Guide To Basic Security, Penetration Testing And Everything Else Ethical Hacking (Part 2) - AndroGeek88


Penetration Testing

When the world became aware of the magnitude of the threat posed by hacking, various security measures were invented by computer experts and security specialists. One of the most prominent among such measures is the process called penetration testing. In this chapter, we shall look into this concept in detail and the various reasons for undertaking this testing.

What is it?

Penetration testing is the process of mounting a deliberate attack on a computer system in order to note its weak spots and access the data stored in it. The intention is to demonstrate, and thereby ascertain, the efficiency of the security safeguards installed in the system.

The primary objective of penetration testing is to find the vulnerable areas in a system and fix them before any external threat compromises them. The key areas to be tested in any penetration test are the software, hardware, computer network, and the process.

The testing can be done in an automated way as well as manually. The automated method makes use of software and programs that the penetration tester has composed, which are then run through the system and network. However, it is not possible to find all vulnerabilities solely through automated testing.

This is where manual testing comes in. For instance, the vulnerabilities in a system due to human errors, lack of employee security standards, design flaws or faulty employee privileges can be diagnosed better by way of manual penetration testing.

Besides the automated and manual methods of penetration testing, there is a third variety that combines both. This form of testing is more comprehensive in terms of area of coverage and hence it is commonly used to identify all possibilities of security breaches.

This is in many ways similar to the concept called "business process re-engineering" and is used as a management planning and decision-making tool. The process of penetration testing involves the execution of the following steps:
  • Identification of the network and in particular, the system on which the testing is to be carried out.
  • Fixing of targets and goals. Here, a clear demarcation is made between breaking into a system to prove its faults and breaking into it to retrieve the information it contains.
  • Gathering information about the structure of the system or network.
  • Reviewing the information that has been collected and based on such data, charting out a plan of action to be adopted. Multiple courses of action may be outlined and the most suitable one is selected.
  • Implementation of the most appropriate course of action.
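
The first two steps above (identifying the systems under test and fixing the goal) are usually written down as a scope that every planned action is checked against before it is carried out. The following Python sketch is an added example, not part of the original guide; the `Scope` fields, the `prove`/`retrieve` labels and the sample networks are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

PROVE = "prove"        # demonstrate that the fault exists, read no stored data
RETRIEVE = "retrieve"  # use the fault to read data held on the system

@dataclass
class Scope:
    """Agreed scope of one engagement (all field names are illustrative)."""
    in_scope: list                                  # CIDR blocks agreed with the owner
    excluded: list = field(default_factory=list)    # carve-outs inside those blocks
    goal: str = PROVE                               # what the owner has authorised

    def __post_init__(self):
        self._allow = [ipaddress.ip_network(n) for n in self.in_scope]
        self._deny = [ipaddress.ip_network(n) for n in self.excluded]

    def check(self, target, action):
        """Return (allowed, reason) for one planned action against one host."""
        if action not in (PROVE, RETRIEVE):
            return False, "unknown action label"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False, "not a literal IP address; resolve it and check again"
        if any(addr in net for net in self._deny):   # exclusions win
            return False, "host is explicitly excluded"
        if not any(addr in net for net in self._allow):
            return False, "host is outside the agreed networks"
        if action == RETRIEVE and self.goal != RETRIEVE:
            return False, "goal is proof only; data retrieval was not agreed"
        return True, "in scope"

def review_plan(scope, plan):
    """Split planned (host, action) steps into allowed and rejected lists."""
    allowed, rejected = [], []
    for host, action in plan:
        ok, reason = scope.check(host, action)
        (allowed if ok else rejected).append((host, action, reason))
    return allowed, rejected

# Constructed sample: RFC 5737 / RFC 3849 documentation ranges, not real hosts.
SCOPE = Scope(in_scope=["192.0.2.0/24", "2001:db8::/32"], excluded=["192.0.2.53/32"])
PLAN = [("192.0.2.10", PROVE), ("192.0.2.53", PROVE), ("198.51.100.7", PROVE),
        ("192.0.2.10", RETRIEVE), ("mail.example.com", PROVE), ("2001:db8::1", PROVE)]

if __name__ == "__main__":
    allowed, rejected = review_plan(SCOPE, PLAN)
    for host, action, reason in rejected:
        print(f"REJECT {action:8} {host:18} {reason}")
    print(f"{len(allowed)} of {len(PLAN)} planned steps are within scope")
```

Rejected steps keep their reason so that the plan reviewed in the fourth step can be corrected before anything is run.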

There are two broad kinds of penetration tests. It may be in the form of a "White Box" test or a "Black Box" test. In the case of a white box test, the company or organization enlists the services of an agency or individual to carry out the penetration tests and provides them with all information concerning the structure of the system and its background.

The party carrying out the tests need not do any groundwork for the collection of information. On the other hand, where the penetration test is of the black box variety, very little or, in most cases, no background information is provided to the agency except the name of the organization for which the test is being done.

Once the penetration test is completed, the system administrator or owner is briefed about the weaknesses in the system that have come to the fore as a result of the test. The test report should list in detail the weak spots observed in the test, the severity of such flaws, the short-term and long-term impact on the system and its contents, and finally the methods to fix such shortcomings.

Various strategies employed

The following are the most commonly adopted strategies of penetration testing:

  • Targeted test
In this form of penetration testing, the procedure is performed by the organization's in-house security department. They may call for the help of external agencies but the decision making and implementation powers rest with the organization itself. One of the most characteristic features of this form of penetration testing is that employees in the organization are kept in the loop and are aware of the tests.
  • External approach
This form of penetration testing is carried out exclusively on those devices and servers of the organization that are visible to outsiders, for instance, the e-mail servers, domain name servers, etc. The intention of performing a penetration test with the external approach is to ascertain whether any outsider can attack the above-mentioned devices and, in case of such an attack, what its repercussions would be.
  • Internal approach
This is the exact opposite of a test as per the external approach. Here the intention is to mimic the situation where the system is under attack from inside by someone who has high-level access and privileges. The test can establish the extent of the damage that can be caused in the event of such an attack.
  • Black box test
The basic principle behind a black box test has been mentioned in the earlier part of this chapter. The agency or individual carrying out the penetration test is given very little information about the organization or its system safeguards. This form of testing is very time- and resource-intensive because the agency has to start from scratch and undertake the complete process of gathering information, planning, and execution.
  • Advanced black-box test
As is obvious from the name, this is a higher level of the black-box test. The major differentiating factor is the number of people inside the organization who are aware of the penetration test being carried out. In the case of a normal black-box test, although only a limited amount of information is provided to the testing agency, almost all the managerial-level employees of the organization are aware of the tests being carried out. However, in the case of an advanced black-box test, only a few people in the top management of the company will be aware of the tests being conducted.
