Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find vulnerabilities that an attacker could exploit. A penetration test (or “pen-test”) exposes the gaps in the security model of an organization and helps organizations reach a balance between technical prowess and business functionality from the perspective of potential security breaches. This can help in disaster recovery and business continuity planning. It simulates the methods used by intruders to gain unauthorized access to an organization’s networked systems and then compromise them, and it involves using proprietary and open-source tools to conduct the test. Apart from automated techniques, penetration testing involves manual techniques for conducting targeted testing on specific systems to ensure that there are no security flaws that previously might have gone undetected. In the context of penetration testing, the tester is limited by resources; namely, time, skilled personnel, and access to equipment as outlined in the penetration testing agreement.

Penetration testing involves an active analysis of system configurations, design weaknesses, network architecture, technical flaws, and vulnerabilities. A penetration test will not only point out vulnerabilities, but will also document how the weaknesses can be exploited. On completion of the penetration testing process, pen-testers deliver a comprehensive report with details of the vulnerabilities discovered and a suite of recommended countermeasures to the executive, management, and technical audiences.
A penetration tester is different from an attacker only by intent, lack of malice, and authorization. Incomplete and unprofessional penetration testing can result in a loss of services and disruption of business continuity. Therefore, employees or external experts must not conduct pen-tests without proper authorization.
The management of the client organization should provide clear written permission to perform penetration testing. This approval should include a clear scope, a description of what to test, and when the testing will take place. Because of the nature of pen-testing, a failure to obtain this approval might result in committing a computer crime, despite one’s best intentions.
What Makes a Good Penetration Test?
The following activities will ensure a good penetration test:
- Establishing the parameters for the penetration test, such as objectives, limitations, and justifications of the procedures
- Hiring highly skilled and experienced professionals to perform the pen-test
- Appointing a legal penetration tester, who follows the rules in the nondisclosure agreement
- Choosing a suitable set of tests that balance costs and benefits
- Following a methodology with proper planning and documentation
- Documenting the results carefully and making them comprehensible to the client. The penetration tester must be available to answer any queries whenever there is a need.
- Clearly stating findings and recommendations in the final report
Why Penetration Testing
Penetration testing is important to the organizations for the following reasons:
• Identifying the threats facing an organization’s information assets
• Reducing an organization’s expenditure on IT security and enhancing Return on Security Investment (ROSI) by identifying and remediating vulnerabilities or weaknesses
• Providing assurance with a comprehensive assessment of an organization’s security, including policy, procedure, design, and implementation
• Gaining and maintaining certification to an industry regulation (BS 7799, HIPAA, etc.)
• Adopting best practices in compliance with legal and industry regulations
• Testing and validating the efficacy of security protections and controls
• Changing or upgrading existing infrastructure of software, hardware, or network design
• Focusing on high-severity vulnerabilities and emphasizing application-level security issues to development teams and management
• Providing a comprehensive approach to the preparation steps that can be taken to prevent upcoming exploitation
• Evaluating the efficacy of network security devices such as firewalls, routers, and web servers
Comparing Security Audit, Vulnerability Assessment, and Penetration Testing
Although many people use the terms security audit, vulnerability assessment, and penetration testing interchangeably to mean security assessment, there are considerable differences, as discussed below.
Security Audit
A security audit just checks whether the organization is following a set of standard security policies and procedures. It is a systematic method of technical assessment of an organization’s systems that includes conducting manual interviews with staff, performing security scans, reviewing the security of various access controls, and analyzing physical access to the organization’s resources.
Vulnerability Assessment
A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or of the amount of damage that may result from the successful exploitation of the vulnerability.
Penetration Testing
Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers.