Information Security - Controlled Penetration Testing

Frequently Asked Questions

Updated March 2015

Controlled Penetration Testing (CPT)

Is a CPT confidential?

Yes, pursuant to TGC 2054.077, TGC 2059.055, and TGC 552.139, all data derived from a CPT is exempt from disclosure and is NOT public information. Reports may be provided to the State Auditor’s Office (SAO) or the Legislative Budget Board (LBB) upon request, and DIR may disclose certain information to appropriate law enforcement agencies if warranted.

What impact does CPT have on our agency staff or network?

Virtually none. CPT does not require any agency staff or network resources and should not interfere with daily business operations. It does require a minor, temporary reconfiguration of the IDS/IPS to allow DIR access to run the tools necessary for the engagement.

Will CPT cause a DoS attack or bring the network down?

No. This is a CONTROLLED penetration test and is not designed to intentionally flood a network with IP traffic, maliciously gain control of computer systems, or cause a loss of control to systems or services. DIR will endeavor not to disrupt services. However, some scanning, probing, and vulnerability assessment tools are aggressive in their actions and may affect the serviceability of poorly configured or overextended systems or services.

How long does a CPT engagement last?

A CPT engagement can last four to seven weeks, depending on the complexity or size of the network. The first phase involves scanning the network with various tools to gather a list of responding hosts and associated vulnerabilities. In the later phases, DIR attempts to leverage the vulnerabilities in order to exploit the systems.

Why provide DIR with our IP addresses?

DIR is legally bound to scan only IPs and URLs assigned or hosted by an agency. The primary goal is to focus on the methods of penetration and provide an agency with the best possible vulnerability assessment given the engagement timeframe.

If our IDS/IPS detects DIR, is the CPT engagement over?

No, but it is an excellent way to test the investment an agency has made into an IDS/IPS and to ensure that it is properly configured and working.

Why allow DIR past the IDS/IPS?

Trusted source access is required. One of the reasons for this requirement is to mimic real-world attacks. For example, the CPT is performed from a limited range of IP addresses over a short period of time, whereas a malicious attacker could attack from multiple IP addresses over any amount of time. So it’s critical to allow testing to continue in order to gain a true assessment of vulnerabilities within a network.
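The two answers above describe a temporary IDS/IPS exception for the tester's source addresses. The following is an added example (not DIR's tooling or any configuration DIR publishes) of how an agency might generate that exception so it stays scoped to the listed sources and expires with the engagement: it validates the source ranges, refuses anything broader than a /24, and renders Suricata/Snort-style `pass` rules only while the engagement window is open, so regenerating the rule file after the end date removes the exception. The engagement name, dates, CIDRs (TEST-NET documentation ranges) and sid numbers are constructed placeholders.

```python
"""Added example: a scoped, time-bounded IDS/IPS exception for a penetration
testing engagement. Not DIR's own tooling; all values are constructed."""
import ipaddress
from datetime import date

# Constructed sample engagement window and tester source ranges (placeholders).
ENGAGEMENT = {
    "name": "CPT-EXAMPLE",                               # hypothetical label
    "start": date(2015, 3, 2),
    "end": date(2015, 4, 17),                            # exception must not outlive this
    "tester_sources": ["203.0.113.0/28", "198.51.100.7"],  # TEST-NET placeholders
}
MAX_NET_SIZE = 2 ** 8   # refuse any range wider than a /24 (256 addresses)
SID_BASE = 1000000      # locally defined rule ids conventionally start here


def validate_sources(sources, max_size=MAX_NET_SIZE):
    """Parse the tester ranges, rejecting malformed or overly broad entries.

    strict=True makes ipaddress raise on host bits set in a network entry,
    so a typo such as 203.0.113.5/28 is caught instead of silently widened.
    """
    nets = []
    for entry in sources:
        net = ipaddress.ip_network(entry, strict=True)   # ValueError on bad input
        if net.num_addresses > max_size:
            raise ValueError(f"range too broad for an exception: {net}")
        nets.append(net)
    return nets


def pass_rules(engagement, today):
    """Render one `pass` rule per tester source while the engagement is open.

    Outside the window the function returns an empty list: a scheduled
    regeneration of the rule file therefore drops the exception automatically.
    """
    if not (engagement["start"] <= today <= engagement["end"]):
        return []
    expires = engagement["end"].isoformat()
    rules = []
    for i, net in enumerate(validate_sources(engagement["tester_sources"])):
        rules.append(
            f"pass ip {net.with_prefixlen} any -> $HOME_NET any "
            f'(msg:"{engagement["name"]} tester allowlist, expires {expires}"; '
            f"sid:{SID_BASE + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    # Stand-alone run: print the rules that would be active today.
    for rule in pass_rules(ENGAGEMENT, date.today()):
        print(rule)
```

The key design choice is that the exception is data-driven and regenerated rather than hand-edited: the source list is the one named in the statement of work, the width check keeps an operator from allowlisting a whole /8 by mistake, and the end date is embedded in each rule's message so an auditor reading the live ruleset can see when it should have been removed.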

What types of tools or software does DIR use?

DIR uses commercially available software, shareware, freeware, and tools that are easily available for purchase off the shelf or from the Internet. These are typically the same tools or software used by hackers and malicious users to scan, probe, exploit, and control computer systems. DIR also uses custom-built scripts it creates.

Will DIR help us mitigate vulnerabilities if we have any?

DIR will contact your agency promptly if any CRITICAL risks or vulnerabilities are found that require immediate attention. DIR will provide analysis, descriptions of, and recommendations for protecting against confirmed vulnerabilities but will not mitigate vulnerabilities. DIR will also work with you to verify that the mitigation and/or remedies are effective.

What kind of deliverable or report will our agency receive?

DIR will develop a customized report that provides a summary of activities, vulnerabilities identified, and exploit cases describing how objectives were met. Other deliverables include generated network and web application scan reports and remediation verification reports.

Are we required to mitigate the vulnerabilities detailed in the CPT report?

The statement of work (SOW) includes a requirement to complete and return the provided Remediation Survey to DIR within 60 days of receipt of the final report. This survey confirms that your agency has received the CPT results and has taken a proactive approach to address the discovered issues, including developing a plan to address, mitigate/remediate, or accept the risk of identified vulnerabilities.

For more information, contact the Office of the CISO.