Penetration testing is in the news as a leader in the practice was able to prove that he could hack into the FBI's NCIC crime database in less than six hours. The hack required a number of techniques, including network vulnerability scanning, Web server vulnerability exploits, and escalation of privileges. By simply installing remote control and keylogging software on machines under his administrative control, the tester would then have been able to capture credentials to log on to NCIC (he did not actually perform those last two steps).
Another researcher was able to gain control of a "Big Four" company's computing infrastructure in 20 minutes using a tool that takes "zero knowledge" to use.
Six Hours to Hack the FBI (Computerworld)
Another security researcher has presented a proof-of-concept paper that outlines a rootkit attack that could be used against Cisco's ubiquitous IOS, a threat made worse by the hands-off approach so many organizations take to switch and router patching. Penetration testing requires knowledge of many different techniques, but good pen testers develop the ability to think like one who would do harm. Still, as always, there are lots of white-hat guys out there who give us plenty of warnings, but how many of us heed them and actually do things like penetration testing on a regular basis?
Rootkit Threatens Cisco Routers (ZDNet)
Penetration Testing (Microsoft Security Briefs)
I have never had the opportunity to oversee a penetration test, as at my last job, the administration never seemed to want to pay for the service. At my new job, I am not part of the security team for the network as a whole, but I suspect I will want to have a pen test done on our PCI network. Plus, I have always been almost anal about the most frequent suggestion from security researchers, which is to patch your systems early and often. Has your network been penetrated lately?