Sunteți pe pagina 1din 5

Penetration Testing Service

QUESTION FORM
1 About Penetration Testing
Penetration testing is a practical demonstration of possible attack scenarios allowing a
malicious actor to bypass security controls in your corporate network and obtain high
privileges in important systems. The service allows you to obtain information on vulnerabilities
in your corporate resources that are available to different types of attackers and the possible
consequences of those vulnerabilities being exploited. The service also allows you to evaluate
the effectiveness of implemented security measures and to plan further actions to fix any
detected flaws and improve security. Penetration testing has much in common with a real
hacker attack and makes it possible to assess the effectiveness of protection measures on
practice. However, unlike a hacker attack, the service is performed by experienced security
experts from Kaspersky Lab who take particular care of system confidentiality, integrity and
availability in strict adherence with international laws and best practices.
If you are interested in the penetration testing service, please fill out the question form below.
Please note that penetration testing results will be of greater value if our experts operate in
the same conditions as a potential intruder. If you would like to significantly narrow the scope,
for instance to perform a detailed analysis of a single application, we recommend that you
refer to Kaspersky Lab’s other services, e.g. Application Security Assessment, Technological
Audit, etc.

2 Question Form

# Question Answer

1 General information
1.1 Company name
1.2 Official website
1.3 Contact details
1.4 Reasons for applying
1.5 Has your corporate network (or
specific systems) undergone an
audit or penetration testing before?
When (if applicable)?
1.6 Main goals of the assessment
(preparation for certification,
creation of an information security
management system, etc.)
1.7 Expected project start date and
duration

Penetration Testing Service Question Form | page 2 of 5


# Question Answer

2 Scope and approach


2.1 The number of branches/offices in
different locations and their
addresses (if they are in the scope)
2.2 Approximate number of employees/
workstations in the scope
2.3 Approximate number of servers
and network equipment
2.4 Approximate number of Class C
networks/hosts available from the
Internet
2.5 Approximate number of web
applications available from the
Internet
2.6 What major compliance
requirements are applicable to the
systems within the scope?
2.7 Should the penetration testing
cover the whole system or specific
parts? Please describe the scope
2.8 Is on-site work required? (If yes,
please list addresses)
2.9 Are there any legal restrictions on
accessing data processed in the
systems included in the scope?
2.10 Security assessment methods to be External penetration testing (black-box,
used (choose applicable methods, from the Internet without privileges), the
specify additional information about goal is to bypass the security perimeter and
expectations if necessary, e.g. access internal networks
specific threat actors to be External penetration testing with attack
considered) development (black-box or grey-box, from
the Internet without privileges), the goal is to
bypass the security perimeter and attempt
to gain high privileges in critical internal
systems
Internal penetration testing (black-box or
grey-box, as an internal intruder with
physical access to the territory or remotely
connected to the LAN), the goal is to

Penetration Testing Service Question Form | page 3 of 5


# Question Answer
escalate current privileges and gain high
privileges in critical systems
2.11 Use of social engineering As part of penetration testing - in this
techniques (choose applicable case social engineering will be used to gain
method, specify additional access to confidential data and/or internal
information about expectations if networks
necessary) As a method of assessing staff security
awareness - in this case statistical data
about employee reactions to different attack
simulations will be obtained (no attack
development)
Social engineering techniques are out of
the scope
2.12 Assessment of wireless networks As part of internal penetration testing - in
this case attempts to gain access to internal
corporate networks through available
wireless networks will be implemented
Separately - in this case wireless security is
assessed in general, attempts to gain
access to internal corporate networks are
also implemented, but no attack
development is performed for this vector
Wireless networks are not in the scope
2.13 Main target systems of penetration
testing
3 Additional information
3.1 Who will be informed about the Limited group of people
penetration testing? Business units
Information security and information
technology officers
All employees
3.2 Are there any legal restrictions on
accessing data processed in the
information system?
3.3 Are there any time limitations for
conducting the security assessment
(working days/hours)?
3.4 Requirements for duration of report
storage

Penetration Testing Service Question Form | page 4 of 5


# Question Answer

3.5 Extra conditions and/or requests

Penetration Testing Service Question Form | page 5 of 5