8 End-to-End Penetration Test Analysis
The final task in any penetration test should be a gap analysis of communications that span the entire system. This should include a review of input and output from external systems that may not be in scope for this assessment. For instance, when testing an AMI meter system, a tester might have performed tests on all components from the meter to the headend. However, this final end-to-end task should ensure that all possible inputs from external systems to in-scope systems have been tested and evaluated as possible attack angles, such as out-of-scope backend systems that depend on data from the in-scope system. Also, malicious data from out-of-scope systems that is accepted and used by in-scope systems, such as public key infrastructure (PKI) servers, should be considered in this part of the assessment. Penetration testers should also identify whether any vulnerabilities found later in the testing process affect components tested earlier or by other testing teams.
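One way to keep track of this gap analysis is sketched below as an added example; it is not part of the original guide. The component names, channels, shared traits and finding are constructed assumptions for a hypothetical AMI assessment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    channel: str
    tested: bool  # was this interface exercised in an earlier task?

# Constructed sample inventory (all names hypothetical).
IN_SCOPE = {"meter", "collector", "headend"}
FLOWS = [
    Flow("meter", "collector", "rf-mesh", True),
    Flow("collector", "headend", "cellular-wan", True),
    Flow("pki-server", "meter", "crl-update", True),
    Flow("pki-server", "headend", "cert-issuance", False),
    Flow("cis", "headend", "disconnect-request", False),
    Flow("headend", "mdms", "meter-read-export", False),
]
# Order in which components were tested, and what each one is built on.
TEST_ORDER = ["meter", "collector", "headend"]
TRAITS = {
    "meter": {"tls-lib", "rf-stack"},
    "collector": {"tls-lib", "rf-stack"},
    "headend": {"tls-lib", "web-ui"},
}
FINDINGS = [("headend", "tls-lib")]  # (component, affected shared trait)

def boundary_gaps(flows, in_scope):
    """Untested flows crossing the scope boundary, split by direction."""
    untested = [f for f in flows if not f.tested]
    inbound = [f for f in untested if f.src not in in_scope and f.dst in in_scope]
    outbound = [f for f in untested if f.src in in_scope and f.dst not in in_scope]
    return inbound, outbound

def retest_candidates(findings, traits, order):
    """Components tested before a finding that share the affected trait."""
    hits = set()
    for component, trait in findings:
        for earlier in order[:order.index(component)]:
            if trait in traits[earlier]:
                hits.add((earlier, trait, component))
    return sorted(hits)

if __name__ == "__main__":
    inbound, outbound = boundary_gaps(FLOWS, IN_SCOPE)
    for f in inbound:
        print(f"untested external input: {f.src} -> {f.dst} ({f.channel})")
    for f in outbound:
        print(f"untested output to dependent system: {f.src} -> {f.dst} ({f.channel})")
    for earlier, trait, found_in in retest_candidates(FINDINGS, TRAITS, TEST_ORDER):
        print(f"re-check {earlier}: shares {trait} with finding in {found_in}")
```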