Page 19 - The IT Guidebook

VULNERABILITY ASSESSMENTS AND PENETRATION TESTS

There is some confusion between what a vulnerability assessment accomplishes versus a penetration test. While both are critical in reducing cybersecurity attacks, a vulnerability assessment encompasses scanning your IT environment for anomalies. There are several software products that can be used to scan the environment, report on when changes have occurred, and highlight those events that warrant further investigation. Scans should be performed regularly to ensure the environment is secured.

When new equipment is deployed or changes in equipment occur, a vulnerability scan should be performed. It is a good practice to establish a baseline of key equipment to facilitate the review if there are any changes and to quickly identify any unauthorized changes. The scans can report on issues such as missing patches and outdated protocols. Some organizations do not have the staffing to adequately monitor the scan reports and should consider having their outsourced IT provider perform this or contract with a cybersecurity company.

Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking and requires expertise. It describes the intentional launching of simulated cyberattacks by “white hat” penetration testers using strategies and tools designed to access or exploit computer systems, networks, websites, and applications. Although the main objective of pen testing is to identify exploitable issues so that effective security controls can be implemented, security professionals can also use penetration testing techniques, along with specialized testing tools, to test the robustness of an organization’s security policies, its regulatory compliance, its employees’ security awareness, and the organization’s ability to identify and respond to security issues and incidents, such as unauthorized access, as they occur.

As a simulated cyberattack, ethical hacking techniques help security professionals evaluate the effectiveness of information security measures within their organizations. The pen test attempts to pierce the armor of an organization’s cyber defenses, checking for exploitable vulnerabilities in networks, web apps, and user security. The objective is to find weaknesses in systems before attackers do. The results of the pen test can identify where you need more or better controls for monitoring, detecting and responding.

There are different types of pen test strategies that can be implemented depending on what aspect of the technology environment is being assessed and the reason why the pen testing is being done.

WEB APPLICATION PEN TESTING:

Web application testing is essential to ensure your front-facing systems are protected. The test evaluates the security of a web application with Penetration Testing Execution Standards and should use the OWASP standard testing checklist. Web application testing will check for application technology weaknesses, technical flaws, or other vulnerabilities, and should also test for any account takeover privileges through host header attacks.

Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed. Variations of pen tests can include:

► blind testing, in which the tester tries to simulate an attack without knowing much about the organization and only using publicly available information (i.e., domain name, company website, etc.) to target the organization.
► double blind testing, where only a few people in the organization know that a test will be occurring and can then assess how effectively the organization’s security monitoring, escalation procedures, and incident and response protocols are working.
► target testing, in which the IT and testing teams work together to assess security vulnerabilities as well as incident and response protocols. This is also known as the “lights-turned-on” test.

EXTERNAL PEN TESTING:

An external pen test involves performing a dynamic analysis of the organization’s network perimeter for any potential vulnerabilities, which may result from an inadequate or improper configuration, known and unknown software/hardware flaws, or operational weaknesses in processes and technical countermeasures. The analysis is carried out from the position of an adversary/hacker and involves active exploitation of vulnerabilities where the testing team attempts to compromise external and internal assets. All technology vulnerabilities should be analyzed against known CVEs. Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed.

INTERNAL PEN TESTING:

Over seventy percent of attacks occur from inside the network. This number continues to grow with espionage, rogue employees, and social engineering at a high. The goal of an internal pen test is to determine the potential impact a security breach can have on your organization and to validate how easily an attacker can maneuver or escalate within your environment to overcome your security infrastructure. This is performed from within the organization. Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed.
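The baseline review recommended in the vulnerability-assessment paragraphs above can be automated by diffing each new scan against the approved baseline. The following is an added example, not part of the original guidebook; the device names, patch IDs, data layout, and outdated-protocol list are constructed assumptions.

```python
"""Added example: compare a current scan against an approved baseline."""
import json

# Constructed sample data (hypothetical hosts, services and patch IDs).
BASELINE = json.loads("""{
  "fw-01":  {"services": {"443": "TLSv1.2"}, "patches": ["P-100", "P-101"]},
  "srv-01": {"services": {"22": "SSHv2", "443": "TLSv1.2"}, "patches": ["P-100"]}
}""")
CURRENT = json.loads("""{
  "fw-01":  {"services": {"443": "TLSv1.2", "23": "telnet"}, "patches": ["P-100"]},
  "srv-01": {"services": {"22": "SSHv2", "443": "TLSv1.0"}, "patches": ["P-100"]},
  "cam-07": {"services": {"80": "http"}, "patches": []}
}""")
# Assumed policy list; replace with the organization's own standard.
OUTDATED = {"telnet", "ftp", "SSLv3", "TLSv1.0", "TLSv1.1", "SSHv1"}

def diff_scan(baseline, current, outdated=OUTDATED):
    """Return (host, finding) tuples for every deviation from the baseline."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            findings.append((host, "new device not in baseline"))
        if host not in current:
            findings.append((host, "baselined device missing from scan"))
            continue
        base = baseline.get(host, {"services": {}, "patches": []})
        cur = current[host]
        for port, proto in sorted(cur["services"].items()):
            old = base["services"].get(port)
            if old is None:
                findings.append((host, f"port {port} opened ({proto})"))
            elif old != proto:
                findings.append((host, f"port {port} changed {old} -> {proto}"))
            if proto in outdated:
                findings.append((host, f"outdated protocol {proto} on port {port}"))
        for port in sorted(set(base["services"]) - set(cur["services"])):
            findings.append((host, f"port {port} closed since baseline"))
        # A patch recorded in the baseline but absent now counts as missing.
        for patch in sorted(set(base["patches"]) - set(cur["patches"])):
            findings.append((host, f"missing patch {patch}"))
    return findings

if __name__ == "__main__":
    for host, finding in diff_scan(BASELINE, CURRENT):
        print(f"{host}: {finding}")
```

Each finding is a lead for review, not a verdict: an approved change should result in an updated baseline, while an unexplained one warrants investigation.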






