Penetration Testing Debate: Security Controls On or Off: article 201002

Take away: Topics: To turn off security measures for a penetration test or not.

I have just started the SANS 560 course Network Penetration Testing and Ethical Hacking and the initial reading brought some topics back to mind.
I have discussed and seen debates on such sites as Linkedin.com that covers the topic of whether or not to turn off security controls during a penetration test. My stance is against turning off such controls. If the security controls block such attacks doesn't that equate to a successful test of your security? I have heard and seen arguments against this such as, what if there is ever a misconfiguration and the attacker gets past the first levels of defense. To that my answer is; that is the purpose of change control, audit, and future testing. Organizations should not just test once and then feel pacified indefinitely. The amount and recurrence of change in an organization should dictate how often Pen Tests occur. At the least they should be once a year even if changes have not been made new found vulnerabilities could have developed in the systems used.

.