
PENETRATION TEST PARTNER SELECTION AND RISK MITIGATION 1

Penetration Test Partner Selection and Risk Mitigation

Capella University

IAS5220 – Network Security Controls and Testing.

March 14, 2019



Abstract

Flaws and weaknesses that become avenues for vulnerabilities are the outputs of pen testing. This paper reviews the relationship between an international organization's information security governance, the security control plans and network defenses it uses, and pen testing as an aid to risk assessment, business continuity and compliance.

This paper reviews the mitigation plans that will minimize the weaknesses and flaws found in pen testing. It further examines the duties of internal and external pen testing within an organization, and discusses the idea of the flaw hypothesis as an avenue for a pen tester to find vulnerabilities in a specific target (Capella, 2019, 23-24).

Keywords: flaw hypothesis, vulnerabilities, pen testing.



Table of Contents

Cover Page
Abstract
Table of Contents
Introduction / Body
Conclusion
References

Introduction

An international organization runs information security governance policies consisting of procedures and network security control methodologies, including management plans for weaknesses and flaws in system devices, applications and operating systems. Its vulnerability administration plans follow from a review of the organization's risk assessment and management, which directs the pen tester to seek out weaknesses in specific targets through identification and assessment. They also draw on the continuous network management procedures: awareness and employee training, continuous network monitoring and auditing, business continuity and data recovery, and finally documentation of the organization's network management practices.

The vulnerability administration procedures also consist of patch deployment and upgrades, setting priorities for the patch management and upgrades of security applications, operating systems and devices, while continuous risk management addresses any existing vulnerabilities in applications, operating systems, devices and the human factor that have not yet been addressed; updates and upgrades are applied as soon as possible when prompted. Jason's (2017) article states that antimalware and antivirus applications are implemented so that the reports and alerts they generate improve continuous network protection.

These give rise to the mitigation plans that can be implemented to minimize any dangers from the flaws and weaknesses found in pen testing, such as a pen testing policy structure that covers the whole corporate information system enterprise-wide, including pen testing procedures and processes, external/internal pen testing selection criteria, and the framework for pen testing management. Butler (2014) examined how the full support of management and the international organization's technical team helps define the scope of work for pen testing and the quality of the change management procedure, with better performance metrics for the outcomes of pen testing.

Before vulnerabilities are mitigated through pen testing, the specific target areas of the international organization on which the testing is carried out are identified: very critical business processes, web applications and operating systems, parts of the organization's network infrastructure, outsourced third-party IT services such as cloud services, critical specialized equipment, and systems in the network development life cycle whether or not they are still under development.

Before the mitigation plan for vulnerabilities, there is a procedure for defining the pen testing needs. The needs should be defined by specifying the scope of work that is needed and what is not, which parts of the pen test are to be continuous and carried out at what times, and what the testing is going to affect, such as the international organization's sensitive data and information, IT infrastructure, storage centers, applications and operating systems. Whatever is pen tested should always be validated during the testing process as a legal process that does not compromise the organization's existing data security needs, while the tester acts professionally. Methodologies for keeping risk to a minimum during pen testing consist of carrying out processes ahead of time: sticking to the well-defined scope of pen testing work and to the predefined ways of escalating pen testing processes. They also mean ensuring that members of the pen testing team have full knowledge of the testing needs and of any unforeseen organizational hindrances, while complying with and following any escalation processes (Jason, 2017, p. 19-22).

As part of pen testing compliance, team members are held responsible for keeping the organization's risk within an acceptable boundary: never leaving risk issues unattended, dealing constantly with any dangers as they arise, keeping the agreed testing in place, and handling any escalated issues as soon as possible.

Internal and external pen testing is where the tester simulates an inside attack or a remote attack on the organization's network system to find any weaknesses and flaws that are accessible or inaccessible from the public network. Jason's (2017) article states that the tester pen tests with automation against the many flaws and weaknesses above, combined with a manual process, to explore the vulnerability holes in the organization's network system more deeply. Through external pen testing, the tester is able to validate the testing outcomes against the security resources the organization needs to mitigate them and against any security controls that will affect the IT infrastructure's risk level. From the penetration testing reports the organization is able to implement the needed compliance procedures and address any compliance violations.

The idea of the flaw hypothesis is that it is an avenue to areas of vulnerability in a specific target system. The flaw hypothesis is applied where a trusted system is required to perform to its network system specification, since the main goal of the flaw hypothesis is finding these system flaws and weaknesses; it is not required to simulate or demonstrate exploitation. Clark (1996) states further that the flaw hypothesis consists of flaw generation, given the evaluation of the testing results in progress, by validating the flaws or understanding the flawed object system; flaw confirmation, which evaluates the documentation and code for evidence of the identified flaws, since the process prioritizes an inventory of the flaws sorted by likelihood of existence, followed by desk checking of the flaws and finally live testing of the flaws; flaw generalization, where the team meets to confirm the existence of system flaws; and flaw elimination, where each flaw is either repaired or patched to improve the countermeasures against the flaw being fixed in the system (Clark, 1996, p. 18-22).
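The four phases just described, as an added example that is not part of this paper or of Clark's (1996) handbook: a small Python tracker that carries hypothesized flaws through generation, confirmation (desk check before live test), generalization and elimination. Everything in it is hypothetical: the class and method names, the likelihood-times-impact ranking of the inventory, the rule that a confirmed flaw raises the likelihood of its flaw class in other components, and the constructed component names and scores.

```python
"""Flaw hypothesis tracker: generation, confirmation (desk check, then live test),
generalization and elimination, as the paper describes the method. Hypothetical
example; component names, flaw classes and scores are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    HYPOTHESIZED = "hypothesized"  # generated, not yet examined
    DESK_CHECKED = "desk_checked"  # documentation/code reviewed, still plausible
    CONFIRMED = "confirmed"        # live test observed the flaw
    REFUTED = "refuted"            # desk check or live test showed it is absent
    ELIMINATED = "eliminated"      # repaired or patched and retested


@dataclass
class Hypothesis:
    hid: str
    component: str
    flaw_class: str
    likelihood: float  # estimated probability that the flaw exists, 0..1
    impact: int        # 1 (low) .. 5 (critical)
    stage: Stage = Stage.HYPOTHESIZED
    evidence: list = field(default_factory=list)  # desk check, test and fix notes


class FlawHypothesisInventory:
    def __init__(self):
        self.items = {}  # hid -> Hypothesis

    # Phase 1: flaw generation
    def generate(self, hid, component, flaw_class, likelihood, impact):
        self.items[hid] = Hypothesis(hid, component, flaw_class, likelihood, impact)
        return self.items[hid]

    def prioritized(self):
        """Open hypotheses sorted by likelihood-weighted impact, highest first."""
        open_items = [h for h in self.items.values()
                      if h.stage in (Stage.HYPOTHESIZED, Stage.DESK_CHECKED)]
        return sorted(open_items, key=lambda h: (-h.likelihood * h.impact, h.hid))

    # Phase 2: flaw confirmation: desk check first, live test only for survivors
    def desk_check(self, hid, note, still_plausible=True):
        h = self._require(hid, Stage.HYPOTHESIZED)
        h.evidence.append(f"desk check: {note}")
        h.stage = Stage.DESK_CHECKED if still_plausible else Stage.REFUTED
        return h.stage

    def live_test(self, hid, observed, note):
        h = self._require(hid, Stage.DESK_CHECKED)  # refuses to skip the desk check
        h.evidence.append(f"live test: {note}")
        h.stage = Stage.CONFIRMED if observed else Stage.REFUTED
        return h.stage

    # Phase 3: flaw generalization: a confirmed flaw makes its class more likely elsewhere,
    # so raise open same-class hypotheses and hypothesize the class in uncovered components
    def generalize(self, components):
        touched = []
        for parent in [h for h in self.items.values() if h.stage is Stage.CONFIRMED]:
            siblings = [h for h in self.items.values() if h.flaw_class == parent.flaw_class]
            for h in siblings:
                if h.stage is Stage.HYPOTHESIZED and h.likelihood < parent.likelihood:
                    h.likelihood = parent.likelihood
                    touched.append(h.hid)
            covered = {h.component for h in siblings}
            for comp in components:
                if comp not in covered:
                    new_id = f"{parent.hid}-{comp}"
                    self.generate(new_id, comp, parent.flaw_class, parent.likelihood, parent.impact)
                    touched.append(new_id)
        return touched

    # Phase 4: flaw elimination
    def eliminate(self, hid, fix_note):
        h = self._require(hid, Stage.CONFIRMED)
        h.evidence.append(f"fix: {fix_note}")
        h.stage = Stage.ELIMINATED
        return h.stage

    def _require(self, hid, stage):
        h = self.items[hid]
        if h.stage is not stage:
            raise ValueError(f"{hid} is {h.stage.value}, expected {stage.value}")
        return h


def run_demo():
    """Walk constructed hypotheses through all four phases; returns the inventory."""
    inv = FlawHypothesisInventory()
    inv.generate("H1", "web-portal", "missing input validation", 0.8, 4)
    inv.generate("H2", "vpn-gateway", "default credentials", 0.3, 5)
    inv.generate("H3", "file-server", "missing input validation", 0.5, 3)
    inv.generate("H4", "build-server", "unpatched library", 0.6, 2)
    inv.desk_check("H1", "design document shows validation only in the browser")
    inv.live_test("H1", True, "server accepted a malformed form field")
    inv.desk_check("H2", "credential rotation records on file", still_plausible=False)
    inv.generalize(["web-portal", "file-server", "api-gateway", "vpn-gateway"])
    inv.eliminate("H1", "server-side validation added and retested")
    return inv
```

Running `run_demo()` leaves the two generalized hypotheses at the top of the open queue, `H3` raised to the confirmed flaw's likelihood, `H2` refuted at the desk check, and `H1` eliminated with its evidence trail intact; `live_test` refuses a hypothesis that has not been desk checked, which enforces the ordering the paragraph gives (inventory sorted by likelihood, desk check, then live test).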

References

Capella University. (2019). Course room, unit 9: Penetration test partner selection and risk mitigation. Date retrieved 03/16/2019, https://courserooma.capella.edu/webapps/blackboard/content/listContent.jsp?course_id=_162482_1&content_id=_7268977_1&mode=reset

Jason Cressey. (2017). A guide for running an effective penetration testing programme. CREST. Date retrieved 03/16/2019, https://www.crest-approved.org/wp-content/uploads/CREST-Penetration-Testing-Guide.pdf

OWASP. (2004). OWASP Web Application Penetration Checklist Version 1.1. Date retrieved 03/14/2019, https://mboulou.files.wordpress.com/2009/08/owaspwebapppentestlist1-1.pdf

Butler, C. (2014). Vulnerability remediation. SANS. Date retrieved 03/14/2019, https://www.sans.org/reading-room/whitepapers/application/win-friends-remediate-vulnerabilities-34530

Clark, W. (1996). Security penetration testing guideline: Handbook for the computer security certification of trusted systems. Date retrieved 03/14/2019, https://apps.dtic.mil/dtic/tr/fulltext/u2/a390673.pdf