Pen Testing from Contract to Report (eBook)
672 Seiten
Wiley (Verlag)
978-1-394-17680-9 (ISBN)
Protect your system or web application with this accessible guide
Penetration tests, also known as 'pen tests', are a means of assessing the security of a computer system by simulating a cyber-attack. These tests can be an essential tool in detecting exploitable vulnerabilities in a computer system or web application, averting potential user data breaches, privacy violations, losses of system function, and more. With system security an increasingly fundamental part of a connected world, it has never been more important that cyber professionals understand the pen test and its potential applications.
Pen Testing from Contract to Report offers a step-by-step overview of the subject. Built around a new concept called the Penetration Testing Life Cycle, it breaks the process into phases, guiding the reader through each phase and its potential to expose and address system vulnerabilities. The result is an essential tool in the ongoing fight against harmful system intrusions.
In Pen Testing from Contract to Report readers will also find:
- Content mapped to certification exams such as the CompTIA PenTest+
- Detailed techniques for evading intrusion detection systems, firewalls, honeypots, and more
- Accompanying software designed to enable the reader to practice the concepts outlined, as well as end-of-chapter questions and case studies
Pen Testing from Contract to Report is ideal for any cyber security professional or advanced student of cyber security.
Alfred Basta, PhD, CCP (CMMC), CISM, CPENT, LPT, OSCP, PMP, CRTO, CHPSE, CRISC, CISA, CGEIT, CASP+, CYSA+, is a professor of mathematics, cryptography, and information security as well as a professional speaker on internet security, networking, and cryptography. He is a member of many associations, including ISACA, ECE, and the Mathematical Association of America. Dr. Basta's other publications include Computer Security and Penetration Testing, Mathematics for Information Technology, Linux Operations and Administration, and Database Security. In addition, Dr. Basta is the chair of EC-Council's CPENT Scheme Committee. He has worked as a faculty member and curriculum advisor for programming and cyber security programs at numerous colleges and universities.
Nadine Basta, MSc., CEH, is a professor of computer science, cybersecurity, mathematics, and information technology. Her numerous certifications include CEH, MCSE, MSDBA, CCDP, NCSE, NCTE, and CCA. A security consultant and auditor, she combines strong 'in the field' experience with her academic background. She is also the author of Computer Security and Penetration Testing, Mathematics for Information Technology, and Linux Operations and Administration. Nadine has extensive teaching and research experience in computer science and cybersecurity.
Waqar Anwar is a Cybersecurity Curriculum Specialist with over 10 years of experience in the field. He also develops and delivers training to faculty and staff on cybersecurity topics and conducts research on cybersecurity topics. Mr. Anwar is a frequent speaker at industry conferences. He is also a member of several cybersecurity organizations including SysAdmin, Audit, Network and Security SANS, CYBRARY, and Information Systems Security Association International ISSA.
Protect your system or web application with this accessible guide Penetration tests, also known as pen tests , are a means of assessing the security of a computer system by simulating a cyber-attack. These tests can be an essential tool in detecting exploitable vulnerabilities in a computer system or web application, averting potential user data breaches, privacy violations, losses of system function, and more. With system security an increasingly fundamental part of a connected world, it has never been more important that cyber professionals understand the pen test and its potential applications. Pen Testing from Contract to Report offers a step-by-step overview of the subject. Built around a new concept called the Penetration Testing Life Cycle, it breaks the process into phases, guiding the reader through each phase and its potential to expose and address system vulnerabilities. The result is an essential tool in the ongoing fight against harmful system intrusions. In Pen Testing from Contract to Report readers will also find: Content mapped to certification exams such as the CompTIA PenTest+Detailed techniques for evading intrusion detection systems, firewalls, honeypots, and moreAccompanying software designed to enable the reader to practice the concepts outlined, as well as end-of-chapter questions and case studies Pen Testing from Contract to Report is ideal for any cyber security professional or advanced student of cyber security.
1
Introduction to Penetration Testing
Table of Contents
- Introduction to Penetration Testing
- Common Penetration Testing Approaches and Techniques
- Types of Penetration Testing
- Coverage, Speed, and Efficiency Between Pentesting Approaches
- Penetration Testing Teams
- Penetration Testing Types
- Penetration Testing Methodologies
- Required Skill Sets for a Penetration Tester
- Penetration Testing Methodology
- Penetration Testing Methodologies List
- Frequency of Penetration Testing
- Certifications that Pentesters may Acquire
- Why Companies Should do Penetration Testing
- Penetration Testing’s Advantages
- Phases of Pentesting
- Points to Consider Before Signing a Contract
- Most Commonly Used Penetration Testing Tools
- Pentesting Use Cases
- Opportunities and Challenges
- Trends and Emerging Technologies
- References and Resources
Introduction to Penetration Testing
Penetration Testing
Penetration testing, commonly known as pentesting, is a method of evaluating the security of computer systems, networks, and applications by simulating an attack from a malicious actor. The goal of a penetration test is to identify vulnerabilities and weaknesses in the target system that could be exploited by attackers. Penetration testing is a vital aspect of cybersecurity, as it helps organizations identify and address security weaknesses before they can be exploited by malicious actors. The process of penetration testing involves identifying potential entry points, attempting to exploit vulnerabilities, and reporting on the effectiveness of the security measures in place.
Penetration testing can be performed manually or with the help of automated tools. It is frequently directed at the following endpoints:
- Servers: This can include various types of servers, such as web servers, file transfer servers, Dynamic Host Configuration Protocol (DHCP) servers, and domain name system (DNS) servers.
- Network services and devices: This includes all types of network services and devices, such as routers, switches, and firewalls. Penetration testers may try to find flaws in how these devices are set up or check if they allow unauthorized access to sensitive data or the ability to manipulate or shut down the network.
- Wireless devices and networks: This includes all types of wireless devices and networks, such as WiFi, NFC, and Bluetooth. Penetration testers may attempt to identify vulnerabilities in the wireless protocols or encryption mechanisms used by these devices and networks.
- Network security devices: This includes all types of network security devices, such as firewalls, intrusion detection and prevention systems, and virtual private network (VPN) gateways. Penetration testers may try to find flaws in the way these devices are set up or put together that could let attackers get around or avoid them.
- Web applications and software: This includes all types of web applications and software used by the organization.
- Mobile devices: This includes all types of mobile devices, such as smartphones and tablets. Penetration testers may attempt to identify vulnerabilities in the operating system or applications installed on these devices that could allow attackers to compromise them or steal sensitive data.
It should be noted, though, that the real pentest simply does not end here. The main objective is to penetrate the IT infrastructure to reach a company’s electronic assets.
Common Penetration Testing Approaches and Techniques
- Clients: Organizations that engage penetration testers to test their systems and networks are referred to as clients. Client‐focused topics could include:
- Testing methods and styles: Each customer has a varied choice for how they want the penetration test to be done. Some may prefer a “black box” approach in which the penetration tester has no previous knowledge of the system, while others may prefer a “white box” approach in which the penetration tester has access to certain system information. This enables the penetration tester to personalize the test to the unique demands of the customer, resulting in a more complete and effective test. It also helps the client confirm that the test is being carried out in a safe and secure manner because the penetration tester has a better grasp of the system.
- Frequency: How often should a penetration test be carried out? Some businesses may require annual penetration tests, while others may prefer more regular testing. Tests can be performed quarterly, biannually, or as needed to maintain the security of their systems and networks, depending on the demands of the company.
- Why should a company do a penetration test? Compliance requirements, risk management, or just detecting vulnerabilities before an attacker does can all fall under this category.
- Phases: The penetration testing process has different parts, such as planning, reconnaissance, scanning, exploitation, and post‐exploitation.
- Use cases: Clients may want to know how penetration testing can be used for specific business use cases, such as securing a cloud‐based infrastructure or protecting sensitive customer data.
Example: A healthcare institution may choose to conduct a penetration test to ensure compliance with HIPAA regulations. To guarantee that all systems and networks are adequately tested, the business may require a “white box” approach. They may also wish to repeat the test on a yearly basis to assure continuous compliance.
- Penetration testers: Professionals who conduct penetrating tests are known as penetration testers.
- What skills are required for a penetration tester? These can involve technical skills like programming language expertise and network protocol understanding, as well as soft skills like communication and problem‐solving.
- Certifications: What credentials should a penetration tester possess? This can include certifications like Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Offensive Security Certified Professional (OSCP) (CISSP).
- Common tools: What tools do penetration testers usually use? This could include network scanners, vulnerability scanners, and exploitation frameworks.
Example: A penetration tester working for a financial institution, for example, may need to be well‐versed in banking protocols and transactional systems, as well as hold a certification such as the Certified Information Systems Auditor (CISA) or CISSP.
- Both: Topics that can focus on both clients and penetration testers can include:
- Penetration testing services: What do penetration testers provide? This can involve web application testing, network testing, and wireless testing.
- Points to consider: What should clients consider before hiring a penetration tester? This can include things like the scope of the penetration test, the cost, and the amount of time necessary.
- Considerations before signing a contract: What should penetration testers take into account before establishing a contract with a client? This includes things like the scope of the penetration test, payment conditions, and legal liabilities.
Example: A major e‐commerce firm, for example, may choose to engage a penetration tester to evaluate its website...
Erscheint lt. Verlag | 12.2.2024 |
---|---|
Sprache | englisch |
Themenwelt | Mathematik / Informatik ► Informatik ► Netzwerke |
ISBN-10 | 1-394-17680-5 / 1394176805 |
ISBN-13 | 978-1-394-17680-9 / 9781394176809 |
Haben Sie eine Frage zum Produkt? |
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich