Developing an effective Attack and Penetration Testing team presents unique management challenges. Talented personnel can be difficult to find, testers gain access to the most sensitive corporate data, and the owners of assessed systems may not be cooperative.
Business needs drive corporations today to connect their enterprise to the Internet. The core intellectual property of any company with a computer network connected to the Internet is at risk from attacks via the Internet. Regulations in the United States of America, such as Sarbanes-Oxley, California Senate Bill 1386 (SB 1386), and the Health Insurance Portability and Accountability Act (HIPAA), require companies to safeguard personally identifiable information. IT organizations should consider many options to enhance the security of their corporate networks.
IT organizations should assess risks, create policies to mitigate those risks, and develop systems to enforce compliance with the policies. Once a policy is in place, the organization should have mechanisms to test compliance with the policy. Attack and Penetration Testing is a set of techniques and methodologies to test compliance with security policies, and to detect previously unknown vulnerabilities. The overall goal is to limit the points of exposure and to restrict the ability of unknown attackers to gain entry.