
Standard Penetration Test



A standard penetration test is the process of actively evaluating information security measures. There are numerous ways that this can be done. The most common procedure is to actively analyze the security measures for design weaknesses, technical flaws and vulnerabilities. Understanding these basic areas is essential for creating a successful and efficient system. After testing, the results are presented comprehensively in a report to the appropriate audience, be it the Executive, Management or the IT group.


There are several reasons why organizations choose to perform a standard penetration test; they range from technical to commercial. The most common reason is to identify any threats to your organization's information so that you can quantify your information risk and provide adequate security. Another reason is to reduce your organization's IT security costs and provide a better return on any IT security investment by identifying vulnerabilities and weaknesses. These may be known vulnerabilities in the underlying technologies or weaknesses in the design or implementation. Other reasons include simply providing your organization with assurance. A thorough and comprehensive assessment of organizational security, covering policy, procedure, design and implementation, will bring confidence. Lastly, many organizations choose to perform a standard penetration test in order to gain and maintain special certification to an industry regulation.


A standard penetration test will involve the systematic analysis of all the security measures in place. A full project should include some of the following areas. Each test will differ depending on the organization's needs. All of the tasks are written up and prepared before the standard penetration test is started. There is a lot of work involved prior to testing. However, the real value of a penetration test is in the report that you receive at the end. If the results are not clear and easy to understand, then the whole exercise is of little value. Ideally, the report should be broken into sections that are specifically targeted at their intended audience. Board members, for example, need the risks and possible solutions described in simple terms. Technical managers need a broad overview of the situation without getting buried in details, and system administrators need a list of technical vulnerabilities to address. Basically, a standard penetration test is only as good as the reports that are given at the end. If it is not clearly understood by each intended party, it is of little worth.


With many IT companies now providing penetration testing services, the quality of the reports varies enormously: everything from a page of bullet points to three hundred pages of mind-numbing repetition. Both of these types are useless. As a result of this wide variation, it is wise to ask for a sample report before proceeding with any new supplier of penetration testing services. Additionally, some service providers will charge separately to present the findings of the report to your team; clarify this before making a final choice. The quality of your standard penetration test will be the direct result of the quality of the consultants that will be supplied for the project. Make sure they are qualified and experienced. Equally important is that they are personable and good communicators. As discussed earlier, if the information from the test is not easily comprehended, the test is a waste of time.


Mark Keller is an internet marketer for 10xmarketing. For more information on a standard penetration test visit aculis.com.



This article is free for republishing
Source: http://www.a1articles.com/article_39876_11.html