Penetration Testing
Penetration testing is an authorized but non-cooperative attempt to cause a security failure: the testers attack the target without the assistance of the people who operate and defend it. Side-effects can be severe, including downtime and the corruption or loss of data. Of the assessment types described here, penetration tests have by far the shortest shelf life: the result is a list of attacks that succeeded against the system as it was configured at the time of the test, and a change to that configuration can invalidate the result. A penetration test also cannot assess policy, procedure, or practice, all of which are critical components of overall information assurance. Penetration testing teams are known as "Red Teams" in military jargon.
Interhack's penetration tests involve several major steps. First, we obtain a clear identification of the target and secure proper authorization from an executive sponsor of the organization involved. Next, the sponsor identifies areas of concern, which set the priorities for testing within the defined scope. A set of tests is then constructed and performed, and evidence of each successful penetration is collected. Depending on the scope of the project, the testing phase is repeated, going a level deeper into the system with each successive pass. An initial report is then released to the sponsor, presenting the findings and providing an opportunity to raise questions or concerns. Last, a final report is issued, identifying which attacks were most successful against the areas of greatest concern to the sponsor, as well as the effectiveness of any defenses against those attacks.
Being the ultimate test of whether policy and technology are effectively addressing the needs of the organization, penetration tests are the final step of a comprehensive information assurance program. Information assurance is a process, the product of policy, technology, and procedure. Just as a runner cannot finish a marathon by skipping to the last mile, an organization cannot test its information security by skipping to the last step of an information assurance program.
The key benefit of penetration testing is that, once the policy has been defined and assessed and the systems have been evaluated, the sponsoring organization can evaluate its detection and response capability, confirming that every component of the information security program is doing its part to protect the organization's assets.

