CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

Penetration Testing
Penetration testing is another preventive measure an organization can use to counter attacks. A penetration test (often shortened to pentest) mimics an actual attack in an attempt to identify what techniques attackers can use to circumvent security in an application, system, network, or organization. It may include vulnerability scans, port scans, packet sniffing, DoS attacks, and social-engineering techniques.


Implementing Detective and Preventive Measures 
769
Security professionals try to avoid outages when performing penetration testing. 
However, penetration testing is intrusive and can affect the availability of a system. Because 
of this, it’s extremely important for security professionals to get written approval from 
senior management before performing any testing. 
NIST SP 800-115, “Technical Guide to Information Security Testing and 
Assessment,” includes a significant amount of information about testing, 
including penetration testing.
Regularly staged penetration tests are a good way to evaluate the effectiveness of security controls used within an organization. Penetration testing may reveal areas where patches or security settings are insufficient, where new vulnerabilities have developed or become exposed, and where security policies are either ineffective or not being followed. Attackers can exploit any of these vulnerabilities.
A penetration test will commonly include a vulnerability scan or vulnerability assessment to detect weaknesses. However, the penetration test goes a step further and attempts to exploit the weaknesses. For example, a vulnerability scanner may discover that a website with a backend database is not using input validation techniques and is susceptible to a SQL injection attack. The penetration test may then use a SQL injection attack to access the entire database. Similarly, a vulnerability assessment may discover that employees aren’t educated about social-engineering attacks, and a penetration test may use social-engineering methods to gain access to a secure area or obtain sensitive information from employees.
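The website-with-a-backend-database example above, as an added illustration that is not from the study guide: a lookup that concatenates user input into SQL (the finding a vulnerability scanner reports) next to the parameterised version that closes it, plus a simple detective check that would flag the same input in logs. The table, names and probe string are constructed for this example.

```python
import sqlite3

# Constructed sample table standing in for the "website with a backend
# database" from the passage; the rows and names are made up.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # The weakness a scanner would flag: user input is spliced into the SQL
    # text, so it can change the structure of the query, not just a value.
    query = f"SELECT email FROM accounts WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # The fix: a parameterised query sends the value separately from the
    # statement, so the database treats it as data whatever it contains.
    query = "SELECT email FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

def looks_injected(username: str) -> bool:
    # Detective check for a WAF rule or log review: quote characters or SQL
    # comment/terminator tokens in a field that should be a plain username.
    # Heuristic only; the preventive control is lookup_safe().
    return any(token in username for token in ("'", "--", ";", "/*"))

if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed tautology input a pentest would verify
    print(lookup_unsafe(db, probe))  # every row: the scanner's finding is exploitable
    print(lookup_safe(db, probe))    # []: the parameterised query returns nothing
    print(looks_injected(probe))     # True
```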
Here are some of the goals of a penetration test:
- Determine how well a system can tolerate an attack
- Identify employees’ ability to detect and respond to attacks in real time
- Identify additional controls that can be implemented to reduce risk
Penetration testing typically includes social-engineering attacks, network and system configuration reviews, and environment vulnerability assessments. A penetration test takes vulnerability assessments and vulnerability scans a step further by verifying that vulnerabilities can be exploited.