Penetration TestingPenetration Testing DefinedThere is a considerable amount of confusion in the industry regarding the differences between vulnerability scanning and penetration testing as the two phrases are commonly interchanged. However, their meaning, and implicaitons are very different. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network and application security testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network. Penetration Testing MethodologyOnce the threats and vulnerabilities have been evaluated, design the penetration testing to address the risks identified throughout the environment. The penetration testing should be appropriate for the complexity and size of an organization. All locations of sensitive data, all key applications that store, process, or transmit such data, all key network connections, and all key access points should be included. The penetration testing should attempt to exploit security vulnerabilities and weaknesses throughout the environment, attempting to penetrate both at the network level and key applications. The goal of penetration testing is to determine if unauthorized access to key systems and files can be achieved. If access is achieved, the vulnerability should be corrected and the penetration testing re-performed until the test is clean and no longer allows unauthorized access or other malicious activity. Penetration Testing Guides and ResourcesThere are a number of standards-based guides and resources to aid organizations in understanding and conducting penetration testing including: |
