Chapter 21

Ten Reasons Hacking Is the Only Effective Way to Test

Approaching your security testing from the perspective of ethical hacking is not just for fun or show. For numerous business reasons, it’s the only effective way to find the security vulnerabilities that matter in your organization.

The Bad Guys Think Bad Thoughts, Use Good Tools, and Develop New Methods

If you’re going to keep up with external attackers and malicious insiders, you have to stay current on the latest attack methods and tools that they’re using. I cover some of the latest tricks, techniques, and tools throughout this book.

IT Governance and Compliance Are More than High-Level Checklist Audits

With all the government and industry regulations in place, your business likely doesn’t have a choice in the matter. You have to address security. The problem is that being compliant with these laws and regulations doesn’t automatically mean your network and information are secure. The Payment Card Industry Data Security Standard (PCI DSS) comes to mind here. There are countless businesses running their vulnerability scans and answering their self-assessment questionnaires assuming that that’s all that’s needed to manage their information security programs. You have to take off the checklist audit blinders and move from a compliance-centric approach to a threat-centric approach. Using the tools and techniques covered in this book enables you to dig deeper into your business’s true vulnerabilities.

Hacking Complements Audits and Security Evaluations

No doubt, someone in your organization understands higher-level security audits better than this ethical hacking stuff. However, if you can sell that person on more in-depth security testing and integrate it into existing security initiatives (such as internal audits and compliance spot checks), the auditing process can go much deeper and improve your outcomes. Everyone wins.

Customers and Partners Will Ask, ‘How Secure Are Your Systems?’

Many businesses now require in-depth security assessments of their business partners. The same goes for certain customers. The bigger companies almost always want to know how secure their information is while being processed or stored in your environment. You cannot rely on data center audit reports such as the commonly referenced SSAE16 Service Organization Controls (SOC) 2 standard for data center security audits. The only way to definitively know where things stand is to use the methods and tools I cover in this book.

The Law of Averages Works Against Businesses

Information systems are becoming more complex by the day. Literally. With the cloud, virtualization, and mobile being front and center in most enterprises, it’s getting more and more difficult for IT and security managers to keep up. It’s just a matter of time before these complexities work against you and in the bad guys’ favor. A criminal hacker needs to find only one critical flaw to be successful. You have to find them all. If you’re going to stay informed and ensure that your critical business systems and the sensitive information they process and store stay secure, you have to look at things with a malicious mindset and do so periodically and consistently over time, not just once every now and then.

Security Assessments Improve the Understanding of Business Threats

You can say passwords are weak or patches are missing, but actually exploiting such flaws and showing the outcome are quite different matters. There’s no better way to prove there’s a problem and motivate management to do something about it than by showing the outcomes of the testing methods that I outline in this book.

If a Breach Occurs, You Have Something to Fall Back On

In the event a malicious insider or external attacker still breaches your security, your business is sued, or your business falls out of compliance with laws or regulations, the management team can at least demonstrate that it was exercising due care to uncover security risks through proper testing. A related area that can be problematic is knowing about a problem and not fixing it. The last thing you need is a lawyer and his expert witness pointing out how your business was lax in the area of information security testing or follow-through. That’s a road you don’t want to go down.

In-Depth Testing Brings Out the Worst in Your Systems

Someone walking around doing a self-assessment or high-level audit can find security “best practices” you’re missing, but he isn’t going to find most of the security flaws that in-depth security vulnerability and penetration testing is going to uncover. The testing methods I outline in this book will bring out the warts and all.

Combining the Best of Penetration Testing and Vulnerability Assessments Is What You Need

Penetration testing is rarely enough to find everything in your systems because the scope of traditional penetration testing is simply too limited. The same goes for vulnerability assessments, especially those that mostly involve basic vulnerability scans. When you combine both, you get the most bang for your buck.

Proper Testing Can Uncover Weaknesses That Might Go Overlooked for Years

Performing the proper security assessments not only uncovers technical, physical, and human weaknesses, but it can also reveal problems with IT and security operations, such as patch management, change management, and lack of user awareness, which may not be found otherwise or until it’s too late.
