Penetration Testing
ABSTRACT
Penetration testing has been well popularized by the media. Many companies are now offering penetration services to identify vulnerabilities in systems and the surrounding processes. This report will Discuss “Penetration Testing” as a means of strengthening a corporate network’s security. This report is divided into three parts. Introduction will give you a brief and basic overview of Penetration Testing and why we need Penetration Testing, The second part is the technical breakdown explains The strategy, model and type of Penetration Testing. In the conclusion, we will discuss both the value and limitation of Penetration Testing.
1. INTRODUCTION
As electronic commerce, online business-to-business operations, and global connectivity have become vital components of a successful business strategy, enterprises have adopted security processes and practices to protect information assets. But if you look at today's computing environments, system security is a horrible game of numbers: there are currently over 9,223 publicly released vulnerabilities covering known security holes in a massive range of applications from popular Operating Systems through to obscure and relatively unknown web applications. [01] Over 300 new vulnerabilities are being discovered and released each month. Most companies work diligently to maintain an efficient, effective security policy, implementing the latest products and services to prevent fraud, vandalism, sabotage, and denial of service attacks. But the fact is you have to patch every hole of your system, but an attacker need find only one to get into your environment. Whilst many organisations subscribe to major vendor's security alerts, these are just the tip of the security iceberg and even these are often ignored. For example, the patch for the Code Red worm was available some weeks before the worm was released. [02]
1.1 What is Penetration Testing?
Penetration testing - using tools and processes to scan the network environment for vulnerabilities, [03& T, J.K et al. 2002] there are many different types of vulnerability assessments. Penetration Testing focuses on understanding the vulnerabilities of components that you’ve made available on the network as seen from the perspective of a skilful and determined attacker who has access to that network. It will provide a thorough overview of the ...
... middle of paper ...
.../2005)
[03] http://en.wikipedia.org/wiki/Penetration_testing (Last Access 10/03/2005)
[04] http://www.istart.co.nz/index/HM20/PC0/PV21902/EX244/AR2341 (Last Access 10/03/2005)
[05] http://www.visionael.com/products/security_audit/FBI_CSI_2003.pdf (Last Access 10/03/2005)
[06] http://www.webopedia.com/TERM/I/intrusion_detection_system.html (Last Access 10/03/2005)
[07] http://www.corecom.com/external/livesecurity/pentest.html (Last Access 18/03/2005)
[08] http://www.securenetsol.com/na_pt_test_approach.html (Last Access 20/03/2005)
[09] http://www.securityfocus.com/infocus/1722 (Last Access 20/03/2005)
[10] http://www.local4you.co.uk/Security/security_test.htm (Last Access 20/03/2005)
[11] http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci546705,00.html (Last Access 20/03/2005)
[12] http://www.netstumbler.com/2004/06/04/wireless_attacks_and_penetration_testing_part_1_of_3/
(Last Access 20/03/2005)
[13] http://lineman.net/node/270 (Last Access 20/03/2005)
[14] http://www.penetration-testing.com/ (Last Access 15/03/2005)
[15] T. J. Klevinsky, Scott Laliberte, and Ajay Gupta. (2002). Hack I.T.: Security Through Penetration Testing. Addison-Wesley Professional.
Commencing penetration tests within the infrastructure of Alexander Rocco Corporation may be a strenuous, yet beneficial process. However, before commencing penetration tests, much planning, strategizing, and research is necessary in order to ensure successful, seamless, and legal operations. Based on information provided by the SANS Institute, an initial meeting should be coordinated between those responsible for conducting the tests, along with the appropriate leadership personnel of the company (source). Within the meeting, the scope of the project should be established, classifying company data appropriately, and determining which components of the company’s infrastructure require penetration testing, which may include Alexander Rocco Corporation’s
"Computer Security Training, Network Research & Resources." SANS: Computer Security Training, Network Security Research, InfoSec Resources. Web. 17 Mar. 2011. .
Despite investing one of top security system, and spend money to boost up their defense mechanism to meet industry standard, hackers still able to find the holes of the Target system. Target seem to run into a costly mistake in this cases. However, I believe, this mistake could be happened upon anyone, what we learn to prevent it in the future is more important. I believe, as a security standpoint, we have to look at it from multiple angles and not rely on only one defense mechanism. To succeed again the hackers, educating the workforce and assessing the human factors in not only technical but also strategy and risk management must be ensured for companies to guarding against any future attacks.
Penetration tests are typically conducted by ethical hackers whom exploit manual and automated practices to simulate attacks from both internal and external threats (Bace & Sinchak, 2014). Working hand-in-hand, vulnerability assessments and penetration tests afford the agile intelligence needed to help organizations deploy necessary security countermeasures to mitigate the likelihood and impact of attacks. This is especially important in a BYOD environment where devices models vary and are frequently refreshed.
Once the team has assembled and once the SITSA has completed the formalities associated with communicating to company leaders and stakeholders, the next stage is to begin assessing and analyzing the attack. Brandon (2014) provides the following guidelines for security analysts and those charged with evaluating the attack in terms of its specific dimensions. These include the processes of isolating the impacted networking components; protecting critical infrastructures against further compromise; detecting the source of the intrusion; analyzing the components and signatures associated with it; and making clear assessments based on this aggregate data. In total, this effort can be viewed as a strategy that analyzes an attack in terms of its technical aspects and the likely qualitative aspects connected with the attacker.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish roles and responsibilities of all personnel and staff members. However, a Chief Information Officer should be appointed to direct an organization’s day to day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable in ensuring all of the rules and policies are being followed, as well as, understanding their roles, responsibilities and functions. Organizations information processing systems are vulnerable to many threats that can inflict various types of damage that can result in significant losses (Harris, 2014). Losses can come from actions from trusted employees that defraud the system, outside hackers, or from careless data entry. The major threat to information protection is error and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
Abstract: This paper illustrates a moral dilemma regarding security measures of software releases. The presence of malicious hackers throughout the globe today is a practical reality; robust secure code ought to be a strong priority for software companies. However, faced with complications regarding deadline issues, language issues, security continues to pose problems with software today. Software companies must ultimately make a decision between balancing security robustness and commercial viability of their products. A cooperative effort by software companies and users to promote responsible and intelligent usage of products can lead to more security.
The term, “penetration testing”, often crosses our minds, but many a times we just let it go thinking of its literal meaning. A little curious folks give it a second thought, for, “what is it?” and “is it really needed?” So we are here to throw a little light on it and its benefits.
According to Forbes, security hackings were viewed as invasion of the ensured information and property that consequently establishes a malicious demonstration. The security business has seen on attacks from countries,
Network Vulnerability Scanning and Penetration Testing – PCI requires quarterly scanning. In order to meet this strict guideline a policy must be in place that covers what must be done to ready the company for the QSA. This includes who is able to conduct vulnerability testing and what testing method or tools are being use. Recommendations for any detected weaknesses 7. Physical Security – PCI requires this be addressed in the ISP.
Nessus is an efficient, comprehensive vulnerability scanner that provides less false positives than many other tools currently available in th...
Faircloth J, Beale J, Temmingh R, Meer H, van der Walt C, Moore HD (2006) Penetration Testers Open Source Toolkit.
Vulnerability testing will be done periodically by doing unannounced social engineering penetration testing. This will be conducted by an external company to make it more realistic. They will try to use various social engineering tricks to gather personal and company information from
Harvey, Brian. A. Computer Hacking and Ethics. Ed. Paul Goodman, P.G., a.k.a. Electrical Engineering and Computer Science.
The Art of exploring various security breaches is termed as Hacking.Computer Hackers have been around for so many years. Since the Internet became widely used in the World, We have started to hear more and more about hacking. Only a few Hackers, such as Kevin Mitnick, are well known.In a world of Black and White, it’s easy to describe the typical Hacker. A general outline of a typical Hacker is an Antisocial, Pimple-faced Teenage boy. But the Digital world has many types of Hackers.Hackers are human like the rest of us and are, therefore, unique individuals, so an exact profile is hard to outline.The best broad description of Hackers is that all Hackers aren’t equal. Each Hacker has Motives, Methods and Skills. But some general characteristics can help you understand them. Not all Hackers are Antisocial, PimplefacedTeenagers. Regardless, Hackers are curious about Knowing new things, Brave to take steps and they areoften very Sharp Minded..