1. Introduction
As pointed out by Fahmida (2011), although cyber attacks and malware have been rocketing in this century of information, many companies and organizations today are not proactively testing their infrastructure to identify security vulnerabilities. Once connected to the Internet, companies’ systems can be probed, scanned, and even attacked constantly, given the proliferation of free hacking tools and inexpensive devices like key loggers and Radio Frequency scanners (Chan & Schaeffer, 2008, p.44-46). As a result, every organization needs to seriously protect its systems against unauthorized access.
According to most security professionals, companies should defend themselves against the threat environment with different security strategies, for instance, periodic audits to assess risks and proactive penetration testing. Instead of waiting for attacks to occur, which is obviously unsafe, uncontrolled, and inefficient, entrepreneurs should examine their systems regularly to reveal any flaw in the network or website that could be exploited to compromise the whole system.
Similar to the well-known saying, “the best defense is a good offense”, “the best method to test security implementation is to try it out”, said Hare (2001, p. 569-595). In other words, the best way to determine how secure a system is is to attempt to break into it. This is where the term penetration testing makes its appearance. The following section of this report introduces several definitions and concepts related to penetration testing, while section 3 covers different methodologies for performing a penetration test, together with various penetration testing models. Section 4 presents a wide range of available penetration testing tools (either free open source or commercial) for further reference. Finally, the last section concludes with issues related to penetration testing.