Virtually none. The impact is minimal. A QPT does not require any network resources and should not interfere with daily business operations. It does require a minor, temporary reconfiguration of an IDS/IPS so that QCP's testing traffic is allowed through and the tools needed for the test can run.
No. This is a Quantum penetration test and is not designed to intentionally flood a network with IP traffic, maliciously gain control of computer systems, or cause a loss of control to systems or services. QCP will endeavor not to disrupt services. However, some scanning, probing, and vulnerability assessment tools are aggressive in their actions and may affect the serviceability of poorly configured or overextended systems or services.
A QPT engagement typically lasts four to seven weeks, depending on the complexity and/or size of the network under engagement. The first phase involves scanning the network with various tools to build a list of responding (live) hosts and enumerate their associated vulnerabilities. In the later phases, QCP attempts to leverage those vulnerabilities using advanced techniques to exploit the systems.
QCP is legally and ethically bound to scan only the IPs and URLs assigned to or hosted by the company, organization, or enterprise that authorized the test. The IP address testing range is provided in the SOW (statement of work). The primary goal is to focus on the methods of penetration and provide the enterprise with the best possible vulnerability assessment within the engagement timeframe.
Trusted source access is required. One reason for this requirement is that the QPT must approximate real-world attacks within a constrained scope: it is performed from a limited range of IP addresses over a short period of time, whereas a malicious attacker could attack from multiple IP addresses over any amount of time. Allowing the testing to continue uninterrupted is therefore critical to obtaining a true assessment of the vulnerabilities within a network.
QCP uses commercially available software, shareware, freeware, and tools that are readily available for purchase off the shelf or from the Internet. These are typically the same tools and software used by hackers and malicious users to scan, probe, exploit, and control computer systems. QCP also uses custom scripts of its own.
QCP will contact your enterprise promptly if any CRITICAL risks or vulnerabilities are found that require immediate attention. QCP will provide analysis and descriptions of confirmed vulnerabilities, along with recommendations for protecting against them, but will not perform the mitigation itself. QCP will also work with your company to verify that the mitigations and/or remedies are effective.
QCP will develop a customized report that provides a summary of activities, vulnerabilities identified, and exploit cases describing how objectives were met. Other deliverables include generated network and web application scan reports and remediation verification reports.
The statement of work (SOW) includes a requirement to complete and return the provided Remediation Survey to QCP within 60 days of receipt of the final report. This survey confirms that your organization has received the QPT results and has taken a proactive approach to address the discovered issues, including developing a plan to address, mitigate/remediate, or accept the risk of identified vulnerabilities.