NIST Recommends Penetration Testing
The National Institute of Standards and Technology (NIST) is recommending penetration testing in its forthcoming "Guide for Assessing Security Controls in Federal Information Systems", due out in March, 2008. The recommendations NIST develops for federal systems are applicable to commercial sites as well, so it's worth taking note of what they say. For example, from SC Magazine:
NIST recommends that government agencies train selected personnel in penetration testing tools and techniques, which should be updated on a regular basis to address newly discovered exploitable vulnerabilities. The guidelines also express a preference for the use of automated penetration tools.
But it cautions that:
"significant oversight and resources" should be applied to the testing process and that tests must be carefully planned to avoid potentially disruptive attacks that are not fully authorized.
and
The use of outside auditors to conduct penetration tests also would limit the number of federal employees trained to undertake sophisticated attacks, reducing the possibility that a disgruntled government staffer could use the knowledge gleaned from simulated tests to mount a real attack, Larson [executive managing director of computer forensics consultants Stroz Friedberg] noted.
Developing penetration testing skills and plans will take time. This isn't as simple a matter as installing and patching AV software. There are serious downsides to penetration testing gone wrong.