Here’s a great post illustrating the top 5 common infrastructure issues found in penetration testing. There’s a lot more to this type of penetration testing than just running scanning tools and attacking servers. There’s what the author calls ‘adaptive thinking’: thinking through the ways an attacker can reach and get into a resource using whatever methods are available.
To be honest, none of the items on this list are rocket science, but they are too often overlooked, bypassed, or papered over with a compensating control. We, as leaders in information security, have to be able to enforce the level of protection necessary to keep the ‘entity’ safe. Can you say that is the case in your environment?
In order to be effective we have to train C-level staff on the risk, and that can be difficult. How do you enforce the level of security necessary to keep your company safe?