A penetration test performed as part of evaluating network security:
provides assurance that all vulnerabilities are discovered.
should be performed without warning the organization’s management.
exploits the existing vulnerabilities to gain unauthorized access.
would not damage the information assets when performed at network perimeters.
Penetration tests are an effective method of identifying real-time risks to an information processing
environment. They attempt to break into a live site in order to gain unauthorized access to a system.
They do have the potential for damaging information assets or misusing information because they
mimic an experienced hacker attacking a live system. On the other hand, penetration tests do not
provide assurance that all vulnerabilities are discovered because they are based on a limited
number of procedures. Management should provide consent for the test to avoid false alarms to IT
personnel or to law enforcement bodies.