Penetration Testing is a method that many companies follow in order to minimize their security breaches. This is a controlled way of hiring a professional who will try to hack your system and show you the loopholes that you should fix. Discover why its important to backup your data regularly.
Pentesting
Before
doing a penetration test, it is mandatory to have an agreement that will
explicitly mention the following parameters −
- what will be the time of penetration test,
- where will be the IP source of the attack, and
- what will be the penetration fields of the system.
Penetration
testing is conducted by professional ethical hackers who mainly use commercial,
open-source tools, automate tools and manual checks. There are no restrictions;
the most important objective here is to uncover as many security flaws as
possible.
Types of Penetration Testing
We
have five types of penetration testing −
Black
Box − Here, the ethical hacker doesn’t have any information regarding the
infrastructure or the network of the organization that he is trying to
penetrate. In black-box penetration testing, the hacker tries to find the
information by his own means.
Grey
Box − It is a type of penetration testing where the ethical hacker has a
partial knowledge of the infrastructure, like its domain name server.
White
Box − In white-box penetration testing, the ethical hacker is provided with all
the necessary information about the infrastructure and the network of the
organization that he needs to penetrate.
External
Penetration Testing − This type of penetration testing mainly focuses on
network infrastructure or servers and their software operating under the
infrastructure. In this case, the ethical hacker tries the attack using
public networks through the Internet. The hacker attempts to hack the company
infrastructure by attacking their webpages, webservers, public DNS servers,
etc.
Internal
Penetration Testing − In this type of penetration testing, the ethical hacker
is inside the network of the company and conducts his tests from there.
Penetration
testing can also cause problems such as system malfunctioning, system
crashing, or data loss. Therefore, a company should take calculated risks
before going ahead with penetration testing. The risk is calculated as follows
and it is a management risk.
RISK
= Threat × Vulnerability
Example
You
have an online e-commerce website that is in production. You want to do a
penetration testing before making it live. Here, you have to weigh the pros and
cons first. If you go ahead with penetration testing, it might cause
interruption of service. On the contrary, if you do not wish to perform a
penetration testing, then you can run the risk of having an unpatched
vulnerability that will remain as a threat all the time.
Before
doing a penetration test, it is recommended that you put down the scope of the
project in writing. You should be clear about what is going to be tested. For
example −
Your
company has a VPN or any other remote access techniques and you want to test
that particular point.
Your
application has webservers with databases, so you might want to get it tested
for SQL injection attacks which is one of the most crucial tests on a
webserver. In , you can check if your webserver is immune to DoS attacks.
Quick Tips
Before
going ahead with a penetration test, you should keep the following points in
mind −
First
understand your requirements and evaluate all the risks.
Hire
a certified person to conduct penetration test because they are trained to
apply all the possible methods and techniques to uncover possible loopholes in
a network or web application.
Always
sign an agreement before doing a penetration test.
0 Comments