What is Penetration Testing

What is penetration testing?

A penetration test involves the use of a variety of manual and automated techniques to stimulate an attack on an organization’s security arrangements. The penetration test should be conducted by the qualified penetration testing expert who is known as the ethical security tester.

What are the most common forms of penetration testing?
  • Application
  • Infrastructure penetration testing
What are the uses of penetration testing?

The use of pen test or commonly called as penetration testing is used to augment a web application firewall .

The penetration test is typically the assessment of IT infrastructure, networks and business applications to identify vulnerabilities and attacks.

What are the goals of penetration testing?
  • To check how an unwanted user can gain unauthorized access to the system that affects the fundamental security of the system, files.
  • To confirm the applicable controls required by the pci dss compliant  such as vulnerability management, segmentation is in place.
Other forms of penetration testing:
  • Mobile application penetration testing
  • Client server application penetration testing
  • Device penetration testing
  • Wireless penetration testing
  • Telephony penetration testing
The Penetration Testing Process
  • Planning and reconnaissance
  • Scanning
  • Gaining access
  • Maintaining access
  • Analysis
First StagePlanning and reconnaissance
  • Defining the goals of a test including the computer system that should be addressed.
  • Gathering intelligence to understand that how a target works in the system and its potential vulnerabilities.
Second Stage – Scanning

In this scanning stage it is used to understand how the target application will react to various outsiders attempts

  • Static Analysis – Checking the code to see the way it behaves while it is running. The code should be entirely in a single go.
  • Dynamic Analysis – The code should be in a running state. It provides a real time view into an applications performance.
Third Stage  – Gaining Access

In this third stage it uses the web application attacks such as the SQL Injection, cross-site scripting to remove the targets vulnerabilities. Testers try and exploit these vulnerabilities that should be stealing data, intercepting traffic to know the damage they can cause.

Fourth Stage  – Maintaining Access

This stage uses to see if the vulnerability is used to achieve the persistent presence in the exploited system. The idea is to imitate the advanced persistent threats, which remain in a system for months in order to steal an organization’s most sensitive data.

Fifth Stage – Analysis

The results of the pen test are compiled into a report detailing:

  • Sensitive data that was accessed
  • The system will remain undetected when the amount of time the pen tester takes
PENETRATION TESTING METHODS
  • External testing
  • Internal testing
  • Blind testing
  • Double- blind testing
  • Targeted testing
External Testing

External penetration tests the target of the assets of the company that are visible on the internet. Ex: Domain name servers . The goal is to gain the access and to extract the valuable data.

Internal Testing 

 In an internal test, the tester with permission to an application behind its firewall that simulates an attack by a malicious insider.

Blind Testing

In a blind test, a tester is only given the name of the enterprise that is being targeted. This gives the security people a real time look into how an actual application assault would occur.

Double-blind Testing

In a double-blind test, security personnel have no prior knowledge of the their simulated attack. In the real time world, they don’t have any time to shore up their defenses before an attempted breach.

Targeted Testing

In this testing, both the tester and the security personnel will work together and keep each other appraised of their movements.

simulate ddos attack online

Penetration Testing and Web Application Firewalls

Penetration testing and Web Application Firewall are exclusive, yet mutually beneficial security measures. For many kinds of pen testing, the tester is likely to use Web Application Firewall data, such as logs, to locate and exploit an application’s weak spots. Web Application Firewall administrators can benefit from pen testing data. Web Application Firewall configurations can be updated to secure against the weak spots that are discovered in the test.

STYLE OF PENETRATION TESTING

    • Black box
    • Grey box
    • White box
BLACK BOX
  • In this there is no information given to the tester.
  • It is useful for the external attacks with no prior knowledge of the environment.
GREY BOX (TRANSLUCENT BOX)
  • In this box, there is limited information is given.
  • To understand the degree of access that the authorized users of the computer system can obtain.
WHITE BOX (CRYSTAL BOX)
  • In this box, full information is provided.
  • That supports more targeted test in the system that is required to check the vulnerabilities.

 

Disadvantages of Penetration Testing
  • Plays a small part in seeing the people element.
  • Penetration Testing has  only the snapshot of the system at a point of time.
  • Provides technical results in nature and need to be interpreted in a business context.
  • Can be limited by legal considerations, limiting the breadth.

Cyber Security Hive provides penetration testing on various platforms such as the web, iOS, Android, IoT, and thick clients. Please get in touch to know more information about our services.

 

Leave a comment

Contact Us
close slider

Are you looking for a quote or general enquiry? Please fill in the details below, we will get back to you in 24 hours.

error: Content is protected !!
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.