What Makes a Security Plan?

-
      Hello, and welcome back to my blog. This week, I would like to quickly discuss the levels that go into making a security plan. These types of plans are an important tool for IT departments and Cybersecurity Administrators to design a plan that will help protect or slow down an attack on the network.     Of course, security plans can vary from company to company; however, their purpose remains the same, with threats looming every day. With IT managers adjusting in response to the ever-changing threats, the created security plan must be designed to stop or slow down any attempt to breach network defenses. Below we will look at the principal components of a security plan and what they entail.    Separate Networks              As the name suggests, having more than one network can protect company assists from hackers and the like. The reason being is that having every computer on one network would lead to issues if that subsequent work were to fail, which would stop operati
8 comments

What is Penetration Testing?

-

Hello, and welcome to my blog!

 

This week, I will be discussing the topic of penetration testing and what it means for cybersecurity.

 

So, you may be wondering what penetration testing is and what is its purpose? Penetration testing, also known as pen testing, is a simulated cyberattack against a computer system to check for exploitable vulnerabilities. Pen testing is used to breach several applications, such as application protocol interfaces (APIs), and front-end/back-end servers. It can also be used to fine-tune the web application firewall (WAF).


Pen the testing process can be broken down into five stages.

 

Planning and reconnaissance, which includes defining the scope and goals of the test, the systems to be addressed, the testing methods to be used, and intelligence gathering.

 

Scanning, which is to understand how the target application will respond to various intrusion attempts. This includes:

 

·        Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.

·        Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view of an application’s performance.

 

Gaining Access, which uses web application attacks, such as cross-site scripting, SQL, injection, and backdoors to uncover a target’s vulnerabilities. After discovery, testers then will try and exploit these areas.

 

Maintaining access, which the goal here is to achieve a persistent presence in the system. The idea here is to stay in the system long enough to gain in-depth access.

 

Finally, Analysis, which is the results of the pen test that are compiled into a report that details the specific vulnerabilities that were exploited, any sensitive data that was accessed, and the amount of time the pen test was able to remain in the system undetected.

 

There also different methods to perform a penetration test, such as:

 

External testing, which is a pen test to target the assets of a company that visible on the internet.

 

Internal testing, such as a tester with access to an application behind a firewall simulating an attack by a malicious insider.

 

Blind testing, which is a tester giving the name of an enterprise that is being targeted,

 

Double-blind testing, which is security personnel, has no prior knowledge of the simulated

attack.

 

And Targeted testing, which is both the tester and security personnel work together and keep each other apprised of their movements.

 

As you can see, a lot goes into a penetration test that can benefit any company looking to test its system and security IT teams. This type of test can help adjust areas that need attention and is suitable for a small or large company.

 

If you are interested in learning more about penetration testing, please check out the links

 

below for more information on the subject.

 

https://www.imperva.com/learn/application-security/penetration-testing/

 

https://searchsecurity.techtarget.com/definition/penetration-testing

 

https://en.wikipedia.org/wiki/Penetration_test

 

Have you been involved in a pen test before? If so, how was your experience? Would you recommend other companies to do the same? Please leave a comment below with your experiences. I love to hear from you!

 

Also, was there anything I left out or anything you would like to add? Please leave a comment below as well!


Until next time!

References

Imperva. (n.d.). Penetration testing. Learning Center. https://www.imperva.com/learn/application-security/penetration-testing/

Penetration test. (2004, November 23). Wikipedia, the free encyclopedia. Retrieved August 26, 2020, from https://en.wikipedia.org/wiki/Penetration_test

Rouse. (2018, October 31). What is pen test (penetration testing)? - Definition from WhatIs.com. SearchSecurity. https://searchsecurity.techtarget.com/definition/penetration-testing

Updated: 8/26/2020

Comments

Post a Comment

Popular posts from this blog

What Makes a Security Plan?

-
      Hello, and welcome back to my blog. This week, I would like to quickly discuss the levels that go into making a security plan. These types of plans are an important tool for IT departments and Cybersecurity Administrators to design a plan that will help protect or slow down an attack on the network.     Of course, security plans can vary from company to company; however, their purpose remains the same, with threats looming every day. With IT managers adjusting in response to the ever-changing threats, the created security plan must be designed to stop or slow down any attempt to breach network defenses. Below we will look at the principal components of a security plan and what they entail.    Separate Networks              As the name suggests, having more than one network can protect company assists from hackers and the like. The reason being is that having every computer on one network would lead to issues if that subsequent work were to fail, which would stop operati
Read more

Outsourcing vs. Cloud Computing, a quick look

-
 This week we will discuss an exciting topic of outsourcing and cloud computing.   To understand what the two are, let’s look at both and how they benefit or hinder a company.    Outsourcing , as we come to know it, is the method where a company hires a third-party provider who then performs a specific task or function on behalf and for the benefit of a business. This method can perform functions that cloud computing cannot do or does not execute.    Cloud computing  is the practice of using a network of remote servers that are hosted over the internet to manage, store, and process data, rather than doing so on a local server or a personal computer.                                             *Cloud computing is not the same as outsourcing*  The difference between the two is that cloud computing can do computing between different machines at different locations and combine the data from one application to another.  While outsourcing is where a business hires someone to do
Read more

Public vs. Private Clouds: A quick look at the Pros and Cons

-
Hello, and welcome back to my blog! This week we will be discussing the positive and negative sides of using public and private clouds.         For many small businesses, turning to the cloud would seem like a daunting and challenging task. Just thinking about the many different types of Cloud services and various companies that offer them would take time to sort out what you want and how to make the change.       I will cover the pros and cons of using public and private clouds in the hopes that you will come away with a little bit more knowledge on the matter than when you arrived. Of course, if you would like to know more about the different types of cloud services outside of these two, I am about to discuss, here is a link to one of my earlier postings here,  Link      So, let us go and dive into what these two types of cloud services are. If you have heard of companies like Google, Microsoft, and Amazon, you may also know that they offer paid or free cloud services. Other vendors
Read more