Every day new threats tend to occur where security experts are not expecting them. Naturally an intruder will not spend much time trying to force a well-locked door, but he will look for weak points and vulnerabilities in those information systems where security is not a priority. In combination with negligence and seemingly minor vulnerabilities may end up with serious consequences and in future lead to the system being compromised. The acknowledged way to reduce such risks is to employ penetration testing.
Here we going to list some simple penetration testing steps so you will be able better understand what it is and for what do you need it.
- Pre-attack phase: Planning
- Defining the intruder model (internal or external, with rights and privileges or no)
- Defining goals, data sources, scope of work and targets
- Determining the scope of a targeted environment
- Developing the testing methodology or choosing from available list
- Defining interaction and communication procedures and issues
- Penetration testing
- Attack phase: Testing
- Fieldwork, service identification
- Custom scanning or intrusion tools are developed if needed
- Vulnerabilities detection and scanning, checking for false positives
- Vulnerabilities exploit and gaining an unauthorized access
- Utilization of compromised systems as a springboard for further intrusion
- Reporting
- Result analysis and reporting with recommendations for reducing risks
- [Optional] Visual demonstration of the damage that can be inflicted to the system by an intruder