Page 18 - The IT Guidebook

VULNERABILITY ASSESSMENTS AND PENETRATION TESTS

There is some confusion between what a vulnerability assessment accomplishes versus a penetration test. While both are critical in reducing cybersecurity attacks, a vulnerability assessment consists of scanning your IT environment for anomalies. There are several software products that can be used to scan the environment, report on when changes have occurred, and highlight those events that warrant further investigation. Scans should be performed regularly to ensure the environment is secured.

When new equipment is deployed or changes in equipment occur, a vulnerability scan should be performed. It is a good practice to establish a baseline of key equipment to facilitate the review if there are any changes and to quickly identify any unauthorized changes. The scans can report on issues such as missing patches and outdated protocols. Some organizations do not have the staffing to adequately monitor the scan reports and should consider having their outsourced IT provider perform this or contracting with a cybersecurity company.

Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking and requires expertise. It describes the intentional launching of simulated cyberattacks by "white hat" penetration testers using strategies and tools designed to access or exploit computer systems, networks, websites, and applications. Although the main objective of pen testing is to identify exploitable issues so that effective security controls can be implemented, security professionals can also use penetration testing techniques, along with specialized testing tools, to test the robustness of an organization's security policies, its regulatory compliance, its employees' security awareness, and the organization's ability to identify and respond to security issues and incidents, such as unauthorized access, as they occur.

As a simulated cyberattack, ethical hacking techniques help security professionals evaluate the effectiveness of information security measures within their organizations. The pen test attempts to pierce the armor of an organization's cyber defenses, checking for exploitable vulnerabilities in networks, web apps, and user security. The objective is to find weaknesses in systems before attackers do. The results of the pen test can identify where you need more or better controls for monitoring, detecting, and responding.

There are different types of pen test strategies that can be implemented depending on what aspect of the technology environment is being assessed and the reason why the pen testing is being done.

WEB APPLICATION PEN TESTING:

Web application testing is essential to ensure your front-facing systems are protected. The test evaluates the security of a web application with Penetration Testing Execution Standards and should use the OWASP standard testing checklist. Web application testing will check for application technology weaknesses, technical flaws, or other vulnerabilities, and should also test for any account takeover privileges through host header attacks. Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed.

Variations of pen tests can include:

► blind testing, in which the tester tries to simulate an attack without knowing much about the organization, using only publicly available information (e.g., domain name, company website, etc.) to target the organization.
► double blind testing, where only a few people in the organization know that a test will be occurring and can then assess how effectively the organization's security monitoring, escalation procedures, and incident and response protocols are working.
► target testing, in which both the IT and testing teams work together to assess security vulnerabilities as well as incident and response protocols. This is also known as the "lights-turned-on" test.

EXTERNAL PEN TESTING:

An external pen test involves performing a dynamic analysis of the organization's network perimeter for any potential vulnerabilities, which may result from an inadequate or improper configuration, known and unknown software/hardware flaws, or operational weaknesses in processes and technical countermeasures. The analysis is carried out from the position of an adversary/hacker and involves active exploitation of vulnerabilities, where the testing team attempts to compromise external and internal assets. All technology vulnerabilities should be analyzed against known CVEs. Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed.

INTERNAL PEN TESTING:

Over seventy percent of attacks occur from inside the network. This number continues to grow with espionage, rogue employees, and social engineering at a high level. The goal of an internal pen test is to determine the potential impact a security breach can have on your organization and to validate how easily an attacker can maneuver or escalate within your environment to overcome your security infrastructure. This is performed from within the organization. Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed.
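
The baseline practice described in the vulnerability assessment paragraphs above can be automated by comparing each new scan against the stored baseline. The following is an added example, not part of the original guidebook; the hosts, ports, patch identifier, field names, and the list of outdated protocols are constructed assumptions rather than the output format of any particular scanner.

```python
# Added example: compare a current vulnerability scan against a stored baseline.
# All hosts, ports, protocol labels and the patch id are constructed sample data.

# Assumed list of protocols the organization treats as outdated.
OUTDATED_PROTOCOLS = {"telnet", "ftp", "sslv3", "tlsv1.0", "smbv1"}

BASELINE = {
    "10.0.0.5": {"ports": {22: "ssh", 443: "tlsv1.2"}, "missing_patches": []},
    "10.0.0.9": {"ports": {445: "smbv3"}, "missing_patches": []},
}

CURRENT = {
    "10.0.0.5": {"ports": {22: "ssh", 443: "tlsv1.0", 23: "telnet"},
                 "missing_patches": ["PATCH-A (placeholder id)"]},
    "10.0.0.9": {"ports": {445: "smbv3"}, "missing_patches": []},
    "10.0.0.77": {"ports": {3389: "rdp"}, "missing_patches": []},
}


def diff_scan(baseline, current):
    """Return a list of (host, finding) tuples that warrant investigation."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            findings.append((host, "new host not in baseline"))
        if host not in current:
            findings.append((host, "baseline host missing from scan"))
            continue
        old_ports = baseline.get(host, {}).get("ports", {})
        new_ports = current[host]["ports"]
        for port, proto in sorted(new_ports.items()):
            if port not in old_ports:
                findings.append((host, f"new open port {port}/{proto}"))
            elif old_ports[port] != proto:
                findings.append((host, f"port {port} changed {old_ports[port]} -> {proto}"))
            if proto in OUTDATED_PROTOCOLS:
                findings.append((host, f"outdated protocol {proto} on port {port}"))
        for port in sorted(set(old_ports) - set(new_ports)):
            findings.append((host, f"port {port} closed since baseline"))
        for patch in current[host]["missing_patches"]:
            findings.append((host, f"missing patch {patch}"))
    return findings


if __name__ == "__main__":
    for host, finding in diff_scan(BASELINE, CURRENT):
        print(f"{host}: {finding}")
```

An unchanged host produces no findings, so the report contains only the deviations that someone has to review.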






