Penetration Testing

Penetration testing, also called pentesting, is an attack method that scans networked computers for a broad range of vulnerabilities. It is used primarily in professional settings to ascertain the security status of a machine.

In 1965, one of the first computer conferences was held. Participants shared information about their systems and it was revealed that basic security measures had been somewhat easily undermined on System Development Corporation’s AN/FSQ-32. SDC was a government contractor developing computer infrastructure alongside other vendors of the day, including IBM and Bell. Thus was born the first request for security auditing and penetration testing or, as they put it, “studies to be conducted in such areas as breaking security protection in the time-shared system,” as described in US Government Computer Penetration Programs and the Implications for Cyberwar by Edward Hunt.

At the time, the risk of people at home or around the world simply breaking into systems was low, and computers were not relied on for the same level of data as they are now. Even thirty years later, in 1995, computer reliance was minimal. It’s only in the two decades since that the inverse has become true, and computers are relied on for more important data whereas analog methods of data storage and retrieval are used less frequently.

Nevertheless, only two years later, in 1967, government officials began to better understand the need for tight network security. In the 70s, organized teams of penetration testers called “Tiger Teams” were formed. The teams were overwhelmingly successful, but their ultimate purpose was to find better ways to lock down time-sharing computer systems.

An early leader in computer security was James P. Anderson, who had worked for the NSA as well as various IT firms. In 1971, his company was hired to probe the defenses of the computer system at the Pentagon. He later outlined what is perhaps the first known penetration testing routine:

  1. Find an exploitable vulnerability.
  2. Design an attack around it.
  3. Test the attack.
  4. Seize a line in use.
  5. Enter the attack.
  6. Exploit the entry for information recovery.

Modern security consultants can pursue the Information Assurance Certification Review Board’s Certified Penetration Tester (CPT) certificate. The exam involves both a multiple-choice questionnaire and a practical implementation test in which the candidate must pentest a virtual server.

As of December 2015, taking the test at one of IACRB’s facilities costs an individual $499, although it is less expensive with vouchers provided by employers.

See our List of Security Auditing Firms.

See our List of Pentest Tools.