Cyber Security Tutorial


Process of Penetration Testing

Companies and organizations use penetration testing, performed manually or automatically, to identify vulnerabilities in their systems. All companies need to protect their assets and themselves from cyber-criminal attacks by continually updating their security measures.

At the same time, it is difficult to know which method is being used in an attack and how. Organizations hire skilled ethical hackers to help identify, update, and replace the defective or attacked parts of their systems. Ethical hackers use penetration testing to detect weaknesses in the system because it differs from other cyber security evaluation methods.

Penetration testing can be adapted to any organization or industry, depending on its infrastructure and operations, but it follows a defined process that produces a set of results to help the organization. Let's discuss the process of penetration testing step by step.

Stages of penetration testing

The penetration testing process starts long before a simulated attack. An ethical hacker is allowed to study the system to explore its strengths and weaknesses and to identify the right tools and strategies to break into the system. Penetration testing is based on a structured procedure and is performed step by step as follows:

  • Planning and Reconnaissance

This is the first step in the testing process, where planning and preparation are carried out according to the organization's needs. This step can be short or lengthy, depending on the requirements. Here, clients and testers align on the test's scope, goal, and execution. They must know details about the test such as:

  1. What kind of test are they running?
  2. Who has to be aware that the test is running?
  3. How much information and what access permissions should the tester start with?
  4. Other important details that ensure the test is a success
  5. Information ranging from the email addresses and names of the company's employees to a network topology with IP addresses, among others
  6. For the planning and searching process, these methodologies are used:
    • Dumpster diving
    • Social engineering
    • Network scanning
    • Domain registration information retrieval
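The scope agreed in this planning step can be enforced in tooling before any scanning starts. The following is an added example, not part of the original tutorial: the `Engagement` record, its field names, the address ranges and the test window are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Engagement:
    """Rules of engagement agreed by client and tester (hypothetical structure)."""
    test_type: str        # what kind of test is being run
    notified: list        # who is aware that the test is running
    in_scope: list        # CIDR ranges the client authorized
    excluded: list = field(default_factory=list)  # hosts carved out of scope
    window_start: datetime = None
    window_end: datetime = None

def check_target(eng, target, when):
    """Return (allowed, reason) for one target address at one point in time."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, "not an IP address; resolve and re-check before testing"
    if not (eng.window_start <= when < eng.window_end):
        return False, "outside the agreed test window"
    if any(addr in ipaddress.ip_network(n) for n in eng.excluded):
        return False, "explicitly excluded by the client"
    if any(addr in ipaddress.ip_network(n) for n in eng.in_scope):
        return True, "in scope"
    return False, "not in any authorized range"

def filter_targets(eng, targets, when):
    """Split candidates into allowed targets and rejected ones with reasons."""
    allowed, rejected = [], {}
    for t in targets:
        ok, reason = check_target(eng, t, when)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = reason
    return allowed, rejected

# Constructed sample engagement; every value below is a placeholder.
ENGAGEMENT = Engagement(
    test_type="external, grey-box",
    notified=["CISO", "SOC shift lead"],
    in_scope=["10.20.0.0/16", "192.0.2.0/24"],
    excluded=["10.20.5.10/32"],
    window_start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 5, 4, 0, tzinfo=timezone.utc),
)
```

Exclusions are checked before the authorized ranges, so a carved-out host stays off limits even when it sits inside an in-scope network.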
  • Discovery/ Scanning

After the planning phase, the discovery and scanning phase is designed to identify the threats and how the target system responds to intrusion attempts.

The tester uses automated testing tools to scan for initial vulnerabilities. This phase is necessary to obtain accurate information about the system, which includes usernames, passwords, and all the data in the system. This process is called fingerprinting. It probes and scans the ports where vulnerabilities exist. Three types of discovery are carried out here:

Host discovery: discovers the open ports on the devices

Service interrogation: discovers all the services running on the ports by interrogating them

Network discovery: includes the discovery of servers, additional systems, and other devices

  • Gaining system access
    After learning about all the system vulnerabilities, pen testers mimic an actual attack in a simulated and controlled environment. This phase analyses how far a tester can get into an IT environment without detection.
    After taking control of a device, the tester performs a web application attack or a physical attack, such as a cross-site scripting or SQL injection attack. The pen tester infiltrates the system or infrastructure by exploiting security weaknesses, demonstrating how deep into the environment an attacker can get.
  • Persistent access
    In this step, once the penetration tester has access to a device, they hold that access and maintain their presence for as long as possible, simulating an attack long enough to accomplish and replicate a malicious hacker's goals. This phase is designed to obtain the maximum level of privileges, access to as many systems as possible, and network information, by identifying which data and services are available.
  • Analysis and reporting
    This is the last stage of penetration testing, where the testing team prepares a detailed report describing the entire penetration testing process. The pen tester documents each step in detail: how the pen tester infiltrated systems and processes, the clean-up after the stress test, details of all the vulnerabilities, and suggestions for fixing them.

    Reporting is important for both parties because it is the basis for the work of both IT staff and non-technical managers; therefore, it is suggested to prepare separate reports. One part gives a general explanation (executive report) and the other covers the more technical aspects (technical report).
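As an added example (not from the original tutorial), the two reports described above can be produced from one set of finding records, so the executive view and the technical view never disagree. The record fields, severity labels and sample findings are constructed for illustration.

```python
from collections import Counter

SEVERITIES = ["critical", "high", "medium", "low"]  # most to least severe
REQUIRED = ("id", "title", "severity", "asset", "steps", "cleanup", "fix")

# Constructed sample findings; hosts and details are placeholders.
FINDINGS = [
    {"id": "F-02", "title": "Cross-site scripting in search box", "severity": "medium",
     "asset": "shop.example.test", "steps": "Reflected input rendered unescaped",
     "cleanup": "None required", "fix": "Encode output in the search template"},
    {"id": "F-01", "title": "SQL injection in login form", "severity": "critical",
     "asset": "shop.example.test", "steps": "Login query built by string concatenation",
     "cleanup": "Removed test account pt-user", "fix": "Use parameterized queries"},
]

def validate(findings):
    """Reject records that would leave a hole in either report; return them by priority."""
    for f in findings:
        missing = [k for k in REQUIRED if not f.get(k)]
        if missing:
            raise ValueError(f"{f.get('id', '?')}: missing {', '.join(missing)}")
        if f["severity"] not in SEVERITIES:
            raise ValueError(f"{f['id']}: unknown severity {f['severity']!r}")
    return sorted(findings, key=lambda f: (SEVERITIES.index(f["severity"]), f["id"]))

def executive_report(findings):
    """Counts and priorities only, for non-technical managers."""
    ordered = validate(findings)
    if not ordered:
        return "Findings: 0"
    counts = Counter(f["severity"] for f in ordered)
    lines = [f"Findings: {len(ordered)}"]
    lines += [f"{s}: {counts[s]}" for s in SEVERITIES if counts[s]]
    lines.append(f"Fix first: {ordered[0]['title']} ({ordered[0]['asset']})")
    return "\n".join(lines)

def technical_report(findings):
    """Per-finding detail for IT staff: steps taken, clean-up done, suggested fix."""
    out = []
    for f in validate(findings):
        out.append(f"[{f['id']}] {f['title']} | {f['severity']} | {f['asset']}\n"
                   f"  Steps: {f['steps']}\n  Cleanup: {f['cleanup']}\n  Fix: {f['fix']}")
    return "\n\n".join(out)
```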