The scope of the internal penetration test is the internal perimeter of the CDE (cardholder data environment), tested from the perspective of any out-of-scope LAN segment that has access to a unique type of attack on the CDE perimeter. Critical systems, and any systems that may impact the security of the CDE, should also be included in the scope.
Definition of scope:
- The extent of something to be considered.
- The extent of something that may be done within a larger action.
- The area within which a piece of motion-picture film can be projected and still be effectively focused.
- A specially defined area within which a test is performed to determine the quality of a product or service.
Taken together, the last definition is the one that applies here: the scope of a penetration test is the specially defined area within which the test is performed to determine the quality of a product or service.
The scope of your internal test should be considered in the context of the size of the client you work for and the sensitivity of the data the client holds. The scope of the penetration test is broken down into threats, vulnerabilities, and countermeasures.
For example, every client's assets and environment tell a story. If that story is about how unique the environment is, test the claim: an environment that is less unique than the client believes may have less security and diversity in its systems than assumed.
And even where the environment really is unusual, it may still not be as unique as the client wants you to believe.
There are many aspects of internal penetration testing to consider, but the scope of the penetration test is the biggest part of a complete plan.
The scope of the external test is the perimeter of the CDE from the perspective of any out-of-scope LAN segment that has access to the CDE perimeter.