Chapter 3, page 44

EPIC FAIL

Sometimes organizations will request testers to refrain from assessing entire networks because they contain "critical assets." Many times the reason for the exclusion of specific targets is to ensure customers do not experience a degradation of service quality. This is understandable from a business perspective; however, from a testing methodology standpoint, it is a severely flawed practice. Business rules and SLAs are in place during penetration tests to protect the reliability of service provided to internal and external customers. However, excluding resources from the assessment can provide a false sense of security for organizations that do not ensure penetration tests emulate real-world attacks.

Critical systems should be tested just as any other system to ensure critical operations are not exposed to significant vulnerabilities. If the system is critical, it should have load-balancing capabilities and redundancy implemented to protect against possible outages or degradation. Consider allowing the assessment to be conducted during nonpeak hours to reduce the impact if an unexpected condition occurs. This will be far better than finding out an attacker has taken control of critical systems because of a poor configuration or missing patch that was not identified.

Penetration testers and malicious attackers may use the same tools; in some cases,