Download presentation
Presentation is loading. Please wait.
Published byMay Stone Modified over 9 years ago
1
PENETRATION TESTING
2
A scare at bedtime! There is no hiding place, you can be found through a variety of means: DNS, Name Server Lookup, NSlookup, Newsgroups, web site trawling, e-mail properties and so on. There is no hiding place, you can be found through a variety of means: DNS, Name Server Lookup, NSlookup, Newsgroups, web site trawling, e-mail properties and so on.
3
Why Test? professional penetration services are growing in popularity. Organizations are increasingly aware that controlled security vulnerability testing is a major element in identifying exposures, and ensuring that they are not exploited by a hostile party. The objective of penetration testing is to investigate the system from the attacker’s perspective. The primary aim is to identify exposures and risk before seeking a solution.
4
What is it? Many types of testing are available, one is IP Penetration Tests, which consists of Evidential testing, amongst others. Evidential Testing tends to be employed for those who consider themselves to be potentially greater targets for hostile parties, and is far more structured and comprehensive than the former.
5
Evidential Test The Evidential Test has the objective of proving that within a short period of time, an intrusion can be achieved, thus providing proof that the system is vulnerable to attack. Most attempted Internet attacks are performed by Script-Kiddies, uninventive hackers who simply try out others’ new attacks by testing lots and lots of IP addresses for the weakness that can be exploited. There is a great spectrum between these and the ultimate, an engineer with lots of networking experience and probably a wealth of programming knowledge backed up by the commitment to achieve their goal no matter how long or how hard that might be.
6
Case Study The UK government is in the process of implementing one of the most ambitious E- Business systems in the World today. The Government Secure Intranet (GSI) will probably be the largest VPN in Europe encompassing hundreds of large organisations – government departments, local councils, government agencies and the Police National Network (PNN2), an intranet within an intranet – and thousands of firewalls. Designed to connect departments, cut costs, centralising (or at least interlinking) records on citizens, providing greater accessibility to services for everybody, etc.
7
continued….. Security is a manifest issue. From the start, CESG (Communications-Electronics Security Group – the government’s ICT security advisors) realised that such a huge project was beyond the resources of themselves and DERA (Defence Evaluation & Research Agency – the MOD’s research agency.). This was not their only concern, with the arrival of information warfare \ cyber-terrorism, major companies such as utilities and banks – the so-called Critical National Infrastructure - have become even more important as targets. Example - bringing the nation’s gas supply to a halt could quickly bring the country to a halt. Consequently, with the support of the Cabinet Office, CESG set about finding companies it felt could be trusted with such sensitive work and invited them to join.
8
The Major Test An IP Penetration Test is an exhaustive examination of the client’s Internet connectivity. It covers every conceivable angle to give the client an objective, authoritative and up-to-date report on their security status as seen from the outside world.
9
Vulnerability Testing This is a high-intensity search procedure identifying the probable weak points in the system topology. For example: software bugs in the operating systems of computers and communications hardware which allow non-standard access. straightforward attacks on systems. E-mail exploits.
10
The Outcome The deliverables can be two reports authored from the submissions of the whole team. The first is an executive summary discussing the major issues and business risks. The second is an in- depth catalogue of the test covering discovered vulnerabilities, how these might affect security and suggested solutions.
11
continued…… The reports remain a tangible asset to the customer providing a baseline upon which to conduct future tests, and as a Change Control Document when reconfiguring the associated IT and communications systems. The two documents can be a management summary giving an overview of findings, with details on legal issues, business impact, and risk management. The second is an in-depth, blow- by-blow account of findings with suggestions on how to solve each issue. Drafts will be provided to nominated client personnel before the Post-Test Consultation.
12
Post test Options can be; –Intrusion stage –Repeat test –Denial of Service Test –Direct attack –Covert testing
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.