Why Is a Security Penetration Test Required?

With the advent of sophisticated, automated exploitation tools, anyone with a network connection is potentially vulnerable. Although there are many ways to secure systems and applications, the only way to truly know how secure you are is to test yourself.

Penetration testing, occasionally shortened to pentest, is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. The goal is to ensure that the software performs reliably and securely under reasonable and even unreasonable production scenarios.

The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, both known and unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is performed from the position of a potential attacker and can involve active exploitation of security vulnerabilities. A successful penetration may result in obtaining or subverting confidential documents, pricelists, databases and other protected information.

There are a variety of reasons for performing a penetration test. One of the main reasons is to find vulnerabilities and fix them before an attacker does. Higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence may be discovered in this case. A penetration test also provides evidence to support increased investments in security personnel and technology. Having a second set of eyes check out a critical computer system is a good security practice. Another reason for a penetration test is to assess the magnitude of potential business and operational impacts of successful attacks and give the IT department at the target company a chance to respond to an attack.

Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. In this case, a penetration tester will be given user-level access. The goal would be to elevate the status of the account or use other means to gain access to additional information that a user of that level should not have access to.

Although most penetration testing methods have traditionally been somewhat ad hoc, that has changed in the last several years. Today penetration testing is performed in a far more methodical manner. The Open Source Security Testing Methodology Manual (OSSTMM) is a mechanism for performing security tests and metrics of a target scope. The goal of OSSTMM is to provide a rigorous methodology for penetration testing that is consistent, repeatable, and reliable. It includes technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested. At the completion of penetration testing, a detailed report, which includes recommended actions for improving security measures, is presented to the system's owner. One common structure for these reports is to include an Executive Summary, a Management Summary that includes some high-level operational details such as server IP addresses and what needs to be fixed immediately, and a Technical Summary with very specific results and procedural countermeasures to reduce risks.

There is no such thing as perfect security. It is very unlikely that all the security issues are discovered in one set of penetration tests. For example, an organization passed a penetration test conducted yesterday. However, a brand new vulnerability in some Exchange mail servers that were previously considered secure is published today. In this case, this issue may not be included in the report. As such, penetration testing is a continual effort that an organization needs in order to ensure that its network and systems are securely implemented all the time.
