Part 1 - Planning Stage
Introduction
The purpose of this article is to put forward a precise approach to performing a successful penetration test by selecting the right tools and developing a good assessment plan (ROE). This plan document covers the different types of penetration testing, the different penetration testing techniques, a web application penetration testing methodology, and high-level tools and techniques for analysing the security of a particular web application. The reason for writing the plan document is to produce a robust security assessment plan.
The main objective of penetration testing is to secure an organisation's confidential data from outsiders such as black hat hackers or business
There are three types of penetration test: 1. Black-box test. 2. White-box test. 3. Grey-box test. This gives the organization the flexibility to choose the one that best meets its requirements.
• Black-box test
In this test the pentester has no prior knowledge of the target system. Extensive reconnaissance is needed because the organization does not provide the penetration tester with any information about the system to be tested; the penetration tester has to gather as much information as possible about the target system or network and then perform the test.
• White-box test
In a white-box test the pentester has complete knowledge of the computer/network infrastructure; the organization provides full details of its IT infrastructure to the pen tester. It simulates what might happen during an "inside job" or after a "leak" of sensitive information.
• Grey-box test
In this test the pentester has partial knowledge of the system and has the level of authority of a user.
Document Scope:
The main purpose of this document is to give detailed information about the various tools and techniques that are going to be used in executing the web penetration test. We will also look at the features and outcomes of each tool, and the vulnerabilities that each tool is able to find. There are many different open source tools listed in this document which have the ability to perform different
* Perform a vulnerability assessment scan on the targeted IP subnet to discover the weakest link in the system.
* Check existing security scan reports, from Wireshark and NetWitness Investigator, and see if we can identify data leakage, and set up new policies and procedures for monitoring web servers and applications.
Companies should develop a control that requires routine vulnerability assessment of their customer-facing web sites, network infrastructure, and associated systems (such as database systems). Vulnerability assessment can help identify potential weaknesses in systems and also provide feedback to the organization’s IT department on its current operational policy and security posture. The cost of performing a routine vulnerability assessment is considerably less than that of an actual data breach.
Our company is looking for security threats inside and outside their network. The best way to see what our network is vulnerable to is to use penetration testing (pen-testing) to find the leaks in and out of our network. Penetration testing is a network security approach that simulates an attack from an intruder trying to get unauthorized access to the infrastructure. With this type of testing the intent is to discover flaws in the security settings of the system before they can be exploited. Information Assurance Research Corporation (IARC) should conduct penetration testing on a regular basis, so we have the ability to locate weaknesses in the hardware and software, check the security controls currently established and determine if the
Penetration testing is the attempt to identify security weaknesses within the IT infrastructure of an
There are two common strategies for integration testing: top-down and bottom-up. The top-down approach tests the highest-level code first and works down to the lowest-level code. This shows defects at the top level of the software earlier in the process. The bottom-up integration testing method tests from the sub-units up to the main units of the program.
Discuss approaches to a penetration test and vulnerability scan in terms of black box, white box and gray box tests.
The penetration tools provided in this document allow us to review our network from a security standpoint. This paper focused predominantly on phase two of a penetration test, the exploitation phase; however, a successful penetration test typically starts with the reconnaissance phase. In this phase, the tester attempts to gain as much information about the target company and its network as possible. He or she will test the physical infrastructure (how do people gain access to the building?) and other organizational aspects of the company to find a weakness and a way to get in. Also during this portion of the test, the penetration tester will use tools such as NMAP, whois.com, and other resources to obtain information regarding the network
We should perform Attack and Penetration tests to identify vulnerabilities in our network which can be accessed by hackers. Attackers sniffing on the network look for weak points in the network, thus knowing the weak points using internal and external attack and penetration tests will make our network more secure.
10. There are four phases of penetration testing, according to NIST. They are planning, discovery, attack, and reporting. In the planning phase, rules are identified, management approval is finalized, and testing goals are set. The discovery phase starts the actual testing. Techniques commonly used in the discovery phase include port scanning, DNS interrogation, whois queries, searches of the target organization's web servers, searches of the LDAP directory, packet capture, NetBIOS enumeration, and banner grabbing. While vulnerability scanners only check that a vulnerability may exist, the attack phase of a penetration test exploits the vulnerability, confirming its existence. The reporting phase occurs simultaneously with the other three phases of the penetration test.
3.1.6 Vulnerability testing: conducting vulnerability tests allows the organization to see whether the system can be penetrated and whether there are any weak areas in the system. If vulnerabilities are found, this gives the organization time to fix the problem.
A pen tester is someone who attempts to exploit security vulnerabilities in web-based applications, networks, as well as systems. Pen testers must conduct physical assessments of servers and network devices, design and make new penetration tools and tests, and work on improvements and find new ways to improve security services, including numerous enhancements to different systems.
Penetration testing is when a company pays a specialist to try and break into their network and relay back to them any vulnerabilities they may find. Now
This report contains an overview of the testing process and issues that were found, details of the testing process, results found, the risks associated with the vulnerability and recommendations for rectifying the vulnerability. The results of the test can be of assistance to Ernst & Young when making decisions regarding information security.
Web applications nowadays serve as a company’s public face on the internet. This has created the need to identify threats and attacks directed at data servers and web applications. Hackers exploit vulnerabilities in input validation and authentication affecting the web application in order to gain illegal access and disclose sensitive data or manipulate it to their benefit.