January 2008

	If your Internet provider filters incoming e-mail, please add ncxgroup.com to your list of approved senders to make sure you receive NCX Group Security Updates.
	WHAT TO EXPECT FROM A PENETRATION TEST The main objective of a penetration test is to discover, identify, and exploit vulnerabilities that an attacker may find. These tests have a tremendous value in that they disclose the weaknesses of your network, applications, and systems by verifying potential threats so action can be taken to reduce the probability and impact of a successful attack. What is important to remember, though, is that a penetration test takes only a snapshot of your network or Web application at the time it is being performed. It is not intended as a full security audit, which uses both standards and best practices like an accounting audit. Approach a penetration test as a “first step” to identifying network or Web application weaknesses prior to conducting a full security review, which includes a review of business risk and liability within your technology infrastructure and business processes. When contracting for a penetration test, it is best to choose a security partner that has no affiliation to the systems being tested. This eliminates a conflict of interest and potential recommendations for additional products or solutions you may

ISSUE: January 2008


		Subscribe to Security Update

	2008 Reported Data Breaches Keep yourself updated on the latest security breach disclosures




	Looking for Managed Security Services? Call us at 888-448-5451 or contact us below

	To have an NCX Group Representative Contact You Email us here

not need. Your goal is best achieved by a consulting firm whose focus is on the results of the test, not future product sales. The benefits and value of utilizing qualified testers that have the skills, tools, and in-depth knowledge will be evident in the way the tests are conducted as well as the final reporting document.

It is extremely important you clearly define the objectives (rules of engagement) and scope for your penetration test. This includes identifying systems to be tested, the timeframe for testing, the level of testing required, and the personnel involved. It should also include escalation procedures in the event a high-risk vulnerability is found. A well-defined plan will ensure the service delivered meets your expectations.

The heart of any penetration test is the quality and value of the report. Conducting the test is very time consuming, and documenting the discovery detail is even more laborious. A professional report will have an executive summary describing general findings and the overall security posture of your network, systems, or Web applications. The report should then contain detailed findings on all vulnerabilities and the level of risk they pose, a remediation section that specifies a corrective action or recommended solution for each threat and vulnerability discovered, and a remediation matrix to help prioritize and guide the remediation effort.

Tests can vary considerably based on methods used, the scope of the tests and the type of practitioner you engage to do the testing, so have the testing firm thoroughly review the processes performed and have it in writing.

For information on conducting a penetration test for your company, please contact us at 888-448-5451 or request a representative to call you.

NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
888-448-5451
www.ncxgroup.com