Page 1232 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Penetration testing is another preventive measure an organization can use to counter attacks. A penetration test (often shortened to pentest) mimics an actual attack in an attempt to identify what techniques attackers can use to circumvent security in an application, system, network, or organization. It may include vulnerability scans, port scans, packet sniffing, DoS attacks, and social-engineering techniques.

Security professionals try to avoid outages when performing penetration testing. However, penetration testing is intrusive and can affect the availability of a system. Because of this, it’s extremely important for security professionals to get written approval from senior management before performing any testing.




NIST SP 800-115, “Technical Guide to Information Security Testing and Assessment,” includes a significant amount of information about testing, including penetration testing.



Regularly staged penetration tests are a good way to evaluate the effectiveness of security controls used within an organization. Penetration testing may reveal areas where patches or security settings are insufficient, where new vulnerabilities have developed or become exposed, and where security policies are either ineffective or not being followed. Attackers can exploit any of these vulnerabilities.

A penetration test will commonly include a vulnerability scan or vulnerability assessment to detect weaknesses. However, the penetration test goes a step further and attempts to exploit the weaknesses. For example, a vulnerability scanner may discover that a website with a backend database is not using input validation techniques and is susceptible to a SQL injection attack. The penetration test may then use a SQL injection attack to access the entire database. Similarly, a vulnerability assessment may discover that employees aren’t educated about social-engineering attacks, and a penetration test may use social-engineering methods to gain access to a secure area or obtain sensitive information from employees.

Here are some of the goals of a penetration test: