1. Is a CPT confidential?
2. What impact does this have on our agency staff or network?
3. Will this cause a DOS attack or bring the network down?
4. How long does an engagement last?
5. Why provide DIR with our IP addresses?
6. If our IDS/IPS detects DIR, is the engagement over?
7. Why allow DIR past the IDS/IPS?
8. What types of tools or software does DIR use?
9. Will DIR help us mitigate vulnerabilities if we have any?
10. What kind of deliverable or report will our agency receive?
11. Are we required to mitigate the vulnerabilities detailed in the CPT report?
1. Is a CPT confidential?
Yes. Pursuant to Texas Government Code, Sec. 2054.077 and 552.139, any data derived from a CPT is NOT public information and is exempt from the public records act. A copy may be provided to the State Auditor’s Office or the LBB upon request, and DIR may disclose certain information to appropriate law enforcement agencies if warranted.
2. What impact does this have on our agency staff or network?
Virtually none. A CPT does not require any agency staff or network resources and should not interfere with daily business operations. It may require a minor (temporary) reconfiguration of an IDS/IPS to allow DIR access to run the tools necessary for the engagement.
3. Will this cause a DOS attack or bring the network down?
No. This is a CONTROLLED penetration test and is not designed to intentionally flood a network with IP traffic, gain control of computer systems, or disrupt systems or services and cause a loss of control over them.
4. How long does an engagement last?
An engagement can last 3 to 5 weeks, depending on the complexity or size of the network. The first phase involves scanning the network with different tools to gather a list of answering hosts and vulnerabilities. Later phases attempt to exploit those hosts and vulnerabilities.
5. Why provide DIR with our IP addresses?
DIR is legally bound to scan only IPs and domains that are assigned to or hosted by an agency. The main goal is to focus on the methods of penetration and provide an agency with the best possible assessment of vulnerabilities given the engagement timeframe.
6. If our IDS/IPS detects DIR, is the engagement over?
No, but it is an excellent way to test the investment an agency has made in its IDS/IPS and to ensure that it is properly configured and working.
7. Why allow DIR past the IDS/IPS?
Trusted source access is required. These devices have been known to fail, and intrusions have been known to occur undetected, so it’s critical to allow testing to continue in order to gain a true assessment of the vulnerabilities within a network.
8. What types of tools or software does DIR use?
DIR uses commercially available software, shareware, freeware, and tools that are easily available for purchase off the shelf or on the internet. These are typically the same types of tools or software used by hackers and malicious users to scan, probe, exploit, and control computer systems.
9. Will DIR help us mitigate vulnerabilities if we have any?
Your agency will be contacted promptly if any HIGH risks or vulnerabilities are found that require immediate attention. DIR will provide analysis, descriptions of, and recommendations for protecting against confirmed vulnerabilities, but will not mitigate the vulnerabilities itself.
10. What kind of deliverable or report will our agency receive?
A customized report is written by DIR that provides a summary of activities, the vulnerabilities identified, and any exploit cases describing how objectives were met. Documentation can also be provided to justify the cost of mitigation and/or policy changes.
11. Are we required to mitigate the vulnerabilities detailed in the CPT report?
The statement of work (SOW) includes a requirement to complete and return the remediation survey to DIR within 30 days of receipt of the final report. This survey confirms that your agency has received the results of the CPT and has taken a proactive approach to addressing them, including developing a plan to mitigate/remediate or accept the risk of the identified vulnerabilities. Extensions to this 30-day timeframe may be requested.