Copyright Goodheart-Willcox Co., Inc. 76 Security Essentials

penetration test uses skilled ethical hackers to test the security of a system and only for a specified time. A skilled ethical hacker, also referred to as a certified tester, uses skill and knowledge in an attempt to bypass a company’s security features, break into a network, and obtain information to return to the organization conducting the test.

In Chapter 2, you learned about bug-bounty programs that organizations use to prevent zero-day attacks. A bug-bounty program is an initiative that offers rewards to those who identify flaws and vulnerabilities found in their program. Bug-bounty programs are not penetration tests; rather, they are continuous monitoring programs that ethical hackers use to find vulnerabilities. Many people could be searching for the bugs at the same time. When a bug is reported, it can be patched before being discovered and exploited by hackers.

Rules of Engagement

Rules of engagement (RoE) is a document that specifies in detail the manner in which penetration testing will be conducted. The RoE consists of testing details including scope of testing and type of testing.

Scope

The scope of a project is the description of the pen test, its complexity, size, and other details needed to perform a complete and accurate job. Without a defined scope, it is difficult to determine specific tasks to be performed as well as the price for the services provided by the pen tester. In addition, without a scope, the testers may do too much or too little, and the outcome may not be as planned.

Types of Pen Tests

After scope is defined, it is necessary to identify the type of test to be performed, which determines specific information that the company will provide to the tester. There are three general types of penetration tests.

■ Black box: A black box test is a penetration test in which the tester has no knowledge of the system. The organization does not provide any information.
■ Gray box: A gray box test is a penetration test in which the tester has some knowledge of the system. The organization provides specific and limited amounts of information.
■ White box: A white box test is a penetration test for which the tester is given complete information and full knowledge of the system.

All three types of tests have merit. Having advance knowledge of a system allows a tester to focus on the system and its configurations. On the other hand, if a tester has no knowledge of a system, the tester can approach the system just as a potential hacker may. This approach can reveal information that may lead to an actual hack.

Exercise Types

Penetration exercises are tests that examine the security defenses of an organization. Penetration exercise types are specific tests that simulate hacking attempts in targeted areas such as wireless, network intrusion, social engineering attacks, or on applications. These exercises locate weaknesses and vulnerabilities in an organization’s security configurations and evaluate the effectiveness of responses. However, some penetration exercises do more than conduct offensive security testing and may test the security responses or defenders.