Study: A Penetration Testing Model (Germany — Federal Office for Information Security)

Editor’s Note: The study “A Penetration Testing Model” by the Federal Republic of Germany’s Federal Office for Information Security is attached here.

The study’s Introduction and Objectives is reprinted below.

This study on “A Penetration Testing Model” addresses the use of penetration testing in security-relevant IT systems. The security of systems that are linked to public networks can be compromised by unauthorized, and usually anonymous, attempts to access them. This situation calls for test methods that are devised from the attacker’s perspective to ensure that test conditions are as realistic as possible.

Technically speaking, a penetration test is the controlled attempt at penetrating a computer system or network from “outside” in order to detect vulnerabilities. It employs the same or similar techniques to those used in a genuine attack. Appropriate measures can then be taken to eliminate the vulnerabilities before they can be exploited by unauthorized third parties.

This study is aimed at businesses and institutions which offer, or are planning to offer, penetration tests. It presents a structured approach to penetration testing that facilitates - and can ensure - the efficient and focused performance of such tests. The study is also designed to provide assistance with selection criteria to decision-makers in private and public entities who are planning to commission a penetration test.

This study is not a guide to hacking networks and systems, which is why the authors have consciously refrained from including detailed technical instructions and descriptions of the tools used in penetration testing.
