This chapter introduced security testing methodologies and some of the tools used to conduct those tests. It is not an exhaustive list of all potentially useful security testing tools, but should give a sampling of some of the most popular that any auditor can find useful. If you are interested in learning more about penetration testing or want to take a class with hands on practice, the SANS Institute offers a fantastic class called Security 560: Network Penetration Testing and Ethical Hacking.
- Evaluating security controls requires testing three elements: people, process, and technology. If one area is weak, it can leave an organization vulnerable to attack.
- Penetration testing is a discipline that requires a structured and repeatable methodology. Without one, you are simply launching exploits and hoping to get in.
- Commercial tools such as Core Impact and open source tools such as Metasploit assist with testing security controls. Which one you choose depends on your budget, skill level, and desired reportability.
- The easiest way to get access to many of the tools discussed in this chapter is to download and launch Backtrack3. Not only does it save you many hours of setup, but it also gives you a powerful suite of tools with strong community support.