Your organization hired an external security team to conduct penetration testing to assess the security and privacy controls in organizational information systems. Which of the following is your organization least concerned in terms of the penetration test?
A. Thoroughly document all activities performed during the test.
B. Produce results indicating the risk exposure for exploited and validated vulnerabilities.
C. Validate existing security and privacy controls.
D. Provide actionable results with information about possible remediation measures.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Produce results indicating the risk exposure for exploited and validated vulnerabilities.
Organizations typically conduct penetration testing to validate existing security and privacy controls and enhance their understanding of the system by uncovering vulnerabilities and exploiting them, thoroughly documenting all activities performed during the test, and providing actionable results with information about possible remediation measures. Please refer to Appendix E: Penetration Testing in NIST SP 800-53A for detail.
Uncertainty: Likelihood Analysis
Likelihood analysis is required and crucial in a penetration test. According to NIST SP 800-53A, an effective penetration test produces results indicating the likelihood of a compromise by an attacker as the indicator of the system’s penetration resistance, based on the team’s level of effort in penetrating the system.
Effect: Impact Analysis
Business impact analysis is not mandatory or even infeasible. Organizations are more interested in business value and business impact analysis. It’s difficult for an external security team, as an outsider, to analyze the business impact and evaluate the risk exposure. Even though it can evaluate the risk exposure of exploited vulnerabilities in terms of technical impact, your organization has to evaluate the business impact by itself and may not expect or be concerned that the external security team can submit a report with estimated risk exposure.
Risk exposure is commonly defined as the product of the uncertainty and effect of risk, as an expected value or expected exposure.
- Potential loss presented to an individual, project, or organization by a risk. (ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management)
- Function of the likelihood that the risk will occur and the magnitude of the consequences of its occurrence. (ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management)
- Product of probability times potential loss for a risk factor. (ISO/IEC/IEEE 24765:2017 Systems and software engineering — Vocabulary)
- NIST SP 800-53A
- Rules of engagement
- Penetration Testing Rules of Engagement on Microsoft Cloud
- 5 pen testing rules of engagement: What to consider while performing Penetration testing
- Why Are Rules Of Engagement Important To My Penetration Test?
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
B. 產出結果，指出被利用(exploited)和已驗證(validated)的漏洞的曝險值(risk exposure)。