Proactive methods, employing system testing, can be used to identify system vulnerabilities
efficiently, depending on the criticality of the IT system and available resources (e.g., allocated
funds, available technology, persons with the expertise to conduct the test). Test methods
include.
• Automated vulnerability scanning tool
• Security test and evaluation (ST&E)
• Penetration testing.6
The automated vulnerability scanning tool is used to scan a group of hosts or a network for
known vulnerable services (e.g., system allows anonymous File Transfer Protocol [FTP],
sendmail relaying). However, it should be noted that some of the potential vulnerabilities
identified by the automated scanning tool may not represent real vulnerabilities in the context of
the system environment. For example, some of these scanning tools rate potential vulnerabilities
without considering the site’s environment and requirements. Some of the “vulnerabilities”
flagged by the automated scanning software may actually not be vulnerable for a particular site
but may be configured that way because their environment requires it. Thus, this test method
may produce false positives.
ST&E is another technique that can be used in identifying IT system vulnerabilities during the
risk assessment process. It includes the development and execution of a test plan (e.g., test
script, test procedures, and expected test results). The purpose of system security testing is to
test the effectiveness of the security controls of an IT system as they have been applied in an
operational environment. The objective is to ensure that the applied controls meet the approved
security specification for the software and hardware and implement the organization’s security
policy or meet industry standards.
Penetration testing can be used to complement the review of security controls and ensure that
different facets of the IT system are secured. Penetration testing, when employed in the risk
assessment process, can be used to assess an IT system’s ability to withstand intentional attempts
to circumvent system security. Its objective is to test the IT system from the viewpoint of a
threat-source and to identify potential failures in the IT system protection schemes.
efficiently, depending on the criticality of the IT system and available resources (e.g., allocated
funds, available technology, persons with the expertise to conduct the test). Test methods
include.
• Automated vulnerability scanning tool
• Security test and evaluation (ST&E)
• Penetration testing.6
The automated vulnerability scanning tool is used to scan a group of hosts or a network for
known vulnerable services (e.g., system allows anonymous File Transfer Protocol [FTP],
sendmail relaying). However, it should be noted that some of the potential vulnerabilities
identified by the automated scanning tool may not represent real vulnerabilities in the context of
the system environment. For example, some of these scanning tools rate potential vulnerabilities
without considering the site’s environment and requirements. Some of the “vulnerabilities”
flagged by the automated scanning software may actually not be vulnerable for a particular site
but may be configured that way because their environment requires it. Thus, this test method
may produce false positives.
ST&E is another technique that can be used in identifying IT system vulnerabilities during the
risk assessment process. It includes the development and execution of a test plan (e.g., test
script, test procedures, and expected test results). The purpose of system security testing is to
test the effectiveness of the security controls of an IT system as they have been applied in an
operational environment. The objective is to ensure that the applied controls meet the approved
security specification for the software and hardware and implement the organization’s security
policy or meet industry standards.
Penetration testing can be used to complement the review of security controls and ensure that
different facets of the IT system are secured. Penetration testing, when employed in the risk
assessment process, can be used to assess an IT system’s ability to withstand intentional attempts
to circumvent system security. Its objective is to test the IT system from the viewpoint of a
threat-source and to identify potential failures in the IT system protection schemes.