- BackTrack 4: Assuring Security by Penetration Testing
- Shakeel Ali Tedi Heriyanto
- 350字
- 2021-04-09 21:21:00
Summary
In this chapter, we have discussed a detailed penetration testing methodology with its various views from the development lifecycle and risk management process. We have also described the basic terminology of penetration testing, its associated types, and the industry contradiction with other similar terms. The summary of these key points has been highlighted below:
- There are two types of penetration testings, namely, black-box and white-box. Black-box approach is also known as "external testing" where the auditor has no prior knowledge of the target system. White-box approach refers to an "internal testing" where the auditor is fully aware of target environment. The combination of both types is known as gray-box.
- The basic difference between vulnerability assessment and penetration testing is that the vulnerability assessments identify the flaws that exist on the system without measuring their impact, while the penetration testing takes a step forward and exploits these vulnerabilities in order to evaluate their consequences.
- There are a number of security testing methodologies, but a very few provide stepwise and consistent instructions on measuring the security of a system or application. We have discussed four such well-known open source security assessment methodologies highlighting their technical capabilities, key features and benefits. These include Open Source Security Testing Methodology Manual (OSSTMM), Information Systems Security Assessment Framework (ISSAF), Open Web Application Security Project (OWASP), and Web Application Security Consortium Threat Classification (WASC-TC).
- We have also presented a structured BackTrack testing methodology with a defined process for penetration testing. This process involves a number of steps which have been organized according to the industry approach towards security testing. These include Target Scoping, Information Gathering, Target Discovery, Enumerating Target, Vulnerability Mapping, Social Engineering, Target Exploitation, Privilege Escalation, Maintaining Access, and Documentation and Reporting.
- Finally, we have discussed the ethical view of penetration testing that should be justified and followed throughout the assessment process. Putting ethics on every single step of assessment engagement leads to a successful settlement between auditor and business entity.
The next chapter will guide you through the strategic engagement of acquiring and managing information taken from the client for the penetration testing assignment.
推薦閱讀
- 做好PPT就靠這幾招:圖解力+吸引力+說服力
- UG NX 9.0中文版 基礎教程 (UG工程師成才之路)
- UG NX 9.0中文版基礎與實例教程
- AutoCAD 2020從入門到精通
- 皮膚鏡圖像分析與識別
- 邊做邊學:平面廣告設計與制作(Photoshop 2020+Illustrator 2020·第3版·微課版)
- Premiere Pro CC 2018基礎教程(第3版)
- Designing and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7/filter
- JBoss Tools 3 Developers Guide
- 好學、好用、好玩的Photoshop 寫給初學者的入門書(第4版)
- 短視頻剪輯基礎與實戰應用(剪映電腦版)
- 中文版Flash CS6動畫制作(慕課版)
- TopSolid Wood軟件設計技術與應用
- Transformer自然語言處理實戰:使用Hugging Face Transformers庫構建NLP應用
- AI設計時代:Midjourney實戰應用手冊