Penetration Tests
A penetration usually follows a certain scenario and has a goal defined by the customer. It can be something broad like "We want to know if a total outsider from the Internet can gain access to any internal confidential data" or can be more specific: "We have a very sensitive application and want to know if unauthorised users can acces it".A penetration test is performed in a pre-defined time frame. Some limitations can be set on what the testers are allowed to do. For example, no denial of service attacks, or no social engineering.
Penetration test results can have a very diverse use in a security-minded organisation. Examples include the following:
- Awareness generation. Penetration test results can be an eye-opener for the company. A demonstration such as "Here is how one can break into web mail system and read CEO's email" generates awareness of the need for securitymeasures. A test can also identify areas of concern where more in-depth testing is warranted.
- Incident response testing. A penetration test simulates a hacking attack. As such, it tests the organization's incident handling procedures - whether the attack wasdetected and how the personnel responded.
- Vulnerability identification. One of the major steps in a risk assessment is identifying vulnerabilities. The results of a penetration test can provide valuable input for this step, since they include vulnerabilities which were discovered and whose relevance was verified (elimination of false-positives).
- Attack likelihood and impact assessment. Once the vulnerabilities have been identified in a risk assessment, their occurrence likelihoods and impacts need to be estimated. The results of a penetration test may provide useful input for this process, since they are based upon real hacker tools and techniques and hence are representative of the real threat environment.