Thorough pen tests will leverage any and all of these potential attack vectors, based on the attacker's end goal, rather than the vulnerability of each.
"A few years ago we would do network penetration testing, and application pen testing and wireless pen testing, and then we stepped back and said 'that makes absolutely no sense," said Solino. "The bad guy doesn't say, 'I can only break into a system using the network.'"
Successful pen tests, like real attacks, may leverage any number of paths that include a number of steps till you hit pay dirt. A print server may not seem particularly interesting, but it may use the same admin login credentials as a database containing credit card information.
"Pen testers find flaws and exploit them, then pivot from that machine to another machine, to yet another," said InGuardians' Skoudis.
An attack on a Web application might fail in terms of exploitation, but yield information that helps exploit other assets on the network. Or an attacker might get information about employees without high privileges, but with access to the internal network that act as a springboard.
So, a critical resource may not be directly assailable, but can be compromised through other systems.
For example, said Khawaja, Verizon pen testers were unable to directly compromise a Web server that had access to a sensitive database. If the testers focused narrowly on testing the Web application on that server, the conclusion would be that the data was safe. But by taking a data-centric approach, they discovered that the Web server was connected to a second Web server, which had a critical vulnerability that an attacker could exploit to gain access to the first Web server and, hence, the database. (Read more about Web application attacks in How to evaluate and use Web application security scanners.)
"We care about anything that isn't cordoned off from the network segment we are targeting," he said. "Are there any network controls to prevent an attacker from jumping from a vulnerable low-value system to a more critical system?"