Tuesday, November 15, 2022

view of PenTesting

 




We all know what Penetration Testing is, right?
In this post, I am trying to present a holistic view of real-life IT penetration testing.

If you want to gain assurance in your organisation’s vulnerability assessment and management processes through a realistic simulation of a hacker attack, then IT penetration testing is a MUST. There is no doubt about that.

When you do that, you get a number of benefits immediately:
You get a good Vulnerability Assessment within your IT network.
Potential attackers' entry points become transparent to you.
Your risk posture improves as most of the exploitable vulnerabilities are identified.
The Red/Blue Team gets a practical exercise to test detection capabilities in real time.
The security level of the investigated systems becomes measurable.
Compliance requirements (e.g. national regulations, GDPR, TISAX) for mandatory pentesting are fulfilled, if it is done by third-party/consultants' pentesters.

You also receive a number of important recommendations regarding the improvements to be made to your information security and the respective guidelines.

In hindsight, pentesting is nothing but a real-life simulation of the damage that malicious threat actors might carry out.

My personal point of view is this:

Risk analysis of cyber-attacks is usually carried out on the basis of theoretical assessments only. A Penetration Test is an ideal supplement to it, as it enables a real measurement of the resistance capability of your IT environment. Once the important vulnerabilities are confirmed, you can make a realistic risk assessment based on these findings.

In the elaborated scheme of pentesting, your Purple Team is the result of the collaboration between your Blue Team and your Red Team, and it can simulate Advanced Persistent Threats (APT).

As the lower portion of the picture shows, third-party consultants can offer various levels of IT Penetration Testing services. It is up to you to judge which level of pentesting your company needs at a given point in time.

From your point of view, you can seek pentesting of one or all of the following:

@) IT Pentesting
@) OT Pentesting
@) Platform Pentesting

This picture also depicts the actual steps of the pentesting process that you/pentesters would need to go through in real life. Let me brief you on them.

1. Scope Qualification : You select all the assets which are in the scope of the Penetration Testing exercise/assignment and record them in writing.

2. Kick-off : You meet all the involved stakeholders. You also introduce them to the scoped assets.

3. Execution of Penetration Test : You carry out real penetration tests against all the scoped assets, based on a standardized methodology.

4. Analysis & Report : You prepare and officially deliver a 'Penetration Test Report' with all the major recommendations clearly stated in it.

5. Improvement Workshop (Optional) : You may also carry out a technical workshop to help the defenders mitigate all the risks involved with vulnerable assets.

6. Retest after Mitigation phase (Optional) : You may also carry out one more round of pentesting attacks to check whether all the vulnerabilities which were found have actually been fixed.
