Penetration services are designed to verify the vulnerability of vulnerabilities and the extent to which they can be exploited, that is, the amount of threats that could be created. The attack of the Enterprise Information Security defense system is various, not only from the external intrusion, but also from the internal categories of personnel stealing and tampering. How to choose the starting point of infiltration, it is important to simulate the role of the intruder.
People of different roles have a great diversity of knowledge about the information defense system, the more they know, the easier it is to bypass the defensive measures, the easier the intrusion, and the less time it takes.
As a commercial security service, the choice of different roles, means that the difficulty of attack, different workload, the final goal of the penetration time is different, the effect of infiltration may also be different.
Does not measure technical difficulty and workload, can not determine the commercial value of services, if the pursuit of low-cost policies, penetration service providers can not provide a high level of infiltration personnel participation, can not use High-tech, the latest security technology tools, penetration service quality will be greatly reduced, thus unable to verify the security vulnerabilities can bring threat level, Also lost the meaning of penetrating service.
One, by role classification:
The role is to simulate the identity of the intruder. Identifying roles can determine the extent to which infiltrators understand the target network architecture, security systems, and business logic, and the more they know, the closer they are to the target.
Infiltration of technical difficulty is mainly to see the goal of the safety defense system is perfect, generally speaking, the penetration of the intranet Business Server than the Internet server is difficult, the defense of the perfect system penetration technology difficult to increase significantly.
Depending on the role of the infiltrators, penetration services can be divided into:
1, free infiltration: the knowledge of the intruder is limited to the public information media, generally from the Internet to initiate infiltration. Users of the penetration service may not have a clear goal, is to test their own protection system loopholes, infiltrators can tamper with the page, can control the "broiler", you can choose the target server;
2, ordinary users: as a user of ordinary users of the business, can be from the Internet, can also be from the intranet of a terminal to initiate infiltration. The user network architecture part of the understanding of the security system is not understood, the user's business system has some understanding. User penetration target is clear, generally is the business system sensitive information steals;
3, network management personnel: Users within the operation and maintenance managers. Generally from the intranet began to penetrate, the network, security mechanisms are very familiar. The goal of penetrating service is very clear, that is to verify whether the safety monitoring system can be detected and whether the spy behavior of internal personnel can be collected;
4, management personnel: Managers generally have the network internal high-level access, familiar with the internal network and security mechanisms. Penetration service mainly verifies whether the internal security audit measures are perfect, if the user's business process has certain understanding, can verify the safety control mechanism in the business process is perfect;
5, third party maintenance personnel: outsourced operation and maintenance services are used by many enterprises, as operational personnel, the user's internal system is very familiar with, such as network maintainers, security Defenders, business system maintainers, Server maintainers, Office System Defenders, under normal circumstances are not familiar with other systems, But they have a lot of opportunities to get in touch with the maintenance staff of other systems, and the workspace may also be cross. The infiltration service is mainly to verify the security loopholes in the management of the third party operation and maintenance personnel;
The following table is the different types of penetration service, under normal conditions of technical difficulties and workload (if the target security system is perfect, technical difficulties should be increased by a level):
Goal |
Infiltration channels |
User Information |
Technical difficulty |
Technical workload |
Free infiltration |
Not clear |
Internet |
Unfamiliar, through google/Baidu search information |
In |
Big |
Ordinary users |
Clear |
Intranet/Internet |
Partially familiar with |
In |
Big |
Network management personnel |
Clear |
Intranet |
Familiar with |
Easy |
In |
Management staff |
Clear |
Intranet |
Familiar with |
Easy |
Small |
Third Party Maintenance |
Clear |
Intranet/Internet |
Partially familiar with |
Difficult |
In |
This column more highlights: http://www.bianceng.cnhttp://www.bianceng.cn/Network/Security/