In software development they say “Clients don’t even know what they want, they just want it, and they want it now!”, which is why developers keep showing them prototypes. Information security is no different: the client just wants it “secure”. When you go out to perform a penetration testing engagement, you must be clear about what the client actually wants. What are the do’s and don’ts? What matters to them the most? Otherwise, even a technically sound pentest may leave them unhappy, perhaps because it is the first time their boxes have been penetrated and they expected something different from the results.
The client penetration testing questions below are not a checklist. They come from my experience with penetration testing assessments: what to look for and what type of questions you must ask. You can build your own checklists from the concepts discussed. There are plenty of other routine questions to ask, but I have included the ones that are generally ignored and deserve due attention.
What matters to you the most: Confidentiality, Integrity or Availability?
Expect to hear “All of them”, but ask them to rank the three: which comes first, second and third. This is important for them to answer and for you to understand their expectations. In some cases the order will be Availability, then Confidentiality, then Integrity. Take a news website as an example: there are no external user accounts, only internal administrators and editors, and most of the content is public the moment it is published, so the data is worth less to the business than keeping the site up. If you get the answer Availability, Confidentiality, Integrity, alter your penetration testing approach accordingly. With Availability as the top priority, a DoS vulnerability on their DMZ web servers is exactly what the client cares about, so I would work on it and make sure I have a good PoC. Under the usual C.I.A. ordering I would barely write a couple of lines about a DoS vulnerability at the end of my penetration testing report.
What is the scope of this engagement?
A common question that is usually asked but sometimes not properly understood by either party (the penetration tester or the client). The usual answer is a list of IP addresses in the case of grey-box testing; in black-box testing you are on your own, and they might not even give you Wi-Fi access. Ask whether any domains or IPs are explicitly excluded, and get the in-scope and excluded ranges in writing before you start. The last thing you want is to find an RCE and then learn that the box was not in scope. Ask whether social engineering is in scope, or whether you may do physical penetration testing. It is worth taking some time to explain what social engineering is and how physical penetration testing can be an effective approach.
What is the time schedule?
This question covers both the overall time limit, i.e. how many days, weeks or months the engagement will last, and the daily schedule. Ask whether you can work after office hours. I personally love working at night; that is when the “hacker” in me is really up and kicking, and it is quiet.
Ask them at which times or on which days they want you to perform a certain action. It is common for clients to prefer that you perform heavy scanning or brute forcing during the hours or days when traffic on their network is at its lowest, so that it does not impact availability or interrupt business activity. You do not want to be blamed by the network guys for any interruptions (I warn you, those fellows can get nasty).
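Two of the rules agreed above, the written scope with its exclusions and the off-peak window for intrusive actions, are easy to enforce mechanically before any tool is pointed at a target. The following is an added example, not code from the original post: a small pre-flight gate that parses a scope list (one network per line, `!` marking an exclusion), checks a target against it, and refuses intrusive actions outside the agreed window. The scope ranges, the window (weeknights 22:00 to 06:00 plus weekends) and the set of actions treated as intrusive are all constructed assumptions for illustration.

```python
"""Pre-flight gate for a pentest engagement (added example).

Refuses any target that is not in the written scope or is explicitly
excluded, and refuses intrusive actions outside the agreed low-traffic
window.  All scope data and windows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Actions the (hypothetical) client asked us to confine to off-peak hours.
INTRUSIVE = {"vuln_scan", "brute_force", "dos_poc"}


@dataclass
class Window:
    days: set        # weekday numbers: 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def contains(self, when):
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end   # window crosses midnight


@dataclass
class RulesOfEngagement:
    in_scope: list = field(default_factory=list)
    excluded: list = field(default_factory=list)
    windows: list = field(default_factory=list)

    @classmethod
    def from_lines(cls, lines):
        """Parse a scope list: one CIDR or host per line, '!' prefix excludes,
        '#' starts a comment.  Blank lines are ignored."""
        roe = cls()
        for raw in lines:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("!"):
                roe.excluded.append(ip_network(line[1:].strip(), strict=False))
            else:
                roe.in_scope.append(ip_network(line, strict=False))
        return roe

    def check(self, target, action="recon", when=None):
        """Return (allowed, reason).  Exclusions win over inclusions."""
        try:
            ip = ip_address(target)
        except ValueError:
            return False, f"{target!r} is not an IP address; resolve it and check the address, not the name"
        for net in self.excluded:
            if ip in net:
                return False, f"{ip} is explicitly excluded by {net}"
        if not any(ip in net for net in self.in_scope):
            return False, f"{ip} is not in any in-scope range"
        if action in INTRUSIVE and self.windows:
            when = when or datetime.now()
            if not any(w.contains(when) for w in self.windows):
                return False, f"{action} on {ip} is outside the agreed window ({when:%a %H:%M})"
        return True, "ok"


# Constructed scope list, as it might be agreed with the client in writing.
SCOPE_LINES = [
    "10.20.0.0/16     # DMZ and office ranges",
    "!10.20.5.0/24    # production database segment: explicitly excluded",
    "203.0.113.10     # single external host",
    "",
]

# Constructed off-peak window: weeknights 22:00-06:00 and all day at weekends.
WINDOWS = [
    Window({0, 1, 2, 3, 4}, time(22, 0), time(6, 0)),
    Window({5, 6}, time(0, 0), time(23, 59, 59)),
]

ROE = RulesOfEngagement.from_lines(SCOPE_LINES)
ROE.windows = WINDOWS


def preflight(target, action="recon", when=None):
    """Gate a planned action; `when` may be an ISO 8601 string or None (now)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return ROE.check(target, action, when)


if __name__ == "__main__":
    for args in [("10.20.1.7",), ("10.20.5.9",), ("192.168.1.1",),
                 ("10.20.1.7", "brute_force", "2024-03-13T14:00"),
                 ("10.20.1.7", "brute_force", "2024-03-13T23:30"),
                 ("dmz.example.com",)]:
        print(args, "->", preflight(*args))
```

Run it before starting a scanner, or wrap the scanner invocation with it; the point is that the "was this box in scope?" question is answered by the agreed list, not by memory. Note the deliberate refusal of hostnames: the scope is a set of addresses, so resolve the name yourself and gate on the address, otherwise a CNAME pointing at an excluded host slips through.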
What are the emergency lines of communication?
This is simple yet important information to collect before the engagement; you will need it at critical moments. Imagine you are sitting in the client’s building in the middle of an engagement and suddenly the network goes down, or the credentials they provided (in the case of white-box testing) stop working, or some other problem arises, and they do happen. You do not want to run around the building asking people who to contact, and this is no time to send hopeless emails. It is unprofessional and time consuming, and remember that you are costing them a good sum of cash per hour. Be specific about who to call. Before the engagement, take the names and numbers of the relevant team members and managers who can guide you in any unforeseen circumstances, and ask the client to let those people know they can expect a call from you.
Secondly, ask how often they expect you to keep them posted. In my experience this comes down to the personal preference of the client. Some want to be told the moment you compromise a machine; others would rather talk only after you have completed the whole engagement.
So what is the goal?
The goal of a penetration test differs from client to client. Some will answer “we have to fulfil the obligations of compliance with such and such standard”; for others it is a third-party review. Ask what you, as a penetration tester, have to achieve for them to consider this a successful engagement. You need a goal to work towards, and it can be as specific as “we want you to compromise our Domain Controller” or as general as “we want you to break into as many systems as possible”. The problem with the latter answer is that without a specific goal you do not know when to stop testing. Do your best to convince them of a goal-oriented approach.
These are some of the client penetration testing questions you must ask before starting a penetration testing assessment. There are many more routine questions, such as scoping details and the NDA, but I have only included the questions that are normally not asked until you run into trouble, so that you can be clear on them before the assessment starts.