Network Risk Assessment: Penetration Tests and Social Engineering



Network security involves more than the technical aspects of protecting an electronic information system. Intruders also use social and physical avenues to break into a system. The physical part of network security involves finding ways an intruder could break into a building or go through trash to find usernames and passwords, but what about the technical and social parts?

An engineer performing a network risk assessment does a penetration test to find vulnerabilities, or weak points, along the perimeter and inside the network. Any one of these vulnerabilities can serve as an open gateway through which an intruder steals data, possibly exploiting it soon after. To find these vulnerabilities in a network risk assessment, the engineer essentially acts like a hacker, albeit an ethical one. Employing these ethical hacking techniques, a network engineer simulates an attack to bypass security and enter a system.

In performing an attack, an engineer looks for the following features: how well a system handles attacks, the degree of sophistication attackers need to break into the system, the measures in place for reducing attacks, and how attacks are identified and defended. To enter a system and find vulnerabilities, an engineer goes through a four-step process: planning, discovery, attack, and report. Essentially, he obtains port numbers, host names, IP addresses, system information, and employee names and identification to attack a network internally and externally; finds vulnerabilities; and reports and offers solutions for addressing all weak points.

While penetration testing often pertains to the network itself, social engineering may also be employed to test workers' alertness to threats. Through phishing, hackers can obtain usernames and passwords, using instant messages, emails, or telephone calls to get the information. A social engineering test essentially examines human judgment in the workplace: how easily do workers unwittingly give away passwords through digital or telephone media?

In testing the social component during a network risk assessment, an engineer creates a phishing attack to exploit workers' lack of awareness. He will call, email, or instant message workers, who aren't aware an assessment is being performed. For digital media, the engineer will create authentic-looking emails that request usernames, passwords, social security numbers, or account information. Hackers, in many cases, target specific employees in a company, particularly executives or high-ranking officials, and a social engineering test may specifically test these individuals.

Although workers may not be aware an attack - real or simulated - is going on, they should be able to identify a phishing scheme or know well enough to never give away any passwords, social security numbers, or non-public company information. Otherwise, a true intruder can enter a network, steal data, and exploit it, which can result in identity theft, lawsuits, and customer dissatisfaction.
