National Institute of Standards and Technology (NIST) has developed specific guidance for agencies to test and assess the security of their information systems. Network vulnerability assessment and penetration testing of information systems are also procedures recommended in the Security Management and Access Controls portions of the Government Accountability Office (GAO) guidance provided in the Federal Information System Controls Audit Manual (FISCAM). NIST Special Publication (SP) 800-115, Technical Guide to Information Security Testing and Assessment, provides specific guidance for conducting these tests and assessments, including guidance for developing Rules of Engagement (ROE). Our approach to penetration testing follows the National Institute of Standards and Technology (NIST) SP 800-115 ROE format. This ROE establishes guidelines for staff and contracting staff to conduct vulnerability assessments and penetration testing of system and network components throughout the enterprise.
A network vulnerability assessment is a typically automated systematic examination of an information system or product intended to accomplish these objectives:
• Determine whether or not security controls are adequately designed and effectively implemented
• Identify security deficiencies and determine the effectiveness of external perimeter and internal security controls
• Provide a basis for evaluating the effectiveness of proposed or implemented security measures
• Map the vulnerabilities with associated exploits
• Post-implementation confirmation of changes made to the security baseline and other protective measures
Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability.
Penetration testing can also be useful for determining:
• How well the system tolerates real-world attack patterns
• The likely level of sophistication an attacker needs to successfully compromise the system
• Additional countermeasures that could mitigate threats against the system
• The defenders’ ability to detect attacks and respond appropriately
• Assess the security posture of the target system
• Identify gaps in the implementation of defense in depth security
• Evaluate device configuration
The testing team will take the necessary steps to avoid any adverse impact on systems from authorized testing. For example, the individual or team will limit any load on the network segments caused by testing and thereby try to avoid a Denial of Service (DoS) for any network resources.
Our team approach facilitates testing in a controlled manner that addresses potential and realized impacts on operations while allowing for the most useful test results possible.
Our Talented team will work with the appropriate stakeholders (application/business owner, ISSO, contractor(s)) to determine the scope of the engagement, and will identify the correct options for testing.
The testing team will coordinate with, and report to a representative during test activities. Staff and contracting staff shall brief target system personnel on the results of testing and provide copies of supporting documents. Upon completing the activities identified in the test plan, the testing team will prepare a test report identifying the actions taken as well as the results of the test. This report will be provided to target environment staff and contracting personnel as appropriate. These test reports will provide both a narrative and the technical details of the test.
A briefing will be given to applicable data center/system POCs (e.g., Business Owner, Information System Security Officers, etc.) describing the overall methodology for the specific testing that will be conducted. This testing methodology will be detailed in the Penetration Test Plan, based upon the scope and magnitude of the specific test. The Test Plan will be updated as necessary based upon the discussions conducted at the Test Methodology Briefing.
Vulnerability assessment and penetration testing tools include commercial, non-commercial, custom-built, as well as network monitoring tools that have been pre-approved for use by staff. A general list of the current Vulnerability Assessment and Penetration Testing Tool Suite will be provided.