A measured approach to automated penetration testing
Automated penetration testing plays an important role in improving the penetration testing process and reducing the resources it requires. Without a proper method, however, it can be a waste of time. In this article, technical expert Kevin Beaver discusses the topic.
Are you overwhelmed by penetration testing? Many people are. Between PCI DSS, business partners and customers, and similar obligations, the demand for penetration testing is endless. Given the number of systems and applications and the complexity of the network environment, penetration testing can be a daunting task; as a result, many information security professionals simply go through the motions to meet compliance requirements, or find a way to skip the tests entirely. But what is the price of doing so? As with everything in life, a half-hearted approach to penetration testing yields half-hearted results: compliance troubles, information risks and, inevitably, data breaches will follow.
However, those who shoulder this fundamental business task can take a cue from many other information security management tasks and automate them. For example, over the years, information security professionals have been able to automate tasks such as log management, patch management and source code analysis. Likewise, by adding some automation to penetration testing, we can minimize the resources required while maintaining the integrity of the penetration testing process. It is important, however, to take a measured approach.
A measured approach to automation
First, define what penetration testing means to you by determining the goal you want to accomplish. Some people consider penetration testing a simple vulnerability scan to appease auditors. Others prove that they can find a vulnerability to exploit. I prefer a broader definition, closer to a vulnerability assessment: anything with an IP address or a URL can be attacked.
Starting from the most critical systems, professionals need to consider the entire network, because external hackers and malicious employees know that the network has no boundaries. Then test every aspect of your systems to determine which parts are vulnerable, whatever you choose to call the exercise. Otherwise, the security program is doomed to fail.
This approach is particularly important for "automated" penetration testing. Why? Because you cannot use existing tools to automate every test on every system and application. For example, most of the work of finding weak and medium-strength passwords on a network host can be automated, but using those logon credentials to browse the network, manipulate files and run other related programs cannot. These kinds of tests are often called authenticated vulnerability scans; they can be performed by writing scripts, but they are not truly automated.
Vulnerabilities in Web application logins, user session management and SQL injection are likewise discovered and exploited. Similarly, a single function (such as SQL injection and extracting data from a database) can be automated, but the entire process cannot. The process requires human interaction and expertise to know where to focus exploitation and how to obtain the best results.
Tools are only an aid
The desire for automation has added many new features to popular vulnerability scanners, such as the Acunetix Web Vulnerability Scanner (which is good at cracking passwords in Web applications) and Metasploit Pro (which can be used to obtain command prompts and create backdoor programs).
But even these tools cannot completely automate the process. For example, with Metasploit Pro, IT must first run a vulnerability scanner (such as Nexpose or Nessus) to detect the vulnerability. Metasploit Pro and the commercial vulnerability scanners have simple user interfaces, but not every penetration testing tool is simple. This is a problem for people who lack the technical knowledge.
The biggest benefit of today's penetration testing is the wide range of security testing tools on the market, which allow penetration testers to crack unencrypted laptops or wireless network passwords in a matter of minutes, or to simply launch an email phishing campaign. Finding network shares and insecurely accessible PII can be done very quickly. However, none of this can be completely automated. Like radiologists and home inspectors, penetration testers can use advanced tools, but discovery, enumeration and reporting of results cannot be completely automated, though I think that will happen in the future.
A deep security audit requires more than entering IP addresses or URLs and clicking OK. Of course, programs and workflows can become more efficient, but creativity and practical experience will determine the final outcome. Finally, no matter how many vulnerabilities a penetration test discovers, IT professionals still need to determine which are real security risks and which are not.