Security Testing

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. Acknowledgements The authors, John Wack of NIST and Miles Tracy of Booz, Allen, and Hamilton (BAH), wish to acknowledge staff at NIST and BAH who reviewed drafts of this publication and made substantial improvements to its quality, including Network security testing should be integrated into an organization's security program to evaluate system security mechanisms and validate that systems are operating according to the organization's security policies and system security requirements. To maximize their usefulness and ensure that they are affordable, organizations should prioritize network testing activities according to system criticality, testing costs, and the benefits that testing will provide. Organizations can use a prioritization process, described in this document, to determine minimum required sets of tests and appropriate frequencies for these tests Routine testing of networks can greatly reduce the chances of a network compromise by helping to ensure that critical systems, e.g., firewalls, routers, servers, are configured, maintained , and operated according to the organization's security policy. Exploitation of a system could have a costly impact on an organization's operations. Network testing can be a valuable and cost effective measure of protecting a network and preventing costly compromise .