Twists and Turns of Pen Testing: Part I of III

Learning to swim is a good analogy for learning the twists and turns of pen testing in security management. The first step in learning to swim is to identify your goal, and there are many reasons for swimming. For professional athletes, swimming increases flexibility, boosts metabolism, builds endurance and develops leaner muscles. For introverts, swimming increases the chance of meeting diverse individuals in a variety of social arenas. For dieters, swimming elevates the heart rate, burns calories and improves overall fitness. For everyone else, swimming breaks the routine of everyday living. Let’s dive in.

A pen test, or penetration test, is an exploration and exploitation approach used by security professionals to learn of vulnerabilities in their networks, applications and gateways. Two goals of pen testing are to demonstrate security vulnerabilities and to test security response times. Other mission-critical goals are preserving customer loyalty, protecting the organization’s image, avoiding heavy penalties and reducing loss of profits.

Just as swimmers differ, so do pen testers, and those differences contribute to collaborative learning. Self-improvement is active. The well-known self-improvement guru and lecturer Dale Carnegie said, “Learning is an active process. We learn by doing. Only knowledge that is used sticks in your mind.” Pen testing is a cyclical self-improvement process. There are no concrete, universally agreed steps for pen testing comparable to Lockheed Martin’s Cyber Kill Chain; however, a pen test execution typically covers six or seven areas of exploration and exploitation. According to Wai’s article, the areas of pen test execution are planning and preparation, information gathering and analysis, vulnerability detection, penetration attempt, analysis and reporting, and cleaning up. The pen tester acts as an external threat actor, operates from a Black Box perspective and documents target-specific outcomes.

According to the PCI Security Standards Council’s Information Supplement, Black Box refers to testing performed without knowledge of the internal structure, design or implementation of the object being tested. Pen testing has limitations: vulnerabilities it does not find remain in place. Pen testing covers several attack surfaces such as the cloud, human, network and software. Two accreditation bodies for pen testers are CREST and the Information Assurance Certification Review Board (IACRB). Part two covers online tools used in pen testing.

Resources:
Bryson, A. “Penetration Testing in the Cloud.” Cisco Blog, 12 August 2011, https://blogs.cisco.com/security/penetration-testing-in-the-cloud. Accessed 28 November 2017.
Congdon, C. Rusty Tools 2. Flickr, 14 June 2012, https://www.flickr.com/photos/97138115@N02/12737572644/. Accessed 02 May 2017.
Core Security. “Penetration Testing Overview: Enabling Security Professionals to Interpret, Prioritize, and Act on Data.” https://www.coresecurity.com/content/penetration-testing. Accessed 25 December 2017.
Kostich, A. “9 Good Reasons Why You Should Get in the Pool.” Active.com, https://www.active.com/swimming/articles/9-good-reasons-why-you-should-get-in-the-pool. Accessed 25 December 2017.
Lockheed Martin Corporation. Seven Ways to Apply the Cyber Kill Chain with a Threat Intelligence Platform. 2015, https://lockheedmartin.com/content/dam/lockheed/data/corporate/documents/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.PDF. Accessed 25 December 2017.
Northcutt, S. “The Attack Surface Problem.” SANS Technology Institute, 07 January 2011, https://www.sans.edu/cyber-research/security-laboratory/article/did-attack-surface. Accessed 25 December 2017.
Penetration Test Guidance Special Interest Group, PCI Security Standards Council. “Information Supplement: Penetration Testing Guidance.” Version 1, March 2015, PCI Security Standards Council, https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf. Accessed 25 December 2017.
Wai, C. “Conducting a Penetration Test on an Organization.” SANS Institute InfoSec Reading Room, https://www.sans.org/readingroom/whitepapers/auditing/conducting-penetration-test-organization-67. Accessed 25 December 2017.
