1)
What is Penetration Testing?
It’s the process to identify security vulnerabilities in an application by evaluating the system or network with various malicious techniques. Purpose of this test is to secure important data from outsiders like hackers who can have unauthorized access to system. Once vulnerability is identified it is used to exploit system in order to gain access to sensitive information.
Causes of vulnerabilities:
- Design and development errors
- Poor system configuration
- Human errors
- Design and development errors
- Poor system configuration
- Human errors
2) Why Penetration testing?
- Financial data must be secured
while transferring between different systems
- Many clients are asking for pen testing as part of the software release cycle
- To secure user data
- To find security vulnerabilities in an application
- Many clients are asking for pen testing as part of the software release cycle
- To secure user data
- To find security vulnerabilities in an application
It’s very important for any
organization to identify security issues present in internal network and
computers. Using this information organization can plan defense against any
hacking attempt. User privacy and data security are the biggest concerns
nowadays. Imagine if any hacker manage to get user details of social networking
site like Facebook. Organization can face legal issues due to a small loophole
left in a software system. Hence big organizations are looking for PCI
compliance certifications before doing any business with third party clients.
What should be tested?
- Software
- Hardware
- Network
- Process
- Software
- Hardware
- Network
- Process
3) Penetration Testing Types:
1) Social Engineering: Human errors are the main causes of
security vulnerability. Security standards and policies should be followed by
all staff members to avoid social engineering penetration attempt. Example of
these standards include not to mention any sensitive information in email or
phone communication. Security audits can be conducted to identify and correct
process flaws.
2) Application Security Testing: Using software methods one can verify if
the system is exposed to security vulnerabilities.
3) Physical Penetration Test: Strong physical security methods are
applied to protect sensitive data. This is generally useful in military and
government facilities. All physical network devices and access points are
tested for possibilities of any security breach.
Pen Testing Techniques :
1) Manual penetration test
2) Using automated penetration test tools
3) Combination of both manual and automated process
The third process is more common to identify all kinds of vulnerabilities.
1) Manual penetration test
2) Using automated penetration test tools
3) Combination of both manual and automated process
The third process is more common to identify all kinds of vulnerabilities.
4) Penetration Testing Tools:
Automated
tools can be used to identify some standard vulnerability present in an
application. Pentest tools scan code to check if there is malicious code
present which can lead to potential security breach. Pentest tools can verify
security loopholes present in the system like data encryption techniques and
hard coded values like username and password.
Criteria to select the best penetration tool:
- It should be easy to deploy, configure and use.
- It should scan your system easily.
- It should categorize vulnerabilities based on severity that needs immediate fix.
- It should be able to automate verification of vulnerabilities.
- It should re-verify exploits found previously.
- It should generate detailed vulnerability reports and logs.
- It should be easy to deploy, configure and use.
- It should scan your system easily.
- It should categorize vulnerabilities based on severity that needs immediate fix.
- It should be able to automate verification of vulnerabilities.
- It should re-verify exploits found previously.
- It should generate detailed vulnerability reports and logs.
Once
you know what tests you need to perform you can either train your internal test
resources or hire expert consultants to do the penetration task for you.
5) Manual Penetration Test:
It’s
difficult to find all vulnerabilities using automated tools. There are some
vulnerabilities which can be identified by manual scan only. Penetration
testers can perform better attacks on application based on their skills and
knowledge of system being penetrated. The methods like social engineering can
be done by humans only. Manual checking includes design, business logic as well
as code verification.
Penetration Test Process:
The actual process followed by test agencies or penetration testers:
Identifying vulnerabilities present in system is the first
important step in this process. Corrective action is taken on these
vulnerability and same penetration tests are repeated until system is negative
to all those tests.
We
can categorize this process in following methods:
1) Data collection: Various methods including Google search are used to get target system data. One can also use web page source code analysis technique to get more info about the system, software and plugin versions. There are many free tools and services available in the market which can give you information like database or table names, DB versions, software versions, hardware used and various third party plugins used in the target system.
2) Vulnerability Assessment: Based on the data collected in first step
one can find the security weakness in the target system. This helps penetration
testers to launch attacks using identified entry points in the system.
3) Actual Exploit: This is crucial step. It requires special
skills and techniques to launch attack on target system. Experienced
penetration testers can use their skills to launch attack on the system.
4) Result analysis and report preparation: After completion of penetration tests
detailed reports are prepared for taking corrective actions. All identified
vulnerabilities and recommended corrective methods are listed in these reports.
You can customize vulnerability report format (HTML, XML, MS Word or PDF) as
per your organization needs.
No comments:
Post a Comment