Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống
1
/ 41 trang
THÔNG TIN TÀI LIỆU
Thông tin cơ bản
Định dạng
Số trang
41
Dung lượng
796,42 KB
Nội dung
.c om cu u du o ng th an co ng Introduction To Penetration Testing CuuDuongThanCong.com https://fb.com/tailieudientucntt Introduction to Penetration testing an The objects of Penetration testing co ng Types of Penetration testing .c om Contents ng th Benefits of Penetration Testing du o The locations of Penetration testing cu u Penetration test Process overview Penetration testing standards Setting up virtual lab CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om cu u du o ng th an co ng Introduction to Penetration testing CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om How to improve your system security? ng Vulnerability Assessment cu u du o ng th an co Penetration Testing CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Vulnerability Assessment A vulnerability is an assessment where you identify areas in the co ng configuration that make your system vulnerable to an attack or security th an incident du o ng Using tools: Nessus, Nexpose, Microsoft Baseline Security Analyzer, … The software is not performing attacks on the system, it simply checks the cu u configuration of the system => Passive Assessment CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Vulnerability Assessment ng Vulnerability assessment for Operating system: co Unused accounts cu u Unpatched software du o ng Unpatched operating system th an Administrative accounts Vulnerability software CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Characteristics of vulnerability assessment Passively testing security controls: you are not actually trying to hack co ng into the system or exploit it th an Identify vulnerability: identify vulnerabilities, or weaknesses du o ng Identify lack of security controls: when performing a vulnerability assessment, you are looking to identify of there are any security controls cu u that should be used that are not currently being used CuuDuongThanCong.com https://fb.com/tailieudientucntt ng Identify common misconfigurations c om Characteristics of vulnerability assessment co False positive: somethings that is being reported as a vulnerability, but it cu u du o ng th an is not CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Penetration Testing Penetration testing or pentesting: involves simulating real attacks to co ng assess the risk associated with potential security breaches th an Using many tools and techniques, the penetration tester attempts to exploit cu u du o ng critical systems and gain access to sensitive data CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Penetration Testing characteristics ng Verify a threat exists an cu u du o ng Exploiting vulnerabilities th Actively test security control co Bypass security controls CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Determination of scope Before you can accurately determine the scope of the test, you will need to co ng gather as much information as possible: th an Does your customer understand the difference between a vulnerability du o ng assessment and a penetration test? u What is the purpose of the test? cu Who has the authority to authorize testing? What is the proposed timeframe for the testing? CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Determination of scope ng Are there any restrictions as to when the testing can be performed? co Will you be conducting this test with, or without cooperation of the IT th an Security Operations Team? du o ng Is social engineering permitted? u How about Denial of Service attacks? cu Are you allowed to see the network documentation or to be informed of the network architecture prior to testing to speed things along? CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Determination of scope ng What are the IP ranges that you are allowed to test against? co What are the physical locations of the company? th an Will additional permission be required once a vulnerability has been du o ng exploited? cu and so on? u How are databases to be handled? Are you allowed to add records, users, CuuDuongThanCong.com https://fb.com/tailieudientucntt ng Rules of engagement documentation: c om Determination of scope co Proper permissions by appropriate personnel th an Begin and end dates for your testing du o ng The type of testing that will be performed cu u Limitations of testing (DDOS, Social engineering, …) IP ranges and physical locations to be tested CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Determination of scope ng How the report will be transmitted at the end of the test co Which tools will be used during the test? th an Let your client know how any illegal data that is found during testing du o ng would be handled u How sensitive information will be handled cu Contact information for both your team and for the key employees of the company you are testing CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Determination of scope An agreement of what you will to ensure the customer's system co ng information does not remain on unsecured laptops and desktops used cu u du o ng th an during testing CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om cu u du o ng th an co ng Penetration Testing Standards CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Penetration Testing Execution Standard - PTES PTES (old but good) co ng Pre-engagement Interactions an Intelligence Gathering Post Exploitation du o cu Exploitation u Vulnerability Analysis ng th Threat Modeling Reporting CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Payment Card Industry Data Security Standard cu u du o ng th an co ng PCI Information Supplement: Penetration Testing Guidance March 2015 CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om OWASP Testing Guide ng Web Application Security co Excellent resource cu u du o ng th an Detailed, practical methods CuuDuongThanCong.com https://fb.com/tailieudientucntt A component for obtaining an ISO c om ISO 27001 co ng 27001 certification is performing a an penetration test It provides insight du o improve where you need to u shows cu and ng th into the current status of your security CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om cu u du o ng th an co ng Setting up virtual lab CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Setting up virtual lab ng Installing VMware co Setting Up Kali Linux th an Configuring the Network for Your Virtual Machine ng Installing Nessus du o Installing Additional Software (mingw32, Hyperion, Veil-Evasion, Ettercap cu u Setting Up Android Emulators Smartphone Pentest Framework CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om Setting up virtual lab Target Virtual Machines co ng Creating the Windows XP Target th an Setting Up the Ubuntu 10 Target cu u du o ng Creating the Windows Target CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om ng co an th ng du o u cu CuuDuongThanCong.com https://fb.com/tailieudientucntt ... Introduction to Penetration testing an The objects of Penetration testing co ng Types of Penetration testing .c om Contents ng th Benefits of Penetration Testing du o The... objects of Penetration testing CuuDuongThanCong.com https://fb.com/tailieudientucntt .c om The objects of penetration testing ng Network Penetration Testing co Application Penetration Testing. .. .c om Penetration Testing Penetration testing or pentesting: involves simulating real attacks to co ng assess the risk associated with potential security breaches th an Using many tools and