Is penetration testing part of the IT policy where you work?
I'm trying to determine whether or not penetration testing is an integral part of most organizations' information systems policies and procedures. I see penetration testing as vital for making sure systems are as tight as possible, but I suspect that it's only carried out by a small percentage of organizations - even though there are so many GNU/Linux tools freely available for this purpose. Please use this thread to share any insight or opinions you may have regarding these matters.
There is something I'd like to share, and that's simply because people mostly think that when their computer is turned off, sleeping, locked or has an encrypted hard disk that they are safe. What you can see here and here is just something to think about. I'm working on the source code because I think this is something important and can be used in many security related issues.
One doesn't need a penetration test to know one is vulnerable to a cold boot attack!
Wikipedia says;
Quote:
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.
...having this definition in mind, cold boot attack can be considered as penetration testing.
Quote:
...having this definition in mind, cold boot attack can be considered as penetration testing.
That's true. It's just that, well, for example, I can tell you that all my boxes are vulnerable to a cold boot attack, yet I've never tested for it. But yeah, if you do test for it then that's definitely a type of penetration test. My bad.
The last 3 projects I've worked on here (a largish, State government department) have stipulated pen testing as a requirement for sign off prior to production. I think it's smart, but the results are only as good as the participants and the environment.
Inexperienced testers and staff can really blow out a time-line, but that's a part of project life. Test environments that don't accurately reflect the production environment produce bad data and can leave you exposed to risk. The best results I've seen come when test plans are developed from the start of the project and testing is expected as part of the project and not an add-on to the process.
Quote:
The last 3 projects I've worked on here (a largish, State government department) have stipulated pen testing as a requirement for sign off prior to production.
Is your department also the one who ends up running the systems or do you turn them over to another department once they have passed the tests? I'm wondering if social engineering vulnerabilities are part of what you test for, but that would probably only be applicable if you're not just building the systems but running them too.
Quote:
Is your department also the one who ends up running the systems or do you turn them over to another department once they have passed the tests? I'm wondering if social engineering vulnerabilities are part of what you test for, but that would probably only be applicable if you're not just building the systems but running them too.
No, we hand them over to the Operations area. There needs to be sign off for all levels of testing (I work mainly with system and user acceptance testing). I conduct penetration testing prior to the formal pen testing which is done by an external organisation. My work there is so we can keep re-work to a minimum and a little personal pride - I don't like surprises, but I'd rather be fixing things well before they get to production.
The social engineering side of things would be interesting to concentrate on. Several of the pen test reports stated "if the user does...". We have training for the users and we hope that the application will keep the opportunity for trickery to a minimum, but the human aspect is always the least predictable (for me, anyway). I'd be interested to hear how other people address this - the pseudo technical answer of popping up an "are you sure" dialog is useless as far as I'm concerned.
Yeah, social engineering (and reverse social engineering) vulnerabilities seem to me like one of the most interesting things to test for. I think the fact that one is able to deal directly with humans instead of machines is what makes it interesting for me. Plus it can really shake up an end user, making him/her much more aware of the danger, thereby reducing the chances of a real attack being successful. At least in theory (you know how end users are).
Security and {money, time, ease of use} are always at loggerheads. Opposing forces, if you will. You can tighten security, but it's always at the expense of money, time, and ease of use. I.e., it takes time to do this, which costs money, and will more than likely have an impact on the item's ease of use.
I was doing this for a while, before I was asked "Why bother? If a hacker gets this far into our organisation, we're in more trouble than whatever's on your PC...."