Penetration Testing

Penetration Testing

(Pentesting) involves simulating attacks to assess the risk associated with potential security breaches. Testers discover and exploit vulnerabilities where possible to assess what attackers might gain after a successful exploitation.

Zero-day

A vulnerability unpatched by software publishers

Social-engineering

In the context of information security, refers to the psychological manipulation of people into performing actions divulging confidential information. For the purpose of information gathering, fraud, or system access. Ex. Phishing

Internal Penetration Test

Insider, malicious employee or attacker who has already breached the perimeter

Proprietary software

Closed source software. Computer science software licensed under exclusive legal right of the copyright holder with the intent that the licensee is given the right to use the software only under certain conditions and restricted from other users such as modification sharing studying redistribution or reverse engineering. Usually the source code is not made available.

Passive Digital Footprint

Created when data is collected about an action without any client activation

Active Digital Footprint

Created when personal data is released deliberately by a user for the purpose of sharing information about oneself

Executive Summary

Describes the goals of the test and offers a high level overview of the findings, intended for the executives in charge or the security program

Vulnerability Modeling

Done before attacking systems, attempts to discover vulnerabilities in the system that can be taken advantage of in the exploitation phase

Pre-engagement Phase

Pentesting begins with this, involves talking to the client about their goals for the pentest, mapping out the scope (extent and parameters of the test) and so on.

External Penetration Test

Simulate an attack via the Internet

Information-gathering Phase

The pentester searches for publicly available information about the client and identifies potential ways to connect to its systems

Reporting Phase

The pentester summarizes the findings for both the executives and technical practitioners

Post-exploitation Phase

The result of the exploitation is leveraged to find additional information, sensitive data, access to other systems and so on

Threat-modeling Phase

The tester uses information from the previous phase to determine the value of each finding and the impact to the client if the finding permitted an attacker to break into a system. Allows development of action plan and methods of attack

Digital Footprint

The trail of data that is left behind by users on digital services