IT Examiner School, Seaside, CA
Penetration Test (Pen Test)
A pen test “tests” a system by finding and exploiting known vulnerabilities that an attacker could exploit
• Determine whether there are weaknesses and whether system functionality and data can be accessed
• Are intrusive, as actual “attack” tools are used
• Require a high degree of skill to perform
• Require management’s knowledge & consent
• Pen Test report will describe any weaknesses as “high”, “medium” or “low”
Pen Test Strategies
• Targeted Testing - performed by the entity’s IT team and an external testing team
• External Testing - targets externally visible servers or devices (seen by anybody on the Internet) to see whether the testers can get into internal systems and how far
• Internal Testing - mimics an insider attack by an authorized user with standard access privileges (what can happen with a disgruntled employee)