Download to read offline
Uploaded byQA InfoTech
Security and Penetration Testing Overview
The document outlines an agenda for a security and penetration testing discussion, introducing key concepts including information security, vulnerability scanning, and penetration testing methodologies. It emphasizes the importance of ethical hacking, the need for security tests, and details the phases of penetration testing, such as reconnaissance and gaining access. The final deliverables of a penetration test include a comprehensive report detailing findings, analyses, and recommended remediation measures.
More Related Content
Similar to Security and Penetration Testing Overview
Security and Penetration Testing Overview
- 1.
- 2. Agenda What are wegoing to talk about … ● Introduction to Information security and Security Testing ● Introduction to Vulnerability Scanning, Penetration Testing, and Ethical Hacking ● Overview of Penetration Testing Methodologies ● Penetration Testing Steps ● Overview of the Pen-Test Legal Framework ● Pen-Test Deliverables Copyright © by QAInfoTech. All rights reserved.
- 3. What is informationsecurity Information security is the process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The goal is to protect the confidentiality, integrity and availability of information. Confidentiality - Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems Integrity - In information security, integrity means that data cannot be modified without authorization. Availability - For any information system to serve its purpose, the information must be available when it is needed Copyright © by QAInfoTech. All rights reserved.
- 4. Information security categories ●Computer Security ● Network Security ● Web Application Security ● Code Review ● Threat Modeling ● Forensics ● Security Practice Copyright © by QAInfoTech. All rights reserved.
- 5. Security Testing Copyright ©by QAInfoTech. All rights reserved.
- 6. Vulnerability Scanning ❏ Vulnerabilityscanning can help you to secure your own network or it can be used by the bad guys to identify weaknesses in your system to mount an attack against. The idea is for you to use VS tools to identify and fix these weaknesses before the bad guys use them against you. ❏ The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities. ❏ Different scanners accomplish this goal through different means. Some may look for signs such as registry entries in Microsoft Windows operating systems while others may actually exploit the vulnerability of Network devices. Copyright © by QAInfoTech. All rights reserved.
- 7. Penetration Testing ❏ Itsimulates methods that intruders use to gain unauthorized access into organization’s network and systems to compromise them ❏ The purpose is to test the security implementations and security policy of an organization ❏ A penetration tester’s intent to gain unauthorized access to an organization’s network is very different from a hacker. ❏ Penetration tester lacks malice and uses their skills to improve an organization’s network security Copyright © by QAInfoTech. All rights reserved.
- 8. Ethical Hacking ❏ Anethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. ❏ This work is ethical because it is performed to increase the safety of the computer systems, but only at the request of the company that owns the system and specifically to prevent others from attacking it. ❏ Ethical hacking is also known as penetration testing, intrusion testing and red teaming. Copyright © by QAInfoTech. All rights reserved.
- 9. Need of Securityand Penetration Testing? ❏ Direct impact of security breach on corporate asset base and goodwill. ❏ Increasing complexity of computer infrastructure administration and management. ❏ Evolution of technology focused on ease of use. ❏ Increased network environment and network based applications. ❏ Decreasing skills level for creating exploits. Copyright © by QAInfoTech. All rights reserved.
- 10. Essential Terminologies ❏ Threat ❏Vulnerability ❏ Target of evaluation ❏ Attack ❏ Exploit Copyright © by QAInfoTech. All rights reserved.
- 11. Essential Terminologies Cont.….. Copyright© by QAInfoTech. All rights reserved.
- 12. Phases of PenetrationTesting Copyright © by QAInfoTech. All rights reserved.
- 13. Phase I Reconnaissance Reconnaissancerepresents preparatory phase where a penetration tester gather as much information as possible about a target of evaluation prior to launching an attack Copyright © by QAInfoTech. All rights reserved.
- 14. Phase II Scanning Copyright© by QAInfoTech. All rights reserved.
- 15. Phase III GainingAccess ❏ Gaining access refers to the penetration phase. The Pen Tester exploits the vulnerability in the system. ❏ Examples include buffer overflows, denial of service, session hijacking, and password cracking. ❏ Influencing factors include architecture and configuration of the target system, the skill level of the perpetrator, and the initial level of access obtained. ❏ Business Risk: Highest — The hacker can gain access at the operating system level, application level, or network Copyright © by QAInfoTech. All rights reserved.
- 16. Phase IV MaintainingAccess ❏ It is the phase when the Pen Tester tries to retain his ownership of the system. But ❏ Hackers may harden the system from other hackers as Well (to own the system) by securing their exclusive access with Backdoors, RootKits, or Trojans ❏ Hackers can upload, download, or manipulate data, applications, and configurations on the owned system. Copyright © by QAInfoTech. All rights reserved.
- 17. Phase V ClearingTracks ❏ Refer to the activities that the hacker does to hide his misdeeds ❏ Reasons include the need for prolonged stay, continued use of resources, removing evidence of hacking. ❏ Examples include Steganography, tunnelling, and altering log files. ❏ A Pen Tester should watch out such kind of activities on the system. Copyright © by QAInfoTech. All rights reserved.
- 18. Always Remember ❏ Ifa hacker Wants to get inside your system, he/she will and there is nothing you can do about it. ❏ The only thing you can do is make it harder for him to get in. Copyright © by QAInfoTech. All rights reserved.
- 19. What does PenetrationTester Do? Penetration Tester tries to answer the following questions: ❏ What can the intruder see on the target system? (Reconnaissance and Scanning phases) ❏ What can an intruder do with that information? (Gaining Access and Maintaining Access phases) ❏ Does anyone at the target notice the intruders’ attempts or successes? (Reconnaissance and Clearing Tracks phases) Copyright © by QAInfoTech. All rights reserved.
- 20. Overview of thePen-Test Deliverables The main deliverable is the Pen Testing Report ❏ List of your findings, in order of highest risk ❏ Analysis of your findings ❏ Conclusion or explanation of your findings ❏ Remediation measures for your findings ❏ Log files from tools that provide supporting evidence of your findings ❏ Executive summary of the organization’s security posture ❏ Name of the tester and the date testing occurred ❏ Any positive findings or good security implementations Copyright © by QAInfoTech. All rights reserved.
- 21.