KEY CONCEPTS

Penetration testing is typically deployed to gain an assessment of IT infrastructure, networks and business applications to identify attack vectors, vulnerabilities and control weaknesses. It involves an active analysis of the target system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures.

Penetration testing looks to exploit known vulnerabilities but should also use the expertise of the tester to identify specific weaknesses – unknown vulnerabilities – in an organisation’s security arrangements.

Penetration testing should be placed in the context of security management as a whole. To gain an appropriate level of assurance, a range of reviews should be conducted. These are often aligned to standards such as ISO27001, COBIT or the ISF Standard of Good Practice. Whilst these standards reference penetration testing, they only do it from a management perspective – and systems that comply with these standards may not be technically secure. A balanced approach of technical and non-technical testing should therefore be taken to ensure the overall integrity of security controls.

While other forms of security assurance provide only a theoretical articulation of vulnerability, penetration testing demonstrates actual vulnerability against defined and real threats. As such, the results from a penetration test can be more compelling and demonstrable to both senior management and technical staff.

‘Organisations should not describe themselves as secure – there are only varying degrees of insecurity.’
