Agung Primamorista

Security is Everybody's Problem!

What is Penetration Testing?

A penetration test is the authorized, scheduled and systematic process of using known vulnerabilities in an attempt to perform an intrusion into host, network or application resources. The penetration test can be conducted on internal (a building access or host security system) or external (the company connection to the Internet) resources. It normally consists of using an automated or manual toolset to test company resources.

What a penetration test is not


A penetration test is not an uncoordinated attempt to access an unauthorized resource. The event must be coordinated and scheduled with support staff. At a minimum, some of these tests will log alerts in an Intrusion Detection System. Additionally, some tests have the ability to cause an outage of network equipment or systems. For that reason, management and staff awareness is required in most cases. The exception to complete notification could be a penetration test intended to test the Intrusion Detection System (and staff response). Management should also consider providing printed documentation authorizing the test to be performed. This will address any legal liabilities that might be associated with the performance of the test.


Why perform a Penetration Test?


If a vulnerability is utilized by an unauthorized individual to access company resources, company resources can be compromised. The objective of a penetration test is to address vulnerabilities before they can be utilized.


What should be tested?


The core services offered by the company should be tested. These include: Mail, DNS, firewall systems, password syntax, File Transfer Protocol (FTP) systems and Web servers. The most recent information indicates that company wireless systems and Private Branch Exchange (PBX) systems should also be tested. Companies should also test other potential methods for accessing computing and network resources and/or obtaining information. These include physical access to the computing/network and backup areas in addition to social engineering access attempts.

 
