White Paper
What is Penetration Testing?
An Introduction for IT Managers
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
What Is Penetration Testing?
Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking an attacker.
Think about it as quality assurance for your IT security.
Like most people, you probably think that quality assurance for software is both sensible and necessary before you
roll out software into production. It’s sensible not because you don’t trust the software developers to do a good job,
but because it’s good business practice to ensure that the code works as expected. Penetration testing plays the same
role for security: it verifies that your production systems are secure.
Some penetration testers prefer the term “security assessment” over “penetration testing,” although they relate to
the exact same process. Penetration testers are sometimes called the Red Team, a term that comes from the early
days of penetration testing in the military, whereas the Blue Team is the defensive team.
If you wonder how penetration testing relates to port scanning and vulnerability management, you’re not alone.
Although they are related, they are quite different:
•	 Port scanning identifies active services on hosts.
•	 Vulnerability management identifies potential vulnerabilities on systems based on the installed software
version of the operating system or applications.
•	 Penetration testing involves trying to take control over the systems and obtain data.
The differences between the three are easier to understand if you think of your network as a house:
•	 Port scanning is like counting the doors and windows on the house.
•	 Vulnerability management is like walking around the house and listing all the doors, windows and locks that
are reportedly insecure based on the vendor and model information.
•	 Penetration testing is like trying to break into the house by picking the weak locks and smashing a window.
Why Penetration Test?
People conduct penetration tests for a number of different reasons:
•	 Prevent data breaches: Since a penetration test is a benign way to simulate an attack on the network, you
can learn whether and how you are exposed. It’s a fire drill to ensure you’re optimally prepared if there’s
ever a real fire.
•	 Check security controls: You probably have a number of security measures in place in your network already,
such as firewalls, encryption, DLP, and IDS/IPS. Penetration tests enable you to test if your defenses are
working—both the systems and your teams.
•	 Ensure the security of new applications: When you roll out a new application, whether hosted by you
or a SaaS provider, it makes sense to conduct a security assessment before the roll-out, especially if the
applications handle sensitive data. Some example applications include customer relationship management
(CRM), marketing automation program (MAP), HR’s applicant tracking system, health insurance providers’
benefits management software, et cetera.
•	 Get a baseline on your security program: New CISOs often conduct a security assessment when they
join a new company to obtain a gap analysis of the security program. This shows them how effective the
organization is in dealing with cyber-attacks. These security assessments are sometimes conducted without
the knowledge of the IT security team because it could otherwise influence the results.
•	 Compliance: Some regulations, such as PCI DSS, require penetration tests. Make sure you understand how the
penetration test should be conducted to ensure that you will pass the audit.
How to conduct a Security Assessment: Typical steps
Every penetration tester has a slightly different method, and similarly each security assessment is different
depending on the environment and goals. That said, this graphic illustrates the typical steps of a security assessment:
A typical penetration test goes through these stages:
1.	 Goal: Setting the objective of the security assessment.
2.	 Reconnaissance: Finding out as much as possible about the target company and the systems being audited.
This occurs both online and offline.
3.	 Discovery: Port or vulnerability scanning of the IP ranges in question to learn more about the environment.
4.	 Exploitation: Using the knowledge of vulnerabilities and systems to exploit systems to gain access, either at
the operating system or application level.
5.	 Brute forcing: Testing all systems for weak passwords and gaining access if they do.
6.	 Social engineering: Exploiting people through phishing emails, malicious USB sticks, phone conversations, and
other methods to gain access to information and systems.
7.	 Taking Control: Accessing data on the machine, such as passwords, password hashes, screenshots, files,
installing keyloggers, and taking over the screen control. Often this can open new doors to more exploitation,
brute forcing, and social engineering.
8.	 Pivoting: Jumping to different network segments, providing the host has multiple network interfaces, such as
some machines in the DMZ.
9.	 Gathering Evidence: Collecting screenshots, password hashes, and files as proof that you got in.
10.	Reporting: Generating a report about how the penetration tester was able to breach the network and the
information they were able to access.
11.	Remediation: Addressing the issues that enabled the penetration tester to enter the network. This is
typically not done by the penetration tester but by other resources in the IT department.
Setting the Scope of a Penetration Test
Asking a penetration tester simply to “try and break in” is not necessarily a good way to frame a penetration test.
Before you start, ask yourself this question: What is the most important digital asset that your company needs to
protect? If you are in retail, it may be the database that stores all of your customers’ credit card numbers. If you are
a software vendor, it may be your source code. If you are a bank, it may be your online banking application. You get
the idea.
Once you’ve identified your most precious asset, instruct the penetration tester to try to access those systems. This
will make the engagement much more impactful and realistic, providing you with a real learning experience and a
clear indicator of whether the penetration tester has achieved his or her goal.
If you are conducting a penetration test for compliance reasons, such as PCI DSS, then the goal should be to access
the systems inside the PCI scope to extract cardholder data.
External and Internal Security Assessments
Security assessments can be carried out from the perspective of an outsider who tries to attack the organization over
the internet, or from the view of a malicious insider. These two approaches are called external and internal security
assessments.
You should choose an external security assessment if you are worried about your organization getting attacked from
the Internet. Most organizations start with an external penetration test.
An internal penetration test always assumes that you have internal network access. It can provide valuable insight if
you are worried that a rogue employee could try to access data that they’re not authorized to view. However, its uses
go much further: Internal penetration tests can also tell you how much damage an intruder could do if one of your
employees mistakenly opens an attachment on a phishing email, or how far a visitor to your site could get by plugging
their laptop into the local network.
Denial of Service Testing
You may not only be worried about whether people can break into your network to steal information but also whether
someone on the Internet could bring down your servers to disrupt your business. If you are running a large online
retail store or an online banking site, a system outage could cost you millions.
Denial of service (DOS) testing should be carried out with ultimate care because the DOS modules are designed to
bring services down. You should either try them out on a development system or choose to conduct the tests during
times when a successful DOS attack would have minimal impact on your business.
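The scoping advice in "Setting the Scope of a Penetration Test" and the timing advice in "Denial of Service Testing" can be turned into a pre-flight check that a test lead runs before any module is launched. The following is an added example, not code from the Rapid7 paper or from Metasploit; the engagement, the networks, the exclusion list, the development range and the test window are all constructed for illustration.

```python
"""Rules-of-engagement checker for a penetration test (added example, constructed data).

It encodes two pieces of advice from the paper: keep the tester on the systems that
hold the asset you care about (for PCI DSS, the systems inside the PCI scope), and run
denial-of-service modules only against a development system or inside an agreed
low-impact window.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Engagement:
    """Scope agreed with the client before the test starts (all fields are hypothetical)."""
    goal: str                                      # the asset the tester is asked to reach
    in_scope: list                                 # CIDRs the tester may touch
    excluded: list = field(default_factory=list)   # hosts that must never be touched
    dev_systems: list = field(default_factory=list)  # development replicas: DoS always acceptable
    dos_window: tuple = None                       # (start, end) local times for DoS on production


def target_allowed(eng, host):
    """True if host lies inside an in-scope network and is not on the exclusion list."""
    addr = ip_address(host)
    if any(addr in ip_network(x) for x in eng.excluded):
        return False
    return any(addr in ip_network(n) for n in eng.in_scope)


def dos_allowed(eng, host, when):
    """True only if a DoS module may be run against host at datetime `when`."""
    if not target_allowed(eng, host):
        return False
    addr = ip_address(host)
    if any(addr in ip_network(d) for d in eng.dev_systems):
        return True                        # development replica: outage is acceptable
    if eng.dos_window is None:
        return False                       # production host and no agreed window
    start, end = eng.dos_window
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end          # window wraps past midnight


def check_plan(eng, plan):
    """Return the (host, action) pairs in plan that violate the rules of engagement.

    plan is a list of (host, action, when) tuples; action is "scan", "exploit" or "dos".
    """
    violations = []
    for host, action, when in plan:
        ok = dos_allowed(eng, host, when) if action == "dos" else target_allowed(eng, host)
        if not ok:
            violations.append((host, action))
    return violations


# Constructed PCI-style engagement: reach the cardholder database, stay inside the
# PCI network, never touch the payment switch, DoS only on the dev replica or at night.
PCI_ENGAGEMENT = Engagement(
    goal="access the cardholder database inside the PCI scope",
    in_scope=["10.10.0.0/16"],
    excluded=["10.10.5.9/32"],
    dev_systems=["10.10.200.0/24"],
    dos_window=(time(2, 0), time(4, 0)),
)

# Constructed test plan; the comments give the expected verdict of check_plan.
CONSTRUCTED_PLAN = [
    ("10.10.1.20", "scan", datetime(2024, 1, 15, 10, 0)),     # in scope: allowed
    ("10.10.5.9", "exploit", datetime(2024, 1, 15, 10, 0)),   # excluded host: blocked
    ("192.168.1.5", "scan", datetime(2024, 1, 15, 10, 0)),    # outside scope: blocked
    ("10.10.1.20", "dos", datetime(2024, 1, 15, 10, 0)),      # production, daytime: blocked
    ("10.10.1.20", "dos", datetime(2024, 1, 16, 3, 0)),       # production, inside window: allowed
    ("10.10.200.7", "dos", datetime(2024, 1, 15, 10, 0)),     # development replica: allowed
]

if __name__ == "__main__":
    for host, action in check_plan(PCI_ENGAGEMENT, CONSTRUCTED_PLAN):
        print(f"blocked: {action} against {host}")
```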
How to Safely Conduct Penetration Tests
In the same way that you wouldn’t let just anyone work on your servers, you should ensure that the person carrying
out a penetration test on your systems is qualified to do so. If you hire an external penetration tester, ask for
references. If you are asking an internal resource to conduct a penetration test, you should ensure this individual has
sufficient experience or received training.
Exploits talk to systems in a way that was never intended by the developers. However, many exploits are perfectly
safe to use on a production system. The penetration testing software Metasploit automatically chooses only tested,
safe exploits by default to avoid any issues with your production environment.
Some organizations restrict the penetration test to development systems that mimic the production systems. This is
especially common when the production system is unstable or the risks of running an active penetration test are very
high, such as conducting a security assessment on a nuclear power station. At the same time, this approach has some
drawbacks. The production system will in most cases be slightly different from the development system, and these
differences may be critical.
Especially when conducting an external security assessment, it can make sense to pull out all the stops from an
engagement, because only then will a test reveal the true risks an organization faces every day from attacks over the
internet.
In-House and Outsourced Security Assessments
Whether you want to do your security assessments in-house or outsource them depends on a number of factors.
The first one is the size of your organization. Do you have enough work to employ a penetration tester full-time? If
not, do you have a security professional who can take this task on as a part-time job? Given the right tools, such as
Metasploit Pro, security professionals can quickly and easily get up to speed to conduct security assessments on your
network.
Outsourcing may be the right decision if you only have one penetration test to carry out each year that wouldn’t
justify the cost of a tool and the training for a particular individual. It may also be the right choice if you want a truly
independent assessment of your network’s security. It may be a good idea to switch your external penetration tester
once a year to get a fresh pair of eyes on the network. This doesn’t mean that you’ll have to switch companies, just
that you’ll ask for a different consultant for the next engagement.
Some companies decide to run a hybrid model: They conduct monthly or quarterly penetration tests using a junior
in-house resource to identify the low-hanging fruit, such as unpatched systems and weak passwords. It makes
sense to do this more often as these issues also carry a higher risk of a data breach. In addition, once a year these
organizations call in a specialized penetration tester to go deeper into the systems to identify the more advanced
security issues.
Compliance may also factor into your decision. PCI DSS requirement 11.3 requires an annual security assessment. You
can either outsource it or do it internally; if you choose an internal security assessment, the penetration tester must
be able to prove expertise in this area (e.g., training certification) and must be organizationally separate from the
people managing the network that is being assessed.
How to select a penetration tester
Whether you’re looking to hire an internal penetration tester or a consultant, you should ensure that the person
is well trained and highly trustworthy. For penetration testing consultants, you should ask for references and buy
services from a reputable firm. For internal resources, conduct a background check and ask for references. Training
may or may not be a good indicator of someone’s skills since many of the best people in this fast-moving industry are
self-taught.
As part of their engagement, penetration testers may get access to data that they would ordinarily not be
authorized to see, including intellectual property, credit card numbers, and human resources records. This is why
trustworthiness is so important. However, this should not put you off from hiring a penetration tester because the
alternative is worse: If you do not identify and fix the security issues on your network by hiring someone who is on
your side, your most sensitive data will likely be accessed by someone who is not.
What is Metasploit?
Metasploit is the leading software used by penetration testers around the world. A collaboration between the open
source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify
vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence.
Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams
can collaborate in Metasploit and present their findings in consolidated reports.
Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit
Framework, an open source software development kit with the world’s largest, public collection of quality-assured
exploits. To learn more about Metasploit or for a free trial, visit www.rapid7.com/metasploit.
Additional Metasploit Use Cases
Apart from security assessments, Metasploit can also be used for other purposes:
•	 Vulnerability Verification: If you are using a vulnerability scanner, you may be overwhelmed by the number
of vulnerabilities reported on your network. Usually constrained by tight resources, most IT teams don’t have
the time to fix all of them. Metasploit enables IT teams to verify whether a vulnerability is posing a real risk
or whether it can be disregarded. This greatly reduces the time for remediation and increases the overall
security posture of your organization.
•	 Password Auditing: Most people know they should use strong passwords, yet a surprising number of data
breaches involve issues with passwords, such as weak passwords or passwords shared across trust zones and
accounts. Metasploit enables you to audit the passwords used on your network across a large number of
services, not just for Windows accounts.
•	 Measuring Security Awareness: Phishing attacks can compromise the security of entire organizations.
One effective countermeasure is security awareness training. With Metasploit’s social engineering module,
organizations can send out phishing campaigns to their users to report metrics on user security awareness.
About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and
penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable
defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats
relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and
government agencies in more than 65 countries, while the Company’s free products are downloaded more than one
million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7
has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work”
by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by
Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.

Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityRapid7
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIORapid7
 

Plus de Rapid7 (18)

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's Effectiveness
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD Methodology
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL Injection
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government Sector
 
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
Rapid7 Report: Security Flaws in Universal Plug and Play: Unplug, Don't Play.
 
Rapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7 CAG Compliance Guide
Rapid7 CAG Compliance Guide
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance Guide
 
Rapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance GuideRapid7 FISMA Compliance Guide
Rapid7 FISMA Compliance Guide
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
 
IT Security in Higher Education
IT Security in Higher EducationIT Security in Higher Education
IT Security in Higher Education
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
The Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization SecurityThe Dynamic Nature of Virtualization Security
The Dynamic Nature of Virtualization Security
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIO
 

Dernier

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Dernier (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Why Penetration Test?
People conduct penetration tests for a number of different reasons:

• Prevent data breaches: Since a penetration test is a benign way to simulate an attack on the network, you can learn whether and how you are exposed. It’s a fire drill to ensure you’re optimally prepared if there’s ever a real fire.
• Check security controls: You probably have a number of security measures in place in your network already, such as firewalls, encryption, DLP, and IDS/IPS. Penetration tests enable you to test if your defenses are working—both the systems and your teams.
• Ensure the security of new applications: When you roll out a new application, whether hosted by you or a SaaS provider, it makes sense to conduct a security assessment before the roll-out, especially if the application handles sensitive data. Some example applications include customer relationship management (CRM), marketing automation programs (MAP), HR’s applicant tracking system, health insurance providers’ benefits management software, et cetera.
• Get a baseline on your security program: New CISOs often conduct a security assessment when they join a new company to obtain a gap analysis of the security program. This shows them how effective the organization is in dealing with cyber-attacks. These security assessments are sometimes conducted without the knowledge of the IT security team because it could otherwise influence the results.
• Compliance: Some regulations, such as PCI DSS, require penetration tests. Make sure you understand how the penetration test should be conducted to ensure that you will pass the audit.

How to Conduct a Security Assessment: Typical Steps
Every penetration tester has a slightly different method, and similarly each security assessment is different depending on the environment and goals. That said, this graphic illustrates the typical steps of a security assessment:

A typical penetration test goes through these stages:
1. Goal: Setting the objective of the security assessment.
2. Reconnaissance: Finding out as much as possible about the target company and the systems being audited. This occurs both online and offline.
3. Discovery: Port or vulnerability scanning of the IP ranges in question to learn more about the environment.
4. Exploitation: Using the knowledge of vulnerabilities and systems to exploit systems to gain access, either at the operating system or application level.
5. Brute forcing: Testing all systems for weak passwords and gaining access if they have them.
6. Social engineering: Exploiting people through phishing emails, malicious USB sticks, phone conversations, and other methods to gain access to information and systems.
7. Taking control: Accessing data on the machine, such as passwords, password hashes, screenshots, and files, installing keyloggers, and taking over screen control. Often this can open new doors to more exploitation, brute forcing, and social engineering.
8. Pivoting: Jumping to different network segments, provided the host has multiple network interfaces, as some machines in the DMZ do.
9. Gathering evidence: Collecting screenshots, password hashes, and files as proof that you got in.
10. Reporting: Generating a report about how the penetration tester was able to breach the network and the information they were able to access.
11. Remediation: Addressing the issues that enabled the penetration tester to enter the network. This is typically not done by the penetration tester but by other resources in the IT department.

Setting the Scope of a Penetration Test
Asking a penetration tester simply to “try and break in” is not necessarily a good way to frame a penetration test. Before you start, ask yourself this question: What is the most important digital asset that your company needs to protect? If you are in retail, it may be the database that stores all of your customers’ credit card numbers. If you are a software vendor, it may be your source code. If you are a bank, it may be your online banking application. You get the idea. Once you’ve identified your most precious asset, instruct the penetration tester to try to access those systems. This will make the engagement much more impactful and realistic, providing you with a real learning experience and a clear indicator of whether the penetration tester has achieved his or her goal.

If you are conducting a penetration test for compliance reasons, such as PCI DSS, then the goal should be to access the systems inside the PCI scope to extract cardholder data.

External and Internal Security Assessments
Security assessments can be carried out from the perspective of an outsider who tries to attack the organization over the Internet, or from the view of a malicious insider. These two approaches are called external and internal security assessments. You should choose an external security assessment if you are worried about your organization getting attacked from the Internet. Most organizations start with an external penetration test.

An internal penetration test always assumes that you have internal network access. It can provide valuable insight if you are worried that a rogue employee could try to access data that they’re not authorized to view. However, its uses go much further: Internal penetration tests can also tell you how much damage an intruder could do if one of your employees mistakenly opens an attachment on a phishing email, or how far a visitor to your site could get by plugging their laptop into the local network.

Denial of Service Testing
You may not only be worried about whether people can break into your network to steal information but also whether someone on the Internet could bring down your servers to disrupt your business. If you are running a large online retail store or an online banking site, a system outage could cost you millions. Denial of service (DoS) testing should be carried out with the utmost care because the DoS modules are designed to bring services down. You should either try them out on a development system or choose to conduct the tests during times when a successful DoS attack would have minimal impact on your business.

How to Safely Conduct Penetration Tests
In the same way that you wouldn’t let just anyone work on your servers, you should ensure that the person carrying out a penetration test on your systems is qualified to do so. If you hire an external penetration tester, ask for references. If you are asking an internal resource to conduct a penetration test, you should ensure this individual has sufficient experience or has received training.

Exploits talk to systems in a way that was never intended by the developers. However, many exploits are perfectly safe to use on a production system. The penetration testing software Metasploit automatically chooses only tested, safe exploits by default to avoid any issues with your production environment.

Some organizations restrict the penetration test to development systems that mimic the production systems. This is especially common when the production system is unstable or the risks of running an active penetration test are very high, such as when conducting a security assessment on a nuclear power station. At the same time, this approach has some drawbacks. The production system will in most cases be slightly different from the development system, and these differences may be critical. Especially when conducting an external security assessment, it can make sense to pull out all the stops in an engagement, because only then will a test reveal the true risks an organization faces every day from attacks over the Internet.

In-House and Outsourced Security Assessments
Whether you want to do your security assessments in-house or outsource them depends on a number of factors. The first one is the size of your organization. Do you have enough work to employ a penetration tester full-time? If not, do you have a security professional who can take this task on as a part-time job? Given the right tools, such as Metasploit Pro, security professionals can quickly and easily get up to speed to conduct security assessments on your network.

Outsourcing may be the right decision if you only have one penetration test to carry out each year, which wouldn’t justify the cost of a tool and the training for a particular individual. It may also be the right choice if you want a truly independent assessment of your network’s security. It may be a good idea to switch your external penetration tester once a year to get a fresh pair of eyes on the network. This doesn’t mean that you’ll have to switch companies, just that you’ll ask for a different consultant for the next engagement.

Some companies decide to run a hybrid model: They conduct monthly or quarterly penetration tests using a junior in-house resource to identify the low-hanging fruit, such as unpatched systems and weak passwords. It makes sense to do this more often as these issues also carry a higher risk of a data breach. In addition, once a year these organizations call in a specialized penetration tester to go deeper into the systems to identify the more advanced security issues.

Compliance may also factor into your decision. PCI DSS requirement 11.3 requires an annual security assessment. You can either outsource it or do it internally; if you choose an internal security assessment, the penetration tester must be able to prove expertise in this area (e.g., training certification) and must be organizationally separate from the people managing the network that is being assessed.

How to Select a Penetration Tester
Whether you’re looking to hire an internal penetration tester or a consultant, you should ensure that the person is well trained and highly trustworthy. For penetration testing consultants, you should ask for references and buy services from a reputable firm. For internal resources, conduct a background check and ask for references. Training may or may not be a good indicator of someone’s skills since many of the best people in this fast-moving industry are self-taught.

As part of their engagement, penetration testers may get access to data that they would ordinarily not be authorized to see, including intellectual property, credit card numbers, and human resources records. This is why trustworthiness is so important. However, this should not put you off from hiring a penetration tester because the alternative is worse: If you do not identify and fix the security issues on your network by hiring someone who is on your side, your most sensitive data will likely be accessed by someone who is not.
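The scoping and timing advice above (agree the target ranges up front, rule out fragile production hosts, and run DoS modules only in a low-impact window) can be written down as data and checked mechanically before any test action is scheduled. The Python below is an added example and not part of the Rapid7 white paper or of Metasploit; every range, host and time in it is a constructed placeholder.

```python
"""Rules-of-engagement gate for a penetration test.

Added example, not from the Rapid7 white paper. It encodes the paper's
scoping advice as data: the agreed target ranges, hosts the client has
ruled out, and a low-impact window outside which denial-of-service (DoS)
modules are never run. Every range, host and time below is a constructed
placeholder.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def utc(iso: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM' as a UTC timestamp."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass
class RulesOfEngagement:
    in_scope: List[str]                                 # CIDR ranges agreed with the client
    excluded: List[str] = field(default_factory=list)   # hosts never to be touched
    dos_window: Optional[Tuple[str, str]] = None        # "HH:MM" UTC start/end; None = never

    def __post_init__(self) -> None:
        # Parse once so a typo in the RoE fails loudly before any test runs.
        self._nets = [ip_network(n, strict=False) for n in self.in_scope]
        self._excluded = {ip_address(h) for h in self.excluded}
        self._window = None
        if self.dos_window is not None:
            start, end = self.dos_window
            self._window = (time.fromisoformat(start), time.fromisoformat(end))


def in_scope(roe: RulesOfEngagement, target: str) -> bool:
    """True if target is inside an agreed range and not explicitly excluded."""
    ip = ip_address(target)
    return ip not in roe._excluded and any(ip in net for net in roe._nets)


def dos_allowed(roe: RulesOfEngagement, when: datetime) -> bool:
    """True if a DoS module may run at the given time (compared in UTC)."""
    if roe._window is None:
        return False
    start, end = roe._window
    now = when.astimezone(timezone.utc).time()
    if start <= end:
        return start <= now < end
    return now >= start or now < end          # window wraps past midnight


def authorize(roe: RulesOfEngagement, target: str, test_type: str,
              when: datetime) -> Tuple[bool, str]:
    """Decide whether one planned action is permitted, with a reason if not."""
    if not in_scope(roe, target):
        return False, f"{target} is outside the agreed scope or excluded"
    if test_type == "dos" and not dos_allowed(roe, when):
        return False, f"DoS test against {target} is outside the agreed window"
    return True, "ok"


def review_plan(roe: RulesOfEngagement, plan):
    """Split a planned run into permitted actions and blocked ones with reasons."""
    permitted, blocked = [], []
    for target, test_type, when in plan:
        ok, reason = authorize(roe, target, test_type, when)
        (permitted if ok else blocked).append((target, test_type, reason))
    return permitted, blocked


# Constructed RoE: a small DMZ range plus one internal segment, one fragile
# production host ruled out by the client, DoS only between 02:00 and 04:00 UTC.
EXAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/28", "10.20.0.0/24"],
    excluded=["10.20.0.5"],
    dos_window=("02:00", "04:00"),
)

# Constructed test plan: (target, test type, scheduled UTC time).
EXAMPLE_PLAN = [
    ("203.0.113.7", "exploit", utc("2024-04-02T14:00")),   # in scope
    ("10.20.0.5", "exploit", utc("2024-04-02T14:00")),     # excluded host
    ("198.51.100.9", "scan", utc("2024-04-02T14:00")),     # never agreed
    ("203.0.113.7", "dos", utc("2024-04-02T14:00")),       # daytime DoS
    ("203.0.113.7", "dos", utc("2024-04-03T03:00")),       # inside window
]

if __name__ == "__main__":
    allowed, denied = review_plan(EXAMPLE_ROE, EXAMPLE_PLAN)
    for target, kind, _ in allowed:
        print(f"PERMIT {kind:8} {target}")
    for target, kind, why in denied:
        print(f"BLOCK  {kind:8} {target}: {why}")
```

Run against the constructed plan, two actions are permitted and three are blocked with a stated reason, which is the record you want in the engagement log when a client later asks why a host was or was not touched.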
What is Metasploit?
Metasploit is the leading software used by penetration testers around the world. A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports. Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit Framework, an open source software development kit with the world’s largest public collection of quality-assured exploits. To learn more about Metasploit or for a free trial, visit www.rapid7.com/metasploit.

Additional Metasploit Use Cases
Apart from security assessments, Metasploit can also be used for other purposes:

• Vulnerability Verification: If you are using a vulnerability scanner, you may be overwhelmed by the number of vulnerabilities reported on your network. Usually restrained by tight resources, most IT teams don’t have the time to fix all of them. Metasploit enables IT teams to verify whether a vulnerability is posing a real risk or whether it can be disregarded. This greatly reduces the time for remediation and increases the overall security posture of your organization.
• Password Auditing: Most people know they should use strong passwords, yet a surprising number of data breaches involve issues with passwords, such as weak passwords or passwords shared across trust zones and accounts. Metasploit enables you to audit the passwords used on your network across a large number of services, not just for Windows accounts.
• Measuring Security Awareness: Phishing attacks can compromise the security of entire organizations. One effective countermeasure is security awareness training. With Metasploit’s social engineering module, organizations can send out phishing campaigns to their users to report metrics on user security awareness.

About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.