D. When possible, operations controls should be invisible, or transparent, to users. This keeps

means necessary. It is common for organizations to hire external consultants to perform the penetration testing so the testers are not privy to confidential elements of the security configuration, network design, and other internal secrets.

Planning Penetration Testing

Penetration testing is the art and science of evaluating implemented safeguards. It is just another name for launching intrusion attempts and attacks against a network. The activity in either case is exactly the same, but penetration testing is performed with the approval and knowledge of senior management by security professionals in a controlled and monitored environment. Malicious users intent on violating the security of your IT environment perform intrusion attacks. If an internal user performs a test against a security measure without authorization, then it will be viewed as an attack rather than as a penetration test.

Penetration testing will typically include social engineering attacks, network and system configuration review, and environment vulnerability assessment. Vulnerability analysis or vulnerability assessment is an element or phase within penetration testing where networks or hosts are evaluated or tested to determine whether or not they are vulnerable to known attacks.

Penetration testing can be performed using automated attack tools or manually. Automated attack tools range from professional vulnerability scanners to wild, underground cracker/hacker tools discovered on the Internet. Manual attacks often employ tools, such as penetration suites like ISS, Ballista, and SATAN, but much more onus is placed on the attacker to know the details involved in perpetrating an attack.

It is generally considered unethical and a poor business practice to hire ex-hackers, especially those with a criminal record, for any security activity including security assessment, penetration testing, or ethical hacking.
Penetration testing should be performed only with the consent and knowledge of the management staff. Performing unapproved security testing could result in productivity loss, trigger emergency response teams, or even cost you your job. However, even with full consent of senior management, your security assessment activities should fall short of actual damage to the target systems. Subversion or target destruction is never a valid or ethical activity of a penetration test. Furthermore, demonstration of the effect of flaws, weaknesses, and vulnerabilities should not be included as part of a penetration test. If such evidence is required, it should be produced only on a dedicated and isolated lab system created for the sole purpose of exploit demonstration.

Regularly staged penetration attempts are a good way to accurately judge the security mechanisms deployed by an organization. Penetration testing may also reveal areas where patches or security settings are insufficient and where new vulnerabilities have developed.