A penetration test is an assessment of your network's security, including potential vulnerabilities and how they could be exploited. Businesses and individuals perform penetration tests in order to pinpoint and correct potential ways an individual could gain access to their network. Penetration testing is similar to ethical hacking in that a trusted individual is given permission to attack a network using the same methods as those employed by an illegal hacker.

The first step in conducting a penetration test is planning. Before the testing begins, you should set out goals, timetables, and parameters. That is, determine your major concerns, decide which aspects of your network you want tested, and decide how long and when the testing will be conducted.

The second step consists of gathering information. Here is where the tester puts themselves into the shoes of an illegal hacker. Imagine you're the hacker, and all you have is the name of a company or its website. This company is your target, and your goal now is to dig up as much information as you can to help you break into their network.

Third, the tester will manually test all of the information gathered for possible vulnerabilities. That is, they'll pull all the hacker tricks out of their hat, so to speak, and see where and in what ways the system is vulnerable.

Last is the actual "break-in" itself. The tester starts by selecting a target. For instance, the tester could focus on the network's main server. From the research done during the third step, the tester has an arsenal of weapons and potential ways into the network. Now it's a matter of using that information to hack into the targeted server.

Once the testing is complete, the tester provides the company with a report detailing the vulnerabilities and explaining how to correct them.

Obviously, the overarching goal of penetration testing is to uncover holes in your network security. There are, however, several different perspectives from which to approach the testing. Basically, your approach is determined by your answers to these two questions:

1. Who is the hacker? (Disgruntled employee? Someone with no inside information or connection to the company?)

2. How much (if any) notice/information will you give your IT staff and/or employees about the testing?

For example, if you want to know what a disgruntled employee could do, the testing will physically take place within the walls of the company, using the company's computers and equipment. Another scenario, as mentioned above, is one where the hacker has no special access; they are simply working from their own computer and attempting to breach your network via the Internet.

The answer to the second question determines whether, and how, you'll involve your staff and employees. For instance, you may decide that one of your goals is to find out if your IT staff will be alerted to attempted break-ins. In that case, you would not give them any advance notice of the testing. Conversely, you could decide to have your IT staff and the penetration testers work together, focusing on a specific target.

Related to the two questions above is the issue of "zero knowledge penetration testing" versus "limited knowledge penetration testing." With the zero knowledge approach, the testing team has been given no knowledge or information about the system and network from the company. Many consider the zero knowledge approach to be the most realistic, given that the potential attacker would be starting from scratch with regard to the hacking.

The alternative is "limited knowledge penetration testing." This approach can save both time and money. With limited knowledge testing, the testing team is given the basic knowledge that a hacker would have come up with on their own anyway. That way, the team can move directly to the vulnerability assessment phase.