Motivated attackers don’t know about “rules of engagement”, narrow scopes of work, “not bruteforing allowed”, etc. Attackers would follow any available path to accomplish their goal, whatever that is. It is not unrealistic to think that a highly motivated attacker would go to great lengths to perform an attack, such as for example compromising a slightly weaker “Application A” to gain access to the DMZ and in turn compromise the real objective “Application B”. Or to test the corporate wireless network in order to gain network access to the internal network…
Although this may seem an obvious statement, many cutting edge companies forget who they are protecting against and what their real outcome for their testing programs should be.
Nowadays the most common penetration testing requirement is application or system focused with a defined scope to which penetration testing consultancies need to adhere. This is a natural approach, as dynamic companies very often develop new applications and systems which require security testing before being deployed in production. However, we see a trend among our customers where they complement their normal testing strategy with an annual holistic penetration testing.
A holistic approach would include penetration testing of the infrastructure, physical penetration testing of premises, wireless testing, social engineering attacks and any other angle which is deemed relevant for the specific customer.
Results, of course, differ, but they are always very interesting. The most recurrent discovery is the realisation of the lack of security awareness of the staff, who would handle confidential information such as their username and password when presented with a credible and well delivered phishing attack.
The fact that people are the weakest link is very often proven right and inevitably prompts the question whether the investment in defensive security should be somehow split and more resources should be invested in security awareness programs.