Assessment of Vulnerabilities in an IT System

The most accurate way to assess vulnerabilities in an IT system is by penetration testing, which simulates an actual attack. It can be dangerous to both the targeted organization, as well as the penetration team. Since the testers use the same tools as an actual attacker, systems and networks could really be brought down during the “attack.” One of the biggest advantages to penetration testing is that it tests not only the security of the infrastructure, but the readiness of the response team as well. Even though a more realistic test would be performed during normal working hours when productivity would be affected, even after hours tests could cause problems. A successful attack could bring resources down and it may take time for them to come back up. All penetration testing should be signed off on by management prior to the test commencing. There are several steps that need to take place while planning and executing a penetration test. The first is the planning and preparation stage. During this stage, penetration testers and management personnel should hold a meeting to determine the exact scope, goals, and method of the penetration test. Failure to do this will only result in a list of exploitable vulnerabilities without any type of prioritization or guidelines for the organization. Since these tests can cause networks to crash or connectivity to slow tremendously, it is very important the penetration testers know what kinds of tests are and are not acceptable to management. Legal documents should also be drafted during this time to protect the penetration testers. Since the testing involves acts that would normally be illegal and could compromise confidential information, these documents can outline how the information will be handled, returned and/or destroyed. A liability waiver should also be included to protect the testers from and ramifications of any system damage during the test. After the initial planning, the next step is information