These tests or pseudo-attacks are conducted by an objective evaluation team and emulate an attack on one or more computer systems to discover ways to breach the system's security controls, to obtain sensitive information, to obtain unauthorized services, or to simulate damage to the system by denying service to legitimate users. Security testing comprises a detailed inventory of network assets and a set of controlled attacks intended to find vulnerabilities in those assets. In the context of a security assessment, the words attack and test are used interchangeably.
Penetration tests (pen-tests) usually refer to tests against perimeter defenses, while vulnerability testing refers to tests against specific systems (hosts, applications, or networks). External assessments can be loosely defined as testing launched from outside the perimeter of the private network. This kind of testing emulates the threat from hackers and other external parties and is often concerned with breaching firewalls and other forms of perimeter security. In vulnerability testing, on the other hand, the analyst is located somewhere within the perimeter of the private network and emulates the threat posed by internal staff, consultants, disgruntled employees, or, in the event of unauthorized physical access or a compromise of the perimeter security, a hacker. The general rule of thumb is that internal threats comprise more than 60 percent of the total threat portfolio.
Testing can consist of something as simple as an Nmap or Nessus scan, or it can be as detailed as tests against a multi-tiered business application architecture requiring months of code review and application testing. The ground rules for testing, agreed on before it begins, define what counts as successful completion. Testing is successfully concluded when one or more of the following agreed conditions is met:
- A defined number of flaws are found.
- A set level of penetration time has transpired.
- A dummy target object is accessed by unauthorized means.
- The security policy is violated sufficiently.
- Money and resources are exhausted.
- Internal resources are accessed.
- Transaction data is captured.
- A particular program or transaction is executed.
- Access is gained to any user account.
- Access is gained to a root/administrative account.
- Network management systems are subverted.
- The ability to remotely control resources is demonstrated.