Penetration Testing - Part 1





These days there are a lot of kiddies trying to hack high-profile organizations in order to gain fame. Why are security breaches occurring more often these days? The answer is the easy availability of 0-days, hacking tools, and often click-to-hack tools, all of which are too dangerous.

Penetration testing is the process of evaluating an organization's security measures using the same tools and techniques that a hacker may use. This type of security evaluation is also known as ethical hacking; the idea is to evaluate the organization's security framework from the same angles from which a hacker can view it.

This article is divided into four sections.

1. Why do you need penetration testing?
2. If you need a pen test, whom should you approach?
3. How to conduct a penetration test?
4. Summary

1. Why do you need penetration testing?

From a business perspective, penetration testing can help you safeguard your organization against threats to your IT infrastructure from external sources as well as threats emerging from inside your own network.

a. Provide due diligence
b. Preventing financial loss
c. Compliance/legal requirements
d. Protection of critical assets
e. And more

2. Who should conduct a penetration test?

You need a third party to conduct a pen test on your organization. Although it is a security task that your employees can perform, a main reason for conducting a penetration test is to evaluate your network as hackers do, and for this you need a third party that can conduct a pen test. Proper service level agreements should be signed and legal requirements should be fulfilled before starting a regular pen test.

3. How to conduct a penetration test?

Several good documents detail ways to conduct a penetration test. One is NIST-800-42. Below is a list of the phases of penetration testing, according to NIST.

* Planning

At this step, a signed letter of authorization is obtained. The rules of engagement are established here. The team must have goals, know the time frame, and know the limits and boundaries.

* Discovery

This stage is divided into two distinct phases:

Passive - This step is concerned with information gathered in a very covert manner. Examples of passive information gathering include surfing the organization's website to mine valuable information and reviewing job openings to gain a better understanding of the technologies and equipment used by the organization.

Active - This step of the test is split between network scanning and host scanning. As individual networks are enumerated, they are further probed to discover all hosts, determine their open ports, and attempt to pinpoint the OS. Nmap is a popular scanning program.

* Attack

At this step, the pen testers attempt to gain access, escalate their privilege, browse the system, and finally expand their influence.

* Reporting

In this final step, documentation is used to compile the final report. This report serves as the basis for corrective action, which can range from nothing more than enforcing existing policies to closing unneeded ports and adding patches and service packs.

Throughout this pen test process, the security team should be in close contact with management to keep them abreast of any findings. The team should never exceed its level of authorization or attempt any type of test that has not been previously approved in writing. There shouldn't be any big surprises at the conclusion of these pen tests. Leading a pen test team is a huge undertaking that requires managerial, technical, and project-management skills. Although these activities can help uncover previously unknown vulnerabilities, other types of network security tests are also effective. Vulnerability scanning is probably the most effective of these techniques.
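The planning-phase limits (boundaries and time frame) and the rule above about never exceeding authorization can be enforced mechanically before any tool is pointed at a target. The following Python check is an added example, not part of the original article; the `ROE` structure, its field names, and all addresses and times are constructed assumptions.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed rules of engagement; every value here is a made-up sample.
ROE = {
    "in_scope": ["192.0.2.0/24", "198.51.100.16/28"],
    "excluded": ["192.0.2.10/32"],  # e.g. a host the client ruled out in writing
    "window": ("2024-05-06T20:00:00+00:00", "2024-05-07T04:00:00+00:00"),
}


def in_window(roe, now):
    """True when `now` falls inside the approved testing time frame."""
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    return start <= now <= end


def authorized(roe, target, now):
    """Return (allowed, reason) for one target address at time `now`."""
    try:
        addr = ip_address(target)
    except ValueError:
        # Hostnames can resolve outside the approved ranges, so refuse them.
        return False, "not an IP address; resolve and re-check before testing"
    if not in_window(roe, now):
        return False, "outside approved time frame"
    # Exclusions are checked first so they override a broader in-scope range.
    if any(addr in ip_network(n) for n in roe["excluded"]):
        return False, "explicitly excluded"
    if any(addr in ip_network(n) for n in roe["in_scope"]):
        return True, "in scope"
    return False, "not listed in scope"


def partition(roe, targets, now):
    """Split a target list into approved addresses and refusals with reasons."""
    approved, refused = [], {}
    for t in targets:
        ok, reason = authorized(roe, t, now)
        if ok:
            approved.append(t)
        else:
            refused[t] = reason
    return approved, refused


if __name__ == "__main__":
    now = datetime(2024, 5, 6, 22, 30, tzinfo=timezone.utc)
    print(partition(ROE, ["192.0.2.5", "192.0.2.10", "203.0.113.9", "www.example.com"], now))
```

The refusal reasons can be copied into the engagement log, which gives the final report a record of what was deliberately left untested and why.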

4. Summary

This is a short article on penetration testing that shows how to conduct a pen test, why you need a pen test, and who should conduct it.

Article by Raheel Ahmad.
