
What is Penetration Testing?

Hello, and welcome to my blog!

This week, I will be discussing the topic of penetration testing and what it means for cybersecurity.

So, you may be wondering what penetration testing is and what its purpose is. Penetration testing, also known as pen testing, is a simulated cyberattack against a computer system to check for exploitable vulnerabilities. Pen testing is used to probe and, where possible, breach the components of an application, such as application programming interfaces (APIs) and front-end/back-end servers. Its findings can also be used to fine-tune the web application firewall (WAF).

The pen testing process can be broken down into five stages.

Planning and reconnaissance, which includes defining the scope and goals of the test, the systems to be addressed, and the testing methods to be used, followed by intelligence gathering (for example network and domain names and mail servers) to understand how the target works and where it might be weak.

Scanning, which aims to understand how the target application will respond to various intrusion attempts. This is typically done using:

·        Static analysis – Inspecting an application’s code without running it to estimate the way it behaves at runtime. These tools can scan the entirety of the code in a single pass.

·        Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view of how the application actually behaves, rather than an estimate.

Gaining access, which uses web application attacks, such as cross-site scripting, SQL injection, and backdoors, to uncover a target’s vulnerabilities. After discovery, testers try to exploit these weaknesses, typically by escalating privileges, stealing data, or intercepting traffic, to understand the damage they could cause.

Maintaining access, where the goal is to see whether the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for an attacker to gain in-depth access. The idea is to imitate the advanced persistent threats that often remain in a system for months in order to steal an organization’s most sensitive data.

Finally, analysis, where the results of the pen test are compiled into a report that details the specific vulnerabilities that were exploited, any sensitive data that was accessed, and the amount of time the tester was able to remain in the system undetected.
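To make the scanning, gaining-access and analysis stages concrete, here is an added example of my own; it is not code from the original post or from the Imperva article it draws on. It builds a hypothetical login function backed by an in-memory SQLite table, runs a small static check over the function’s source to flag SQL built from user input, then plays the attacker by sending SQL injection payloads through the running function, and finally compiles the results into a per-function report, with a parameterised version of the same login alongside it for comparison. The database, user, credentials, payload strings and function names are all constructed for the demonstration; the maintaining-access stage has no meaningful equivalent in a toy like this and is left out.

```python
# Added example, not part of the original post: a miniature pen test that walks
# the scanning, gaining-access and analysis stages against a toy login function.
# The application, its SQLite user table, the credentials and the payloads are
# all constructed here for illustration; nothing is taken from a real system.
import ast
import inspect
import sqlite3


def make_db():
    """Build the hypothetical target: one user table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is concatenated into the SQL text."""
    query = ("SELECT role FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Fixed version: a parameterised query keeps data separate from the SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def static_scan(func):
    """Scanning stage, static analysis: read the function's source without
    running it and flag execute() calls whose SQL text is built by string
    concatenation or an f-string and that pass no parameter tuple."""
    tree = ast.parse(inspect.getsource(func))
    built = set()  # names assigned from concatenation or f-strings
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, (ast.BinOp, ast.JoinedStr)):
            built.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        sql = node.args[0]
        dynamic = (isinstance(sql, (ast.BinOp, ast.JoinedStr))
                   or (isinstance(sql, ast.Name) and sql.id in built))
        if dynamic and len(node.args) == 1:
            findings.append(f"{func.__name__}: execute() at line {node.lineno} "
                            "builds SQL from input without parameters")
    return findings


# Classic authentication-bypass payloads, sent in the password field.
SQLI_PAYLOADS = ["' OR '1'='1", "' OR 1=1 --"]


def dynamic_scan(conn, login):
    """Scanning stage, dynamic analysis, rolled into gaining access: run the
    target and record any payload that authenticates without the password."""
    findings = []
    for payload in SQLI_PAYLOADS:
        role = login(conn, "alice", payload)
        if role is not None:
            findings.append(f"{login.__name__}: payload {payload!r} logged in as {role}")
    return findings


def pentest_report(conn):
    """Analysis stage: compile the static and dynamic findings per function,
    the way a report lists each vulnerability that was exploited."""
    return {login.__name__: static_scan(login) + dynamic_scan(conn, login)
            for login in (login_vulnerable, login_hardened)}


if __name__ == "__main__":
    db = make_db()
    for name, findings in pentest_report(db).items():
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Running the file reports three findings for `login_vulnerable` (one from the static pass, two from the injected payloads) and none for `login_hardened`. The static check is deliberately narrow, since it only recognises concatenation and f-strings feeding `execute()`, which is exactly why the dynamic pass against the running code is also needed: a real scan combines both rather than trusting either alone.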

There are also different methods of performing a penetration test, such as:

External testing, which targets the assets of a company that are visible on the internet, such as the web application itself, the company website, and email and domain name servers.

Internal testing, in which a tester with access to an application behind the firewall simulates an attack by a malicious insider, or by an outside attacker who has obtained an employee’s credentials, for example through phishing.

Blind testing, in which the tester is given only the name of the enterprise being targeted, so security personnel can watch how an actual attack would unfold in real time.

Double-blind testing, in which security personnel also have no prior knowledge of the simulated attack, so they have no chance to shore up defences before the attempted breach.

And targeted testing, in which the tester and security personnel work together and keep each other apprised of their movements, as a training exercise that gives the security team real-time feedback from an attacker’s point of view.

 

As you can see, a lot goes into a penetration test, and it can benefit any company looking to test its systems and its security and IT teams. This type of test helps identify the areas that need attention and is suitable for a small or a large company.

If you are interested in learning more about penetration testing, please check out the links below for more information on the subject.

https://www.imperva.com/learn/application-security/penetration-testing/

https://searchsecurity.techtarget.com/definition/penetration-testing

https://en.wikipedia.org/wiki/Penetration_test

 

Have you been involved in a pen test before? If so, how was your experience? Would you recommend other companies do the same? Please leave a comment below with your experiences. I’d love to hear from you!

Also, was there anything I left out or anything you would like to add? Please leave a comment below as well!


Until next time!

References

Imperva. (n.d.). Penetration testing. Learning Center. https://www.imperva.com/learn/application-security/penetration-testing/

Penetration test. (2004, November 23). Wikipedia, the free encyclopedia. Retrieved August 26, 2020, from https://en.wikipedia.org/wiki/Penetration_test

Rouse. (2018, October 31). What is pen test (penetration testing)? - Definition from WhatIs.com. SearchSecurity. https://searchsecurity.techtarget.com/definition/penetration-testing

Updated: 8/26/2020
