Pen Testing for Low Hanging Fruit - Part 1 of 7

Monday, October 11, 2010

Bryan Miller


As a professional penetration tester and a business owner, I am often asked, "Why should I pay you to break into my network?" There are many reasons for doing so, and they have been discussed in many different places over the years. 

In fact, there are probably as many reasons for performing a penetration test as there are for NOT performing a penetration test. 

This article will explain what penetration testing is [1] and give some reasons for and against performing such tests. 

This article will also describe some of the issues involved in deciding whether to perform penetration testing with internal staff or to outsource the testing to a security vendor [2]. 

Penetration testing will also be discussed from an IT Security and Privacy perspective. The concept of Low Hanging Fruit (LHF) is then defined, and the benefits of performing penetration tests to discover LHF are described.

What is Penetration Testing?

As a security professional I feel I have an obligation to my clients to try and persuade them to perform periodic testing from both an internal and external perspective. 

I use the term "persuade" because it often comes down to a passionate discussion about the risks and rewards of performing such tests. 

Before going much further I should define what I mean by "internal" and "external" testing. An "internal" penetration test is typically performed by plugging into the client network just as a normal employee would.

One of the goals of penetration testing is to test for vulnerabilities that could be exploited by employees, contractors, guests and automated attack software such as worms, viruses and trojans. 

The current use of malware by attackers is increasing and is often combined with other attacks such as phishing and can lead to identity theft. 

There are many security and privacy concerns related to keeping such malware out of an organization. What was once controlled by simply installing anti-virus software has now grown into an industry separate from anti-virus programs.

An "external" penetration test is performed by attacking the client from the outside of the security perimeter. These tests model the attacks available to anyone around the world with the time, tools and motivation. 

This is typically the area in which most IT Security personnel spend the most time, energy and money. Management understands the concept of "perimeter security", and such purchases require less justification than other security initiatives. 

This testing typically includes wireless, dial-in, and VPN access plus all Internet-facing computing resources.

Testing can also include social engineering components.

Some of the common social engineering tests include dumpster diving (going through an organization's trash), sending phishing emails to employees, trying to gain physical access to facilities dressed as repairmen and testing physical controls including doors, locks, cameras and fencing. 

There are many regulations regarding the proper disposal of paper documents and the dumpster diving test is important to ensure that privacy concerns are being properly satisfied. 

Phishing emails sent to employees are used to verify that privacy procedures within the organization are being followed, by testing whether an employee will accept or send sensitive information via email.

For years security professionals have debated the definition and merits of penetration testing, and many practitioners and vendors still disagree on the terminology. 

While there are technical distinctions between the terms "vulnerability assessment" and "penetration test", for the purpose of this article I will stick to the use of "penetration test". 

To differentiate themselves, vendors use terms such as "vulnerability assessments", "tiger teams" [3], "white hat hacking", "black hat hacking", etc. Some vendors and clients do not like the word "hacking" in the title since it implies illegal activity. 

Regardless of which term you use, the goal is to help protect the electronic assets of an organization and help it comply with all required privacy regulations. 

There is a fair amount of overlap between IT Security and Privacy, and by performing penetration tests we can satisfy a fair number of the requirements of each.

Note:  All references can be found in Part 7.
