Penetration test

The test is performed to identify weaknesses (or vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data,[3][4] as well as strengths,[5] enabling a full risk assessment to be completed.

For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes.

There are different types of penetration testing, depending on the goal of the organization, including: network (external and internal), wireless, web application, social engineering, and remediation verification.

By the mid-1960s, the growing popularity of time-sharing computer systems, which made resources accessible over communication lines, created new security concerns.

In other words, the conference participants initiated one of the first formal requests to use computer penetration as a tool for studying system security.

His colleagues Petersen and Turn shared the same concerns, observing that online communication systems "...are vulnerable to threats to privacy," including "deliberate penetration."

Bernard Peters of the NSA made the same point, insisting that computer input and output "...could provide large amounts of information to a penetrating program."

The threat that computer penetration posed was next outlined in a major report organized by the United States Department of Defense (DoD) in late 1967.

Jeffrey R. Yost of the Charles Babbage Institute has more recently described the Ware report as "...by far the most important and thorough study on technical and operational issues regarding secure computing systems of its time period."[18][19]

Jeffrey R. Yost of the Charles Babbage Institute, in his own work on the history of computer security, also acknowledges that both the RAND Corporation and the SDC had "engaged in some of the first so-called 'penetration studies' to try to infiltrate time-sharing systems in order to test their vulnerability."

Of early tiger team actions, efforts at the RAND Corporation demonstrated the usefulness of penetration as a tool for assessing system security.

At the time, one RAND analyst noted that the tests had "...demonstrated the practicality of system-penetration as a tool for evaluating the effectiveness and adequacy of implemented data security safeguards."

In addition, a number of the RAND analysts insisted that the penetration test exercises all offered several benefits that justified their continued use.

As they noted in one paper, "A penetrator seems to develop a diabolical frame of mind in his search for operating system weaknesses and incompleteness, which is difficult to emulate."

For these reasons and others, many analysts at RAND recommended the continued study of penetration techniques for their usefulness in assessing system security.

Presumably the leading computer penetration expert during these formative years was James P. Anderson, who had worked with the NSA, RAND, and other government agencies to study system security.

In early 1971, the U.S. Air Force contracted Anderson's private company to study the security of its time-sharing system at the Pentagon.

In the early 1980s, the journalist William Broad briefly summarized the ongoing efforts of tiger teams to assess system security.

Errors are useful because they either expose more information, such as HTTP server crashes with full info trace-backs, or are directly usable, such as buffer overflows.

The illegal operation, or payload in Metasploit terminology, can include functions for logging keystrokes, taking screenshots, installing adware, stealing credentials, creating backdoors using shellcode, or altering data.

In the UK, penetration testing services are standardized via professional bodies working in collaboration with the National Cyber Security Centre.