Penetration Testing: It is becoming more common for companies to hire penetration testers to test their system’s defense. Essentially, a penetration tester will use the same techniques a hacker would use to find any flaws in your system’s security.
NOTE: Hacking and penetration testing are areas that seem quite exciting to many people. Unfortunately, this has led to a number of unqualified (or at least underqualified) people calling themselves penetration testers.
It is imperative when hiring a penetration tester that you ensure the person in question has the requisite skill set.
Check their reference and verify their training and skills. It is also important to do a thorough background check on the person in question, as you are giving this person permission to try hacking techniques on your network. You will want to be certain that they conduct themselves in an ethical manner.
What Should You Test?
One of the first steps in penetration testing is deciding what needs to be tested. This is a question of verifying what actual threats exist to your network. For example, if you are the network administrator of a public school, it is unlikely that highly skilled cyber terrorists are trying to infiltrate your network.
The most likely threat to your network is low-to-moderately skilled student. The most likely threats are what should determine the exact nature of a penetration test.
Essentially, all tests will have a few similar steps, regardless of the threat. Those steps include some attempt to bypass security controls. The penetration tester will attempt to bypass whatever security controls have been implemented on your network. This is the best way to actively test security controls.
The three types of testing are described here:
Black Box: The tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker.
White Box: The tester has significant knowledge of your system. This simulates an attack from an insider—a rogue employee.
Gray Box: This is a middle ground between the first two types of testing. In gray box testing, the tester has some limited knowledge of the target system.
In addition to classifying a penetration test based on the amount of information given to the tester, it is also possible to classify the test as intrusive versus nonintrusive.
Nonintrusive tests involve passively testing security controls—performing vulnerability scans, probing for weaknesses, but not exploiting them.
Intrusive Test involves actually trying to break into the network. In the strictest sense, passive tests are really just vulnerability scan and penetration tests, while active tests provide more meaningful results.
With active tests, it is possible that they may disrupt business operations in the same way as a real attack.
SYBEX | EMMET DULANEY AND CHUCK EASTTOM