Instead of demonstrating disaster, Winkler suggests that at the end of your penetration test you simply present your findings and note any plausible fallout. For example, if you were able to obtain a username and password, provide the two pieces of data along with a list of scenarios in which the information could have been misused or abused by a truly malicious attacker, as well as the kinds of data exposed in this manner.
And it always helps to frame your prevention advice in terms of cost. "You say, 'Here's what I could have done with that password'," Winkler says. "'If you would have had these things in place, you would have been able to mitigate these things at low cost.'"
Keep in mind that putting on your pretexting mask for a penetration test is more than just a matter of raising the specter that a real social engineer could hack a particular company. If you're going to earn your pay, you'll have to dig a little deeper and consult.
As Winkler says, "The message is, 'You're screwed, but there are ways to prevent this.'"