Introduction to the penetration assessment process in China

Source: Internet
Author: User

With the development of the Internet, more and more people have become aware of network security risks. Organizations have started to pay attention to network penetration assessment and spend considerable money on third-party personnel to simulate hacker attacks. Let's take a look at the penetration assessment process used by Chinese security companies.

Before looking at the penetration assessment process in China, we first need to know what a penetration assessment is. A penetration assessment requires third-party personnel to simulate hacker attacks and perform a production-level evaluation of the servers, important network devices, and information security measures of the organization's core business, actively analyze design defects, technical defects and weaknesses in the security measures, and finally deliver a comprehensive information security report to the organization's management and technical personnel. A penetration assessment can be used to identify threats to the organization's information resources and to identify and fix existing vulnerabilities; to measure the tested party's knowledge of the basic technology, design, and implementation defects behind vulnerabilities; and to reduce the organization's IT security costs, provide better security, and ensure a comprehensive and thorough security architecture for the organization, covering assessment policies, processes, design and implementation.

As for the penetration assessment process in China, each company has its own set of processes, but they are roughly as shown in:


In the penetration assessment process, you must first communicate with the customer and obtain the customer's written authorization. Only a penetration assessment authorized in writing is legal; otherwise it is illegal. After obtaining written authorization, an implementation plan needs to be developed. The plan covers the work location, the work period, and the penetration targets of the assessment. For major customers, the customer generally specifies a work location for the assessment and monitors the work process. The customer needs to control all the details and risks of the assessment in order to reduce other security risks arising from it. The penetration targets are the customer's public IP addresses on the Internet, which can be reached by anyone in the world. Different customers have different targets: some have only one target IP address, while others have thousands. Naturally, charges vary with the number of target addresses.

After the penetration assessment plan is developed, the customer must confirm it before implementation proceeds. During confirmation, the customer may further adjust the assessment schedule based on actual business operations, so that the assessment does not take place during peak business hours, when a problem arising during the assessment would affect normal business. For DDoS tools, the plan should state clearly that such tools may not be used in the assessment. The risks of a penetration assessment plan are mostly handled in a known and controllable manner; this is also the essential difference between a professional penetration assessment service and a hacker intrusion.
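The scoping rules the plan fixes above (written authorization, an authorized list of target addresses, an agreed test window outside peak hours, and excluded tool classes such as DDoS) can be enforced as a pre-flight check before any tool is run against a target. The following is an added example and not code from the original article; the plan structure, the `check_action` function and the `203.0.113.0/24` sample range are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress


@dataclass
class EngagementPlan:
    """Scope agreed with the customer; constructed values, not a real engagement."""
    authorized: bool                 # written authorization obtained
    targets: list                    # authorized public ranges, CIDR strings
    window_start: time               # daily test window (may wrap past midnight)
    window_end: time
    forbidden_tool_classes: set = field(default_factory=lambda: {"ddos"})


@dataclass
class PlannedAction:
    target: str                      # IP address the tester is about to touch
    when: datetime                   # planned start of the action
    tool_class: str                  # e.g. "port-scan", "web-scan", "ddos"


def in_window(start, end, t):
    """True if t falls in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_action(plan, action):
    """Return the reasons an action is out of scope; an empty list means allowed."""
    reasons = []
    if not plan.authorized:
        reasons.append("no written authorization on file")
    try:
        ip = ipaddress.ip_address(action.target)
        if not any(ip in ipaddress.ip_network(n) for n in plan.targets):
            reasons.append(f"{action.target} is not an authorized target")
    except ValueError:
        reasons.append(f"{action.target!r} is not an IP address")
    if not in_window(plan.window_start, plan.window_end, action.when.time()):
        reasons.append(f"{action.when:%H:%M} is outside the agreed test window")
    if action.tool_class in plan.forbidden_tool_classes:
        reasons.append(f"tool class {action.tool_class!r} is excluded by the plan")
    return reasons


# Constructed sample plan: night-time window, one documentation range (RFC 5737).
PLAN = EngagementPlan(True, ["203.0.113.0/24"], time(22, 0), time(6, 0))

if __name__ == "__main__":
    a = PlannedAction("203.0.113.10", datetime(2024, 1, 15, 23, 30), "port-scan")
    print(check_action(PLAN, a))  # [] : the action is within scope
```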

Information collection and analysis is the prerequisite for any attack. Information collection is used to understand the organization's network structure, network devices, application servers, and other infrastructure and software. It gathers the network information exposed by the target IP addresses, such as whois and finger data, to determine how the target host's security facilities behave, and analyzes the banners, operating system fingerprints, and application service information returned by the target IP addresses, for example the system versions of firewalls, routers, and application devices. Various scanning tools can be used to collect this information: port scanners, weak-password scanners, dedicated application scanners, commercial network vulnerability scanners, and free security scanners. Tools only shorten the time an assessment takes, so you cannot be lazy and rely on them alone. A penetration assessment relies mainly on the assessors' security experience and their experience in discovering and exploiting vulnerabilities to analyze the network structure and the vulnerabilities of business applications.

Permission acquisition builds on information collection. After analyzing the security vulnerabilities in the network, you can obtain permissions on the target host. Permissions may be obtained through a remote overflow vulnerability in an application at the target address (if the remote overflow would have a devastating impact on the system, we recommend not performing it, but describing it in the report); by guessing weak passwords for the remote host's telnet or FTP service accounts or its remote control (3389) account; or, by scanning the web application at the target address, by finding a SQL injection vulnerability in the application's SQL handling and using it to upload a webshell, escalate permissions, and take control of the website. Various methods can be used to obtain permissions based on vulnerabilities in business applications. In addition, we do not recommend using social engineering, website Trojans, or other such methods to obtain permissions.

Although a lot of work is done in the earlier stages, the true value of a penetration test lies in the later work: the report. If the report is not clear and understandable, the value of the whole process cannot be realized. A good report should describe the intrusion process against the test target, the risk analysis, and the remediation. Senior management must be able to understand the remediation concisely, technical management needs the overall solution, and system administrators must be able to fix the vulnerabilities step by step.

A penetration assessment only evaluates network information security comprehensively within a limited period of time. It can only reduce the organization's security risks; it cannot guarantee that hackers will not intrude into the system again after the assessment. Hacker attacks have no time limit: attackers may spend a week discovering a system vulnerability, or years. As technology develops, new security vulnerabilities are discovered, and if security management does not keep pace, new security risks emerge. Therefore, we recommend performing at least two security penetration assessments each year to further protect the organization's information security.

The above is only my personal understanding of penetration assessment in China. I hope you will give me more advice and that we can communicate further.
