A penetration test, colloquially known as a pen test, is an authorized simulated attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (or vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.
A Penetration Test Target
The process identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (which provides background and system information) or black box (which provides only basic or no information except the company name). A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor). A penetration test can help determine whether a system is vulnerable to attack if the defenses were sufficient, and which defenses the test defeated.Security issues that the penetration test uncovers should be reported to the system owner. Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce risk.
Flaw Hypothesis Methodology
Flaw hypothesis methodology is a systems analysis and penetration prediction technique where a list of hypothesized flaws in a software system are compiled through analysis of the specifications and documentation for the system. The list of hypothesized flaws is then prioritized on the basis of the estimated probability that a flaw actually exists, and on the ease of exploiting it to the extent of control or compromise. The prioritized list is used to direct the actual testing of the system.“A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” – describes The National Cyber Security Center.
The goals of a penetration test vary depending on the type of approved activity for any given engagement with the primary goal focused on finding vulnerabilities that could be exploited by a nefarious actor and informing the client of those vulnerabilities along with recommended mitigation strategies. Penetration tests are a part of a full security audit. For instance, Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes.
Below there are some key terms related to penetration testing:
1. Penetration Testing (Pen Test): The practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit.
2. Vulnerability Assessment: The process of identifying, classifying, and prioritizing vulnerabilities in a system.
3. Exploit: A piece of software or code that takes advantage of a vulnerability to compromise a system.
4. Payload: The part of an exploit that performs a specific action, such as delivering malware or gaining unauthorized access.
5. White Box Testing: Penetration testing where the tester has full knowledge of the system, including source code and infrastructure.
6. Black Box Testing: Penetration testing where the tester has no prior knowledge of the system being tested.
7. Social Engineering: Techniques used to manipulate individuals into divulging confidential information or performing actions that compromise security.
8. Phishing: A type of social engineering attack where attackers trick individuals into providing sensitive information by posing as a trustworthy entity.
9. Zero-Day Vulnerability: A software vulnerability that is unknown to the vendor or has not yet been patched.
10. Firewall: A network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
11. Intrusion Detection System (IDS): A security tool that monitors network or system activities for malicious activities or security policy violations.
12. Man-in-the-Middle (MitM) Attack: An attack where an attacker intercepts and potentially alters communication between two parties without their knowledge.
13. Cryptography: The practice of securing communication and data through the use of codes and ciphers.
14. Patch Management: The process of managing updates, or patches, for software applications and systems to address security vulnerabilities.
15. Footprinting: The process of gathering information about a target system before launching an attack.
These are just a few terms, and the field of penetration testing is extensive. If you have specific questions or need more explanations, feel free to contact NYDS at 212-234-3444.