primary and secondary corporate domains (example.com, subsidiary.example.com). Identify domains hosting critical services or sensitive information and specify the domains and subdomains to be included in the PenTest.
  • Uniform Resource Locators (URLs): List URLs for all web applications and services and identify URLs of applications handling sensitive data or critical functions.
  • Application programming interfaces (APIs): These may be public-facing APIs or APIs that expose the details of a specific user. Include URLs for API endpoints that may be critical to operations, and make sure to specify the URLs that will be included in the PenTest.
  • Users: Users can also be an in-scope asset, as they are susceptible to social engineering and are generally considered to be the easiest attack vector. In addition, they will generally have access to resources that might be restricted to outside parties.
  • Service set identifiers (SSIDs): These can be targets when an attacker is attempting to access a wireless network. However, using an evil twin or other Wi-Fi attack generally requires close physical proximity to the premises.

Target selection is a structured approach for identifying, assessing, prioritizing, and documenting various types of assets. By clearly defining the scope and involving stakeholders, organizations can ensure that the PenTesting activities are focused, effective, and aligned with their security objectives. This thorough preparation is essential for identifying and mitigating critical vulnerabilities while minimizing risks and ensuring compliance with relevant standards and regulations.
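The asset types above (IP addresses, CIDR ranges, domains and subdomains, URLs) are what a tester checks every candidate target against before touching it. As an added example that is not part of the original text, the small Python checker below loads a scope agreement (all values constructed placeholders) and answers whether an IP, hostname or URL is in scope, honouring explicit exclusions and rejecting look-alike hosts such as example.com.evil.test.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample scope agreement; every value is a placeholder, not a real target.
SCOPE = {
    "cidrs": ["203.0.113.0/24", "10.10.0.0/16"],
    "domains": ["example.com", "subsidiary.example.com"],
    "urls": ["https://portal.example.com/", "https://api.example.com/v1/"],
    "exclude_cidrs": ["10.10.99.0/24"],        # e.g. a production database segment
    "exclude_hosts": ["payroll.example.com"],  # hosts carved out by the stakeholders
}

def _host_in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of one (suffix must follow a dot)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def _ip_in_cidrs(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def in_scope(target, scope=SCOPE):
    """Return (allowed, reason) for a target given as an IP address, hostname or URL."""
    if "://" in target:
        host = urlparse(target).hostname or ""
        if _host_in_domains(host, scope["exclude_hosts"]):
            return False, "host explicitly excluded"
        # A URL is in scope only under an agreed prefix (scheme, host and path all match).
        if any(target.startswith(prefix) for prefix in scope["urls"]):
            return True, "URL under an agreed prefix"
        return False, "URL not under an agreed prefix"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal, so treat it as a hostname.
        if _host_in_domains(target, scope["exclude_hosts"]):
            return False, "host explicitly excluded"
        if _host_in_domains(target, scope["domains"]):
            return True, "domain or subdomain in scope"
        return False, "host not under an agreed domain"
    # Exclusions win over inclusions, so check them first.
    if _ip_in_cidrs(ip, scope["exclude_cidrs"]):
        return False, "address in an excluded range"
    if _ip_in_cidrs(ip, scope["cidrs"]):
        return True, "address in an agreed CIDR range"
    return False, "address outside all agreed ranges"
```

Run `in_scope()` over a target list before scanning starts; anything that returns False needs either a scope amendment signed by the stakeholders or removal from the list.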

Physical Locations

Physical locations can be considered in-scope assets; they may be on-site or off-site.

Location and description:

On-site: An asset that is physically located where an attack is being carried out. On-site testing can include attempting to compromise a business's physical barriers to gain access to systems, server rooms, infrastructure, and employees.

Off-site: An asset that provides a service for a company but is not necessarily located at the same place, such as remote offices and/or satellite locations. These locations can be a softer target as they are less likely to have as many security controls as headquarters.

Another consideration is whether the team will test external or internal assets:
  • External assets are visible on the Internet, such as a website, web application, email, or DNS server. An external asset is not a good candidate for attacks that require direct access to the network segment, such as sniffing or ARP poisoning.
  • Internal assets can be accessed from within the organization. Access to these resources can be achieved by the efforts of either a malicious insider or an external hacker who has gained credentials through a phishing attack. If direct access to the internal network can be established, these assets are excellent candidates for all attack types.

Defining First-Party and Third-Party Hosted

The team should also define how the assets are hosted.

Type and description:

First-party hosted: This includes assets that are hosted by the client organization. In some cases, first-party hosted assets are easier to attack than third-party hosted services, as most companies do not have the same resources, expertise, or security focus as a service provider.

Third-party hosted: This includes assets that are hosted by a vendor or partner of the client organization, such as cloud-based hosting. This type of asset is not an impossible target; however, established providers are generally more likely to have more stringent controls in place. In contrast, smaller, newer hosting companies may have fewer resources and less security expertise and so may be easier to attack than larger, more mature providers.

Once the team has identified the scope and the assets that are to be tested, they must review with the stakeholders any restrictions that will influence their testing.