Penetration Testing
Penetration
testing is the process of simulating attacks on a network and its systems at
the request of the owner, senior management. Penetration testing uses a set of
procedures and tools designed to test and possibly bypass the security controls
of a system. Its goal is to measure an organization’s level of resistance to an
attack and to uncover any weaknesses within the environment. Organizations need
to determine the effectiveness of their security measures and not just trust
the promises of the security vendors. A penetration test emulates the same
methods attackers would use. Attackers can be clever, creative, and resourceful
in their techniques, so penetration attacks should align with the newest
hacking techniques along with strong foundational testing methods.
The type of penetration test that should be used depends on the organization, its security
objectives, and the management’s goals. Some corporations perform periodic penetration
tests on themselves using different types of tools, or they use scanning
devices that continually examine the environment for new vulnerabilities in an
automated fashion. Other corporations ask a third party to perform the
vulnerability and penetration tests to provide a more objective view.
Penetration
tests can evaluate web servers, DNS servers, router configurations, workstation
vulnerabilities, access to sensitive information, remote dial-in access, open ports,
and available services’ properties that a real attacker might use to compromise
the company’s overall security. Some tests can be quite intrusive and
disruptive. The timeframe for the tests should be agreed upon so productivity
is not affected and personnel can bring systems back online if necessary.
The
result of a penetration test is a report given to management that describes the
vulnerabilities identified and the severity of those vulnerabilities, along
with suggestions on how to deal with them properly. From there, it is up to
management to determine how the vulnerabilities are actually dealt with and
what countermeasures are implemented.