NIST SP 800-53A Appendix G
ASSESSMENT TOOLS AND TECHNIQUES TO IDENTIFY INFORMATION SYSTEM WEAKNESSES
Organizations should consider adding controlled penetration testing to their arsenal of tools and techniques used to assess the security controls in the information system. Penetration testing is a specific type of assessment methodology in which assessors simulate the actions of a given class of attacker by using a defined set of documentation (that is, the documentation representative of what that class of attacker is likely to possess) and working under other specific constraints to attempt to circumvent the security features of an information system. Penetration testing is conducted as a controlled attempt to breach the security controls employed within the information system using the attacker's techniques and appropriate hardware and software tools. Penetration testing represents the results of a specific assessor or group of assessors at a specific point in time using agreed-upon rules of engagement. As such, and considering the complexity of the information technologies commonly employed by organizations today, penetration testing should be viewed not as a means to verify the security of an information system, but rather as a means to: (i) enhance the organization's understanding of the system; (ii) uncover some weaknesses or deficiencies in the system; and (iii) indicate the level of effort required on the part of adversaries to breach the system safeguards.60 
Keeping in mind reasonable expectations toward penetration testing results, organizations should consider performing controlled penetration testing on moderate-impact and high-impact information systems. Penetration testing exercises can be scheduled and/or random in accordance with organizational policy and organizational assessments of risk. Consideration should be given to performing penetration tests: (i) on any newly developed information system (or legacy system undergoing a major upgrade) before the system is authorized for operation; (ii) after important changes are made to the environment in which the information system operates; and (iii) when a new type of attack is discovered that may impact the system. Organizations actively monitor the information systems environment and the threat landscape (e.g., new vulnerabilities, attack techniques, new technology deployments, user security awareness and training) to identify changes that require out-of-cycle penetration testing.
Organizations specify which components within the information system are subject to penetration testing and the attacker's profile to be adopted throughout the penetration testing exercises. Organizations train selected personnel in the use and maintenance of penetration testing tools and techniques. Effective penetration testing tools should have the capability to readily update the list of attack techniques and exploitable vulnerabilities used during the exercises. Organizations should update the list of attack techniques and exploitable vulnerabilities used in penetration testing in accordance with an organizational assessment of risk or when significant new vulnerabilities or threats are identified and reported. Whenever possible, organizations should employ tools and attack techniques that include the capability to perform penetration testing exercises on information systems and security controls in an automated manner.
The information obtained from the penetration testing process should be shared with appropriate personnel throughout the organization to help prioritize the vulnerabilities in the information system that are demonstrably subject to compromise by attackers of a profile equivalent to the ones used in the penetration testing exercises. The prioritization helps to determine effective strategies for eliminating the identified vulnerabilities and mitigating associated risks to the organization's operations and assets, to individuals, to other organizations, and to the Nation resulting from the operation and use of the information system. Penetration testing should be integrated into the network security testing process and the patch and vulnerability management process. NIST Special Publication 800-40 (Version 2) provides guidance on patch and vulnerability management. NIST Special Publication 800-42 provides guidance on network security testing. NIST Special Publication 800-115 provides guidance on information security testing.
Penetration Testing Considerations
Organizations should consider the following in developing and implementing a controlled penetration testing program:
- An effective penetration test goes beyond vulnerability scanning, to provide an explicit and often dramatic proof of mission risks and an indicator of the level of effort an adversary would need to expend in order to cause harm to the organization's operations and assets, to individuals, to other organizations, or to the Nation;
- An effective penetration test approaches the information system as the adversary would, considering vulnerabilities, incorrect system configurations, trust relationships between organizations, and architectural weaknesses in the environment under test;
- An effective penetration test has a clearly defined scope and contains as a minimum:
- A definition of the environment subject to test (e.g., facilities, users, organizational groups, etc.);
- A definition of the attack surface to be tested (e.g., servers, desktop systems, wireless networks, web applications, intrusion detection and prevention systems, firewalls, email accounts, user security awareness and training posture, incident response posture, etc.);
- A definition of the threat sources to simulate (e.g., an enumeration of attacker's profiles to be used: internal attacker, casual attacker, single or group of external targeted attackers, criminal organization, etc.);
- A definition of level of effort (time and resources) to be expended; and
- A definition of the rules of engagement.
- An effective penetration test thoroughly documents all activities performed during the test, including all exploited vulnerabilities, and how the vulnerabilities were combined into attacks;
- An effective penetration test produces results indicating a risk level for a given attacker by using the level of effort the team needed to expend in penetrating the information system as an indicator of the penetration resistance of the system;
- An effective penetration test validates existing security controls (including risk mitigation mechanisms such as firewalls, intrusion detection and prevention systems);
- An effective penetration test provides a verifiable and reproducible log of all the activities performed during the test; and
- An effective penetration test provides actionable results with information about possible remediation measures for the successful attacks performed.
- The failure of an assessor or group of assessors to penetrate an information system may be more indicative of team expertise, resources applied, or hindrance by rules of engagement than a statement of overall system security.