What is penetration testing?

It seems like every day dawns with a new headline regarding the latest cybersecurity attack. Hackers continue to steal millions of records and billions of dollars at an alarming frequency. The key to combating their efforts is to conduct thorough penetration tests throughout the year.

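Penetration testing is designed to assess your security before an attacker does. Penetration testing tools simulate real-world attack scenarios to discover and exploit security gaps that could lead to stolen records, compromised credentials, intellectual property, personally identifiable information (PII), cardholder data, personal, protected health information, data ransom, or other harmful business outcomes. By exploiting security vulnerabilities, penetration testing helps you determine how to best mitigate and protect your vital business data from future cybersecurity attacks.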

What are the five stages of penetration testing?

With any typical pen test, there are five key stages that must be completed:

1. Reconnaissance and intelligence gathering

Before the penetration testing team takes any action, suitable information gathering must be completed on the prospective target. This period is vital to establishing an attack plan and serves as the staging ground for the entirety of the engagement.

2. Scanning

After the reconnaissance phase, a collection of scans is performed on the target to decipher how their security systems will counter multiple breach attempts. The discovery of vulnerabilities, open ports, and other areas of weakness within a network’s infrastructure can dictate how pen testers will continue with the planned attack.

3. Gaining access

Once data has been collected, penetration testers leverage common web application attacks such as SQL Injection and Cross-Site Scripting to exploit any existing vulnerabilities. Now that access has been obtained, testers attempt to imitate the scope of the potential damage that could be generated from a malicious attack.

4. Maintaining access

The main goal of this stage is to achieve a state of constant presence within the target environment. Over time, more data is collected throughout the exploited system, which allows the testers to mimic advanced persistent threats.

5. Covering tracks/analysis

Finally, once the engagement is complete, any trace of the attack must be eliminated to ensure anonymity. Log events, scripts, and other executables that could be discovered by the target should be completely untraceable. A comprehensive report with an in-depth analysis of the entire engagement will be shared with the target to highlight key vulnerabilities, gaps, the potential impact of a breach, and a variety of other essential security program components.

How is penetration testing performed?

Penetration testing can either be done in-house by your own experts using penetration testing tools, or you can outsource it to a penetration testing services provider. A penetration test starts with the security professional enumerating the target network to find vulnerable systems and/or accounts. This means scanning each system on the network for open ports that have services running on them. It is extremely rare that an entire network has every service configured correctly, properly password-protected, and fully patched. Once the penetration tester has a good understanding of the network and the vulnerabilities that are present, he/she will use a penetration testing tool to exploit a vulnerability in order to gain unwelcome access.

However, security professionals do not target systems alone. Often, penetration testers attack users on the network through phishing emails, pre-text calling, or onsite social engineering.

How do you test the "user risk" of the IT security chain?

Your users present an additional risk factor as well. Attacking a network via human error or compromised credentials is nothing new. If the continuous cybersecurity attacks and data breaches have taught us anything, it’s that the easiest way for a hacker to enter a network and steal data or funds is still through network users.

Compromised credentials are the top attack vector across reported data breaches year after year, a trend confirmed by the Verizon Data Breach Report. Part of a penetration test’s job is to resolve the aforementioned security threat caused by user error. A pen tester will attempt brute-force password guessing of discovered accounts to gain access to systems and applications. While compromising one machine can lead to a breach, in a real-life scenario an attacker will typically use lateral movement to eventually land on a critical asset.

Another common way to test the security of your network users is through a simulated phishing attack. Phishing attacks use personalized communication methods to convince the target to do something that’s not in their best interest. For example, a phishing attack might convince a user that it’s time for a "mandatory password reset" and to click on an embedded email link. Whether clicking on the malicious link drops malware or simply gives the attacker the door they need to steal credentials for future use, phishing attacks are one of the easiest ways to exploit network users. If you are looking to test your users’ awareness around phishing attacks, make sure that the penetration testing tool you use has these capabilities.

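What does penetration testing mean for a business?

Penetration testing is an important part of cybersecurity. Through these tests, businesses can identify: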

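  1. Security vulnerabilities before a hacker attacks
  2. Gaps in information security compliance
  3. The response time of their information security team, i.e. how long it takes the team to realize that there is a breach and mitigate the impact
  4. The potential real-world effect of a data breach or cybersecurity attack
  5. Actionable remediation guidance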

Through penetration testing, security professionals can effectively find and test the security of multi-tier network architectures, custom applications, web services, and other IT components. These penetration testing tools and services help you gain fast insight into the areas of highest risk so that you may effectively plan security budgets and projects. Thoroughly testing the entirety of a business's IT infrastructure is imperative to taking the precautions needed to secure vital data from cybersecurity hackers, while simultaneously improving the response time of an IT department in the event of an attack.
