pbnetworks - Computer Security Solutions

pbnetworks - Computer Security Solutions

Pen-testing

Penetration testing is an often confused term.  Its focus is on finding security vulnerabilities in a target environment that could let an attacker penetrate the network or computer systems, or steal information.

  • Using tools and techniques very similar to those employed by criminals
  • To prevent a thief, you may need to think like a thief
  • The goal is actual penetration - compromising target systems and getting access to information
Penetration testing is a subset of ethical hacking.

From a business perspective, penetration testing helps safeguard your organization against failure, through:
  • Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
  • Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
  • Protecting your brand by avoiding loss of consumer confidence and business reputation.

From an operational perspective, penetration testing helps shape information security strategy through:

  • Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.
All parts of the way that your organization captures, stores and processes information should be assessed; the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:
  • Off-the-shelf products (operating systems, applications, databases, networking equipment etc.)
  • Dynamic web sites, in-house applications etc.
  • Telephony (war-dialling, remote access etc.)
  • Wireless (WIFI, Bluetooth, IR, GSM, RFID etc.)
  • Personnel (screening process, social engineering etc.)
  • Physical (access controls, dumpster diving etc.)
What should be tested and how do we ensure success?

Your organization should of conducted a risk assessment, so will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.), and can now use a security assessment to identify any vulnerabilities that are related to these threats.  It is important to understand what security assessment, vulnerability assessment, audit, and penetration test are.

Many people use the phrases "Security Assessment" and "Vulnerability Assessments" to describe the work done by penetration testers and ethical hackers.  But, there is a subtile distinction between the ideas of a penetration test and a security assessment.

A penetration test is focused on getting in or stealing data.  The emphasis is on penetration of the target environment by exploiting discovered vulnerabilities.

Security assessments and vulnerability assessments are focused on finding vulnerabilities, often without regard to actually exploiting them and getting in.

Thus, penetration testing often goes deeper, with its goal of taking over systems and stealing data, while security and vulnerability assessments are broader, involving the process of looking for security flaws.

Security Audits is a measuring of things against a fixed, pre-determined, rigorous set of standards.  These audits are almost always done with detailed checklists.

Define a limited scope.  Most organizations don't and can't test everything, due to resource constraints.  We test those elements of your infrastructure that are deemed most vital.

Penetration testing and ethical hacking should be components of an overall security vulnerability discovery and remediation process in an organization, applied throughout the lifecycle of various IT projects.  This process should then be applied regularly as changes are made to the environment, as new security weaknesses are discovered by researchers, and as new threats are manifested against the organization.

Testing Methodologies used:

Open Source Security Testing Methodology Manual (OSSTMM)
NIST Special Publication 800-42: Guideline to Network Security Testing
Open Web Application Security Project (OWASP) Testing Guide
Penetration Testing Framework

Our aim is to help provide the right solution for your business needs.  Let pbnetworks be your solution provider.

Return to Home
Copyright © 2024 pbnetworks. All Rights Reserved. ip information