W8 Pentesting. Mis

IS Penetration Testing
Information Security, Aytekin Guzelis, CISA, CRISC

Penetration Testing
Penetration tests (pen tests) are point-in-time assessments of cybersecurity. They
allow IT and security professionals to assess the adequacy of security controls,
including intrusion detection and response systems, and identify weaknesses that
need attention.

Penetration testing includes identifying existing vulnerabilities and then using
common exploit methods to:
• Assess the level of effectiveness and quality of existing security controls
• Identify how specific vulnerabilities expose IT resources and assets
• Ensure compliance

A pen test is ethical hacking designed to improve protection against attacks. It simulates
cyber attacks by penetrating vulnerable systems, applications and services using both
manual and automated tools.

Penetration Testing
Since penetration testing simulates actual attacks, it is important to plan these tests
carefully. Failure to do so may result in ineffective results, negative impact on or
damage to the organization’s IT infrastructure or potential liability or criminal
prosecution. Several considerations are important prior to any penetration testing:

• Clearly define the scope of the test including what systems or networks are within
and out of scope, the type of exploits that may be used and the level of access
allowed. These exploits can include network, social engineering, web, mobile
application and other kinds of testing.
• Gather explicit, written permission from the organization authorizing the testing.
This is the only accepted industry standard that distinguishes the service as
authorized and legal.
• Ensure testers implement “Do no harm” procedures to ensure no assets are
harmed, such as deletions, denial-of-service (DoS) or other negative impacts.
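One way to turn those three considerations (scope, written authorization, do no harm) into an enforced pre-flight check, as an added example that is not part of the slides: an engagement definition with in-scope networks, explicit exclusions, permitted test types and an authorization window, plus a gate that every planned action must pass before it is carried out. All names, addresses and dates below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """Constructed rules-of-engagement record; a hypothetical structure,
    not a standard format."""
    in_scope: list            # CIDR strings the client authorized
    out_of_scope: list        # hosts or CIDRs explicitly excluded
    allowed_test_types: set   # e.g. {"network", "web"}
    forbidden_actions: set    # "do no harm": actions never permitted
    authorization_signed: bool
    window_start: datetime
    window_end: datetime


def check_action(roe, target_ip, test_type, action, now):
    """Return (allowed, reason). Every planned action passes this gate
    first; a False result means stop and escalate to the engagement lead."""
    if not roe.authorization_signed:
        return False, "no written authorization on file"
    if not (roe.window_start <= now <= roe.window_end):
        return False, "outside the authorized testing window"
    addr = ip_address(target_ip)
    # Exclusions win over inclusions: a host inside an in-scope network
    # but listed as out of scope is still off limits.
    if any(addr in ip_network(n) for n in roe.out_of_scope):
        return False, f"{target_ip} is explicitly out of scope"
    if not any(addr in ip_network(n) for n in roe.in_scope):
        return False, f"{target_ip} is not in any in-scope network"
    if test_type not in roe.allowed_test_types:
        return False, f"test type '{test_type}' not permitted"
    if action in roe.forbidden_actions:
        return False, f"action '{action}' violates do-no-harm rules"
    return True, "within scope and authorization"


# Constructed sample engagement (illustrative values only).
ROE = RulesOfEngagement(
    in_scope=["10.20.0.0/16"],
    out_of_scope=["10.20.5.0/24"],  # e.g. a production database segment
    allowed_test_types={"network", "web"},
    forbidden_actions={"denial_of_service", "data_deletion"},
    authorization_signed=True,
    window_start=datetime(2024, 3, 1, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 15, tzinfo=timezone.utc),
)
IN_WINDOW = datetime(2024, 3, 5, tzinfo=timezone.utc)
OUTSIDE_WINDOW = datetime(2024, 4, 1, tzinfo=timezone.utc)
```

Keeping the record in version control alongside the signed authorization gives the client and the testers one shared, auditable definition of what was agreed.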

Penetration Testing
Penetration testing requires specialized knowledge of vulnerabilities, exploits, IT
technology and the use of testing tools. It should not be performed by untrained or
unqualified practitioners. Any penetration tests should be carefully planned to
mitigate the risk of causing a service outage, and the results require careful
interpretation and elimination of false positives.

Penetration testing can be covert (the general IT staff do not know the testing is going
to take place) so that the organization's ability to detect and respond to an attack is
also tested.

Also, penetration testing can be external, from outside the organization, or internal,
starting from a system behind the organization’s firewall.


Penetration Test Types
Penetration tests can be tailored for a variety of products, needs, and situations.

• Black box tests are performed with no prior knowledge of the tested network
ecosystem. A black box test is an objective assessment of security as seen from
outside the network by third parties.

• White box tests are performed with full knowledge of the internal design and
structure of the tested ecosystem.

• Grey box tests combine aspects of white and black box testing into one. For this
variety of test, experts will assess the level of software security seen by a
legitimate user with an account.