1 Introduction
A penetration test is an authorized simulation of a cyber-attack used to identify security weaknesses arising from technical flaws, misconfigurations, software vulnerabilities, and/or business-logic flaws. A penetration tester attempts to exploit these weaknesses to gain access, modify functionality, and/or subvert the business logic of the target system without creating additional risk to the agency or organization. The penetration tester performs the activities of a malicious actor; however, such activities are conducted ethically and only with the prior permission of the General Services Administration (GSA) Office of the Chief Information Security Officer (OCISO).
A penetration test exercise supports the overall security process by identifying security risks and demonstrating the exploitability of findings that may not be readily apparent from a security review alone. A penetration test can be performed with or without prior knowledge of the system, and involves executing scenarios and abuse cases that focus on violating technical, administrative, and management controls to gain access to the system or its data.
Penetration tests can be used to verify whether scan results are false positives or false negatives. Unlike vulnerability scans, penetration tests should not produce false positive findings, since they report only vulnerabilities that were actually demonstrated or exploited. Although a penetration test can confirm a specific false negative, it is not exhaustive and therefore cannot prove that a system has no vulnerabilities. The test processes described in this document are used for measuring, evaluating, and testing the security posture of an information system, but test findings should not be used to the exclusion of other security processes (e.g., architecture analyses, configuration checks).