Some people are under the mistaken impression that a pen test simulates a hacker's actions. We get ridiculous statements in RFPs such as:
The tests shall be conducted in a broader way like a hacker will do.
LOL! If a real hacker is doing it then it's not a test 🙂
Seriously: what a hacker does might involve a lot more: far more background research, some social engineering and other things. It might involve "borrowing" the laptop or smartphone from one of your salesmen or executives.
Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your system, or what lives he may harm in any number of ways.
And a real hacker is not going to record the results and present them in a nicely formatted PowerPoint presentation to management along with recommendations for remediation.
And beyond that, as Donn Parker keeps pointing out, the objectives of a real hacker may not coincide with your view of your assets and how you are defending them, so your security efforts and your “pen testing” may be misplaced.
Then, oops!, next week a new, as in "yet another", zero-day vulnerability is published, and you have to scurry to test for and patch it. No, I misspeak: a *batch* of vulnerabilities is published (by SANS, and see http://www.net-security.org/dl/insecure/INSECURE-Mag-29.pdf p. 59, oh and p. 20 as well 🙂).