
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

APPENDIX E: TAILORING CRITERIA

Penetration Testing Considerations


Organizations consider the following criteria in developing and implementing a controlled penetration testing program. An effective penetration test:

Goes beyond vulnerability scanning, to provide an explicit and often dramatic proof of mission risks and an indicator of the level of effort an adversary would need to expend in order to cause harm to the organization’s operations and assets, to individuals, to other organizations, or to the Nation;

Approaches the information system as the adversary would, considering vulnerabilities, incorrect system configurations, trust relationships between organizations, and architectural weaknesses in the environment under test;

Has a clearly defined scope and contains as a minimum:

- A definition of the environment subject to test (e.g., facilities, users, organizational groups);

- A definition of the attack surface to be tested (e.g., servers, desktop systems, wireless networks, Web applications, intrusion detection and prevention systems, firewalls, email accounts, user security awareness and training posture, incident response posture);

- A definition of the threat sources to simulate (e.g., an enumeration of attacker profiles to be used: internal attacker, casual attacker, single or group of external targeted attackers, criminal organization);

- A definition of the objectives for the simulated attacker (e.g., gain domain administrator access on the organization’s LDAP (Lightweight Directory Access Protocol) structure, access and modify information in the organization’s financial system);

- A definition of the level of effort (time and resources) to be expended; and

- A definition of the rules of engagement.

Thoroughly documents all activities performed during the test, including all exploited vulnerabilities and how the vulnerabilities were combined into attacks;

Produces results indicating a likelihood of occurrence for a given attacker by using the level of effort the team needed to expend in penetrating the information system as an indicator of the penetration resistance of the system;

Validates existing security and privacy controls (including risk mitigation mechanisms such as firewalls, intrusion detection and prevention systems);

Provides a verifiable and reproducible log of all the activities performed during the test; and

Provides actionable results with information about possible remediation measures for the successful attacks performed.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056