Oct 21., 2017 / Penetration Test
Types Of Penetration Test
When performing a security or penetration test, an ethical hacker uses one or more types of tests in the system.
Black Box Tests
Black-box testing involves conducting a security assessment and testing without prior knowledge of the infrastructure or network infrastructure to be tested. The test simulates an attack by a malicious hacker outside the security perimeter of the organization.
White Box Tests
White-box testing involves evaluating security and testing is with complete knowledge of the network infrastructure, as a network administrator could do.
Gray Box Tests
Gray-box testing involves conducting safety assessment and internal testing. The tests examine the degree of access to privileged information within the network. The purpose of this test is to simulate the most common forms of attack, which are initiated from within the network. The idea is to test or audit the level of access of employees, or contractors and see if those privileges can be scaled to a higher level.
Triangle Of Security, Functionality And Ease Of Use
As a security professional, it is difficult to find a balance between establishing security barriers to prevent an attack and allowing the system to remain functional for users. The triangle of security, functionality and ease is a representation of the balance between security, functionality and ease of use for system users (see Figure 1.3). In general, when security increases, functionality and ease of use for system users decreases.
In an ideal world, security professionals would like to have the highest level of security in all systems; However, sometimes this is not possible. Too many security barriers make it difficult for users to use systems and prevent system functionality.
Vulnerability Research And Tools
The study of vulnerabilities is the process of discovering vulnerabilities and design weaknesses that could lead to an attack on a system. There are several websites and tools to help ethical hackers in maintaining an up-to-date list of vulnerabilities and potential security holes in systems or networks. It is essential that system administrators keep up-to-date on the latest viruses, Trojans and other common attacks in order to properly protect their systems and networks. In addition, by becoming familiar with the new threats, an administrator can learn to detect, prevent and recover from an attack.
Ethical Hacking Report
The result of a penetration test in a network or a security audit is an ethical hacking or pen test report. Any name is acceptable, and can be used interchangeably. This report details the results of the hacking activity, the types of tests performed and the hacking methods used. The results are compared to the expectations initially agreed with the client.
How To Be Ethical
Ethical hacking is usually carried out in a structured and organized manner, usually as part of a penetration test or security audit. The depth and breadth of the systems and applications to be verified is usually fixed based on the needs and concerns of the client. Many ethical hackers are members of a tiger team. A tiger team works together to conduct a large-scale test that covers all aspects of network, physical and intrusion into systems.
The following steps are a framework for conducting a security audit in an organization and will help ensure that the test is conducted in an organized, efficient and ethical manner:
- Talk to the client, and discuss the needs to be considered during the test.
- Prepare and sign NDA documents with the client.
- Organize an ethical hacking team, and prepare a schedule for the test.
- Carry out the test.
- Analyze test results, and prepare a report.
- Present the results of the report to the client.
Conducting A Penetration Test
Many ethical hackers who play the role of security professionals use their skills to conduct security assessments or penetration testing essentials. These tests and evaluations have three phases, generally ordered as follows:
This phase consists of a formal agreement between the ethical hacker and the organization. This agreement should include the full scope of the test, the types of attacks (Internal or External) to use, and types of tests: white, black or gray box
Carry Out Safety Assessment
During this phase, the tests are carried out, after which the pentester prepares a formal report of vulnerabilities and other findings.