Penetration Testing

Introduction

Safeguard 18 - Penetration Testing

Penetration tests (pentests) use vulnerability scans but also go a step further by attempting exploitation of systems and devices to confirm the existence of vulnerabilities. This method of testing provides much more information by simulating what an actual attack would find.

Procedures

18.1 - Establish and Maintain a Penetration Testing Program

The VT IT Security Office (ITSO) offers custom penetration testing for departments via 4Help. Penetration tests are designed to find potential security vulnerabilities with operating systems, application software, and web applications, and network configurations.

Once a pentest is completed by ITSO, a report will be delivered with a findings section detailing each found vulnerability and its criticality: Critical, High, Medium, Low, and Informational. The report additionally includes information to guide the remediation process.

Retesting is done once all vulnerabilities have been remediated. This ensures that found security issues have been appropriately resolved.

18.2 - Perform Periodic External Penetration Tests

Departments may request custom penetration tests through 4Help.

  1. Go to the Penetration Test 4Help request item.
  2. Click Request this service. Make sure to log in if not already logged in.
  3. Fill out the form, including a comma-separated list of hostnames or IP addresses and the preferred time to test, and adding any relevant attachments.
  4. Click Submit.

18.3 - Remediate Penetration Test Findings

Typically remediation takes one to two weeks and rarely takes longer than a month. This time may vary depending on the situation, so the report will include remediation information such as the steps to take and the amount of time it should take to complete.

  1. Review the report delivered by the IT Security Office.
  2. Prioritize remediation of critical and high vulnerabilities as soon as possible, following the recommendations in the report.
  3. Remediate remaining medium, low, and informational vulnerabilities.
  4. Notify ITSO that remediation is complete to begin their retesting process.

Other

If you have questions that are not covered in these procedures, please contact the VT IT Security Office itso@vt.edu for a consultation.