Page 1233 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Determine how well a system can tolerate an attack
Identify employees’ ability to detect and respond to attacks in real time
Identify additional controls that can be implemented to reduce risk
Penetration testing typically includes social-engineering
attacks, network and system configuration reviews, and
environment vulnerability assessments. A penetration test takes
vulnerability assessments and vulnerability scans a step further by
verifying that vulnerabilities can be exploited.
Risks of Penetration Testing
A significant danger with penetration tests is that some methods can
cause outages. For example, if a vulnerability scan discovers that an
internet-based server is susceptible to a buffer overflow attack, a
penetration test can exploit that vulnerability, which may result in the
server shutting down or rebooting.
Ideally, penetration tests should stop before they cause any actual
damage. Unfortunately, testers often don’t know what step will cause
the damage until they take that step. For example, fuzz testers send
invalid or random data to applications or systems to check for the
response. It is possible for a fuzz tester to send a stream of data that
causes a buffer overflow and locks up an application, but testers don’t
know that will happen until they run the fuzz tester. Experienced
penetration testers can minimize the risk of a test causing damage, but
they cannot eliminate the risk.
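
The fuzz-testing risk described above, as an added example that is not from the study guide: a minimal harness that sends random data to a target and runs every case in a separate child process with a timeout, so a crash or lock-up is recorded without taking down the harness. The toy parser in `TARGET_SRC`, its two planted defects, and the names `run_case` and `fuzz` are constructed for illustration.

```python
import random
import subprocess
import sys

# Constructed stand-in for the application under test (an assumption, not a
# real product): a length-prefixed record parser with two planted defects.
TARGET_SRC = r'''
import sys
data = sys.stdin.buffer.read()
if not data:
    sys.exit(0)
length, body = data[0], data[1:]
if length == 0xFF:                 # planted defect 1: lock-up
    while True:
        pass
buf = bytearray(16)                # fixed-size buffer
for i in range(length):            # planted defect 2: trusts the length byte
    buf[i] = body[i] if i < len(body) else 0   # out of bounds past 16 bytes
'''

def run_case(data, timeout=3.0):
    """Run one input in a throwaway child process; return ok, crash or hang."""
    try:
        proc = subprocess.run([sys.executable, "-c", TARGET_SRC], input=data,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:   # child is killed when the timeout fires
        return "hang"
    return "ok" if proc.returncode == 0 else "crash"

def fuzz(iterations, seed=0, timeout=3.0):
    """Send random inputs; the outcome of each is unknown until it is run."""
    rng = random.Random(seed)           # fixed seed so a run can be repeated
    counts = {"ok": 0, "crash": 0, "hang": 0}
    findings = []
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 40)))
        outcome = run_case(data, timeout)
        counts[outcome] += 1
        if outcome != "ok":
            findings.append((outcome, data))   # keep input to reproduce the fault
    return counts, findings

if __name__ == "__main__":
    counts, findings = fuzz(25)
    print(counts)
    for outcome, data in findings[:3]:
        print(outcome, data.hex())
```

Python reports the out-of-bounds write as an `IndexError` and exits; in a C target the same input pattern is what would overflow the buffer.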
Whenever possible, testers perform penetration tests on a test system
instead of a live production system. For example, when testing an
application, testers can run and test the application in an isolated
environment such as a sandbox. If the testing causes damage, it only
affects the test system and does not impact the live network. The
challenge is that test systems often don’t provide a true view of a

