Answering a CEOs Penetrating Question | eWeek

Answering a CEOs Penetrating Question

Écrit par
eWEEK EDITORS
eWEEK EDITORS
Apr 2, 2001
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

It can begin with a friendly lunch conversation with your boss. “Hey, did you hear Egghead and Travelocity got hacked?” you begin. “Yeah, with credit card numbers lifted and everything,” says the boss. “Dont worry, Boss, our security is solid.” “How can you be sure? Have we ever tested it?” Suddenly, youre faced with the delicate task of finding someone to do a coherent penetration test on your enterprise. But where do you begin?

A properly conducted penetration test can yield tremendous benefits. It can reduce the possibility of financial losses and corporate embarrassment by providing tangible evidence of exposures before they are exploited. Such efforts can teach some real-life lessons to in-house IT staff and facilitate continual security improvement while demonstrating due diligence for publicly held or heavily regulated organizations.

But its important to have a sense of the good, the bad and the ugly of penetration testing going in. For one thing, its important that your organization—and your security vendor—approach a penetration test with the correct mind-set. Penetration testing is not intended to be—nor can it be—a full security assessment. Even if you pass unscathed, it is no guarantee of security. And it is not an alternative to other prudent security measures such as conducting continual, companywide assessments and having appropriately trained internal staff.

At the same time, its important to understand that having a penetration test done can never precisely mimic a true hostile attack. Thats because the test will frequently have time limitations that a dedicated and methodical attacker would not face. In addition, there will always be limitations on allowed system targets, with production systems often off-limits—ironically, the very systems that a malicious agent might gun for. Technique limitations will sometimes be invoked—such as no denial-of-service attacks allowed—and the attacks themselves will be more obvious and concentrated, thus not providing a true intrusion-detection testbed.

Penetration tests can be a waste of money and pointless if theyre the only security efforts youre making. They can also bring political trouble to your doorstep—especially if youre responsible for hiring the wrong people to do the testing and the results are turned against your organization.

Next month, well discuss what to look for and expect from a good penetration-testing company.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.