Cybersecurity is becoming a commodity skill, and therefore the same terminology will be interpreted differently by different parties.
Take penetration testing (pTest) as an example. Beginners simply pick up an automated scanner, scan the network and hosts, and report whatever the scanner flags, along with its recommendations, as their findings; that is all.
A more skilful pTester reviews each reported finding and validates its applicability with the owner, so that the follow-up is practical and achievable, before reporting.
A professional pTester goes further still.
- Before engagement
  - Understand what the target of evaluation is
  - Advise the owner of the risk of running an automated scan, rather than blindly performing the scan because others say so
  - Agree on the approach of execution to set expectations
  - Agree on picking representative samples to manage resources (for both sides)
  - Determine where to place the scanner: before or behind any network perimeter
- Before execution
  - Load the scanner with updated signatures and agree on the types of test (brute-force password attack? DoS test?)
  - Validate that the target node is accessible
  - Ensure the scanner runs as a known system process
- After execution
  - Interview the owner about compensating controls (including process controls such as segregation of duties, detective controls, etc.) to determine the risk level to the business.
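The "before engagement" and "before execution" steps above boil down to a written agreement that the tester then enforces mechanically before the scanner starts. The following is an added example, not code from the original post, of such a pre-execution gate: it checks every planned target against the agreed in-scope ranges and the owner's exclusions, and refuses test categories (brute force, DoS) the owner has not signed off on. The scope ranges, exclusions and planned targets are constructed sample data; the `Scope` class and function names are this example's own.

```python
"""Pre-execution scope gate for a penetration test run (added example).

Assumes the engagement owner has agreed the scope in writing. All values
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    in_scope: list                 # CIDR ranges agreed with the owner
    excluded: list = field(default_factory=list)  # hosts/ranges the owner excluded
    allow_bruteforce: bool = False  # owner must opt in explicitly
    allow_dos: bool = False         # owner must opt in explicitly


def check_targets(scope, targets):
    """Split planned targets into (allowed, rejected).

    `rejected` maps each refused target to the reason, so the tester can
    raise it with the owner rather than silently scanning it.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in scope.in_scope]
    excl = [ipaddress.ip_network(c, strict=False) for c in scope.excluded]
    allowed, rejected = [], {}
    for t in targets:
        try:
            addr = ipaddress.ip_address(t)
        except ValueError:
            # Hostnames are not checked here: resolve them first, then
            # re-run the check on the resulting addresses.
            rejected[t] = "not an IP address; resolve and re-check against scope"
            continue
        if any(addr in n for n in excl):
            rejected[t] = "explicitly excluded by owner"
        elif not any(addr in n for n in nets):
            rejected[t] = "outside agreed scope"
        else:
            allowed.append(t)
    return allowed, rejected


def check_test_types(scope, requested):
    """Return the requested test categories the owner has not approved."""
    blocked = []
    if "bruteforce" in requested and not scope.allow_bruteforce:
        blocked.append("bruteforce")
    if "dos" in requested and not scope.allow_dos:
        blocked.append("dos")
    return blocked


# Constructed sample agreement and scan plan.
SCOPE = Scope(in_scope=["10.20.0.0/24", "10.20.5.0/28"],
              excluded=["10.20.0.50/32"])
PLANNED_TARGETS = ["10.20.0.10", "10.20.0.50", "10.30.1.1",
                   "10.20.5.3", "intranet.example"]
PLANNED_TESTS = {"portscan", "bruteforce", "dos"}


if __name__ == "__main__":
    ok, bad = check_targets(SCOPE, PLANNED_TARGETS)
    blocked = check_test_types(SCOPE, PLANNED_TESTS)
    print("allowed targets:", ok)
    for host, reason in bad.items():
        print(f"refused {host}: {reason}")
    print("test types needing owner sign-off:", blocked)
    # Stop here if anything was refused; do not start the scanner.
    if bad or blocked:
        raise SystemExit("scope check failed; resolve with owner before execution")
```

Run as a gate in front of the scanner launch: if anything is refused, the run stops and the discrepancy goes back to the owner, which is the "agree on approach" step made enforceable rather than a verbal understanding.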
That said, if you are going to hire a service provider to conduct a pTest, discuss the scope in terms of:
- Objective of the test, i.e. what is to be verified
- Reference: company policies, an industry standard, or both
- Coverage: all components, or a representative subset
- Whether the people and process aspects are in scope, for a holistic view
It is best positioned as a vulnerability assessment, rather than just a pTest.