That’s an absolutely fair question.
I don’t want to techno-babble at you, it doesn’t help with this question. Rather, let’s answer this by analogy.
At night, you check to make certain that your doors are locked. So you do a walk-around, trying to turn your locked doorknobs, testing them, making sure the doorknobs won’t twist, and you pull on the doorknob, to make sure the locking bolt has slid into the wall plate.
So, you are “testing” to see if someone can “penetrate” the security of your house. You’re doing a “pentest”!
As the owner of your home, you absolutely have the right to do this.
However, other people may try your doorknobs, too. A burglar may also try to turn them, to see if they can get in easily. A police officer who thinks your house may have been broken into will probably try to turn the doorknobs and see if any turn, indicating the lock has been forced.
All three – you, a burglar, a policeman – use the same tool (a hand) and the same technique (twisting a doorknob), but they have different motives and goals. That’s the difference.
Pen-Testing is us walking around your house, at your company, trying to “turn doorknobs”, making sure all the doors are indeed locked, the windows won’t open, the alarm actually trips and works, and so forth. But our goal is to find and fix any security weaknesses before something bad happens. It’s far better for us to find out that a lock is broken, and fix it, than for you to find out you’ve been burglarized.
By analogy, certainly, we understand locks; we have to, in order to be sure your locks are working. In general, this is the case with our tools. We have good tools. We work on them constantly, improving them. This magazine is mostly about improving tools and improving our knowledge of vulnerabilities that need to be fixed.
We’re security professionals. We don’t go around breaking and entering computers any more than a locksmith goes around breaking and entering houses. Yes, there are computer system crackers, and we have a dim opinion of them indeed. Computers can do great things and help people. We don’t much like people who vandalize them.
Society has long had special rules for people in professions whose tools could be misused. Often the professionals in a given field must take classes, be tested, and be certified. (A locksmith is a good example). Some professions also require posting a bond, for example.
The computer profession, and in particular the security profession, is just so new, and changing so rapidly, that these classes, tests, and certifications are still being defined, and new ones are being issued to try to remain current. There are some certifications (CISSP) in place, and as you’d expect, people are earnestly discussing the requirements for newer certifications. (Since people are people, sometimes this devolves into arguments.) In general, the change in computers, and the rate of change, are both going exponential, and keeping up with that is a very hard challenge.
You should absolutely feel free to ask for references, as with any other professional.
by David Small
(This is an excerpt from David's article "Why Would You Want a Pentest?" which you can find in our June 2011 issue).