| 1888 Articles Home | Internet & E Commerce Articles | Security Articles | Security RSS |  |
||
Penetration Testing Part1 |
||||
|
This is a short article on penetration testing for further technical how to search for Penetration Testing Part2 |
||||||||||||
| Author: Raheel Ahmad |
|
|||||||||||
Penetration testing is the process of evaluating the organization�s security measures using the Same tools and techniques as a hacker this type of security evaluation is also known as ethical Hacking the idea is to look at the network of the organization from the same view as hacker does.
This article is divided into four sections.
1. Why you need penetration testing?
2. If you need a pen-test, who you should approach for?
3. How to conduct a penetration testing?
4. Summary
1. Why you need penetration testing?
From business perspective penetration testing can help you in safeguarding your organization from threats against your IT infrastructure from external sources as well as threats emerging from inside your own network.
a. Provide due diligence
b. Preventing financial loss
c. Compliance/legal requirements
d. Protection of critical assets
e. More �..!
2. Who should conduct pen testing?
You need a third party to conduct a pen test on your organization although it�s a security task your employee could do the test but a main reason for conducting a penetration test is to evaluate your network/countermeasures from a external eye as hackers do for this you need a third party although proper service level agreements should be signed and legal requirements should be fulfilled before starting a regular pen test.
3. How to conduct a penetration testing?
Several good documents detail ways to conduct penetration testing. One is NIST-800-42. Below lists the different phases of penetration testing, according to NIST.
1. Planning At this step, a signed letter of authorization is obtained. The rules of engagement are established here. The team must have goals, know the time frame, and know the limits and boundaries.
2. Discovery This stage is divided into two distinct phases:
Passive�This step is concerned with information gathered in a very covert manner. Examples of passive information gathering include surfing the organization�s website to mine valuable
Information and reviewing job openings to gain a better understanding of the technologies and equipment used by the organization.
Active�This step of the test is split between network scanning and host scanning. As individual networks are enumerated, they are further probed to discover all hosts, determine their open ports, and attempt to pinpoint
the OS. Nmap is a popular scanning program.
3. Attack At this step, the pen testers attempt to gain access, escalate their privilege, browse the system, and finally expand their influence.
4. Reporting In this final step, documentation is used to compile the final report. This report serves as the basis for corrective action, which can range from nothing more than enforcing existing policies to closing unneeded ports and adding patches and service packs.
Throughout this pen test process, the security team should be in close contact with management to keep them abreast of any findings. The team should never exceed its level of authorization or attempt any type of test that has not been previously approved in writing. There shouldn�t be any big surprises at the conclusion of these pen tests. Leading a pen test team is a huge undertaking that requires managerial, technical, and project-management skills. Although these activities can help uncover previously unknown vulnerabilities, other types of network security tests are also effective. Vulnerability scanning is probably the most effective of these techniques.
About Author
Raheel Ahmad
Penetration Tester, Information Security Analyst
Article Source:
http://www.1888articles.com
