Fact Pen Testing Final

Penetration testing (pen testing) involves security professionals mimicking real-world hacker attacks to identify vulnerabilities in an organization's systems without disrupting operations. A pen tester will seek approval to conduct white, black, or gray-box tests, then compile a report detailing any successful attacks and recommended fixes. Regular pen testing is important for compliance and prevention, helping organizations discover and address issues before malicious actors do.

Uploaded by Popa Eugen

PEN TESTING

Penetration Testing (pen testing) is a process used to determine weaknesses that could be exploited by hackers to gain access to critical systems and data. IT security professionals outside the organization conduct the test to mimic real work conditions without negatively affecting operations. Typically, pen testers will provide the organization an overview of the process and will seek to obtain approval from management to conduct the test.

The “pen-tester” is hired to think like a hacker, determine what types of attacks the system may be susceptible to, and then implement them to see if they work. Once the technical work is complete, the pen-tester compiles a report for the organization. The report usually provides a step-by-step explanation of the types of attacks tried; which attacks were blocked and which were successful; and which actions are needed to correct, in priority order. At a minimum, the test will identify insecure configurations, software patches that weren’t applied, open ports, and software or systems not supported by manufacturers. The test may also include a phishing scam to determine if employees fall victim to this type of attack.

FACT 1: TYPES OF PEN TESTS

There are three different types of pen tests that an organization can perform. A “white-box” pen test provides testers with full knowledge of the information system and all system documentation, such as vulnerability assessments and system diagrams. A “black-box” pen test occurs when the tester takes on the role of an attacker and has no prior knowledge of the information system. The pen tester in a black-box scenario must conduct their own reconnaissance to determine how to best “exploit” the weaknesses in the system. A “gray-box” test is when the testers are provided partial knowledge of the system and limited documentation. The type of test conducted is likely to be determined by the organization and what they are trying to learn from the test.

FACT 2: COMPLIANCE

If you are an organization that accepts payment for goods and services via credit card, you may be required to have annual pen tests completed, under PCI-DSS #6 – Patch and Correct Vulnerabilities. See the NCSS Tip Sheet for more information about the Payment Card Industry Data Security Standard (PCI-DSS).

DID YOU KNOW…

- The Open Web Application Security Project (OWASP) lists the top ten most critical web application security risks. The OWASP Top 10 for 2017 was recently released.
- Pen testers typically refer to OWASP to conduct pen tests.
- Remember – start with a risk based approach – determine the likelihood of an event and the requisite impact. Rank the risk and correct!
- Back up important data often to reduce overall vulnerability and mitigate potential impacts of an attack.
- Employee training is an essential prevention strategy to keep your systems safe.

FACT 3: PENETRATION TESTING APPROVALS

One of the most important aspects of a penetration test is that it must be approved by management. A signed agreement between management and the IT security firm must be in place before the test begins, or there could be legal ramifications should something go wrong. While not everyone in the organization needs to be aware of the test, upper management should know when it is occurring. The agreement between the managers and the testers may include information such as what type of tests will be performed; what systems, if any, are off limits or excluded from the test; where and when the test will be performed; and under what circumstances the test would be stopped and the organization notified immediately. These are just some of the elements in a penetration test agreement.
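The agreement elements above (type of test, excluded systems, where and when, stop conditions) can be encoded so that the tester's own tooling refuses to touch anything management has not approved. The following is an added example and not part of the NCSS fact sheet; the Engagement record and its field names, the sample address ranges (RFC 5737 documentation networks), the testing window and the stop-condition strings are all assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


# Rules-of-engagement record. The field names are assumptions made for this
# example; the fact sheet only lists the kinds of information an agreement holds.
@dataclass(frozen=True)
class Engagement:
    test_type: str                    # "white-box", "black-box" or "gray-box"
    in_scope: tuple[str, ...]         # CIDR ranges management has authorised
    excluded: tuple[str, ...]         # systems off limits even if inside in_scope
    window_start: datetime            # when testing may begin (timezone-aware)
    window_end: datetime              # when testing must stop
    stop_conditions: tuple[str, ...]  # events that halt the test and trigger notification


VALID_TEST_TYPES = ("white-box", "black-box", "gray-box")


def validate_agreement(eng: Engagement) -> list[str]:
    """Return the problems found in an agreement; an empty list means it is usable."""
    problems: list[str] = []
    if eng.test_type not in VALID_TEST_TYPES:
        problems.append(f"unknown test type {eng.test_type!r}")
    if not eng.in_scope:
        problems.append("no in-scope systems listed")
    if eng.window_start.tzinfo is None or eng.window_end.tzinfo is None:
        problems.append("testing window must use timezone-aware datetimes")
    elif eng.window_end <= eng.window_start:
        problems.append("testing window ends before it starts")
    if not eng.stop_conditions:
        problems.append("no stop conditions defined")
    for cidr in eng.in_scope + eng.excluded:
        try:
            ip_network(cidr)
        except ValueError:
            problems.append(f"invalid network {cidr!r}")
    return problems


def is_authorized(eng: Engagement, target: str, at: datetime) -> tuple[bool, str]:
    """Decide whether touching `target` at time `at` is covered by the agreement.

    The time window is checked first, then exclusions, then scope, so an excluded
    host is refused even though it sits inside an in-scope range.
    """
    try:
        addr = ip_address(target)
    except ValueError:
        return False, f"{target!r} is not a valid IP address"
    if not (eng.window_start <= at < eng.window_end):
        return False, "outside the agreed testing window"
    if any(addr in ip_network(n) for n in eng.excluded):
        return False, f"{target} is excluded by the agreement"
    if not any(addr in ip_network(n) for n in eng.in_scope):
        return False, f"{target} is not in the agreed scope"
    return True, "authorized"


def should_stop(eng: Engagement, event: str) -> bool:
    """True when an observed event is one the agreement says must halt the test."""
    return event.strip().lower() in {c.lower() for c in eng.stop_conditions}


# Constructed sample agreement using documentation address ranges (RFC 5737).
SAMPLE = Engagement(
    test_type="gray-box",
    in_scope=("192.0.2.0/24",),
    excluded=("192.0.2.10/32",),   # hypothetical payment database carved out by management
    window_start=datetime(2024, 1, 15, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 1, 16, 4, 0, tzinfo=timezone.utc),
    stop_conditions=("production outage", "exposure of customer data"),
)
IN_WINDOW = datetime(2024, 1, 15, 23, 30, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 1, 16, 9, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    print("agreement problems:", validate_agreement(SAMPLE) or "none")
    for host in ("192.0.2.25", "192.0.2.10", "198.51.100.7"):
        print(host, "->", is_authorized(SAMPLE, host, IN_WINDOW))
    print("192.0.2.25 after window ->", is_authorized(SAMPLE, "192.0.2.25", AFTER_WINDOW))
    print("stop on outage?", should_stop(SAMPLE, "Production outage"))
```

Wiring `is_authorized` in front of every scanner or exploit launcher turns the signed agreement into a technical control rather than a document in a drawer: a host that management excluded, or a test run outside the agreed window, is refused with a reason that can be logged and shown to the client.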

FACT 4: PREVENTION MEASURES


Conducting frequently scheduled penetration tests is important for organizations no matter their size. Because new cyber attacks are always being developed, system protections need to evolve in order to maintain a strong defensive security posture. Conducting a penetration test is one of the best ways to ensure that this is being done. By conducting a pen test, your organization will be able to discover vulnerabilities on your system before malicious hackers do. Additionally, your organization can use the test to determine whether or not the safeguards you have put in place are truly effective.

FACT 5: RESOURCES

The General Services Administration (GSA) has developed standardized IT security penetration services for federal, state and local governments. These services, referred to as Highly Adaptive Cybersecurity Services (HACS), are listed at the U.S. GSA Advantage website. While these are resources for the public sector, they do have a list of approved vendors and examples of statements of work and items to consider for pen testing.

HACS 132-45A Penetration Testing lists services to consider, including: Network Mapping, Vulnerability Scanning, Phishing Assessment, Wireless Assessment, Web Application Assessment, Operating System Security Assessment (OSSA), and Database Assessment.

NCSS is currently working with approved and vetted service providers to help small businesses access pen testing firms and professionals; see Membership Perks. Additionally, there are several vendors listed on the GSA Advantage website.

References:

GSA eLibrary, Risk and Vulnerability Assessments:
https://www.gsaelibrary.gsa.gov/ElibMain/sinDetails.do?executeQuery=YES&scheduleNumber=70&flag=&filter=&specialItemNumber=132+45D

OWASP Top 10 - 2017 – Open Web Application Security Project, The Ten Most Critical Web Application Security Risks:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf