Abstract: How often should your organization conduct a penetration test and what is in scope? I get this question quite often from customers and colleagues. There really is no one correct answer but there is some guidelines I promote and adhere to. A penetration test or sometimes called a ‘pentest’ is a technique of assessing computer and network security by simulating real time attacks from external and internal positions. Penetration tests are simply a snap shot of your attack vectors. It is a means of identifying your high-risk vulnerabilities and assessing the business impact should an exploit occur. A penetration test is typically done using commercial and freeware tools, followed up by a human that verifies vulnerabilities and attempts to exploit systems or gain escalated privileges. This is the primary difference between a Penetration test and a Vulnerability scan. In my professional opinion, anyone in the organization can run a scan by hitting the ‘enter’ button. I highly recommend vulnerability scans to be run from time to time but they are not a substitute for a true penetration test, which does require the human element. A good ‘pentester’ will understand what the vulnerability and exploit is capable of doing. A great ‘pentester’ will write their own exploit to attack a system. With threat landscaping changing daily I am not suggesting you perform a ‘pentest’ daily or weekly but it is very necessary to complete one.

Back to Circle City Con 2014 Videos list