What is Penetration Testing?

1- Penetration testing is a type of security testing that evaluates an organization's ability to protect its infrastructure, such as networks, applications, systems, and users, from external as well as internal threats
2- It is an effective way of determining how well the organization's security policies, controls, and technologies are working
3- It involves an active evaluation of the security of the organization's infrastructure by simulating an attack in the way an attacker would carry it out
4- During a penetration test, security measures are actively analyzed for design weaknesses, technical flaws, and vulnerabilities
5- The results of the test are documented and delivered in a comprehensive report to executive management and technical audiences

Benefits of Conducting Penetration Testing

1- Proactively identifies threats and determines the probability of an attack on information assets
2- A comprehensive pen test provides assurance that the organization is operating within an acceptable limit of information security risks
3- Helps in determining the feasibility of a set of attack vectors and determines the potential business impact of a successful attack
4- Provides a comprehensive approach to the preparation steps that can be taken to prevent upcoming exploitation
5- Ensures effective implementation of security controls and a better Return On Investment (ROI) on IT security
6- Achieves compliance with regulations and industry standards (ISO/IEC 27001:2013, PCI-DSS, HIPAA, FISMA, etc.)
7- Focuses on high-severity vulnerabilities and emphasizes application-level security issues to development teams and management
8- Evaluates the efficiency of network security devices such as firewalls, routers, and web servers

Comparing Security Audit, Vulnerability Assessment, Penetration Testing

Security Audit
A security audit checks whether the organization is following a set of standard security policies and procedures

Vulnerability Assessment
A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication of whether the vulnerabilities can be exploited or of the amount of damage that may result from the successful exploitation of a vulnerability

Penetration Testing
Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers


Black-box Penetration Testing

1- Black-box testing assumes that the pen tester has no previous knowledge of the infrastructure to be tested
2- The tester knows only limited information about the target company
3- The penetration test must be carried out after extensive information gathering and research
4- This test simulates the process of real hacking and gathers publicly available information such as domain and IP address
5- A considerable amount of the time allocated for the project is spent on discovering the nature of the infrastructure and how it connects and interrelates
6- It is time-consuming and expensive

White-box Penetration Testing

1- You will be given complete knowledge of the infrastructure to be tested
2- This test simulates the actions of a company's employees
3- It helps in revealing bugs and vulnerabilities more quickly
4- It provides assurance of complete testing coverage, as the tester knows exactly what they have to test

Gray-box Penetration Testing

1- This test is a combination of black-box and white-box penetration testing
2- In a gray-box test, the tester usually has limited information
3- Performs security assessment and testing internally
4- Tests applications for all vulnerabilities that a hacker might find and exploit
5- Performed mostly when a penetration tester starts a black-box test on well-protected systems and finds that a little prior knowledge is required to conduct a thorough review