
1. Define Penetration Testing and describe its objectives. 2. What are the steps


Question

1. Define Penetration Testing and describe its objectives.

2. What are the steps included in the penetration testing process?

Penetration testing is classified by the knowledge that the attacker and system personnel have prior to the attack.

3. What are the classifications of penetration testing? Describe the classification of Penetration Testing. (Hint: There are five classifications of Penetration testing.)

4. Describe the following types of Penetration Testing. Give examples.

   [a] Physical Penetration Testing

   [b] Operations Penetration Testing

   [c] Electronic Penetration testing.

5. Before starting a penetration test (also called a pen test), it is important to define the Rules of Engagement (ROE), or the scope of work, of the test. The ROE defines the parameters and limits of the test; however, it usually does not include a complete list of all vulnerabilities.

(a) List those important actions to take before a penetration test that should be included in the rules of engagement.

Explanation / Answer

1) Answer:

Penetration Testing:

Penetration testing (pen-testing or pentesting) is a method of testing, measuring and enhancing established security measures on information systems and support areas.

Pen-testing is also known as a security assessment.

Pen-testing may be conducted to complement background investigations and ensure social engineering and networking safety.

Pen-testing is implemented by simulating malicious attacks from an organization's internal and external users. The entire system is then analyzed for potential vulnerabilities. A plan that communicates test objectives, timetables and resources is developed prior to actual pen-testing.

Pen-testing is an invaluable process for a number of reasons, including the following:

Pen-testing tools include:

The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization's security policy compliance, its employees' security awareness and the organization's ability to identify and respond to security incidents.

2) Answer:

Steps or phases of Pen test:

The first stage involves:

The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:

This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target's vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.

The results of the penetration test are then compiled into a report detailing:

This information is analyzed by security personnel to help configure an enterprise's WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.

The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats, which often remain in a system for months in order to steal an organization’s most sensitive data.

4) Answer:

a) Physical Penetration Testing:

The primary objective for a physical penetration test is to measure the strength of existing physical security controls and uncover their weaknesses before bad actors are able to discover and exploit them. Physical penetration testing, or physical intrusion testing, will reveal real-world opportunities for malicious insiders or bad actors to be able to compromise physical barriers (i.e., locks, sensors, cameras, mantraps) in such a way that allows for unauthorized physical access to sensitive areas leading up to data breaches and system/network compromise.

This type of test is an attack simulation carried out by our highly trained security consultants in an effort to:

b) Operations penetration testing:

Another type of testing examines the operational aspects of an organization. Whereas physical testing investigates physical access to company computers, networks, or facilities, operational testing attempts to determine the effectiveness of the operational procedures of an organization by attempting to bypass those procedures. For example, if the company’s help desk requires each user to give personal or secret information before help can be rendered, can the tester bypass those controls by telling a particularly believable “sob story” to the technician answering the call? If the policy of the company is to “scramble” or demagnetize disks before disposal, are these procedures followed? If not, what sensitive information will the tester find on disposed disks and computers? If a company has strict policies concerning the authority and process required to initiate ID or password changes to a system, can someone simply claiming to have the proper authority (without any actual proof of that authority) cause an ID to be created, removed, or changed? All these are attacks against the operational processes a company may have, and all of these techniques have been used successfully in the past to gain entry into computers or gain access to sensitive information.

c) Electronic Penetration testing:

The final type of penetration test is the electronic test. Electronic testing consists of attacks on the computer systems, networks, or communications facilities of an organization. This can be accomplished either manually or through the use of automated tools. The goal of electronic testing is to determine if the subject’s internal systems are vulnerable to an attack through the data network or communications facilities used by the subject. Depending on the scope and parameters of a particular test, a tester may use one, two, or all three types of tests. If the goal of the test is to gain access to a particular computer system, the tester may attempt a physical penetration to gain access to the computer’s console or try an electronic test to attack the machine over the network. If the goal of the test is to see if unauthorized personnel can obtain valuable research data, the tester may use operational testing to see if the information is tracked or logged when accessed or copied and determine who reviews those access logs. The tester may then switch to electronic penetration to gain access to the computers where the information is stored.