Penetration Testing References
NIST states: “Penetration testing services can be invaluable, but it is labor-intensive and requires great expertise to minimize the risk to targeted systems. Systems may be damaged or otherwise rendered inoperable during the course of penetration testing, even though the organization benefits in knowing how a system could be rendered inoperable by an intruder. Although experienced penetration testers can mitigate this risk, it can never be fully eliminated. Penetration testing should be performed only after careful consideration, notification, and planning.”
NIST 800 warns “that caution should be exercised when performing physical security testing—security guards should be made aware of how to verify the validity of tester activity, such as via a point of contact or documentation. Another nontechnical means of attack is the use of social engineering, such as posing as a help desk agent and calling to request a user’s passwords, or calling the help desk posing as a user and asking for a password to be reset.”
NIST SP 800-115
“Penetration testing can be useful for determining:
- How well the system tolerates real-world-style attack patterns
- The likely level of sophistication an attacker needs to successfully compromise the system
- Additional countermeasures that could mitigate threats against the system
- Defenders’ ability to detect attacks and respond appropriately.
Penetration testing can be invaluable, but it is labor-intensive and requires great expertise to minimize the risk to targeted systems. Systems may be damaged or otherwise rendered inoperable during the course of penetration testing, even though the organization benefits in knowing how a system could be rendered inoperable by an intruder. Although experienced penetration testers can mitigate this risk, it can never be fully eliminated. Penetration testing should be performed only after careful consideration, notification, and planning”
Supplemental guidance for the RA controls can be found in the following documents:
- NIST SP 800-30 provides guidance on conducting risk assessments and updates [79].
- NIST SP 800-39 provides guidance on risk management at all organizational levels [20].
- NIST SP 800-40 provides guidance on handling security patches [40].
- NIST SP 800-115 provides guidance on network security testing [41].
- NIST SP 800-60 provides guidance on determining security categories for information types [25].
- NIST SP 800-100 provides guidance on information security governance and planning [27].