PENETRATION TEST METHODS
Penetration testing is an important tool for most information security risk management efforts. We recognize the importance of going beyond paper tests to actually exploit vulnerabilities and understand their severity. This goes beyond network penetration testing to include human threats, such as the tendency of staff toward the careless disclosure of sensitive information.
While penetration testing is one of InfoScreen's core competencies, we never utilize a penetration test without a specific assessment objective. We always detail our penetration test activities and any obstacles confronted. We recognize the pitfalls of advising management, for example, that we obtained root command of an AS400 without also assessing the likelihood that potential adversaries will engage in the sort of activities that InfoScreen used to compromise the machine.
Similarly, when considering social engineering threats and vulnerabilities, it is important to detail the ruses used to lower the guard of employees, contractors, and business partners. For example, if the InfoScreen security analyst claimed that he was employed by the corporate accounting department and also utilized other tricks to gain trust, management may determine that the requester of even highly sensitive information had been sufficiently authenticated.
© 2006, InfoScreen, Inc.