
What is Penetration Testing | Concept Of Vulnerability assessments

A penetration test is when ethical hackers do their magic. They can test many of the vulnerabilities identified during the vulnerability assessment to quantify the actual threat and risk posed by the vulnerability.

 

When ethical hackers are carrying out a penetration test, their ultimate goal is usually to break into a system and hop from system to system until they “own” the domain or environment. They own the domain or environment when they either have root privileges on the most critical Unix or Linux system or own the domain administrator account that can access and control all of the resources on the network.

Source: file photo

They do this to show the customer (company) what an actual attacker can do under the circumstances and current security posture of the network. Many times, while the ethical hacker is carrying out her procedures to gain total control of the network, she will pick up significant trophies along the way.

 

 

These trophies can include the CEO’s passwords, company trade-secret documentation, administrative passwords to all border routers, documents marked “confidential” held on the CFO’s and CIO’s laptops, or the combination to the company vault.

 

The reason these trophies are collected along the way is so the decision makers understand the ramifications of these vulnerabilities. A security professional can go on for hours to the CEO, CIO, or COO about services, open ports, misconfigurations, and hacker potential without making a point that this audience would understand or care about.

But as soon as you show the CFO his next year’s projections, or show the CIO all of the blueprints to the next year’s product line, or tell the CEO that his password is “IAmWearingJeans,” they will all want to learn more about the importance of a firewall and other countermeasures that should be put into place.

 

CAUTION: No security professional should ever try to embarrass a customer or make them feel inadequate for their lack of security. This is why the security professional has been invited into the environment. He is a guest and is there to help solve the problem, not point fingers. Also, in most cases, any sensitive data should not be read by the penetration team because of the possibilities of future lawsuits pertaining to the use of confidential information.

 

The goal of a vulnerability test is to provide a listing of all of the vulnerabilities within a network. The goal of a penetration test is to show the company how these vulnerabilities can be used against it by attackers. From here, the security professional (ethical hacker) provides advice on the necessary countermeasures that should be implemented to reduce the threats of these vulnerabilities individually and collectively.

In the next part, we will look at the ethical penetration testing process and see how it differs from that of unethical hacker activities.
