Audit Knowledge Base

Your FREE resource for Audit information

What is a Penetration Test?
Written by Adam Ellis, CISSP, CISA   
Wednesday, 25 March 2009 21:24

A Penetration Test (also sometimes referred to as a Vulnerability Assessment or Technical Risk Assessment) is the process of evaluating a company or entity's security posture. Most often, a Penetration Test combines automated scanning tools with hands-on assessment by the Tester.

Point of note: NEVER perform a penetration test without first having received a “Rules of Engagement” from the Auditee, and make sure that the appropriate level of executive (i.e. the Chief Information Security Officer - CISO) has signed off.

When performing a Vulnerability Assessment, like any other audit, it is important to follow a systematic process.  An example overview of the Penetration Test process is included below:

  • Step 1: Scope the Assessment
  • Step 2: Receive CISO signoff, via Rules of Engagement, for all in-scope activities and testing.
  • Step 3: Footprint and Scan the environment
  • Step 4: Enumerate vulnerable host(s)
  • Step 5: Confirm vulnerabilities on host(s)
  • Step 6: Issue report

General Note: Depending on the environment being tested, the scope of the audit, and the tools available to the Auditor, this list may be added to or subtracted from; it is by no means exhaustive.

Some key points to consider when performing a Penetration Test include whether you are recording all observations as you go, whether you are concentrating on high-risk assets to make the best use of your time, and, perhaps most important of all, whether you are staying within scope and within the parameters set forth for you by the Rules of Engagement.
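One way to make the scope and signoff checks mechanical is to gate every target through a small function before any testing tool touches it. The sketch below is an added example, not part of the original article; the `RulesOfEngagement` class, its field names, and the sample addresses and dates are all hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class RulesOfEngagement:
    signed_off_by: str       # approving executive; empty string = no signoff yet
    in_scope: list           # CIDR blocks the Auditee authorised
    excluded: list           # carve-outs inside those blocks
    window_start: datetime   # agreed testing window (UTC)
    window_end: datetime
    log: list = field(default_factory=list)  # every decision, for the report

    def check(self, target: str, when: datetime):
        """Return (allowed, reason) for one target and record the decision."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            addr = None  # hostname or typo: never test what cannot be matched
        def within(cidrs):
            return any(addr in ipaddress.ip_network(c) for c in cidrs)
        if not self.signed_off_by:
            reason = "no executive signoff"
        elif not self.window_start <= when <= self.window_end:
            reason = "outside testing window"
        elif addr is None:
            reason = "not an IP address"
        elif within(self.excluded):
            reason = "explicitly excluded"
        elif not within(self.in_scope):
            reason = "not in scope"
        else:
            reason = "in scope"
        allowed = reason == "in scope"
        self.log.append((when.isoformat(), target, allowed, reason))
        return allowed, reason

# Constructed sample RoE using documentation address ranges (RFC 5737).
SAMPLE_ROE = RulesOfEngagement(
    signed_off_by="CISO",
    in_scope=["192.0.2.0/24"],
    excluded=["192.0.2.200/32"],
    window_start=datetime(2024, 1, 10, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 1, 11, 4, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 23, 30, tzinfo=timezone.utc)
    for host in ["192.0.2.10", "192.0.2.200", "198.51.100.5", "www.example.com"]:
        print(host, SAMPLE_ROE.check(host, now))
```

The decision log doubles as the running record of observations, so refused targets appear in the report alongside tested ones.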

If you are interested in learning more about this topic, please consider visiting the ISECOM website.  They maintain the OSSTMM testing framework, which is a widely used and openly available testing methodology.  Also available to you are our IT Audit Forums, if you would like to post a specific question or point of discussion. 

Other frameworks to consider would include the NSA IAM and NSA IEM testing methodologies, but information is less widely available for those methodologies within the public arena.

 

If you have any questions or comments regarding this article, please send them to us.  

