What is Penetration Testing: Stages and Methods
Internet security involves many types of security testing, one of which is penetration testing. Many people are unclear when explaining what penetration testing is, so this article explains what it is and what its methods and stages are.
What is Penetration Testing
Penetration testing, also known as a pen test, is a simulated cyber attack on a computer system to reveal vulnerabilities, threats and risks in software applications, networks or web applications that attackers could exploit. In the context of web application security, pen tests are usually used to augment a web application firewall (WAF).
A vulnerability is the risk that an attacker can compromise a system, or gain authorized access to it or to any data it contains. Vulnerabilities are usually introduced accidentally during the development and implementation phases of software. Common vulnerabilities include design or configuration errors, software bugs, etc. Penetration analysis depends on two mechanisms, namely Vulnerability Assessment and Penetration Testing (VAPT).
Purpose of Penetration Testing
Simply put, penetration testing is done for one purpose, to protect the organization. With efficient use of penetration test results, participating organizations can identify and mitigate their vulnerabilities.
Penetration testing is very important to a company because:
* Financial sectors such as banks, investment banking and stock trading exchanges want their data to be secured, and penetration testing is very important to ensure that security.
* If a software system has already been hacked, the organization wants to determine whether threats remain in the system in order to avoid future hacks.
* Proactive penetration testing is the best protection against hackers.
Penetration Testing Stages
1. Planning and reconnaissance
The first stage involves:
* Determining the scope and purpose of testing, including the systems to be addressed and the test methods to be used.
* Collecting data (e.g., network and domain names, mail servers) to better understand how the target works and where its potential vulnerabilities lie.
The next step is to understand how the target application will respond to various intrusion attempts. This is usually done using:
* Static analysis – Inspects the application code to estimate how it behaves when running. These tools can scan the entire code in a single pass.
* Dynamic analysis – Checks the application code in a running state. This is a more practical way of scanning, as it provides a real-time insight into an application's performance.
3. Gaining Access
This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover the target's vulnerabilities. Testers then try to exploit these vulnerabilities, usually by privilege escalation, stealing data, intercepting traffic, etc., to understand the damage they can cause.
4. Maintain access
The purpose of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for a bad actor to gain deeper access. The idea is to imitate advanced persistent threats, which remain in systems for months on end to steal an organization's most sensitive data.
The pen test results are then compiled into a report that details:
* Specific exploited vulnerabilities
* Sensitive data accessed
* Amount of time the penetration tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure enterprise WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.
Penetration Testing Methods
External penetration tests target company assets that are visible on the internet, for example, the web application itself, company website, email and domain name servers (DNS). The goal is to gain access and extract valuable data.
In internal testing, a tester with access to the application behind the firewall simulates an attack by a malicious insider. It doesn't necessarily simulate a rogue employee. A common initial scenario could be an employee whose credentials are stolen due to a phishing attack.
In a blind test, the testers are only given the name of the target company. This gives security personnel a real-time view of how an actual application attack would play out.
In a double blind test, security personnel have no prior knowledge of the simulated attack. As in the real world, they have no time to shore up their defenses before the attack begins.
In this scenario, testers and security personnel work together and assess each other's movements. This is a valuable training exercise that gives the security team real-time feedback from the hacker's point of view.
Examples of Penetration Testing Tools
There are various tools used in penetration testing, but the most commonly used are:
1. Nmap – This tool is used to perform port scanning, OS identification, route tracing and vulnerability scanning.
2. Nessus – This is a traditional network-based vulnerability tool.
3. Pass-The-Hash – This tool is used for password cracking.
Roles And Responsibilities Of Penetration Testers
* The tester must gather the necessary information from the Organization to enable the penetration test.
* Find flaws that could allow hackers to attack target machines.
* Testers should think and act like real hackers, but ethically.
* The work done by the penetration tester must be reproducible so that it will be easy for the developer to fix the issues found.
* The start date and end date of the test implementation must be determined in advance.
* Testers shall be held responsible for any loss in system or information during software testing.
* A tester must keep data and information confidential.
So penetration testing is the process of evaluating an organization's security by exploiting vulnerabilities in the ways an attacker could exploit them, thereby defending against and documenting attack procedures.
Testers have to act like real hackers when testing the application or system, and need to check whether the code is written securely. Penetration tests will be effective if there is a well-implemented security policy. Penetration testing policies and methodologies should be in place to make penetration testing more effective.