More good advice to CISOs on penetration testing

If your IT staff isn’t doing penetration testing of the organization — or hiring an outside firm to do it — at least once a year, then you’re missing the ability to find some of the weak points in your defences.

One of the most knowledgeable Canadians on pen-testing is Ottawa-based IT security consultant Adrien de Beaupre, whom I interviewed in April about the art of penetration testing. At the time he offered a number of handy tips, which you can read here.

Want more? Last week in a blog for the Internet Storm Center’s InfoSec Handlers Diary he set down answers to some of the more common questions he gets asked, including the tools most often used.

Most are simple: to start, a Web browser, a project manager for scheduling, a database to track target data, a port scanner, a vulnerability scanner such as OpenVAS or Tenable Nessus, and an exploitation kit such as Core Impact Pro or Metasploit. For web applications, wireless, or other forms of testing, other tools will be needed.

But, he adds, “the only required tool is the matter most people have between their ears.”

As he told me, the real ingredients for a successful penetration test by a good team are people, process, and technology.

And while there are a number of tricks a pen tester can perform — like sending an unsuspecting employee a “gift” iPad to see if it will be used on the corporate network — de Beaupre warns the worst thing a tester can do is violate the rules of engagement or go out of scope. You can ask for clarification or modification if needed. But, he stresses, “there is no cheating in penetration testing. Only those things that are illegal, immoral, unethical, or illogical.”

There’s more in this blog worth reading.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
