Thoroughly assessing security controls plays a vital part in determining whether or not a business is compliant with its policies, procedures, and standards.
The evaluation of security controls in its simplest form validates whether or not the control adequately addresses policy, best practice, and law.
Testing security controls for effectiveness and measuring them against standards are among the best ways to help an organization meet its obligations to shareholders and its regulatory responsibilities.
Testing security as a system, however, involves significantly more than launching carefully crafted evil packets at the network to see what happens.
It is important to note that this is not a chapter about hacking.
Security testing as a process is covered, but the focus is on gathering the evidence useful for an audit.
Assessing security controls involves more than simply scanning a firewall to see what ports are open and then running off to a quiet room to generate a report.
In passive mode, the client establishes the connection.
In general, FTP user agents use active mode and Web user agents use passive mode.
There's more to network security than just penetration testing.
This chapter discusses software tools and techniques auditors can use to test network security controls.
It is natural for security engineers to gravitate toward technology and focus on technical security control testing (otherwise known as penetration testing), because it is likely the "fun" part of security for most engineers.