I normally recommend that you try to exploit your vulnerabilities as long as there is no negative impact on the production environment or on the integrity of your storage. I feel that the exploitation process can add a lot of value and help get the attention of network administrators, developers and even upper management. A screenshot of a remote command prompt on a server or some other host in your storage environment can be a powerful vehicle for change.
Be sure to wrap your testing in a higher-level ethical hacking methodology. Start by planning things out so that everyone knows what is being tested and when. Next, perform the testing and analyze the results from your testing tools and manual assessments. Prioritize your findings and make recommendations before reporting the results. Finally, implement the changes needed to address any issues you discovered.
This was first published in March 2007