Penetration Testing
Why Penetration Testing
The reason to penetration test is the same as the reason a business has a security policy: to leverage due diligence and due care data protection for the preservation of the company's capital investment.
How
- By Stimulating Attacks
All parts of the way that your organisation captures, stores and processes information can be assessed; the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it.
- Off-the-shelf products (operating systems, applications, databases, networking equipment / VPN etc.)
- Bespoke development (dynamic web sites, in-house applications etc.)
- Telephony (war-dialling, remote access, VOIP, PABX, VMB etc.)
- Wireless (WIFI, Bluetooth, IR, GSM, RFID etc.)
- Personnel (screening process, surveillance, social engineering etc.)
- Physical (access controls, dumpster diving etc.)
- Under approved methodologies and standards
There are a number of applicable industry standard methodology and guidelines used while performing Information Security risk assessment depending on the nature of the projects. Notable organisations and standards used by RA are:
- The Open Source Security Testing Methodology Manual (OSSTMM)
- The Open Web Application Security Project (OWASP)
- The Payment Card Industry (PCI) Data Security Requirements
- The Web Application Security Consortium (WASC)
- To determine feasibility of a successful exploit
Password cracking - Trojan Horses – Backdoors - Buffer Overflows - SQL Injection Attack - Cross Site Scripting (XSS) - Reverse Engineering – Sniffers - Denial of Service - Social Engineering - Session Hijacking - Hacking Web Servers - Hacking Wireless Networks - Virus and Worms - Physical Security - Evading IDS, Firewalls, and Honeypots