A security administrator is aware that a portion of the company’s Internet-facing network tends to
be non-secure due to poorly configured and patched systems. The business owner has accepted
the risk of those systems being compromised, but the administrator wants to determine the degree
to which those systems can be used to gain access to the company intranet. Which of the
following should the administrator perform?

A.
Patch management assessment

B.
Business impact assessment

C.
Penetration test

D.
Vulnerability assessment

Explanation:
Penetration testing is the most intrusive type of testing because you are actively trying to
circumvent the system’s security controls to gain access to the system. It is also used to determine
the degree to which the systems can be used to gain access to the company intranet (the degree
of access to local network resources).
Penetration testing (also called pen testing) is the practice of testing a computer system, network
or Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually. Either
way, the process includes gathering information about the target before the test (reconnaissance),
identifying possible entry points, attempting to break in (either virtually or for real) and reporting
back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also
be used to test an organization’s security policy compliance, its employees’ security awareness
and the organization’s ability to identify and respond to security incidents.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are
attempting to break in.
Pen test strategies include:
Targeted testing
Targeted testing is performed by the organization’s IT team and the penetration testing team
working together. It’s sometimes referred to as a “lights-turned-on” approach because everyone
can see the test being carried out.

External testing
This type of pen test targets a company’s externally visible servers or devices including domain
name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an
outside attacker can get in and how far they can get in once they’ve gained access.
Internal testing
This test mimics an inside attack behind the firewall by an authorized user with standard access
privileges. This kind of test is useful for estimating how much damage a disgruntled employee
could cause.
Blind testing
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting
the information given to the person or team that’s performing the test beforehand. Typically, they
may only be given the name of the company. Because this type of test can require a considerable
amount of time for reconnaissance, it can be expensive.
Double blind testing
Double blind testing takes the blind test and carries it a step further. In this type of pen test, only
one or two people within the organization might be aware a test is being conducted. Double-blind
tests can be useful for testing an organization’s security monitoring and incident identification as
well as its response procedures.