Recently a security company was hired to test the security of a credit union. The security company (MSI) ran a penetration test that included mailing a letter with a couple of CD-ROMs to the credit union. The letter appeared to come from a reliable source, but it was unexpected, and the employee who received it was well trained and sounded the alarm. The result was that the National Credit Union Administration (NCUA) sent out an alert to its members, and the press picked up the story as well.
A penetration test is no test at all if it is expected. The result of this test was that all of the credit unions, and many other people, learned a valuable lesson in security: an unsolicited package of removable media, even one that appears to come from a trusted source, should be reported rather than opened.
You can read about what happened, and the explanation behind the story, at http://stateofsecurity.com/?p=766#comment-19560
Director of Technical Education
Author ESET Research, ESET