Doing so allows your penetration test to be more effective! _ Software Testing

Article Source: http://www.51testing.com penetration test needs to confirm the initial state of penetration test project first. The most common way to define a starting state is to select a black box test or a white box test or a gray box test.
　　 Selection of test types black box testing has many problems. It is difficult to estimate how long the reconnaissance phase can last because of the reasons for the system being tested and because the testers are familiar with the environment, and the length of the reconnaissance phase involves cost. However, if the test time is insufficient, penetration testing may often be "aborted". A less realistic factor is that an attacker with a strong motivation will not take into account the constraints when carefully studying the target, as he is often a professional penetration tester. 　　Therefore, we recommend the implementation of gray-box testing rather than black-box testing. If the penetration tester is in close contact with the system being tested, or if the test system is fully understood, the target of the penetration test can be clearly defined, and the results of the test report are often predictable. Participants are asked to provide some details about the target system, such as network information, system type, company's process, service, etc. White-Box testing typically focuses on specific business objectives, such as meeting compliance needs rather than general evaluations, and white-box testing is often a shorter task due to the scope limitations of the target system. White-Box testing can reduce the amount of information collected, such as reconnaissance services, to reduce the cost of penetration testing services. 　　As a result, internal security teams often conduct white-box testing. Under what circumstances is a gray-box test implemented? The answer is to allow penetration testers to skip this section when the customer or system owner agrees to find some unknown information during the reconnaissance phase. 　　The penetration tester obtains basic information about the target system from the system owner; however, internal work and some privileged information remain confidential to the penetration tester. The real attacker collects information about the target before attacking the target. Most attackers do not choose a random target. Attackers often have a strong incentive to interact with an attack target in some way before attacking it. 　　Gray-Box testing is attractive to many security experts who perform penetration testing, as this test mimics the true approach used by attackers and focuses on vulnerabilities rather than reconnaissance. The test scope defines how the penetration service starts and how it is executed. 　　Penetration testing should collect information to record the target environment and define the scope of the task in order to avoid unnecessary reconnaissance services or out-of-scope attack systems. Real attackers are often not limited by time, money, morals, and tools, which means that limiting the scope of penetration testing does not represent the real situation. For example, a penetration tester can capture the credentials of a user logging on to a critical system and can access these systems without testing whether they are vulnerable to network-based attacks. It is also important to know which people should be aware of penetration testing. 　 　A real attacker could launch an attack at any time. Determining the scope of penetration testing you should pay attention to the following basic points when developing the scope of penetration testing: · Determination of the target system: Determining which should be testedwhich systems. These include network locations, system types, business use of these systems, and so on. · 　　Time span of test work: When should the test start? What is the time range to meet the specified test objectives? · How to evaluate the target system: What test methods do you allow (such as scans and exploits)? What are the risks if you allow specific test methods to be used? What is the impact if the target system is not operational due to penetration testing? For example, by impersonating an employee and using a social network, Use denial of service attacks on critical systems, execute scripts for vulnerable services, and more. Some methods may pose higher risks to the system than others. · Tools and Software: What software and tools do you use during penetration testing? Many security experts believe that if the tool is leaked, it is tantamount to revealing a secret weapon. You may need to keep a secret only when security professionals are using a wide range of commercially available products and simply re building their brand based on reports from these products. Experienced security experts disclose the tools they use, and when exposing vulnerabilities, they also record which commands use the tool to uncover the vulnerability. This can reproduce the exploit and allow the customer to really understand how the system is compromised and to understand the difficulty of exploiting the vulnerability. Who should be informed: who should know the penetration test? What do you want them to do? is the response to the penetration test a part of the test scope? If so, it makes sense to not notify the security operations team before testing. If you are testing a Web application hosted by another party (for example, a cloud service provider), it is important to notify the other because your service may affect the supplier. 　　Initial access level: What types of information and access are available before the penetration test begins? can penetration testers access servers via the Internet or intranet? What types of initial-level accounts are allowed to access? For each target system, is this a black-box test, a white-box test, or a gray-box test? · Definition of target scope: this is to determine the specific business functions in the penetration test. For example, performing penetration tests on specific Web applications used by salespeople does not affect the different applications hosted on the same server. Determination of key operational areas: Penetrant testers must determine which systems should be avoided and which are designed to prevent negative effects of penetration testing services. Should access to the active authentication server be prevented? It is very important that you explicitly define which assets to test before penetrating the target. · 　　Standard definition: To what extent should penetration testing attack systems or processes? Should the data be purged or should an attacker only need to obtain a specific level of unauthorized access? · What is delivered: What is the final delivery report like? What are the goals that customers expect when completing the Penetration Test service agreement?The goal of testing is not open-ended, to avoid testing beyond the expected service. Do you classify or specify data for specific people? How should the final report be delivered? It is very important that testers deliver a sample report or update the report on a regular basis in order to avoid the surprising results of the final report. · 　 　Fix expectations: Do you expect to record a few possible repair actions when you detect vulnerabilities? If the system is not available during penetration testing, who should we notify? What happens if sensitive data is found? Most penetration testing services do not provide corrective action for the problems identified. Vulnerability assessment in many cases, security tests or audits based on auditing standards or benchmarks give customers a false sense of security. Most standards and benchmarks have a process of long-term renewal that cannot keep pace with the threat of rapid growth in today's world. 　　As a result, security testing and auditing should provide security services that exceed safety standards and benchmarks, raising the level of security to a level of protection against realistic threats. Vulnerability assessment is a process of scanning network devices, operating systems, and application software for the purpose of identifying known and unknown vulnerabilities. After a vulnerability is discovered, the Penetrant tester does not attack the vulnerability to verify that it is real. The results of the vulnerability assessment delivery provide a potential risk associated with all vulnerabilities. 　　There are many solutions, such as Kali Linux, that can be used to scan vulnerabilities based on the type of system or server, an open communication port, or other means. Only a vulnerability scan can calculate the risk to have real value. The problem with many security audits is that the results of vulnerability scans make security audits cumbersome, but with little real value. Many vulnerability scanners provide false information or identify vulnerabilities that are not stored. Why? This is because the vulnerability scanner incorrectly confirms the operating system, or incorrectly finds a specific patch to fix the vulnerability, but does not care about the version of the software. Combining risk and vulnerability analysis can provide a clear definition and know exactly how vulnerable a system is. In many cases, this means that the vulnerability reported by the automated tool needs to be checked.