Penetration tests are a great way to identify vulnerabilities present in a system or network that has existing security measures in place. A penetration test usually involves the use of attacking methods conducted by trusted individuals that are similarly used by hostile intruders or hackers.
Depending on the type of test that is conducted, this may involve a simple scan of IP addresses to identify machines that are offering services with known vulnerabilities or even exploiting known vulnerabilities that exist in an un-patched operating system. The results of these tests or attacks are then documented and presented as a report to the owner of the system and the vulnerabilities identified can then be resolved.
Penetration tests are often done for two reasons. This is either to increase upper management awareness of security issues or to test intrusion detection and response capabilities. It also helps in assisting the higher management in decision-making processes.
The management of an organization might not want to address all the vulnerabilities that are found in a vulnerability assessment, but might want to address its system weaknesses that are found through a penetration test. This can happen as addressing all the weaknesses that are found in a vulnerability assessment can be costly and most organizations might not be able to allocate the budget to do this.