Updated Thursday, Dec. 27, 2007, at 6:01 EST.

In the final draft of its upcoming security guidelines for protecting federal information systems, the National Institute of Standards and Technology (NIST) is recommending that federal agencies conduct regular penetration tests to determine whether their networks can be breached.

The NIST draft guidelines, which will be published next March, suggest that federal agencies “should consider adding controlled penetration testing to their arsenal of tools and techniques used to assess the security controls” in their information systems.

NIST recommends that government agencies train selected personnel in penetration testing tools and techniques, which should be updated on a regular basis to address newly discovered exploitable vulnerabilities.

The guidelines also express a preference for the use of automated penetration tools.

Scott Larson, executive managing director of computer forensics consultants Stroz Friedberg, who formerly headed the investigative unit of the FBI's National Infrastructure and Computer Investigations division, told SCMagazineUS.com that many government agencies already are conducting regular penetration tests.

Larson supported the proposed NIST guidelines, but cautioned that "significant oversight and resources" should be applied to the testing process and that tests must be carefully planned to avoid potentially disruptive attacks that are not fully authorized.

"Anyone who [is designated by a government agency] to undertake this activity needs to have adequate technical and legal training," Larson told SCMagazineUS.com, adding that each agency should also arrange to have an outside auditor conduct penetration tests to ensure that agency specialists do not downplay problems in the systems they administer.

The use of outside auditors to conduct penetration tests also would limit the number of federal employees trained to undertake sophisticated attacks, reducing the possibility that a disgruntled government staffer could use the knowledge gleaned from simulated tests to mount a real attack, Larson noted.

According to the draft of the NIST guidelines, special consideration should be given to penetration tests on newly developed information systems before they are authorized for operation, on any legacy system undergoing a major upgrade, or “when a new type of attack is discovered that may impact the system.”

NIST recommends performing controlled penetration testing on both moderate- and high-impact information systems, and says that the tests can be scheduled in advance or be random, depending on each agency's organizational policy regarding assessments of risk. The proposed guidelines caution that penetration tests should be conducted using "agreed-upon rules of engagement," and they warn against using test results as a final verification of the security of an information system.

The guidelines, which will be finalized at the end of January and published in March 2008 as the Guide for Assessing Security Controls in Federal Information Systems, detail comprehensive security control assessment procedures federal agencies should follow to protect their information systems. The draft was produced at the Computer Security Division of NIST's Information Technology Laboratory.