Giving consultants three days to hack a system is no way to replicate what a hacker might do, argues Peiter "Mudge" Zatko, a well-known hacker and consultant who is now a division scientist at BBN Technologies. "Somebody on the outside can take as much time as they want; they'll eventually stumble across something," he says.

Companies can't pay consultants to hack at will for months on end. But they can open up things like the configuration files from the routers, the firewall rules and the network maps to give the consultant a head start. It will also help the consultant understand how a company views security in light of its business. "It will save you time and money," says Zatko. In fact, he says that if the consultants find things in this document phase, the company can fix them, and then let the penetration testing begin. Zatko says companies should combine external pen tests with internal ones, to see what might already be compromised inside the perimeter: information that won't appear in an external pen test. M.F.