Welcome to our penetration testing module. Penetration testing will help you to determine whether a malicious user can gain access to your system, and how they would gain this unauthorized access to your assets. It can help you to confirm that your controls and segmentation are configured correctly compared to your written security policy.
Penetration testers can check for unauthorized hosts on your network, identify vulnerable systems and services, assist you with configuring your controls, such as your intrusion detection or prevention systems, and assist with collecting forensic evidence. They can also help you verify the ability of your staff to spot intrusions.
Penetration testing is designed to simulate a real-world attack targeted at a specific organization. You can simulate either an inside attack or an outside attack. External testing is conducted from outside of your network and usually occurs first. Internal testing is conducted from inside your secure perimeter.
Some penetration testing takes a team approach: a red team, or attack team, runs an exercise in which they attack one of your assets, while a blue team, the defenders, participates in the same exercise and attempts to defend that asset while the red team attacks.
Before conducting any penetration testing you should have a statement of work and rules of engagement, so that the testers know what they are and are not allowed to do, and you have an understanding of the steps they will take or what their goals are. You should also consider notifying your users that testing will occur so they do not begin flooding your help desk with phone calls because they believe there is a problem with the system.
There are issues to consider with penetration testing. Three of these issues need to be handled before the testing begins. You should have a defined goal and document this goal clearly in agreed-upon rules of engagement, or ROE. Your penetration testing should always be approved by senior management, and only management staff should be approving this type of activity.
You should remember that for the CISSP examination. You can also choose whether or not to notify your administrators. You can notify them that the testing will be occurring so that they are prepared for it, or you can withhold notification to see whether they detect the intrusion and whether they follow proper procedures.
The overall goal of penetration testing is to determine if your systems can withstand an attack, and determine the effectiveness of your current security controls. One of the issues with penetration testing is that it could disrupt productivity, and it could also disrupt your systems. So you should be careful if there are any sensitive systems that the penetration testers should not attempt to attack because you cannot afford to have them go offline.
Your testers should determine the effectiveness of the safeguards that you've put in place and provide you with areas of improvement in order to strengthen the security of your system. Your rules of engagement can include different types of items that the testers are or are not allowed to attack.
You can provide them with specific IP addresses or ranges of IP addresses that they are to test, as well as any restricted hosts or sensitive systems that you do not want them attempting to attack. You can also provide a list of acceptable testing techniques, the time when the test is going to be conducted, a list of contacts for the penetration testing team, and the targeted systems and networks, so that if the testers cause something to go offline they are able to notify the administrators.
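An added example (not part of the original module) of turning the rules-of-engagement items listed above into a mechanical scope check: target ranges, restricted hosts, acceptable techniques and the agreed testing window. The ROE values are constructed and hypothetical; a restricted host inside a permitted range is still off limits.

```python
"""Scope check for a penetration test, built from the ROE items described
above. Added example with constructed values, not from any real engagement."""
import ipaddress
from datetime import datetime

# Constructed rules of engagement (hypothetical addresses and times).
ROE = {
    "allowed_ranges": ["10.10.0.0/16", "192.0.2.0/24"],  # ranges the testers may test
    "restricted_hosts": ["10.10.5.20", "10.10.5.21"],    # sensitive systems: never attacked
    "allowed_techniques": {"port_scan", "vuln_scan", "web_app_test", "phishing"},
    "window_start": "2024-03-02T01:00:00+00:00",         # agreed test window (UTC)
    "window_end": "2024-03-02T05:00:00+00:00",
}


def in_window(when_iso, roe=ROE):
    """True when the ISO-8601 timestamp falls inside the agreed test window."""
    start = datetime.fromisoformat(roe["window_start"])
    end = datetime.fromisoformat(roe["window_end"])
    return start <= datetime.fromisoformat(when_iso) <= end


def check_action(target_ip, technique, when_iso, roe=ROE):
    """Return (allowed, reason) for a proposed test action.

    Restricted hosts are checked first so that a sensitive system that sits
    inside a permitted subnet is still rejected.
    """
    ip = ipaddress.ip_address(target_ip)
    if any(ip == ipaddress.ip_address(h) for h in roe["restricted_hosts"]):
        return False, f"{target_ip} is a restricted host"
    if not any(ip in ipaddress.ip_network(n) for n in roe["allowed_ranges"]):
        return False, f"{target_ip} is outside the agreed ranges"
    if technique not in roe["allowed_techniques"]:
        return False, f"technique {technique!r} is not listed in the ROE"
    if not in_window(when_iso, roe):
        return False, "outside the agreed testing window"
    return True, "in scope"


if __name__ == "__main__":
    # One in-scope action and three that the ROE forbids.
    for ip, tech, t in [("10.10.1.7", "port_scan", "2024-03-02T02:30:00+00:00"),
                        ("10.10.5.20", "port_scan", "2024-03-02T02:30:00+00:00"),
                        ("203.0.113.9", "vuln_scan", "2024-03-02T02:30:00+00:00"),
                        ("10.10.1.7", "port_scan", "2024-03-02T09:00:00+00:00")]:
        print(ip, tech, check_action(ip, tech, t))
```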
You should also have measures to prevent law enforcement from being contacted with false alarms, and you should determine how you're going to handle the very sensitive information that will be collected by the penetration testing team. You have three different types of targets for penetration testing. You can have your physical security tested, where individuals attempt to access your building or departments; gain access to wiring closets, sensitive areas, server rooms, locked filing cabinets and so on; attempt to remove company property or sensitive materials from your building; and attach sniffers or other tools to network cabling.
You can have them test your operational security to see if your help desk will give out sensitive information, and to make sure the data has been destroyed on any disks that you are no longer using.
For example, do you have staff members who are happy to help a new employee figure out where everything is in your business, when in reality the "new employee" is a penetration tester who does not work for the company? You can also have your electronic security tested. This is probably the most common type of penetration testing, where the testers examine your systems, networks, communications, and data to see if there are any vulnerabilities.
They can also attempt phishing and vishing attacks, where they contact your employees by email or by phone and try to trick them into taking some action or providing information that they should not be providing. It is important that you have the results of the penetration test documented so that you can review them for any areas of improvement.
During the planning phase, you should document the rules of engagement, test plans, and written permission from the company to perform the penetration testing. During the discovery and attack phase, you would want to document log information and provide periodic reports to the client of the types of access that you have been able to gain to their system. Once the test is completed, you will provide an overall report that will describe any identified vulnerabilities and a risk rating for those vulnerabilities, as well as some guidance on how you can mitigate these weaknesses to prevent actual attackers from taking advantage of these vulnerabilities. This concludes our penetration testing module.
Thank you for watching.