Subscribe by Email

Sunday, April 29, 2012

What is meant by penetration testing?

The term “penetration testing” is not so rare and perhaps many of us familiar with this type of testing. In this piece of writing we have discussed the penetration testing in more detail. 

About Penetration Testing

- Penetration testing is another testing methodology adopted for testing the security of a computer network or system against the malicious attacks. 
- Penetration testing evaluates the security level of the computer network by bombarding the network with false simulated attacks as malicious attacks from outside as well as inside attackers.
- The outside attackers do not hold any authorized access to the computer system or network but the inside attackers do have than access but only to a certain level. 
- The whole process of the penetration is based on an active analysis.
- This active analysis assesses all the potential vulnerabilities of the computer network or system that are merely a result of its poor security level as well as configuration level.
- Apart from this, the known and unknown flaws form both the hardware as well as software system contribute to these vulnerabilities rather than only operational weaknesses. 
- This active analysis is carried out from the view point of a malicious attacker and is all about the active exploitation of the recognized vulnerabilities. 

Steps in Penetration Testing

- First step in the penetration testing is always the identification of the vulnerabilities. 
- The identified issues and vulnerabilities are then brought to the notice of the whole development team.
- A number of penetration tests are then carried out on that particular system along with the coupling of the information with the active assessment of the risks associated with the computer system or network. 
- A whole lot of effective procedures are designed to reduce the affect of these vulnerabilities. 

Advantages of Penetration Testing

There are several other reasons why the penetration testing holds good:
  1. It is effective for the determination of the feasibility of the similar vectors of attack.
  2. Helps in the identification of the vulnerabilities which possess a very high risk when the exploitation of a combination of low level risks is done following a particular sequence.
  3. Proves quite effective in the determination of the vulnerabilities that cannot be detected with the help of application vulnerability scanning software or automated testing processes.
  4. Assists in the assessment of the measure of the operational and business impacts of the attacks on the computer network or system.
  5. Successfully tests the effectiveness of the network defenders in detecting and responding to the attacks.
  6. Provides the evidences in support of the investments that need to be made in the security field of the computer system or network.
Penetration testing has been recognized as an important component of the security audits. The penetration testing can be carried either way round i.e., either through the black box testing route or through the white box testing route. 

The path to be taken is decided by the amount of knowledge that the tester has about the system or network under testing. If the tester has got a brief knowledge then the black box testing route is followed else the white box testing techniques are preferred. 

Another thing to be determined before starting the testing is the location of the system that has to be tested and also its extent. 

Penetration testing if carried through white box testing

For following the white box approach to penetration testing, the testers needs:
- to have the full knowledge of the system infrastructure,
- to have the full knowledge of the source code, 
- to have the full knowledge of the IP address and
- to have the full knowledge of the network diagrams etc. 

In some cases the grey box approach to penetration testing can also be followed based on how much information is available. Black box approach is useful for simulating an outsider attack whereas the white box approach can simulate and insider attack.  

No comments:

Facebook activity