Penetration Testing

Miroslav Biňas (c) 2017

Introduction

● is an authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data
● also known as pen test

www.cde.sk

Types of Penetration Testing to Know

● internal testing
● external testing
● double-blind testing

Internal Testing

● goal - to simulate what would happen if a company's own employee attempted to carry out an attack from within
● many breaches are caused by someone inside the company
● helps to identify weaknesses in second or third lines of defense (an insider attack bypasses perimeter safeguards altogether)

External Testing

● probing application security as an external threat
● finding vulnerabilities in everything from firewall protection to domain name servers
● the most widely used form of penetration testing

Double-Blind Testing

● goal - to catch dev teams and IT staff by surprise
● in other types of penetration testing, everyone is aware that the app's security is going to be probed; in this type, only the bare minimum of people know
● QA teams can determine how the organization and software will actually react in the event of a breach attempt

Automated Security Tools

● automated tools do not fix security vulnerabilities
  ○ they are effective in finding them
  ○ they provide suggestions for fixing them
● many (non)free tools are available
● security distributions - fully loaded with pen test tools
  ○ Parrot Security OS
  ○ BackBox
  ○ BlackArch

Examples of Automated Security Tools

● Nmap - port scanner
● Metasploit - vulnerability exploitation framework
● John the Ripper, Aircrack-ng - password crackers
● Kismet - packet sniffer
● sqlmap - tool for detecting and exploiting SQL injection flaws

Questions?
