Penetration Test

BLACK BOX VS. WHITE BOX

Penetration tests can be conducted in several ways. The most common distinction is the amount of knowledge about the implementation details of the system under test that is made available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested: the testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code and IP addressing information. There are also several variations in between, often known as gray box tests. Penetration tests may also be described as full disclosure, partial disclosure or blind tests, according to the amount of information provided to the testing party.

The relative merits of these approaches are debatable. It is argued that black box testing most closely simulates the actions of an actual malicious user. This ignores the fact that any targeted attack on a system will most probably require some knowledge of the system; an insider, for example, may have access to as much information as the system owners. In most cases it is preferable to assume a worst-case scenario and provide the testers with as much information as they require, on the assumption that any determined attacker would already have acquired it through some other means.

In practice, the services offered by penetration testing firms range from a simple scan of an organisation's IP address space for open ports and identification banners to a full audit of the source code of an application.


RATIONALE


A penetration test should be carried out on any computer system that is to be deployed in a hostile environment, in particular any Internet-facing site, before it is deployed. This provides a level of practical assurance that a malicious user will not be able to penetrate the system.


METHODOLOGY

and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. The OSSTMM is also known for its Rules of Engagement, which define for both the tester and the client how the test is to be properly run, from prohibiting false advertising by testers to how the client can expect to receive the report. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The National Institute of Standards and Technology (NIST) discusses penetration testing in Special Publication 800-42, Guideline on Network Security Testing. NIST's methodology is less comprehensive than the OSSTMM; however, it is more likely to be accepted by regulatory agencies. For this reason NIST refers to the OSSTMM.

There is a newer methodology known as the Information Systems Security Assessment Framework (ISSAF), by the Open Information Systems Security Group.

The Information Systems Security Assessment Framework (ISSAF) is a peer-reviewed, structured framework that categorizes information system security assessment into various domains and details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real-life scenarios. The ISSAF should primarily be used to fulfil an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. The ISSAF includes the crucial facet of security processes, and their assessment and hardening, to give a complete picture of the vulnerabilities that might exist. The ISSAF, however, is still in its infancy.

A typical methodology for penetration testing:

1. Port scanning
2. Tasks to perform for a thorough port scan
3. System fingerprinting
4. Service probing
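The same steps look quite different from the defender's side: a port scan or service probe shows up in a firewall log as one source touching many distinct destination ports in a short time. The following is an added example (not part of the original article) of the detection logic for that pattern, run over a constructed log in an invented "epoch src -> dst:port action" format; the window and threshold values are arbitrary assumptions.

```python
"""Flag port-scan activity in firewall logs (added example; log format is constructed)."""
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.5 is a normal web client, 10.0.0.7 sweeps
# ten ports in a few seconds (most dropped), 10.0.0.9 logs in once later.
SAMPLE_LOG = """\
1700000000 10.0.0.5 -> 192.168.1.10:80 ACCEPT
1700000001 10.0.0.5 -> 192.168.1.10:443 ACCEPT
1700000002 10.0.0.7 -> 192.168.1.10:21 DROP
1700000002 10.0.0.7 -> 192.168.1.10:22 ACCEPT
1700000003 10.0.0.7 -> 192.168.1.10:23 DROP
1700000003 10.0.0.7 -> 192.168.1.10:25 DROP
1700000004 10.0.0.7 -> 192.168.1.10:80 ACCEPT
1700000004 10.0.0.7 -> 192.168.1.10:110 DROP
1700000005 10.0.0.7 -> 192.168.1.10:139 DROP
1700000005 10.0.0.7 -> 192.168.1.10:443 ACCEPT
1700000006 10.0.0.7 -> 192.168.1.10:445 DROP
1700000006 10.0.0.7 -> 192.168.1.10:3389 DROP
1700000060 10.0.0.9 -> 192.168.1.10:22 ACCEPT
"""


def parse_line(line):
    """Split one constructed log line into (ts, src, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), src, dst_ip, int(dst_port), action


def detect_scanners(log_text, window=30, threshold=8):
    """Return {src_ip: max_distinct_targets} for every source that contacts
    at least `threshold` distinct (dst_ip, port) pairs within `window` seconds.
    Dropped connections count too: a scan of closed ports is still a scan."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (ts, (dst_ip, port)) in the window
    flagged = {}
    for ts, src, dst_ip, port, _action in events:
        q = recent[src]
        q.append((ts, (dst_ip, port)))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))  # {'10.0.0.7': 10}
```

Tuning matters: a short window with the same threshold lets a slow, spread-out sweep through, which is why real detections usually combine this count with the ratio of dropped to accepted connections.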


STANDARDS & CERTIFICATION

The process of carrying out a penetration test can reveal sensitive information about an organization. It is for this reason that most security firms are at pains to show that they do not employ ex-black hat hackers and that all employees adhere to a strict ethical code. There are several professional and government certifications that indicate a firm's trustworthiness and conformance to industry best practice.

In the UK, there are three main standards. For many years the only standard/accreditation was the CHECK scheme, administered by CESG (formerly known as the "Communications and Electronic Security Group"; part of GCHQ). This standard is a mandatory prerequisite for central government testing but, due to EU rules, cannot be enforced for local government and government agency work (cf. the CLAS consultancy qualification). It has also been favoured by many commercial blue-chip organizations. Subscriber organizations to the scheme are required to maintain strict ethical standards, and certified individuals are automatically vetted to at least SC level security clearance.

The TIGER Scheme provides a means of independently certifying the skills of vulnerability test ('penetration test') engineers. The Scheme is managed independently by a Management Committee composed of industry stakeholders with a vested interest in maintaining standards and in meeting market requirements. The three main strengths of the TIGER Scheme are: independence; a university-based examination; and strong end-customer involvement on the Management Committee.

A new standard has recently emerged from the industry itself, intended to be more relevant to the commercial market. CREST (Council of Registered Ethical Security Testers) has a mission to represent the information security testing industry and offer a provable level of assurance as to the competency of organisations and of individuals within those organisations. It maintains and publishes a register of the accredited organisations and individuals who have met the CREST standard. It follows the CHECK model closely, including vetting, but mandates far higher standards that are more relevant to the private sector.

Government-backed testing also exists in the US, with standards such as the NSA Infrastructure Evaluation Methodology (IEM).

For web applications, the Open Web Application Security Project (OWASP) provides a framework of recommendations that can be used as a benchmark.

The International Council of E-Commerce Consultants (EC-Council) has created the Certified Ethical Hacker (CEH) certification, which covers penetration testing as well as many other nefarious computer skills.

ISECOM provides a Professional Security Testing certification and a Professional Security Analyst certification.

The University of Glamorgan has a specialist Master's course (MSc Computer Systems Security) that focuses on the technical aspects of computer system security and penetration testing. The award is designed to provide up-to-date, relevant and practical information on the technical aspects of computer security.


WEB APPLICATION PENETRATION TESTING

Web application penetration testing refers to a set of services used to detect various security issues in web applications.

Enterprises across the world conduct their business on the web, yet only a meagre percentage of websites are regularly and professionally tested for vulnerabilities. This increases the likelihood of attacks on those websites and, eventually, of the applications being compromised.

Web Application Penetration Testing services help identify issues related to:

  • Vulnerabilities and risks in your web applications

  • Known and unknown (0-day) vulnerabilities, so that the threat can be countered until your security vendor provides the appropriate fix.

  • Technical vulnerabilities: URL manipulation, SQL injection, cross-site scripting, back-end authentication, passwords in memory, session hijacking, buffer overflows, web server configuration, credential management, etc.

  • Business risks: day-to-day threat analysis, unauthorized logins, personal information modification, price list modification, unauthorized funds transfer, breach of customer trust, etc.
