
Penetration Testing Should Not Be Overlooked In Enterprise Security Programs

Penetration Testing is the art of using known "hacker" techniques to identify potential attack vectors, both internally and externally, in computer networks. Quite often, companies overlook the need for this type of testing when performing scheduled security assessments. This may be caused by fear of service disruption or just a lack of knowledge on the subject. Penetration testing should also not be confused with a vulnerability assessment or audit: a vulnerability scan only reports possible weaknesses, whereas penetration testing uses manual and automated techniques to validate that those vulnerabilities are actually exploitable. When done correctly, this eliminates false positives and ensures that internal IT admins spend their time correcting issues that actually exist.

At PacketFocus, we recommend that our clients use a mixture of internal security assessments and external penetration tests. Internally, this helps identify policies and procedures that need development. Externally, it identifies potential attack vectors that could be used to gain access to your internal network or sensitive data.

When looking for a third-party security company to perform these services, there are several questions that need to be asked:

What methodology do you use?

What experience do your testers have?

What certifications do your testers have?

Are your reports based on Nessus output, or do you perform real analysis?

How many pen-tests have you done?

What type of vulnerabilities do you usually find?

What tools do you use?

The answers to the questions above should give you a good indication of whether the firm follows a solid methodology such as the ISECOM testing standard (OSSTMM). Most importantly, a security test should NOT be a Nessus or other commercial tool report with the logos changed. The report should clearly define both business and technical risk.

About Joshua Perrymon

Josh is CEO of PacketFocus.com and RFIDAudits.com. For more than ten years, he has been involved in penetration testing, ethical hacking, security auditing and research. Josh has held senior positions and overseen network security at several Fortune 500 companies in America, including banks, chemical manufacturers and federal government agencies.

For the past three years, Josh has specialized in wireless and RFID security and has recently released a first-to-market hands-on RFID audit targeting management, operational, and technological risk. Josh is also writing the RFID chapter for "Hacking Exposed: Linux Edition" and is currently developing an RFID intrusion detection appliance known as the "RFDefender." Josh hopes to release this device commercially in Q4 2007.

Source: www.articledashboard.com