- Organizational policies are formalized statements defining how the organization intends to meet its long-term goals.
- They can cover numerous topics, including security, privacy, compliance, and acceptable use of resources.
- Pen test engagements should be designed to align with existing organizational policies; the rules of engagement should cite the policies that authorize the testing and any that constrain it.
- Some organizations provide ways to apply for policy exceptions, where certain organizational policies are not enforced for identified technologies or resources.
- Existing security exceptions should be identified as being either within or outside of the engagement's scope.
- Network Access Control encompasses the collected protocols, policies, and hardware that govern if and how devices can connect to a network.
- A device that passes the NAC health check (a posture assessment of items such as patch level, antivirus status, and required configuration) is admitted to the network; a device that fails is typically denied or placed in a restricted/quarantine segment until remediated.
- NAC solutions are either agent-based (software on the endpoint reports its posture) or agentless (the NAC infrastructure assesses the device externally, for example through 802.1X attributes, scans, or device fingerprinting).
Whitelisting and blacklisting (IPS/WAF whitelisting)
- Whitelisting (allowlisting) denies all users or IP addresses by default and admits only those on the whitelist; blacklisting (denylisting) admits all users or IP addresses by default and blocks only those on the blacklist.
- These practices are commonly used with intrusion prevention systems (IPSs) and web application firewalls (WAFs).
- It is generally recognized that implementing whitelists is more restrictive and thus more secure than implementing blacklists: a blacklist fails open against any source not yet listed, while a whitelist fails closed. The trade-off is maintenance, since every legitimate new source must be added to the whitelist before it can connect.
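The difference in default behaviour is easiest to see in code. The following is an added example, not part of the original notes: a small Python filter that evaluates the same client addresses under an allowlist and under a denylist. The networks, the trusted-proxy range, and the `X-Forwarded-For` handling are assumptions for the example; the caveat they illustrate is that an IP-based list is only as good as the address it is matched against, so a forwarded header is trusted only when the direct peer is a known proxy.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed ranges for the example (RFC 5737 documentation space, not real deployments).
TRUSTED_PROXIES = ["10.0.0.0/24"]        # our own reverse proxies / load balancers
ALLOWED = ["192.0.2.0/24"]               # allowlist: partner range that may reach the app
DENIED = ["203.0.113.0/24"]              # denylist: range seen scanning us last week


def _networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _in_any(ip, nets) -> bool:
    # `in` returns False when the address family differs, so mixed v4/v6 lists are safe.
    return any(ip in n for n in nets)


def effective_client_ip(peer_ip: str, xff: Optional[str] = None):
    """Return the address a list should be matched against.

    X-Forwarded-For is honoured only when the TCP peer is one of our proxies; a
    client talking to us directly can write anything into that header. With a
    single trusted proxy hop, the rightmost entry is the one the proxy appended.
    """
    peer = ipaddress.ip_address(peer_ip)
    if xff and _in_any(peer, _networks(TRUSTED_PROXIES)):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def allowlist_permits(client_ip, allowed_cidrs: Iterable[str] = ALLOWED) -> bool:
    """Default deny: only addresses inside an allowed network get through."""
    return _in_any(client_ip, _networks(allowed_cidrs))


def denylist_permits(client_ip, denied_cidrs: Iterable[str] = DENIED) -> bool:
    """Default allow: everything gets through unless it is inside a denied network."""
    return not _in_any(client_ip, _networks(denied_cidrs))


def evaluate(requests: List[dict]) -> List[dict]:
    """Run constructed requests through both modes and report the decisions."""
    results = []
    for req in requests:
        ip = effective_client_ip(req["peer"], req.get("xff"))
        results.append({
            "label": req["label"],
            "client_ip": str(ip),
            "allowlist": allowlist_permits(ip),
            "denylist": denylist_permits(ip),
        })
    return results


# Constructed sample traffic: the interesting rows are the unlisted scanner (passes the
# denylist, fails the allowlist) and the spoofed X-Forwarded-For sent without a proxy.
SAMPLE_REQUESTS = [
    {"label": "partner", "peer": "192.0.2.10"},
    {"label": "unlisted scanner", "peer": "198.51.100.7"},
    {"label": "known bad, spoofed XFF", "peer": "203.0.113.9", "xff": "192.0.2.10"},
    {"label": "partner via proxy", "peer": "10.0.0.5", "xff": "203.0.113.9, 192.0.2.10"},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print(f"{row['label']:<26} {row['client_ip']:<15} "
              f"allowlist={row['allowlist']!s:<5} denylist={row['denylist']}")
```

Row two is the point of the bullet above: an address nobody has seen before sails through the denylist, and only the allowlist stops it. Row three shows why the filter resolves the client address itself rather than trusting the header.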
Certificate and public key pinning
- Certificate and public key pinning is the process of associating a host with its expected X.509 certificate or public key.
- Pinning adds a check on top of the certificate authority (CA) hierarchy and chain of trust rather than replacing it: a certificate that chains to a trusted CA is still rejected unless it (or its public key) matches the pin. This blunts man-in-the-middle attacks that rely on a compromised, coerced, or mis-issued CA certificate, which ordinary chain validation would accept.
- It is used where the client knows its endpoint in advance, such as mobile apps and VPN or wireless clients, and protects SSL/TLS and VPN connections against rogue-CA interception rather than against flaws in those protocols themselves. Pin the public key (SubjectPublicKeyInfo) rather than the leaf certificate, and keep a backup pin, or routine certificate renewal will lock clients out; note that a pinned client also blocks legitimate interception, so a pen test may need a test build with pinning disabled or an exception for that control.
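Public key pinning hashes the DER-encoded SubjectPublicKeyInfo (SPKI), not the whole certificate, which is why a renewed certificate carrying the same key still matches. The following is an added example, not code from the original notes or from any pinning library: a minimal DER walker that pulls the SPKI out of an X.509 certificate and computes the familiar `sha256/<base64>` pin, checked against a pin set that includes a backup key. The certificates are constructed in the block from toy values so it runs offline; the "keys" are small placeholder integers, not real RSA keys, and the signature bits are dummy bytes that are never verified.

```python
import base64
import hashlib

# --- tiny DER encoder, enough to build toy certificates (assumption: no real ASN.1 lib) ---

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value: int) -> bytes:
    # Non-negative INTEGER; a leading 0x00 is added when the top bit is set.
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def der_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
NULL = b"\x05\x00"


def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQ { AlgorithmIdentifier, BIT STRING(RSAPublicKey) }"""
    rsa_public_key = der_seq(der_int(n), der_int(e))
    return der_seq(der_seq(OID_RSA, NULL), tlv(0x03, b"\x00" + rsa_public_key))


def toy_cert(serial: int, spki: bytes, v3: bool = True) -> bytes:
    """Structurally valid Certificate with empty names and a dummy signature (constructed)."""
    tbs = ([tlv(0xA0, der_int(2))] if v3 else []) + [    # [0] EXPLICIT version, optional
        der_int(serial),
        der_seq(OID_SHA256_RSA, NULL),                      # signature algorithm
        der_seq(),                                          # issuer Name (empty, toy)
        der_seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")),
        der_seq(),                                          # subject Name (empty, toy)
        spki,
    ]
    signature = tlv(0x03, b"\x00" + b"\xaa" * 16)           # placeholder bits, never checked
    return der_seq(der_seq(*tbs), der_seq(OID_SHA256_RSA, NULL), signature)


# --- the part a pinning client actually performs: locate the SPKI and hash it ---

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the raw SPKI TLV bytes."""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = read_tlv(cert, 0)
    assert tag == 0x30, "TBSCertificate must be a SEQUENCE"
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                      # v3 certs carry an explicit [0] version; v1 do not
        pos = nxt
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, end = read_tlv(tbs, pos)
    assert tag == 0x30, "expected subjectPublicKeyInfo SEQUENCE"
    return tbs[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """HPKP/OkHttp-style pin: 'sha256/' + base64(SHA-256(DER SPKI))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der: bytes, pins) -> bool:
    return spki_pin(cert_der) in pins


# Constructed toy keys (placeholder integers, not real RSA moduli).
SPKI_A = rsa_spki(0xD3F2A9C1B7E5, 65537)
SPKI_BACKUP = rsa_spki(0xA7C4E19F3B2D, 65537)
SPKI_OTHER = rsa_spki(0xB8E71C4D2A93, 65537)

CERT_A = toy_cert(1001, SPKI_A)                 # current production cert
CERT_A_RENEWED = toy_cert(1002, SPKI_A)         # renewed: new serial, same key
CERT_A_V1 = toy_cert(7, SPKI_A, v3=False)       # same key, no version field
CERT_OTHER = toy_cert(1003, SPKI_OTHER)         # e.g. an interception cert from a rogue CA

PINS = {spki_pin(CERT_A), spki_pin(toy_cert(1, SPKI_BACKUP))}  # primary + backup pin

if __name__ == "__main__":
    for name, cert in [("current", CERT_A), ("renewed", CERT_A_RENEWED),
                       ("v1", CERT_A_V1), ("rogue", CERT_OTHER)]:
        print(f"{name:<8} {spki_pin(cert)}  match={pin_matches(cert, PINS)}")
```

The renewed and v1 certificates produce the same pin as the current one, which is the operational argument for pinning the key instead of the leaf certificate, and the backup pin is what lets an operator rotate to a pre-generated key without shipping a client update first.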